Integrating internal controls, risk management, compliance, information security, and financial reporting can save money and increase effectiveness. Coordinating these areas through enterprise risk management helps align risk assessment, control monitoring, and assurance activities between departments. Using a common framework prevents duplicative work and helps ensure all risks are addressed.
Integrating Controls for Efficiency
1. Integrating Internal Controls
Save money and increase the effectiveness of internal controls and risk management processes by coordinating compliance, enterprise risk management, privacy, information security, internal audit, and financial reporting control assessment.
MOSS ADAMS LLP | 1
2. A TALE OF INEFFICIENCY. OR: WHY WE CARE
• Information Security Manager, Brian
o Performs and updates an IT security risk assessment
o Designs and enforces IT policies and governance processes to ensure system security
o Tests the effectiveness of the information security management system (ISMS)
o Deals with constant requests from 4 different “audit”, “compliance”, or “security” stakeholders
• Network Security Engineer, Bill
o Ignores the various risk assessments, and just does what “he thinks is right”
• Internal Auditor, Mary
o Performs an annual risk assessment of the audit universe
o Examines internal controls for design and operating effectiveness
• Financial Auditor, John
o Performs a risk assessment focused on financial reporting
o Tests the operating effectiveness of key ICOFR (internal control over financial reporting) controls
• Compliance Manager, Sally
o Keeps up to date with changing regulations, and communicates new requirements throughout the organization
o Maintains a compliance management system to ensure that the organization is not breaking the law
3. WHAT CAN I DO?
• Integrate your risk-centric business processes
o Get your colleagues onboard
o Develop a map
o Create touchpoints between departments
o Crosswalk controls or testing at key touchpoints
Diagram: Enterprise Risk Management (Risk Assessment, Risk Management); Assurance (Control Design and Self-Assessment, Operating Effectiveness Testing); Program Management (Compliance, Information Security)
4. THE GENERIC RISK MANAGEMENT CYCLE
Assess Risks → Perform Assessment of Controls’ Design and Operation → Report Results → Implement Improvements → (back to Assess Risks)
5. WHAT DOES IT LOOK LIKE?
• Internal Auditor, Mary: “You know Brian, I noticed that you are looking at new multi-factor authentication technologies for our internet banking customers. I was thinking about doing an audit to examine those controls.”
• Information Security Manager, Brian: “Interesting! That would be great! I did a risk assessment last year, and identified that as a key fraud risk.”
• Mary: “Let’s start by letting me evaluate your risk assessment as I plan my audit.”
• Brian: “OK. Also, I map my risk assessment to ISO 27002 controls. Do you think you could report your audit against that standard to help me evaluate risks more effectively?”
6. WHAT IT LOOKS LIKE (CONTINUED)
• The format is not critical.
• Just keep it simple, and manageable.
7. HOW WILL THIS IMPACT MY INFORMATION SECURITY PROGRAM?
• Watch out. The auditors will start to pay heed to your risk assessments, and will start to audit the areas you are concerned about.
8. HOW WILL THIS IMPACT INTERNAL AUDITS?
• Your internal audit program will be challenged with new sources of information for risk assessment and internal controls documentation.
• There may be messy conflicts of interest to be worked out.
o This is a good sign that Internal Audit is valuable within your organization.
• You do not need to rely on your own judgment or a simple survey as the only source to identify key risks in the organization.
o Don’t let this be you:
How many Information Security pros does it take to change a light bulb?
How many did it take last year?
9. SHARED RISK ASSESSMENTS?
Entity | Audit Objective Score (Process Audit Total) | Dollar Volume | Operational Risk | Compliance Risk | Nature/Sensitivity | Strategic | Last Time Audited
Information Technology – Enterprise Applications | 4.10 | 4.00 | 4.00 | 5.00 | 4.00 | 4.00 | 3.00
Accounting and Billing | 4.30 | 4.00 | 5.00 | 4.00 | 5.00 | 3.00 | 4.00
Facilities | 3.80 | 5.00 | 4.00 | 3.00 | 2.00 | 4.00 | 5.00
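The two touchpoints the deck keeps returning to, a shared scoring of the audit universe (this slide) and a crosswalk of each team's testing against one control framework (slides 3 and 5), as an added Python example. This is illustration code, not from the Moss Adams deck: the criterion weights, the risk register entries, the team names and the test years are all assumptions. The deck does not say how the Audit Objective Score is derived; the weights below were picked so that a weighted average reproduces the three scores on the slide.

```python
"""Shared risk register and control crosswalk.

Added illustration, not code from the Moss Adams deck. The criterion weights,
the risk entries, the team names and the test years are all assumptions.
"""
from collections import defaultdict

# Factor columns from the slide's audit-universe table, in the order rated.
FACTORS = ("dollar_volume", "operational_risk", "compliance_risk",
           "nature_sensitivity", "strategic", "last_audited")

# Assumed weights: the slide does not say how its Audit Objective Score is
# derived, so these were chosen so that a weighted average reproduces the
# three scores it shows (4.10, 4.30, 3.80).
WEIGHTS = dict(zip(FACTORS, (0.20, 0.20, 0.25, 0.15, 0.05, 0.15)))

# Factor ratings (1 = low, 5 = high) copied from the slide's three rows.
ENTITIES = {
    "Information Technology - Enterprise Applications": (4, 4, 5, 4, 4, 3),
    "Accounting and Billing": (4, 5, 4, 5, 3, 4),
    "Facilities": (5, 4, 3, 2, 4, 5),
}


def audit_objective_score(ratings, weights=WEIGHTS):
    """Weighted average of one entity's ratings (FACTORS order), to 2 places.
    A row with the wrong number of factors or a rating outside 1..5 raises
    instead of being quietly mis-scored into the audit plan."""
    if len(ratings) != len(FACTORS):
        raise ValueError(f"expected {len(FACTORS)} ratings, got {len(ratings)}")
    if any(not 1 <= r <= 5 for r in ratings):
        raise ValueError(f"ratings must lie within 1..5: {ratings}")
    return round(sum(weights[f] * r for f, r in zip(FACTORS, ratings)), 2)


def rank_entities(entities=ENTITIES):
    """Audit universe ordered highest score first: one ordering that both
    Internal Audit's annual plan and the infosec risk assessment can use."""
    return sorted(entities, key=lambda n: audit_objective_score(entities[n]),
                  reverse=True)


# Hypothetical risk register entries, each tagged with the ISO 27002:2005
# domain it falls under (the mapping Brian keeps on slide 5).
RISKS = [
    {"risk": "Account takeover of internet banking customers",
     "domain": "Access control", "rating": 5},
    {"risk": "Loss of billing data after a site outage",
     "domain": "Business continuity management", "rating": 4},
    {"risk": "Terminated staff badges still open the data center",
     "domain": "Physical and environmental security", "rating": 4},
    {"risk": "Lobby visitor log is incomplete",
     "domain": "Physical and environmental security", "rating": 2},
]

# Hypothetical test work each team has reported against the same domains.
TESTS = [
    {"team": "Internal Audit", "domain": "Access control", "year": 2012},
    {"team": "Financial Audit", "domain": "Access control", "year": 2012},
    {"team": "Information Security",
     "domain": "Physical and environmental security", "year": 2010},
]


def crosswalk(risks=RISKS, tests=TESTS, min_rating=4, since=2012):
    """Match key risks (rating >= min_rating) to teams that tested the same
    domain in or after `since`. Returns (covered, gaps): covered maps a risk
    to the sorted team names whose work another team can rely on instead of
    testing again; gaps lists key risks whose domain nobody has tested
    recently enough."""
    tested = defaultdict(set)
    for t in tests:
        if t["year"] >= since:
            tested[t["domain"]].add(t["team"])
    covered, gaps = {}, []
    for r in risks:
        if r["rating"] < min_rating:
            continue
        teams = tested.get(r["domain"])
        if teams:
            covered[r["risk"]] = sorted(teams)
        else:
            gaps.append(r["risk"])
    return covered, gaps


def duplicated_testing(tests=TESTS):
    """Domains more than one team tested: where one team could rely on the
    other's results instead of re-performing the work."""
    teams = defaultdict(set)
    for t in tests:
        teams[t["domain"]].add(t["team"])
    return sorted(d for d, names in teams.items() if len(names) > 1)
```

Run against a real register, `crosswalk` answers the question slide 8 raises (which key risks has nobody looked at) and `duplicated_testing` points at the inefficiency of slide 2 (the same domain tested twice by two stakeholders). The `since` cut-off matters: a domain last tested years ago is reported as a gap, not as coverage.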
10. SHARE A CONTROL FRAMEWORK?
• COSO
• COBIT
• ISO 27000/27002
• NIST 800
• PMBOK
• CMMI
• CIS
• ITIL
• PCI
• Industry-Specific Compliance
• Do we pick one, or do we integrate several?
11. THE COSO INTERNAL CONTROL MODEL
MONITORING: throughout
CONTROL ACTIVITIES: processes, procedures, safeguards, access security, authorization
RISK ASSESSMENT: identify, prioritize, mitigate risks; ongoing; wide participation
CONTROL ENVIRONMENT: tone at the top, infrastructure, compliance; culture: integrity and competence of people
Adapted from Committee of Sponsoring Organizations of the Treadway Commission (COSO)
12. ISO 27002
• Code of Practice for Information Security Management
• Divides IT security into 11 categories (domains)
• Defines key controls over specific sub-categories
• Defines implementation guidance for each key control
• 39 control objectives with 133 controls (ISO/IEC 27002:2005)
• Control objectives are generic functional requirement specifications for an organization’s information and information system security management control architecture
13. NIST
• NIST offers security guidance in many areas
• Special Publications 800 Series
• Useful high-level governance standards and practices
• Practically every IT security subject is covered here
• Written for the Federal Government but very useful for any organization
15. COBIT
• Value of IT, Risk, and Control
• Links IT service delivery to business requirements (already defined, right?)
• A lifecycle; constantly adapting, improving, re-adapting
• Four Responsibility Domains (COBIT 4.x):
o Plan and Organize (PO)
o Acquire and Implement (AI)
o Deliver and Support (DS)
o Monitor and Evaluate (ME)
• Make a grocery list of needs and then go shopping
16. CENTER FOR INTERNET SECURITY (CIS)
• CIS Benchmarks provide guidelines for operating systems and databases
• User originated, widely accepted, and reflect the consensus of expert users worldwide
• Compliance with these benchmarks will reduce findings and lead to more secure computing platforms
• Some benchmarks include:
o Windows Server
o Solaris
o Oracle
o Exchange
17. ITIL - PROCESS MODELING
• When you don’t have a good understanding of “what right looks like”
• Models most “Industry Standard” information and information system technology processes
• When in doubt “check it out and test it out”
o Maps to COBIT
o Complementary to NIST and ISO
o Helps to provide a starting place
o Caution - can be complicated
18. CAPABILITY MATURITY
UNRELIABLE → INFORMAL → STANDARDIZED → MONITORED → OPTIMIZED
• Level 1 – Unreliable: Unpredictable environment where control activities are not designed or in place.
• Level 2 – Informal: Disclosure activities and controls are designed and in place. Controls are not adequately documented; controls mostly dependent on people. No formal training or communication of control activities.
• Level 3 – Standardized: Control activities are designed and in place. Control activities have been documented and communicated to employees. Deviations from control activities will likely not be detected.
• Level 4 – Monitored: Standardized controls with periodic testing for effective design and operation, with reporting to management. Automation and tools may be used in a limited way to support control activities.
• Level 5 – Optimized: An integrated internal control framework with real-time monitoring by management, with continuous improvement (Enterprise-Wide Risk Management).
19. CONCLUDING ON THE FRAMEWORKS
• Don’t spend all your time mapping
• Use what works
• Focus on the ‘key’ controls for your
organization
• Focus on the risk assessment process first
20. WHAT SOFTWARE SHOULD I BUY?
• Microsoft Excel
• Enterprise-grade GRC software
• Online internal control and risk management
packages
21. CONCLUDING
• In organizations where multiple groups have responsibilities for enterprise risk, internal control, information security, compliance:
o Team up
o Create touch points: risk assessment, testing, controls documentation
o Use the tools, don’t let them use you