
Strategies for Deriving Maximum Benefit From Audit - ISACA · 2017-10-27 · Allan Boardman, CyberAdvisor.London

Page 1:

Page 2:

Strategies for Deriving Maximum Benefit From Audit

Allan Boardman

CyberAdvisor.London

Page 3:

Agenda

Setting the scene

Why Audit often struggles when working with Security and Risk

Spotlight on Audit

Spotlight on Security

Spotlight on Risk

Highlight specific conflict areas

Strategies for successful partnership

Page 4:

About the presenter

Allan Boardman CISA, CISM, CGEIT, CRISC, CA(SA), ACA, CISSP

Independent Business Advisor – CyberAdvisor.London

Most recently Business Information Security Officer at GSK

Background in Audit, Risk, Security and Governance roles

Chair ISACA International Audit and Risk Committee, 2014/15 – currently a member

Chair ISACA International Credentialing Board & Career Management Board, 2011/14

Member ISACA International Board of Directors, 2011/14

Member ISACA International Strategy Advisory Council, 2011/14

ISACA International Vice President, 2012/14

Member ITGI Board of Trustees, 2012/14

Chair CISM Certification Committee 2009/11, member since 2006

Member ISACA CGEIT Certification Committee 2016/current

Member ISACA Leadership Development Committee 2010/11

London Chapter President 2004/06. Chapter Board member 1999/08

Paralympics and Olympics Volunteer – London 2012, Sochi 2014, Rio 2016

Page 5:

Are you ready for this?

Page 6:

Spotlight on Audit

Some common characteristics:

Enquiring

Searching

Probing

Analytical

Attention to detail

Determined

Persistent

Thorough

Question: What’s the difference between a Rottweiler and an auditor?

Answer: The Auditor eventually lets go!

Page 7:

Business perception?

How do others view Audit?

Page 8:

How does the business react when Audit arrive?

Page 9:

Actual business reaction??

Page 10:

Run for the hills, the auditors are coming!!

Page 11:

It’s all about perception

Page 12:

Spotlight on Security

Security’s dilemma:

Significantly increased threat landscape

Working with limited resources

Lack of skilled people resources

Pressure on costs

Increased level of incidents

Devotes significant effort to audit issues

Impact on BAU (business-as-usual) activities?

Page 13:

Is Security guilty of overusing FUD?

Page 14:

Does Security have an image problem?

Page 15:

Are Security People a Bunch of Geeks?

Page 16:

Spotlight on Risk

Alignment with Operational Risk

Owns the control framework and risk assessment methodology

Perception that Risk is looking ahead and Audit looking back

Potential overlaps with security

1st Line or 2nd Line?

Where does Compliance come into the picture?

Page 17:

Three Lines of Defence Model

The framework helps in understanding the role of internal audit within the overall risk management and internal control process.

1st Line -> Operational management controls

2nd Line -> Monitoring controls

3rd Line -> Independent assurance

Page 18:

Specific areas that highlight potential conflicts

Tone at the top can drive undesirable behaviour

Open communications?

Audit requirements, i.e. things done because Audit “say so”

Checkbox, i.e. things done just for Audit

Strict adherence to auditing against policies

Pre-audits or clean up exercises before audits

Continuous auditing. Being “close to the deal flow”

Feeling of being over-audited

Adverse audit points linked directly to staff pay awards

Page 19:

So how do we move forward?

From this ... to this (images)

Page 20:

Communication is key

Page 21:

Strategies for successful partnership

Respect business priorities

Establish credibility

Develop relationships at all levels

Get a “seat at the table”

Be well prepared and learn the business

Be empathetic and reasonable

Be prepared to be flexible

Audit findings must be practical and risk based

Look for opportunities to provide advice

Be a trusted but critical partner and advisor

Solicit feedback

Communicate, communicate, communicate!

Remember:

All supporting the same business objectives

Security and Risk also have a role to play

Overall

Align with management in such a way that organizational goals are jointly achieved

“Leave every place a little better than you found it”

Page 22:

Word of caution: Don’t be a pushover

Page 23:

How much do management know about Audit?

Ten ways to get the most from Internal Audit

Page 24:

IT Audit Best Practices 2016

Page 25:

Final Reminder

If Internal Audit was an option, i.e. not mandated, would your business choose to have it?

Page 26:

Just a reminder of the origins of audit (over 800 years old!): Magna Carta, signed at Runnymede, England, 15 June 1215

Page 27:

Final, final thought…

Page 28:

Thank you

[email protected]

@allanboardman

www.linkedin.com/in/allanboardman

Page 29: