Whose afraid of the big bad wolf


Published on

Let’s see if you have a picture in your head of auditors. Do see you them, sitting there in the darkness, with a maniacal look on their faces. They pour over your documentation and configuration files just hoping to find the red meat. If there is anything juicy they will find it and feed off it at your expense. Is this the image you have of auditors? Perhaps you were burned during an audit, or just didn’t have a very good experience at the auditor’s hands. With a bit of explanation, your next audit doesn’t have to be so stressful and adversarial. Maybe, just maybe, you can walk away with some value to help improve what you do that you hadn’t thought of before.

Starting from the beginning, we will walk through why IT auditors exist and what role they play in the organizations risk management process. Since we all can relate to risk, maybe we can find the common ground and start to derive value from what auditors provide. Given the right amount of attention and care, organizations can ultimately benefit from IT and Audit working together. Plus you will sleep better at night knowing the bogeyman is just a myth.

Speaker Bio
Jeff Kirsch is an IT auditor by day and ghostnomad, an infosec geek alter ego, every chance he can get. Always trying to learn new things drives him to find better ways to help others learn about technology. His passion for technology also drives him to help those in technology understand auditors and the audit process.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Whose afraid of the big bad wolf

  1. 1. Whose Afraid of the Big Bad Wolf: Accepting Audit as a Service
  2. 2. <ul><li>Jeff Kirsch </li></ul><ul><li> 14 years in Audit </li></ul><ul><li>10 years in IT Audit </li></ul>
  3. 3. ghostnomad got into computers: age 9 attempted computer science no passion to code on deadlines
  4. 4. <ul><li>Have you been audited? </li></ul>Honesty Then you have lied So auditors need to lie
  5. 5. Defensive Audit Techniques Use terms to depersonalize & confuse Request more information than you need Hide the fact results will sink the “auditee”
  6. 6. Grand Finale – We are here to help Wait, what?
  7. 7. Evil Auditors, Really? Understanding is the foundation we lack Everyone uses their own lingo Nobody likes to be corrected
  8. 8. Lets Talk Audit
  9. 9. Audit <ul><li>Evaluation of a person, organization, system, process, enterprise, project or product. </li></ul><ul><li>- wikipedia </li></ul>
  10. 10. Inherent Risk <ul><li>Risk exists without consideration of controls </li></ul>We have controls so who cares, right? Are your controls working
  11. 11. Scope What is the purpose of the audit Drives the audit results
  12. 12. Controls A process or procedure which manages risk Controls must have a cost benefit Management defines controls
  13. 13. Types of Audits Financial Audit/Attestation SAS 70 Regulatory/Compliance
  14. 14. <ul><li>Why are results significant? </li></ul><ul><li>Stockholders </li></ul><ul><li>Regulators </li></ul><ul><li>Executives </li></ul><ul><li>Management </li></ul>Oh hey, you too
  15. 15. How to deal with auditors <ul><li>If you don’t understand, ask </li></ul><ul><li>If they don’t understand, explain </li></ul><ul><li>Communication is key </li></ul>Don’t try to hide things, someone will spill the beans at some point
  16. 16. How to Manage Auditors <ul><li>Clarify the “scope” and don’t be afraid to ask how it fits in to testing </li></ul><ul><li>Keep documents up to date, they reduce face time </li></ul><ul><li>If you know it is ongoing, develop your own response process </li></ul>
  17. 17. Drive Out Value
  18. 18. <ul><li>The security of an information technology (IT) system typically can be improved if the identified software flaws and configuration settings that affect security are properly addressed. </li></ul><ul><li>-- NIST “Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.1.4“ </li></ul>
  19. 19. Where is the Value Audit as a Hammer (yeah, I went there) Audit has direct line to upper management Shows the forest when you only see trees
  20. 20. Types of Audits Redux Financial Audit/Attestation SAS 70 Regulatory/Compliance
  21. 21. <ul><li>In IT Audit it is all about controls </li></ul><ul><li>Information Security is all about controlling </li></ul><ul><li>What makes you think we are different? </li></ul>Different
  22. 22. <ul><li>My corollary “then auditors are like the actuaries” </li></ul>Rafal Los said “People in infosec are like insurance salesmen” Insurance policies make money because you have to know how to price the risk and sell the risk
  23. 23. Where to Find Me <ul><li>Twitter: @ghostnomad </li></ul><ul><li>Email: [email_address] </li></ul><ul><li>Blog: www.ghostnomad.com/blog </li></ul><ul><ul><li>Or www.it-haiku.com </li></ul></ul>
  24. 24. Hidden Message Whose Afraid of the Big Bad Wolf: Accepting Audit as a Service
  25. 25. Questions?