1. Whose Afraid of the Big Bad Wolf: Accepting Audit as a Service

2. Jeff Kirsch
   • 14 years in Audit
   • 10 years in IT Audit

3. ghostnomad
   • Got into computers at age 9
   • Attempted computer science
   • No passion to code on deadlines

4. Have you been audited?
   • Honesty
   • Then you have lied
   • So auditors need to lie

5. Defensive Audit Techniques
   • Use terms to depersonalize and confuse
   • Request more information than you need
   • Hide the fact that results will sink the “auditee”

6. Grand Finale – We are here to help
   • Wait, what?

7. Evil Auditors, Really?
   • Understanding is the foundation we lack
   • Everyone uses their own lingo
   • Nobody likes to be corrected

8. Let's Talk Audit

9. Audit
   • Evaluation of a person, organization, system, process, enterprise, project or product.
   • – Wikipedia

10. Inherent Risk
   • Risk exists without consideration of controls
   • We have controls, so who cares, right?
   • Are your controls working?

11. Scope
   • What is the purpose of the audit
   • Drives the audit results

12. Controls
   • A process or procedure which manages risk
   • Controls must have a cost benefit
   • Management defines controls

13. Types of Audits
   • Financial Audit/Attestation
   • SAS 70
   • Regulatory/Compliance

14. Why are results significant?
   • Stockholders
   • Regulators
   • Executives
   • Management
   • Oh hey, you too

15. How to deal with auditors
   • If you don’t understand, ask
   • If they don’t understand, explain
   • Communication is key
   • Don’t try to hide things; someone will spill the beans at some point

16. How to Manage Auditors
   • Clarify the “scope” and don’t be afraid to ask how it fits into testing
   • Keep documents up to date; they reduce face time
   • If you know it is ongoing, develop your own response process

17. Drive Out Value

18. “The security of an information technology (IT) system typically can be improved if the identified software flaws and configuration settings that affect security are properly addressed.”
   • – NIST, “Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.1.4”

19. Where is the Value
   • Audit as a Hammer (yeah, I went there)
   • Audit has a direct line to upper management
   • Shows the forest when you only see trees

20. Types of Audits Redux
   • Financial Audit/Attestation
   • SAS 70
   • Regulatory/Compliance

21. Different
   • In IT Audit it is all about controls
   • Information Security is all about controlling
   • What makes you think we are different?

22. Rafal Los said, “People in infosec are like insurance salesmen”
   • Insurance policies make money because you have to know how to price the risk and sell the risk
   • My corollary: “then auditors are like the actuaries”

23. Where to Find Me
   • Twitter: @ghostnomad
   • Email: [email_address]
   • Blog: www.ghostnomad.com/blog
   • Or www.it-haiku.com

24. Hidden Message
   • Whose Afraid of the Big Bad Wolf: Accepting Audit as a Service

25. Questions?
A talk I gave to the NEOISF group.