Integrating Internal Controls



Presented at InnoTech Oregon on May 3, 2012. All rights reserved.


  1. INTEGRATING INTERNAL CONTROLS
     Save money and increase the effectiveness of internal controls and risk management processes by coordinating compliance, enterprise risk management, privacy, information security, internal audit, and financial reporting control assessment.
     MOSS ADAMS LLP | 1
  2. A TALE OF INEFFICIENCY. OR: WHY WE CARE
     • Information Security Manager, Brian
       o Performs and updates an IT security risk assessment
       o Designs and enforces IT policies and governance processes to ensure system security
       o Tests the effectiveness of the information security management system (ISMS)
       o Deals with constant requests from four different "audit", "compliance", or "security" stakeholders
     • Network Security Engineer, Bill
       o Ignores the various risk assessments and just does what "he thinks is right"
     • Internal Auditor, Mary
       o Performs an annual risk assessment of the audit universe
       o Examines internal controls for design and operating effectiveness
     • Financial Auditor, John
       o Performs a risk assessment focused on financial reporting
       o Tests the operating effectiveness of key ICOFR (internal control over financial reporting) controls
     • Compliance Manager, Sally
       o Keeps up to date with changing regulations and communicates new requirements throughout the organization
       o Maintains a compliance management system to ensure that the organization is not breaking the law
  3. WHAT CAN I DO?
     • Integrate your risk-centric business processes
       o Get your colleagues onboard
       o Develop a map
       o Create touchpoints between departments
       o Crosswalk controls or testing at key touchpoints
     [Diagram of the processes to integrate: Enterprise Risk Management, Risk Assessment, Risk Management, Assurance, Control Design and Operating Effectiveness Testing, Self Assessment, Program Management, Compliance, Information Security]
  4. THE GENERIC RISK MANAGEMENT CYCLE
     [Cycle diagram] Assess Risks -> Perform Assessment of Controls' Design and Operation -> Report Results -> Implement Improvements -> back to Assess Risks
  5. WHAT DOES IT LOOK LIKE?
     • Internal Auditor, Mary: "You know Brian, I noticed that you are looking at new multi-factor authentication technologies for our internet banking customers. I was thinking about doing an audit to examine those controls."
     • Information Security Manager, Brian: "Interesting! That would be great! I did a risk assessment last year, and identified that as a key fraud risk."
     • Mary: "Let's start by letting me evaluate your risk assessment as I plan my audit."
     • Brian: "OK. Also, I map my risk assessment to ISO 27002 controls. Do you think you could report your audit against that standard to help me evaluate risks more effectively?"
  6. WHAT IT LOOKS LIKE (CONTINUED)
     • The format is not critical.
     • Just keep it simple and manageable.
  7. HOW WILL THIS IMPACT MY INFORMATION SECURITY PROGRAM?
     • Watch out. The auditors will start to pay heed to your risk assessments, and will start to audit the areas you are concerned about.
  8. HOW WILL THIS IMPACT INTERNAL AUDITS?
     • Your internal audit program will be challenged with new sources of information for risk assessment and internal controls documentation.
     • There may be messy conflicts of interest to be worked out.
       o This is a good sign that Internal Audit is valuable within your organization.
     • You do not need to rely only on your own judgment or a simple survey as the only source to identify key risks in the organization.
       o Don't let this be you:
         - How many Information Security pros does it take to change a light bulb?
         - How many did it take last year?
  9. SHARED RISK ASSESSMENTS?

     Entity / Audit Process                               Audit Dollar  Operational  Compliance  Nature/      Strategic  Last Time  Total
                                                          Volume        Risk         Risk        Sensitivity  Objective  Audited    Score
     Information Technology – Enterprise Applications     4.00          4.00         5.00        4.00         4.00       3.00       4.10
     Accounting and Billing                               4.00          5.00         4.00        5.00         3.00       4.00       4.30
     Facilities                                           5.00          4.00         3.00        2.00         4.00       5.00       3.80

     The Total Score is not the plain average of the six factors (the IT row's factors average 4.00, not 4.10), so the factors are weighted; the deck does not show the weights.
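The arithmetic behind a table like this, as an added example that is not the deck's own material: ratings contributed by more than one group are merged per entity, a conflicting rating is refused rather than silently overwritten, and a weighted total ranks the audit universe. The weights are an assumption, since the deck does not state them; they were chosen so the totals match the slide. The sample ratings are the three rows above, split between Internal Audit and Information Security as a constructed illustration of who might own which factor.

```python
"""Weighted scoring of a shared audit-universe risk assessment.
Added example; the factor weights are assumed (the deck does not state them)."""

FACTORS = ("dollar_volume", "operational_risk", "compliance_risk",
           "nature_sensitivity", "strategic_objective", "last_audited")

# Assumed weights, summing to 1.0. In practice these are set by policy and
# agreed between the groups that share the assessment.
WEIGHTS = {"dollar_volume": 0.20, "operational_risk": 0.25,
           "compliance_risk": 0.20, "nature_sensitivity": 0.15,
           "strategic_objective": 0.10, "last_audited": 0.10}


def merge_ratings(*sources):
    """Combine ratings from several groups into one table keyed by entity.
    Each source is {entity: {factor: rating}}. Two groups rating the same
    factor differently is a disagreement to resolve between them, so it
    raises instead of letting the last source win."""
    merged = {}
    for source in sources:
        for entity, ratings in source.items():
            row = merged.setdefault(entity, {})
            for factor, value in ratings.items():
                if factor not in FACTORS:
                    raise KeyError(f"{entity}: unknown factor {factor!r}")
                if not 1 <= value <= 5:
                    raise ValueError(f"{entity}/{factor}: rating {value} not in 1..5")
                if factor in row and row[factor] != value:
                    raise ValueError(f"{entity}/{factor}: conflicting ratings "
                                     f"{row[factor]} and {value}")
                row[factor] = value
    return merged


def total_score(ratings, weights=WEIGHTS):
    """Weighted total on the 1..5 scale. A missing factor means the entity
    has not been fully rated yet; it is an error, not a zero."""
    missing = [f for f in FACTORS if f not in ratings]
    if missing:
        raise KeyError(f"unrated factors: {missing}")
    return round(sum(ratings[f] * weights[f] for f in FACTORS), 2)


def rank_audit_universe(merged, weights=WEIGHTS):
    """Entities ordered highest risk first, as an audit plan would list them."""
    scored = [(name, total_score(r, weights)) for name, r in merged.items()]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


# Constructed sample: the slide's three rows, split as if Internal Audit and
# Information Security each supplied the factors they own.
INTERNAL_AUDIT = {
    "Information Technology - Enterprise Applications":
        {"dollar_volume": 4, "operational_risk": 4, "strategic_objective": 4, "last_audited": 3},
    "Accounting and Billing":
        {"dollar_volume": 4, "operational_risk": 5, "strategic_objective": 3, "last_audited": 4},
    "Facilities":
        {"dollar_volume": 5, "operational_risk": 4, "strategic_objective": 4, "last_audited": 5},
}
INFOSEC = {
    "Information Technology - Enterprise Applications":
        {"compliance_risk": 5, "nature_sensitivity": 4},
    "Accounting and Billing":
        {"compliance_risk": 4, "nature_sensitivity": 5},
    "Facilities":
        {"compliance_risk": 3, "nature_sensitivity": 2},
}

if __name__ == "__main__":
    for name, score in rank_audit_universe(merge_ratings(INTERNAL_AUDIT, INFOSEC)):
        print(f"{score:.2f}  {name}")
```

Refusing a conflicting rating is the point of sharing the assessment: if Internal Audit and Information Security score the same factor differently, the two of them need to reconcile it, and a spreadsheet that just keeps the last value pasted in hides that disagreement.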
  10. SHARE A CONTROL FRAMEWORK?
     • COSO
     • COBIT
     • ISO 27000/27002
     • NIST 800
     • PMBOK
     • CMMI
     • CIS
     • ITIL
     • PCI
     • Industry-specific compliance
     • Do we pick one, or do we integrate several?
  11. THE COSO INTERNAL CONTROL MODEL
     • MONITORING: throughout
     • CONTROL ACTIVITIES: processes, procedures, safeguards, access security, authorization
     • RISK ASSESSMENT: identify, prioritize, mitigate risks; ongoing; wide participation
     • CONTROL ENVIRONMENT: tone at the top, infrastructure, compliance; culture: integrity and competence of people
     Adapted from the Committee of Sponsoring Organizations of the Treadway Commission (COSO)
  12. ISO 27002
     • Code of Practice for Information Security Management
     • Divides IT security into 11 categories (domains)
     • Defines key controls over specific sub-categories
     • Defines implementation guidance for each key control
     • 39 control objectives with 133 controls (2005 edition)
     • Control objectives are generic functional requirement specifications for an organization's information and information system security management control architecture
  13. NIST
     • NIST offers security guidance in many areas
     • Special Publications 800 series
     • Useful high-level governance standards and practices
     • Practically every IT security subject is covered here
     • Written for the Federal Government but very useful for any organization
  14. NIST (figure only; no text captured)
  15. COBIT
     • Value of IT, risk, and control
     • Links IT service delivery to business requirements (already defined, right?)
     • A lifecycle: constantly adapting, improving, re-adapting
     • Four responsibility domains:
       o Plan and Organize (PO)
       o Acquire and Implement (AI)
       o Deliver and Support (DS)
       o Monitor and Evaluate (ME)
     • Make a grocery list of needs and then go shopping
  16. CENTER FOR INTERNET SECURITY (CIS)
     • CIS Benchmarks provide configuration guidelines for operating systems and databases
     • User originated, widely accepted, and reflect the consensus of expert users worldwide
     • Compliance with these benchmarks will reduce findings and lead to more secure computing platforms
     • Some benchmarks include:
       o Windows Server
       o Solaris
       o Oracle
       o Exchange
  17. ITIL - PROCESS MODELING
     • For when you don't have a good understanding of "what right looks like"
     • Models most "industry standard" information and information system technology processes
     • When in doubt, "check it out and test it out"
       o Maps to COBIT
       o Complementary to NIST and ISO
       o Helps to provide a starting place
       o Caution: can be complicated
  18. CAPABILITY MATURITY
     • Level 1 – Unreliable: Unpredictable environment where control activities are not designed or in place.
     • Level 2 – Informal: Disclosure activities and controls are designed and in place. Controls are not adequately documented; controls mostly dependent on people. No formal training or communication of control activities.
     • Level 3 – Standardized: Control activities are designed and in place. Control activities have been documented and communicated to employees. Deviations from control activities will likely not be detected.
     • Level 4 – Monitored: Standardized controls with periodic testing for effective design and operation, with reporting to management. Automation and tools may be used in a limited way to support control activities.
     • Level 5 – Optimized: An integrated internal control framework with real-time monitoring by management and continuous improvement (enterprise-wide risk management).
  19. CONCLUDING ON THE FRAMEWORKS
     • Don't spend all your time mapping
     • Use what works
     • Focus on the "key" controls for your organization
     • Focus on the risk assessment process first
  20. WHAT SOFTWARE SHOULD I BUY?
     • Microsoft Excel
     • Enterprise-grade GRC software
     • Online internal control and risk management packages
  21. CONCLUDING
     • In organizations where multiple groups have responsibilities for enterprise risk, internal control, information security, and compliance:
       o Team up
       o Create touch points
         - Risk assessment
         - Testing
         - Controls documentation
       o Use the tools; don't let them use you
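The "crosswalk controls or testing at key touchpoints" advice on slide 3, the touch points listed here, and Brian's request on slide 5 that Mary report her audit against ISO 27002 all come down to one mapping exercise. The following is an added example, not code from the deck or from Moss Adams: a small control catalogue mapped to the frameworks each group reports against, a constructed test log, and functions that re-express every test result in each stakeholder's framework, flag controls two groups both tested, and flag controls nobody tested. The framework names come from the slides; the control references (such as "ISO27002/user-access-management"), the control IDs, and the assignment of stakeholders to frameworks are placeholders, not real clause numbers.

```python
"""Crosswalk of control test results across stakeholder frameworks.
Added example; control references and stakeholder assignments are placeholders."""
from collections import defaultdict

# Organisation-level control catalogue. Each control lists the reference each
# framework uses for it. References are hypothetical, loosely patterned on the
# domain names shown on the COBIT and COSO slides.
CONTROLS = {
    "AC-01": {"title": "Multi-factor authentication for internet banking users",
              "maps": {"ISO 27002": "ISO27002/user-access-management",
                       "COBIT": "COBIT/DS-ensure-systems-security",
                       "COSO": "COSO/control-activities"}},
    "CM-01": {"title": "Production change approval",
              "maps": {"ISO 27002": "ISO27002/change-management",
                       "COBIT": "COBIT/AI-manage-changes",
                       "COSO": "COSO/control-activities",
                       "PCI": "PCI/change-control"}},
    "LG-01": {"title": "Log review of privileged activity",
              "maps": {"ISO 27002": "ISO27002/monitoring",
                       "PCI": "PCI/track-and-monitor"}},
    "FR-01": {"title": "Quarterly account reconciliation",
              "maps": {"COSO": "COSO/control-activities"}},
}

# Which framework each group reports against (assumed, based on the roles on slide 2).
STAKEHOLDERS = {"Information Security": "ISO 27002",
                "Internal Audit": "COBIT",
                "Financial Audit": "COSO",
                "Compliance": "PCI"}

# Constructed test log for one cycle: (group that tested, control id, result).
TESTS = [
    ("Internal Audit", "AC-01", "effective"),
    ("Information Security", "AC-01", "effective"),  # same control tested twice
    ("Compliance", "CM-01", "exception"),
    ("Financial Audit", "FR-01", "effective"),
]


def crosswalk(tests, controls=CONTROLS, stakeholders=STAKEHOLDERS):
    """Re-express every test result in each stakeholder's own framework.
    Returns {stakeholder: {framework_ref: [(tester, control_id, result), ...]}}.
    A control with no reference in a stakeholder's framework is absent from
    that view; coverage_gaps() surfaces those so they are not mistaken for
    controls that passed."""
    view = {group: defaultdict(list) for group in stakeholders}
    for tester, control_id, result in tests:
        maps = controls[control_id]["maps"]
        for group, framework in stakeholders.items():
            ref = maps.get(framework)
            if ref is not None:
                view[group][ref].append((tester, control_id, result))
    return {group: dict(refs) for group, refs in view.items()}


def duplicate_effort(tests):
    """Controls tested by more than one group: candidates for a single shared test."""
    testers = defaultdict(set)
    for tester, control_id, _ in tests:
        testers[control_id].add(tester)
    return {cid: sorted(groups) for cid, groups in testers.items() if len(groups) > 1}


def untested(tests, controls=CONTROLS):
    """Controls nobody tested this cycle."""
    tested = {control_id for _, control_id, _ in tests}
    return sorted(set(controls) - tested)


def coverage_gaps(controls=CONTROLS, stakeholders=STAKEHOLDERS):
    """Per stakeholder, controls whose results they cannot consume because the
    control has no reference in their framework. This is the mapping work that
    slide 19 says to limit to the key controls."""
    return {group: sorted(cid for cid, c in controls.items() if framework not in c["maps"])
            for group, framework in stakeholders.items()}


if __name__ == "__main__":
    for group, refs in crosswalk(TESTS).items():
        print(group)
        for ref, results in refs.items():
            print(f"  {ref}: {results}")
    print("tested twice:", duplicate_effort(TESTS))
    print("not tested:", untested(TESTS))
    print("unmapped per stakeholder:", coverage_gaps())
```

In the constructed log, AC-01 is tested by both Internal Audit and Information Security, which is the duplicate effort the opening slide complains about; LG-01 is tested by nobody even though two frameworks care about it; and Compliance cannot see the AC-01 result at all because the control has no PCI reference, so a missing entry in a stakeholder's view has to be read alongside the gap list, not as a clean result.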
  22. THANKS
     503-512-0004