Brainwave GRC - Continuous Audit and Controls at ISACA event
BRAINWAVE GRC
How Machine Learning makes continuous audit and control possible
Continuous Audit & Control?
Continuous Audit: combined continuous evaluation of risks and controls on IT systems. Continuous audit allows the internal auditor to communicate his analysis of the object under consideration far faster than in the traditional retrospective approach.
Continuous Control: a process executed by management that enables them to verify that controls are functioning effectively (MPA 2320-4: Continuous assurance).
Source: GTAG 3, Institute of Internal Auditors
© Brainwave GRC – Proprietary and Confidential Information – All Rights Reserved
Why put in place continuous audit and controls?
Rapid adaptation to the evolution of the enterprise:
- More interactions with partners and outside providers
- Evolution of systems, consolidation, cloud adoption
- More sharing of data
- Evolution of work: employees, consultants, outsourced operations
Reduce the impact of risk
Efficiency (automation)
Proactive vs reactive
Add value to the line of business
You?
What are the hurdles?
- Data silos
- Data volume to manage
- Complexity of controls
- Identifying the best solutions
- Financial and operational support from IT and the line of business
Hurdles to deploying continuous audit and controls – Technology
Capabilities of technology:
- Computing power
- Progress of analytics
- Reliability and traceability
- Productivity (automation)
- Availability
What approach to adopt?
- The following is based on real deployment cases with clients
- Details have been anonymized
Step 1: Exhaustive controls on existing perimeter
Step 2: Add new controls and extend perimeter
Step 3: Implement more sophisticated controls
Step 4: Controls on business processes
Step 5: Behavioral analytics
Motivation 1: Reduce surprises!
Internal Audit – Preparation
- I take a sample
- Get results
- Remediate
External Audit – Big day
- New sample
- Unpleasant surprise!
- In-depth control (SOX): select more data and ask detailed questions of IT, internal audit…
Motivation 2: Be more proactive
Calendar
- Audit launched in February, results in August, corrections in September
- In between, no visibility
Organization and risks change rapidly
- Reorganization / acquisition / sale
- New systems, partners
- New risks, new regulations
Motivation 3: Enable business
- I manage valuable data for my clients
- Very competitive and sensitive sector
- New client > new applications > new controls
- Explosive growth in the cost of implementing a new control
- This is unsustainable; I do not want to be a permanent roadblock to business!
Step 1: Exhaustive controls on existing perimeter
- Define audit frequency
- Automate the collection process
- Resume data extracts
- From sampling to comprehensive controls
Controls dashboard
No more surprises: I have control over everyone
I have the answers to questions from my auditor
Complete view of access to applications: individuals and entities mapped to applications & permissions
Step 2: Add new controls and extend the perimeter
The right automation solution allows the addition of new controls with minimal effort and no coding.
Agile construction of the control and rule matrix
Add new controls
Visualization of data access: individuals and entities mapped to shared folders and type of access
Step 3: Implement more sophisticated controls
Sophisticated control: FRAUD
- SoD + multiple operational steps across several applications
- Based on a fraud scenario
- Objective: a trader on mandatory vacation must not access the trading platform
- Data: vacation/time-tracking application (HR), physical access control system (badge swipes), trading platform
- Results: list of suspects sent to the manager in charge of the control for investigation
Scale: 1,500 controls, 450 applications, run 2 times per week
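How the mandatory-vacation scenario above can be computed once the three extracts are collected, as an added example that is not part of the Brainwave deck or product. The HR leave records, badge swipes and trading log below are constructed sample data; the identity repository that links HR id, badge id and trading account is an assumed join table (without it the control cannot be exhaustive), and trading accounts with no owner in that table are reported as a coverage gap rather than silently skipped.

```python
from datetime import date, datetime

# Constructed sample extracts (not real client data). In a deployment these come
# from the HR leave application, the physical access control system and the
# trading platform's authentication / order log.
HR_MANDATORY_LEAVE = [  # (hr_id, leave_start, leave_end), inclusive dates
    ("E1001", date(2023, 3, 6), date(2023, 3, 17)),
    ("E1002", date(2023, 3, 13), date(2023, 3, 24)),
    ("E1003", date(2023, 3, 6), date(2023, 3, 10)),
]
BADGE_SWIPES = [  # (badge_id, timestamp, door)
    ("B-7781", datetime(2023, 3, 8, 7, 52), "TRADING-FLOOR-N"),
    ("B-7782", datetime(2023, 3, 15, 18, 30), "PARKING-L2"),
    ("B-7783", datetime(2023, 3, 3, 8, 10), "TRADING-FLOOR-N"),
]
TRADING_LOG = [  # (account, timestamp, action)
    ("jdoe", datetime(2023, 3, 8, 8, 3), "LOGIN"),
    ("jdoe", datetime(2023, 3, 8, 8, 9), "ORDER_SUBMIT"),
    ("asmith", datetime(2023, 3, 27, 9, 0), "LOGIN"),      # after leave ended
    ("rlee", datetime(2023, 3, 9, 9, 0), "LOGIN"),         # remote: no badge swipe
    ("svc_batch", datetime(2023, 3, 9, 2, 0), "LOGIN"),    # account with no owner
]
# Assumed identity repository: the join key that links the three silos. Accounts
# missing here cannot be evaluated, so the control reports them separately.
IDENTITIES = {
    "E1001": {"name": "J. Doe", "badge": "B-7781", "trading_account": "jdoe"},
    "E1002": {"name": "A. Smith", "badge": "B-7782", "trading_account": "asmith"},
    "E1003": {"name": "R. Lee", "badge": "B-7783", "trading_account": "rlee"},
}


def mandatory_vacation_control(leave, swipes, trading, identities):
    """Correlate the three extracts and return the suspect list.

    HIGH: trading platform activity during mandatory leave (the control objective).
    MEDIUM: only a badge swipe during leave (on site, but no trading activity seen).
    """
    by_badge = {v["badge"]: k for k, v in identities.items()}
    by_account = {v["trading_account"]: k for k, v in identities.items()}
    leave_by_id = {hr_id: (start, end) for hr_id, start, end in leave}
    evidence = {}       # hr_id -> [(severity, description)]
    unmapped = set()    # trading accounts with no identity: a coverage gap

    def during_leave(hr_id, ts):
        if hr_id not in leave_by_id:
            return False
        start, end = leave_by_id[hr_id]
        return start <= ts.date() <= end

    for account, ts, action in trading:
        hr_id = by_account.get(account)
        if hr_id is None:
            unmapped.add(account)
        elif during_leave(hr_id, ts):
            evidence.setdefault(hr_id, []).append(("HIGH", f"trading {action} at {ts:%Y-%m-%d %H:%M}"))
    for badge, ts, door in swipes:
        hr_id = by_badge.get(badge)
        if hr_id is not None and during_leave(hr_id, ts):
            evidence.setdefault(hr_id, []).append(("MEDIUM", f"badge swipe {door} at {ts:%Y-%m-%d %H:%M}"))

    findings = []
    for hr_id, items in evidence.items():
        findings.append({
            "hr_id": hr_id,
            "name": identities[hr_id]["name"],
            "severity": "HIGH" if any(s == "HIGH" for s, _ in items) else "MEDIUM",
            "evidence": [desc for _, desc in items],
        })
    findings.sort(key=lambda f: (f["severity"] != "HIGH", f["hr_id"]))
    return {"findings": findings, "unmapped_accounts": sorted(unmapped)}


if __name__ == "__main__":
    result = mandatory_vacation_control(HR_MANDATORY_LEAVE, BADGE_SWIPES, TRADING_LOG, IDENTITIES)
    for f in result["findings"]:
        print(f"{f['severity']:6} {f['hr_id']} {f['name']}: " + "; ".join(f["evidence"]))
    print("accounts without an identity:", result["unmapped_accounts"])
```

On this sample the trader who logged in remotely (no badge swipe) is still caught, because the trading log is checked on its own; the badge data only adds corroborating evidence. The unmapped service account is the kind of item that turns a sampled control into an exhaustive one: it goes back to the identity team, not into the suspect list.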
Residual access in real life: a situation that must remain temporary
Sophisticated control: INTERNAL MOBILITY
- Manufacturing client
- Temporary exception on the SoD matrix: internal transfer
- Track deviations with a custom tolerance threshold (x%)
- Alert temporarily suppressed (x days)
Scale: 1 million identities, 65 million tested permissions
Pareto: identify priorities for remediation
Resolving conflicts on these 6 SoD rules would eliminate 80% of problems.
Step 4: Business process controls
- Add a financial dimension to IT risks
- Additional level of comfort for internal & external auditors
- SoD on complete business processes
End-to-end view of fraud risk in the "Purchase to Pay" process
- Detect intra-application frauds
- Detect inter-application frauds
- Model segregation of duties conflicts
Valuation of fraud risks on business processes
- Allocation of potential fraud risks by business process
- Impact of proven fraud by business process
Details of dangerous transactions
Why did an ASSISTANT perform these dangerous transactions?
Step 5: Behavioral analytics
- Detect unknown risks
Individuals with abnormal behavior: accessed files abnormally high for an IT consultant
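The "abnormally high for an IT consultant" finding above is a peer-group comparison: a user is scored against people with the same job title, not against the whole population. Below is an added example of that idea, not Brainwave's own method (the deck does not say which algorithm it uses). The weekly file-access counts are constructed, the peer group is assumed to come from the HR job title, and the score is a robust z-score built on median and median absolute deviation so that the outlier's own count cannot inflate the baseline it is measured against.

```python
from statistics import median

# Constructed weekly file-access counts: (user, peer_group, files_accessed). In a
# deployment the counts come from file-server audit logs joined to the HR job
# title that defines the peer group (an assumption of this example).
ACCESS_COUNTS = [
    ("c.martin", "IT consultant", 41), ("p.roux", "IT consultant", 38),
    ("a.klein", "IT consultant", 52), ("s.ortiz", "IT consultant", 35),
    ("m.chen", "IT consultant", 600), ("l.dubois", "IT consultant", 47),
    ("e.novak", "Finance analyst", 310), ("t.baker", "Finance analyst", 290),
    ("r.silva", "Finance analyst", 355), ("j.park", "Finance analyst", 275),
    ("h.lee", "Finance analyst", 330),
    ("x.solo", "Legal counsel", 120),  # peer group of one: not scorable
]


def robust_z(value, group_values):
    """Modified z-score built on the median and the median absolute deviation,
    so one extreme member cannot inflate the spread and hide itself."""
    med = median(group_values)
    mad = median(abs(v - med) for v in group_values)
    return 0.0 if mad == 0 else 0.6745 * (value - med) / mad


def peer_group_outliers(rows, threshold=3.5, min_group=5, group_of=lambda r: r[1]):
    """Score every user against the members of its own peer group and return
    those above the threshold, highest score first."""
    groups = {}
    for row in rows:
        groups.setdefault(group_of(row), []).append(row)
    findings = []
    for group, members in groups.items():
        if len(members) < min_group:
            continue  # too few peers for a meaningful baseline
        values = [n for _, _, n in members]
        for user, _, n in members:
            score = robust_z(n, values)
            if score > threshold:
                findings.append({"user": user, "peer_group": group, "files": n,
                                 "peer_median": median(values), "score": round(score, 1)})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in peer_group_outliers(ACCESS_COUNTS):
        print(f"{f['user']} ({f['peer_group']}): {f['files']} files, "
              f"peer median {f['peer_median']}, score {f['score']}")
    # The same data scored as one population: the finance team's normal volume
    # widens the baseline so much that the consultant is not flagged at all.
    print("global outliers:", peer_group_outliers(ACCESS_COUNTS, group_of=lambda r: "all"))
```

The two runs at the end are the point of the slide: 600 files a week is unremarkable next to a finance team that routinely opens several hundred, but it is more than ten times what any other IT consultant touches. A global threshold would miss it; the peer-group baseline surfaces it. The minimum group size keeps a lone job title from producing a score that is really just noise.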
Benefits
Before/after comparison of effort (chart):
- Internal Audit: data collection & processing, analysis of results, remediation
- Line of Business / application manager: time to perform reviews, time to monitor reviews
- IT: data collection, response to auditors, corrections
Better relations between business, IT, internal audit, & external audit
Gain in productivity across the organisation
Increased value add
Share!
Share results and benefits with: Internal Audit, IT Security, Operational Risk, Application owners, Line of Business, External Auditors
- Deliver value: value added by analytics across the organisation
- Speed: 30 to 90 days of effort to production
- Flexibility / Agility: autonomy to create controls and analyse results
- More confidence and comfort
- More value across the organisation
- More operational and financial support
Contacts
Emmanuel Sol, C: +1 514 647 6574, emmanuel.sol@brainwavegrc.com
Eric In, D: +1 437 836 3621, C: +1 647 544 6000, eric.in@brainwavegrc.com
Graeme Hein, C: +1 416 795 3858, graeme.hein@brainwavegrc.com

cybersecurity notes for mca students for learning
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanation
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The Ugly
 

Brainwave GRC - Continuous Audit and Controls at ISACA event

  • 1. BRAINWAVE GRC: How Machine Learning makes continuous audit and control possible
  • 2. Continuous Audit & Control?
    - Continuous Audit: combined, continuous evaluation of risks and controls on IT systems. Continuous audit allows the internal auditor to communicate his analysis of the object under consideration far faster than in the traditional retrospective approach.
    - Continuous Control: process executed by management that enables them to verify that controls are functioning effectively (MPA 2320-4: Continuous assurance).
    - Source: GTAG 3, Institute of Internal Auditors
    © Brainwave GRC – Proprietary and Confidential Information – All Rights Reserved
  • 3. Why put in place continuous audit and controls?
    - Rapid adaptation to the evolution of the enterprise:
      - More interactions with partners and outside providers
      - Evolution of systems, consolidation, cloud adoption
      - More sharing of data
      - Evolution of work: employees, consultants, outsourced operations
    - Reduce the impact of risk
    - Efficiency (automation)
    - Proactive vs reactive
    - Add value to the Line of Business
  • 4. Hurdles to deploying continuous audit and controls – Technology
    What are the hurdles? (You?)
    - Data silos
    - Data volume to manage
    - Complexity of controls
    - Identifying the best solutions
    - Financial and operational support from IT and the Line of Business
    Capabilities of technology
    - Computing power
    - Progress of analytics
    - Reliability and traceability
    - Productivity (automation)
    - Availability
  • 5. What approach to adopt?
    - The following is based on real deployment cases with clients
    - Details have been anonymized
    Step 1: Exhaustive controls on existing perimeter
    Step 2: Add new controls and extend perimeter
    Step 3: Implement more sophisticated controls
    Step 4: Controls on business processes
    Step 5: Behavioral analytics
  • 6. Motivation 1: Reduce surprises!
    Internal Audit – Preparation
    - I take a sample
    - Get results
    - Remediate
    External Audit – Big day
    - New sample
    - Unpleasant surprise!
    - In-depth control (SOX): select more data and ask detailed questions of IT, internal audit…
  • 7. Motivation 2: Be more proactive
    Calendar
    - Audit launched in February, results in August, corrections in September
    - In between, no visibility
    Organization and risks change rapidly
    - Reorganization / acquisition / sale
    - New systems, partners
    - New risks, new regulations
  • 8. Motivation 3: Enable business
    - I manage valuable data for my clients
    - Very competitive and sensitive sector
    - New client > new applications > new controls
    - Explosive growth in the cost of implementing a new control
    - This is unsustainable; I do not want to be a permanent roadblock to the business!
  • 9. Step 1: Exhaustive controls on existing perimeter
    - Define audit frequency
    - Automate the collection process
    - Resume data extracts
    - Sample -> Comprehensive controls
  • 10. Controls dashboard
  • 11. No more surprises: I have control over everyone
  • 12. I have the answers to the questions from my auditor
  • 13. Complete view of access to applications
    - Individuals and entities
    - Applications & permissions
  • 14. Step 2: Add new controls and extend the perimeter
    - The right automation solution allows the addition of new controls with minimal effort and no coding
    - Agile construction of the control and rule matrix
  • 15. Add new controls
  • 16. Visualization of data access
    - Individuals and entities
    - Shared folders and type of access
  • 17. Step 3: Implement more sophisticated controls
    Sophisticated control: FRAUD
    - SoD + multiple operational steps across several applications
    - Based on a fraud scenario
    - Object: a trader on mandatory vacation must not access the trading platform
    - Data: vacation/time-tracking application (HR), physical access control system (badge swipes), trading platform
    - Results: list of suspects sent to the manager in charge of the control for investigation
    Figures: 1,500 controls, 450 applications, run 2 times per week
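The leave-period control described on this slide, written out as an added example (this is not Brainwave's product code). Three constructed extracts are correlated: HR leave periods, badge swipes from the physical access system, and trading-platform logins. Because the platform logs accounts rather than people, an account-to-identity mapping does the join, and every login that falls inside a leave period becomes a finding, enriched with whether a badge swipe put the person on site that day. Employee ids, account names, dates and addresses are all hypothetical.

```python
"""Cross-application fraud control (added example): a trader on mandatory
leave must not access the trading platform.  Correlates three constructed
extracts and returns the suspects with the evidence a control owner needs
to open an investigation."""
from collections import defaultdict
from datetime import date, datetime

# Constructed sample data; ids, accounts and IP addresses are hypothetical.
HR_LEAVE = [  # HR / time-tracking extract: mandatory leave periods, inclusive dates
    {"employee_id": "E1001", "name": "A. Trader", "start": "2024-03-04", "end": "2024-03-15"},
    {"employee_id": "E1002", "name": "B. Trader", "start": "2024-03-11", "end": "2024-03-22"},
    {"employee_id": "E1003", "name": "C. Trader", "start": "2024-03-04", "end": "2024-03-08"},
]
BADGE_SWIPES = [  # physical access control: (employee_id, timestamp, door)
    ("E1001", "2024-03-06T08:12:00", "TradingFloor-North"),
    ("E1003", "2024-03-18T08:45:00", "Lobby"),            # after leave ended: fine
]
TRADING_LOGINS = [  # trading platform: (account, timestamp, source ip); no employee id here
    ("tr_atrader", "2024-03-06T08:30:00", "10.20.1.17"),
    ("tr_btrader", "2024-03-13T22:05:00", "203.0.113.9"),  # remote login during leave
    ("tr_ctrader", "2024-03-18T09:00:00", "10.20.1.22"),   # outside leave: fine
    ("svc_pricing", "2024-03-06T00:00:00", "10.20.5.5"),   # account with no known owner
]
# Identity reconciliation: platform account -> HR identity (constructed).
ACCOUNT_OWNER = {"tr_atrader": "E1001", "tr_btrader": "E1002", "tr_ctrader": "E1003"}


def _day(ts):
    """ISO timestamp -> calendar date; leave is granted per day, not per second."""
    return datetime.fromisoformat(ts).date()


def find_leave_violations(hr_leave, badge_swipes, logins, account_owner):
    """Return ({employee_id: evidence}, [orphan accounts]).
    A finding is any trading-platform login on a day inside one of the
    user's leave periods.  Accounts that cannot be tied to an identity are
    reported rather than dropped: an orphan account is a finding itself."""
    leave_by_emp = defaultdict(list)
    for rec in hr_leave:
        leave_by_emp[rec["employee_id"]].append(
            (date.fromisoformat(rec["start"]), date.fromisoformat(rec["end"]), rec["name"]))

    swipes_by_emp_day = defaultdict(list)
    for emp, ts, door in badge_swipes:
        swipes_by_emp_day[(emp, _day(ts))].append((ts, door))

    suspects, orphan_accounts = {}, set()
    for account, ts, src_ip in logins:
        emp = account_owner.get(account)
        if emp is None:
            orphan_accounts.add(account)
            continue
        login_day = _day(ts)
        for start, end, name in leave_by_emp.get(emp, []):
            if start <= login_day <= end:
                ev = suspects.setdefault(emp, {"name": name, "logins": [], "on_site_days": set()})
                ev["logins"].append({"account": account, "time": ts, "source_ip": src_ip})
                if swipes_by_emp_day.get((emp, login_day)):
                    ev["on_site_days"].add(login_day.isoformat())  # physically present too
    return suspects, sorted(orphan_accounts)


if __name__ == "__main__":
    suspects, orphans = find_leave_violations(HR_LEAVE, BADGE_SWIPES, TRADING_LOGINS, ACCOUNT_OWNER)
    for emp, ev in suspects.items():
        print(emp, ev["name"], "- logins during leave:", len(ev["logins"]),
              "- on site:", sorted(ev["on_site_days"]) or "no badge swipe")
    print("accounts with no identified owner:", orphans)
```

The join key is the weak point in practice: the control is only as good as the account-to-identity mapping, which is why unmapped accounts are surfaced as their own result instead of being silently ignored. Since everything runs on flat extracts, the same function can be scheduled at whatever cadence the slide describes.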
  • 18. Residual access in real life: a situation that must be temporary
    Sophisticated control: INTERNAL MOBILITY
    - Manufacturing client
    - Temporary exception on the SoD matrix: internal transfer
    - Track deviations with a custom tolerance threshold (x%)
    - Alert temporarily suppressed (x days)
    Figures: 1 million identities, 65 million tested permissions
  • 19. Pareto: identify priorities for remediation
    - Resolving conflicts on these 6 SoD rules would eliminate 80% of problems.
  • 20. Step 4: Business process controls
    - Add a financial dimension to IT risks
    - Additional level of comfort for internal & external auditors
    - SoD on complete business processes
  • 21. End-to-end view of fraud risk in the "Purchase to Pay" process
    - Model segregation of duties conflicts
    - Detect intra-application frauds
    - Detect inter-application frauds
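An added example (not Brainwave's code) that covers the SoD mechanics of slides 18, 19 and 21 in one place: a small conflict matrix, including one rule whose two permissions live in different applications, is evaluated against constructed users; an internal transfer suppresses the alert for a grace period measured against an as-of date rather than closing it; the share of users with active conflicts is compared with a tolerance threshold; and the Pareto step ranks the rules whose remediation would clear 80% of the active conflicts. Rule ids, permission names, users and dates are hypothetical.

```python
"""SoD matrix evaluation with internal-mobility exceptions and Pareto
prioritisation (added example).  Permissions are written "Application:perm"
so a rule can pair permissions from two different applications."""
from collections import Counter
from datetime import date

# Constructed conflict matrix: rule id -> two permissions one identity must
# not hold together.  R03 is an inter-application conflict (ERP + bank).
SOD_RULES = {
    "R01": ("ERP:create_vendor", "ERP:approve_payment"),
    "R02": ("ERP:create_po", "ERP:approve_po"),
    "R03": ("ERP:post_invoice", "Bank:release_payment"),
    "R04": ("HR:change_salary", "Payroll:run_payroll"),
}
# Constructed permission extract: identity -> effective permissions.
USER_PERMS = {
    "u01": {"ERP:create_vendor", "ERP:approve_payment"},
    "u02": {"ERP:create_vendor", "ERP:approve_payment", "ERP:create_po", "ERP:approve_po"},
    "u03": {"ERP:create_po", "ERP:approve_po"},
    "u04": {"ERP:create_vendor", "ERP:approve_payment"},
    "u05": {"ERP:post_invoice", "Bank:release_payment"},
    "u06": {"ERP:create_vendor", "ERP:approve_payment"},
    "u07": {"HR:change_salary", "Payroll:run_payroll"},
    "u08": {"ERP:create_po"},
    "u09": {"ERP:approve_po", "ERP:create_po"},
    "u10": {"ERP:view_reports"},
}
# Constructed HR feed: internal transfers (identity -> effective date).
# During the hand-over old and new permissions legitimately coexist, so the
# alert is suppressed for a grace period; u04's grace period has long expired.
TRANSFERS = {"u06": "2024-05-01", "u04": "2024-02-01"}


def evaluate_sod(user_perms, rules, transfers, as_of, grace_days=30):
    """One finding per (user, rule) conflict.  'suppressed' is True when the
    user was transferred less than grace_days before as_of.  The finding is
    still recorded, so it resurfaces on its own once the grace period ends:
    residual access is tolerated temporarily, never forgotten."""
    as_of_d = date.fromisoformat(as_of)
    findings = []
    for user, perms in sorted(user_perms.items()):
        in_grace = False
        if user in transfers:
            age_days = (as_of_d - date.fromisoformat(transfers[user])).days
            in_grace = 0 <= age_days < grace_days
        for rule_id, (perm_a, perm_b) in rules.items():
            if perm_a in perms and perm_b in perms:
                findings.append({"user": user, "rule": rule_id, "suppressed": in_grace})
    return findings


def deviation_rate(findings, population):
    """Share of the population holding at least one active conflict; this is
    the number compared against the client's tolerance threshold (x%)."""
    users = {f["user"] for f in findings if not f["suppressed"]}
    return len(users) / population


def pareto_rules(findings, target=0.8):
    """Rank rules by active conflict count and return the shortest prefix whose
    remediation clears at least `target` of the active conflicts."""
    counts = Counter(f["rule"] for f in findings if not f["suppressed"])
    total = sum(counts.values())
    if total == 0:
        return [], 1.0
    chosen, covered = [], 0
    for rule, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        chosen.append(rule)
        covered += n
        if covered / total >= target:
            break
    return chosen, covered / total


if __name__ == "__main__":
    findings = evaluate_sod(USER_PERMS, SOD_RULES, TRANSFERS, as_of="2024-05-15")
    rate = deviation_rate(findings, len(USER_PERMS))
    top, share = pareto_rules(findings)
    print(f"{len(findings)} conflicts, {sum(f['suppressed'] for f in findings)} suppressed by transfer grace period")
    print(f"deviation rate {rate:.0%} against a 5% tolerance: {'breached' if rate > 0.05 else 'ok'}")
    print(f"fix rules {top} to clear {share:.0%} of active conflicts")
```

The as-of date matters: run the same extract a month later and u06's suppressed finding turns active without anyone having to remember the exception, which is what makes a temporary tolerance safe to grant.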
  • 22. Valuation of fraud risks on business processes
    - Allocation of potential fraud risks by business process
    - Impact of proven fraud by business process
  • 23. Details of dangerous transactions
    - Why did an ASSISTANT perform these dangerous transactions?
  • 24. Step 5: Behavioral analytics
    - Detect unknown risks
    - Individuals with abnormal behavior
    - Example: number of files accessed abnormally high for an IT consultant
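One way to produce the "abnormally high for an IT consultant" finding on this slide, as an added example that is not Brainwave's analytics: each user's file-access count is scored against the peers who share their job title, using the modified z-score built on the median and the median absolute deviation, so that one extreme user cannot inflate the baseline they are being compared to. The users, titles and counts are constructed, and the 3.5 cut-off and minimum group size of five are the example's own choices.

```python
"""Peer-group outlier detection for behavioural analytics (added example).
Each user's activity is compared with people holding the same job title,
using the modified z-score 0.6745 * (x - median) / MAD."""
from collections import defaultdict
from statistics import mean, median

# Constructed activity extract: (user, job title, files accessed this period).
FILE_ACCESS = [
    ("c01", "IT consultant", 40), ("c02", "IT consultant", 35),
    ("c03", "IT consultant", 52), ("c04", "IT consultant", 48),
    ("c05", "IT consultant", 44), ("c06", "IT consultant", 39),
    ("c07", "IT consultant", 51), ("c08", "IT consultant", 910),
    ("a01", "Data analyst", 200), ("a02", "Data analyst", 220),
    ("a03", "Data analyst", 180), ("a04", "Data analyst", 210),
    ("a05", "Data analyst", 640), ("a06", "Data analyst", 195),
    ("h01", "Helpdesk", 20), ("h02", "Helpdesk", 20), ("h03", "Helpdesk", 20),
    ("h04", "Helpdesk", 20), ("h05", "Helpdesk", 31),
    ("d01", "Developer", 300), ("d02", "Developer", 5000), ("d03", "Developer", 310),
]


def modified_z_scores(values):
    """Modified z-score of every value.  When the MAD is 0 (most peers share
    the identical count, as in the Helpdesk group) fall back to 1.2533 times
    the mean absolute deviation so the score stays finite; if even that is 0,
    every peer is identical and nothing deviates."""
    med = median(values)
    abs_dev = [abs(v - med) for v in values]
    mad = median(abs_dev)
    scale = mad if mad > 0 else 1.2533 * mean(abs_dev)
    if scale == 0:
        return [0.0] * len(values)
    return [0.6745 * (v - med) / scale for v in values]


def peer_group_outliers(records, threshold=3.5, min_group=5):
    """Return (outliers sorted by score, skipped peer groups).  Only upward
    deviations are flagged, since the question is who accessed far more than
    their peers.  Groups smaller than min_group give no usable baseline and
    are reported as skipped rather than scored."""
    groups = defaultdict(list)
    for user, title, count in records:
        groups[title].append((user, count))
    outliers, skipped = [], []
    for title, members in groups.items():
        if len(members) < min_group:
            skipped.append(title)
            continue
        counts = [c for _, c in members]
        peer_median = median(counts)
        for (user, count), z in zip(members, modified_z_scores(counts)):
            if z > threshold:
                outliers.append({"user": user, "peer_group": title, "files": count,
                                 "peer_median": peer_median, "robust_z": round(z, 2)})
    outliers.sort(key=lambda o: -o["robust_z"])
    return outliers, sorted(skipped)


if __name__ == "__main__":
    found, skipped = peer_group_outliers(FILE_ACCESS)
    for o in found:
        print(f"{o['user']} ({o['peer_group']}): {o['files']} files, "
              f"peer median {o['peer_median']:.0f}, robust z {o['robust_z']}")
    print("groups too small to score:", skipped)
```

Two caveats the output makes visible: the Developer group with a 5000-file user is not flagged at all, because three people are not a baseline, and the Helpdesk user at 31 files sits well under the cut-off even though everyone around them is at 20, since the fallback scale for a constant group is deliberately conservative. A peer group defined only by job title is also an assumption; in a real deployment the grouping would come from the same identity data the earlier steps built.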
  • 25. Benefits (before / after)
    Internal Audit: data collection & processing; analysis of results; remediation
    Line of Business / application manager: time to perform reviews; time to monitor reviews
    IT: data collection; response to auditors; corrections
    - Better relations between business, IT, internal audit & external audit
    - Gain in productivity across the organisation
    - Increased value add
  • 26. Share!
    Share results and benefits with: Internal Audit, IT Security, Operational Risk, Application owners, Line of Business, External Auditors
    - Deliver value: value added by analytics across the organisation
    - Speed: 30 to 90 days of effort to production
    - Flexibility / Agility: autonomy to create controls and analyse results
    Outcome:
    - More confidence and comfort
    - More value across the organisation
    - More operational and financial support
  • 27. Contacts
    Emmanuel Sol, C: +1 514 647 6574, emmanuel.sol@brainwavegrc.com
    Eric In, D: +1 437 836 3621, C: +1 647 544 6000, eric.in@brainwavegrc.com
    Graeme Hein, C: +1 416 795 3858, graeme.hein@brainwavegrc.com