BRAINWAVE GRC
How Machine Learning makes continuous audit and control possible

Continuous Audit & Control?

Continuous Audit: the combined, continuous evaluation of risks and controls on IT systems. Continuous audit allows the internal auditor to report his analysis of the object under review far faster than in the traditional retrospective approach.

Continuous Control: a process executed by management that enables them to verify that controls are functioning effectively (MPA 2320-4: Continuous assurance).

Source: GTAG 3, Institute of Internal Auditors
© Brainwave GRC – Proprietary and Confidential Information – All Rights Reserved
Why put in place continuous audit and controls?

Rapid adaptation to the evolution of the enterprise:
- More interactions with partners and outside providers
- Evolution of systems, consolidation, cloud adoption
- More sharing of data
- Evolution of work: employees, consultants, outsourced operations

Reduce the impact of risk
Efficiency (automation)
Proactive vs reactive
Add value to the Line of Business
You?

Hurdles to deploying continuous audit and controls – Technology

What are the hurdles?
- Data silos
- Data volume to manage
- Complexity of controls
- Identifying the best solutions
- Financial and operational support from IT and the Line of Business

Capabilities of technology
- Computing power
- Progress of analytics
- Reliability and traceability
- Productivity (automation)
- Availability
What approach to adopt?
- The following is based on real deployment cases with clients
- Details have been anonymized

Step 1: Exhaustive controls on the existing perimeter
Step 2: Add new controls and extend the perimeter
Step 3: Implement more sophisticated controls
Step 4: Controls on business processes
Step 5: Behavioral analytics
6
Internal Audit– Preparation
 I take a sample
 Get results
 Remediate
External Audit – Big day
 New sample
 Unpleasant surprise !
 In-depth control (SoX), select more data and ask detailed
questions of IT, internal audit…
Motivation 1
© Brainwave GRC – Proprietary and Confidential Information – All Rights Reserved
1
Reduce
surprises !
7
Motivation 2: Be more proactive

Calendar
- Audit launched in February, results in August, corrections in September
- In between, no visibility

Organization and risks change rapidly
- Reorganization / acquisition / sale
- New systems, partners
- New risks, new regulations
Motivation 3: Enable business
- I manage valuable data for my clients
- Very competitive and sensitive sector
- New client > new applications > new controls
- Explosive growth in the cost of implementing a new control
- This is unsustainable; I do not want to be a permanent roadblock to business!
Step 1: Exhaustive controls on the existing perimeter
- Define the audit frequency
- Automate the collection process
- Reuse existing data extracts
- Move from sampling to comprehensive controls

Controls dashboard (screenshot)
No more surprises: every identity on the perimeter is under control
I have the answers to my auditor's questions
Complete view of access to applications (screenshot): individuals and entities mapped to applications & permissions
Step 2: Add new controls and extend the perimeter
The right automation solution allows new controls to be added with minimal effort and no coding.
Agile construction of the control and rule matrix
Add new controls (screenshot)
Visualization of data access (screenshot): individuals and entities mapped to shared folders and type of access
Step 3: Implement more sophisticated controls

Sophisticated control: FRAUD
- SoD plus multiple operational steps across several applications
- Based on a fraud scenario
- Objective: a trader on mandatory vacation must not access the trading platform
- Data: vacation/time-tracking application (HR), physical access control system (badge swipes), trading platform
- Results: list of suspects sent to the manager in charge of the control for investigation

Deployment figures: 1,500 controls, 450 applications, run twice a week
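The mandatory-vacation scenario above is a join across three systems of record rather than a single-application check. The following is an added example (not Brainwave GRC code, and not the product's rule language) of how that control can be expressed: HR leave windows, badge swipes and trading-platform sessions are constructed sample data, the identifiers and field names are assumptions, and an identity whose own leave window contains trading activity is rated HIGH while a badge swipe alone is rated MEDIUM as supporting evidence only.

```python
"""Mandatory-vacation control: a trader on leave must not touch the trading platform.

Added example, not Brainwave GRC code. It joins three constructed feeds (HR leave
periods, badge swipes from the physical access control system, trading-platform
sessions) and reports every identity with activity inside its own leave window.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Leave:
    person_id: str
    start: date
    end: date  # inclusive


@dataclass(frozen=True)
class Event:
    person_id: str
    source: str  # "badge" (physical access) or "trading" (platform log)
    at: datetime
    detail: str


# --- constructed sample data (assumed identifiers, not real extracts) ----------
HR_LEAVE = [
    Leave("T1001", date(2024, 3, 4), date(2024, 3, 15)),
    Leave("T1002", date(2024, 3, 11), date(2024, 3, 22)),
    Leave("T1004", date(2024, 3, 18), date(2024, 3, 29)),
]
BADGE_SWIPES = [
    Event("T1001", "badge", datetime(2024, 3, 1, 8, 2), "HQ trading floor"),    # before leave
    Event("T1001", "badge", datetime(2024, 3, 7, 7, 55), "HQ trading floor"),   # during leave
    Event("T1002", "badge", datetime(2024, 3, 8, 8, 10), "HQ trading floor"),   # before leave
    Event("T1004", "badge", datetime(2024, 3, 20, 12, 30), "HQ lobby"),         # during leave, no trading
]
TRADING_SESSIONS = [
    Event("T1001", "trading", datetime(2024, 3, 7, 8, 30), "login from 10.2.4.17"),
    Event("T1001", "trading", datetime(2024, 3, 7, 9, 12), "order EUR/USD"),
    Event("T1002", "trading", datetime(2024, 3, 8, 9, 0), "login from 10.2.4.18"),
    Event("T1003", "trading", datetime(2024, 3, 12, 9, 0), "login from 10.2.4.19"),  # not on leave
]


def leave_covering(leaves: List[Leave], person_id: str, day: date) -> Optional[Leave]:
    """The leave record (if any) that covers `day` for `person_id`."""
    for lv in leaves:
        if lv.person_id == person_id and lv.start <= day <= lv.end:
            return lv
    return None


def find_suspects(leaves: List[Leave], events: List[Event]) -> Dict[str, List[Event]]:
    """Group every event that falls inside the actor's own leave window, by identity."""
    findings: Dict[str, List[Event]] = {}
    for ev in events:
        if leave_covering(leaves, ev.person_id, ev.at.date()) is not None:
            findings.setdefault(ev.person_id, []).append(ev)
    return findings


def severity(events: List[Event]) -> str:
    """Trading activity during leave is the hard finding; a badge swipe alone is
    supporting evidence (the trader may be on site for a legitimate reason)."""
    return "HIGH" if any(e.source == "trading" for e in events) else "MEDIUM"


def suspect_report(leaves: List[Leave], events: List[Event]) -> List[tuple]:
    """(person_id, severity, event count), HIGH first, for the manager in charge."""
    findings = find_suspects(leaves, events)
    rows = [(pid, severity(evs), len(evs)) for pid, evs in findings.items()]
    return sorted(rows, key=lambda r: (r[1] != "HIGH", r[0]))


if __name__ == "__main__":
    for row in suspect_report(HR_LEAVE, BADGE_SWIPES + TRADING_SESSIONS):
        print(row)
```

The join key is the HR person identifier, so the control is only as good as the identity mapping between the HR system, the badge system and the trading platform; an unmapped trading account is a gap the control cannot see, which is why Step 1 (a complete identity-to-account view) comes first.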
18
Residual access in real life, situation that must be
temporary
© Brainwave GRC – Proprietary and Confidential Information – All Rights Reserved
1 2 3 4 5 3. Implement more sophisticated controls
Sophisticated controls : INTERNAL MOBILITY
 Manufacturing client
 Temporary exception on SoD matrix: internal transfer
 Track deviations with a custom tolerance threshhold(x%)
 Alert temporarily suppressed (x days)
1 million identities
65 million tested
permissions
19
Pareto: identify priorities for remediation
Resolving conflicts on these 6 SoD rules would eliminate 80% of the problems.
Step 4: Business process controls
- Add a financial dimension to IT risks
- Additional level of comfort for internal & external auditors
- SoD on complete business processes

End-to-end view of fraud risk in the "Purchase to Pay" process
- Model segregation-of-duties conflicts
- Detect intra-application frauds
- Detect inter-application frauds

Valuation of fraud risks on business processes (charts): allocation of potential fraud risk by business process; impact of proven fraud by business process

Details of dangerous transactions (screenshot): why did an ASSISTANT perform these dangerous transactions?
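Three ideas from Step 3 and Step 4 (a rule matrix of conflicting permissions that may span several applications, a time-boxed exception for an internal transfer with a tolerance threshold, and the Pareto ranking of the rules worth fixing first) fit in one evaluation loop. The code below is an added example, not Brainwave GRC code or its rule format; the Purchase-to-Pay rule identifiers, application names, permission names and the 30-day grace period are assumptions, and the identity-to-permission assignments are constructed.

```python
"""SoD matrix evaluation with temporary internal-mobility exceptions and Pareto ranking.

Added example, not Brainwave GRC code. Constructed data: identity -> permission
assignments, a rule matrix of conflicting permission pairs (within one application
or across applications, as in Purchase-to-Pay), and transfer records that suppress
an identity's conflicts for a grace period after the move.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class SodRule:
    rule_id: str
    left: str   # "application:permission"
    right: str
    description: str


SOD_RULES = [  # assumed rule ids and permission names
    SodRule("P2P-01", "erp:vendor.create", "erp:invoice.approve", "create a vendor and approve its invoices"),
    SodRule("P2P-02", "erp:po.create", "erp:goods.receipt", "order goods and confirm their receipt"),
    SodRule("P2P-03", "erp:invoice.approve", "pay:payment.release", "approve invoice and release payment (cross-app)"),
    SodRule("P2P-04", "erp:vendor.create", "pay:payment.release", "create a vendor and pay it (cross-app)"),
    SodRule("HR-01", "hr:salary.edit", "pay:payment.release", "edit salary and release payment (cross-app)"),
]

ASSIGNMENTS: Dict[str, Set[str]] = {  # constructed
    "u01": {"erp:vendor.create", "erp:invoice.approve"},
    "u02": {"erp:vendor.create", "erp:invoice.approve", "pay:payment.release"},
    "u03": {"erp:po.create", "erp:goods.receipt"},   # just transferred, still holds old role
    "u04": {"erp:invoice.approve", "pay:payment.release"},
    "u05": {"erp:vendor.create", "erp:invoice.approve"},
    "u06": {"hr:salary.edit", "pay:payment.release"},
    "u07": {"erp:po.create"},
}


@dataclass(frozen=True)
class Transfer:
    identity: str
    moved_on: date


TRANSFERS = [Transfer("u03", date(2024, 5, 20))]
TODAY = date(2024, 6, 1)        # inside u03's grace period
AFTER_GRACE = date(2024, 7, 1)  # grace period expired: residual access becomes a finding

Conflict = Tuple[str, str]  # (identity, rule_id)


def evaluate(assignments, rules, transfers, today: date, grace_days: int):
    """Return (active, suppressed) conflicts; a transferred identity's conflicts are
    suppressed until moved_on + grace_days, after which they surface like any other."""
    grace_until = {t.identity: t.moved_on + timedelta(days=grace_days) for t in transfers}
    active: List[Conflict] = []
    suppressed: List[Conflict] = []
    for ident, perms in assignments.items():
        for r in rules:
            if r.left in perms and r.right in perms:
                if ident in grace_until and today <= grace_until[ident]:
                    suppressed.append((ident, r.rule_id))
                else:
                    active.append((ident, r.rule_id))
    return active, suppressed


def deviation_rate(active: List[Conflict], assignments) -> float:
    """Share of identities carrying at least one active conflict (the x% metric)."""
    return len({ident for ident, _ in active}) / len(assignments)


def within_tolerance(rate: float, threshold: float) -> bool:
    return rate <= threshold


def pareto(active: List[Conflict], target: float = 0.8):
    """Smallest set of rules (by conflict count, ties by rule id) covering `target`
    of all active conflicts: the remediation priority list."""
    counts: Dict[str, int] = {}
    for _, rule in active:
        counts[rule] = counts.get(rule, 0) + 1
    total = sum(counts.values())
    chosen, covered = [], 0
    for rule, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        chosen.append(rule)
        covered += n
        if covered / total >= target:
            break
    return chosen, covered / total
```

Note what the grace period does and does not do: it hides u03's order-and-receive conflict from the dashboard for 30 days, but the permission is still live, so the suppression must expire on its own (AFTER_GRACE) rather than wait for someone to remember; a suppression without an end date is just an undocumented exception.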
Step 5: Behavioral analytics
- Detect unknown risks

Individuals with abnormal behavior (screenshot): number of accessed files abnormally high for an IT consultant
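The "abnormally high for an IT consultant" finding is a peer-group comparison: the question is not whether a count is large in absolute terms but whether it is far outside what people with the same job do. The following is an added example (not Brainwave GRC code; the deck does not say which statistic the product uses) that scores each identity against its job-title peer group with a robust z-score built on the median and the median absolute deviation, so that the outlier itself cannot inflate the baseline. The job titles, user ids and weekly file-access counts are constructed; the 3.5 cut-off is the usual Iglewicz-Hoaglin threshold for the modified z-score.

```python
"""Peer-group outlier detection on file-access counts (behavioral analytics).

Added example, not Brainwave GRC code. Each identity's weekly file-access count is
compared with its peer group (same job title) using a modified z-score on the median
and the median absolute deviation (MAD), so one heavy user cannot drag the group's
baseline up and hide inside it. All data below is constructed.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    user: str
    title: str
    files_accessed: int
    peer_median: float
    score: float


# (user, job title, files accessed this week): constructed sample
ACCESS_COUNTS: List[Tuple[str, str, int]] = [
    ("c01", "IT consultant", 120), ("c02", "IT consultant", 135),
    ("c03", "IT consultant", 110), ("c04", "IT consultant", 128),
    ("c05", "IT consultant", 140), ("c06", "IT consultant", 2400),  # the outlier
    ("c07", "IT consultant", 115), ("c08", "IT consultant", 125),
    ("a01", "Financial analyst", 290), ("a02", "Financial analyst", 300),
    ("a03", "Financial analyst", 305), ("a04", "Financial analyst", 310),
    ("a05", "Financial analyst", 320), ("a06", "Financial analyst", 350),  # high, not abnormal
    ("d01", "DBA", 40), ("d02", "DBA", 900),  # too few peers to build a baseline
]


def robust_z(value: float, med: float, mad: float) -> float:
    """Modified z-score (Iglewicz & Hoaglin): 0.6745 * (x - median) / MAD."""
    return 0.6745 * (value - med) / mad


def detect(rows: List[Tuple[str, str, int]], threshold: float = 3.5,
           min_peers: int = 5) -> List[Finding]:
    """Flag identities whose count is abnormally high for their peer group."""
    groups: Dict[str, List[Tuple[str, int]]] = {}
    for user, title, n in rows:
        groups.setdefault(title, []).append((user, n))

    findings: List[Finding] = []
    for title, members in groups.items():
        if len(members) < min_peers:
            continue  # no credible baseline; in practice report these separately
        counts = [n for _, n in members]
        med = median(counts)
        mad = median(abs(n - med) for n in counts)
        for user, n in members:
            if mad == 0:
                # every peer sits on the median: any count above it is a deviation
                score = float("inf") if n > med else 0.0
            else:
                score = robust_z(n, med, mad)
            if score > threshold:
                findings.append(Finding(user, title, n, med, round(score, 2)))
    return sorted(findings, key=lambda f: -f.score)


if __name__ == "__main__":
    for f in detect(ACCESS_COUNTS):
        print(f)
```

Two caveats the example makes explicit: a group with too few members gets no score at all rather than a misleading one, and only the high side is flagged, since a consultant who accessed far fewer files than peers is not the risk this control is looking for. The finding is a lead for investigation, not proof; the deck's own wording ("why did an ASSISTANT perform these dangerous transactions?") is the right framing.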
Benefits

Before/after comparison (chart) by stakeholder:
- Internal Audit: data collection & processing, analysis of results, remediation
- Line of Business / application manager: time to perform reviews, time to monitor reviews
- IT: data collection, response to auditors, corrections

Better relations between business, IT, internal audit & external audit
Gain in productivity across the organisation
Increased value add
Share!

Deliver value: value added by analytics across the organisation
Speed: 30 to 90 days of effort to production
Flexibility / Agility: autonomy to create controls and analyse results

Share results and benefits with:
- Internal Audit
- IT Security
- Operational Risk
- Application owners
- Line of Business
- External Auditors

- More confidence and comfort
- More value across the organisation
- More operational and financial support
Contacts
Emmanuel Sol
C: +1 514 647 6574
emmanuel.sol@brainwavegrc.com
Eric In
D: +1 437 836 3621
C: +1 647 544 6000
eric.in@brainwavegrc.com
Graeme Hein
C: +1 416 795 3858
graeme.hein@brainwavegrc.com

Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
 
Monthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptxMonthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptx
 
A DAY IN THE LIFE OF A SALESMAN / WOMAN
A DAY IN THE LIFE OF A  SALESMAN / WOMANA DAY IN THE LIFE OF A  SALESMAN / WOMAN
A DAY IN THE LIFE OF A SALESMAN / WOMAN
 

Continuous Audit and Controls with Brainwave GRC

  • 1. BRAINWAVE GRC – How Machine Learning makes continuous audit and control possible
  • 2. Continuous Audit & Control? Continuous Audit: combined continuous evaluation of risks and controls on IT systems. Continuous audit allows the internal auditor to communicate his analysis of the object under consideration far faster than in the traditional retrospective approach. Continuous Control: process executed by management that enables them to verify that controls are functioning effectively (MPA 2320-4: Continuous assurance). GTAG3, Institute of Internal Auditors. © Brainwave GRC – Proprietary and Confidential Information – All Rights Reserved
  • 3. Why put in place continuous audit and controls? Rapid adaptation to the evolution of the enterprise: more interactions with partners and outside providers; evolution of systems, consolidation, cloud adoption; more sharing of data; evolution of work: employees, consultants, outsourced operations. Reduce the impact of risk. Efficiency (automation). Proactive vs reactive. Add value to the Line of Business.
  • 4. Hurdles to deploying continuous audit and controls – Technology. What are the hurdles? You? Data silos; data volume to manage; complexity of controls; identifying the best solutions; financial and operational support from IT and the Line of Business. Capabilities of technology: computing power; progress of analytics; reliability and traceability; productivity (automation); availability.
  • 5. What approach to adopt? The following is based on real deployment cases with clients; details have been anonymized. Step 1: Exhaustive controls on the existing perimeter. Step 2: Add new controls and extend the perimeter. Step 3: Implement more sophisticated controls. Step 4: Controls on business processes. Step 5: Behavioral analytics.
  • 6. Motivation 1: Reduce surprises! Internal Audit – Preparation: I take a sample; get results; remediate. External Audit – Big day: new sample; unpleasant surprise! In-depth control (SoX): select more data and ask detailed questions of IT, internal audit…
  • 7. Motivation 2: Be more proactive. Calendar: audit launched in February, results in August, corrections in September; in between, no visibility. Organization and risks change rapidly: reorganization / acquisition / sale; new systems, partners; new risks, new regulations.
  • 8. Motivation 3: Enable business. I manage valuable data for my clients; very competitive and sensitive sector; new client > new applications > new controls; explosive growth in the cost of implementing a new control; this is unsustainable, I do not want to be a permanent roadblock to business!
  • 9. Step 1: Exhaustive controls on the existing perimeter. Define audit frequency; automate the collection process; resume data extracts; sample -> comprehensive controls.
  • 10. Controls dashboard (1. Exhaustive controls on the existing perimeter).
  • 11. No more surprises: I have control over everyone (1. Exhaustive controls on the existing perimeter).
  • 12. I have the answers to questions from my auditor (1. Exhaustive controls on the existing perimeter).
  • 13. Complete view of access to applications: individuals and entities; applications & permissions (1. Exhaustive controls on the existing perimeter).
  • 14. Step 2: Add new controls and extend the perimeter. The right automation solution allows the addition of new controls with minimal effort and no coding. Agile construction of the control and rule matrix.
  • 15. Add new controls (2. Add new controls and extend the perimeter).
  • 16. Visualization of data access: individuals and entities; shared folders and type of access (2. Add new controls and extend the perimeter).
  • 17. Step 3: Implement more sophisticated controls. Sophisticated control: FRAUD. SoD + multiple operational steps across several applications; based on a fraud scenario. Object: a trader on mandatory vacation must not access the trading platform. Data: vacation/time-tracking application (HR), physical access control system (badge swipe), trading platform. Results: list of suspects sent to the manager in charge of the control for investigation. 1500 controls, 450 applications, 2 times/week.
  • 18. Sophisticated control: INTERNAL MOBILITY. Residual access in real life: a situation that must be temporary. Manufacturing client; temporary exception on the SoD matrix: internal transfer; track deviations with a custom tolerance threshold (x%); alert temporarily suppressed (x days). 1 million identities, 65 million tested permissions (3. Implement more sophisticated controls).
  • 19. Pareto: identify priorities for remediation. Resolving conflicts on these 6 SoD rules would eliminate 80% of problems (3. Implement more sophisticated controls).
  • 20. Step 4: Business process controls. Add a financial dimension to IT risks; additional level of comfort for internal & external auditors; SoD on complete business processes.
  • 21. End-to-end view of fraud risk in the « Purchase to Pay » process: detect intra-application frauds; detect inter-application frauds; model segregation of duties conflicts (4. Business process controls).
  • 22. Valuation of fraud risks on business processes: allocation of potential fraud risks by business process; impact of proven fraud by business process (4. Business process controls).
  • 23. Details of dangerous transactions: why did an ASSISTANT perform these dangerous transactions? (4. Business process controls)
  • 24. Step 5: Behavioral analytics. Detect unknown risks. Individuals with abnormal behavior: number of accessed files abnormally high for an IT consultant.
  • 25. Benefits. Before / After – Internal Audit: data collection & processing; analysis of results; remediation. Before / After – Line of Business / application manager: time to perform reviews; time to monitor reviews. Before / After – IT: data collection; response to auditors; corrections. Better relations between business, IT, internal audit & external audit; gain in productivity across the organisation; increased value add.
  • 26. Share! Deliver value: value added by analytics across the organisation. Speed: 30 to 90 days of effort to production. Flexibility / Agility: autonomy to create controls and analyse results. Share results and benefits with: Internal Audit, IT Security, Operational Risk, Application owners, Line of Business, External Auditors. More confidence and comfort; more value across the organisation; more operational and financial support.
  • 27. Contacts: Emmanuel Sol, C: +1 514 647 6574, emmanuel.sol@brainwavegrc.com. Eric In, D: +1 437 836 3621, C: +1 647 544 6000, eric.in@brainwavegrc.com. Graeme Hein, C: +1 416 795 3858, graeme.hein@brainwavegrc.com.
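The fraud scenario on slide 17 (a trader on mandatory vacation must not touch the trading platform) is a cross-source control: a join between an HR leave extract, the badge-swipe system and the trading platform's access log. The block below is an added example, not Brainwave GRC code; the three extracts, their column layouts, user ids and timestamps are all constructed here as assumptions. It produces the "list of suspects" the slide describes, and additionally separates days where the badge system corroborates physical presence from days where the platform was used with no swipe at all.

```python
"""Cross-source control: a trader on mandatory leave must not access the
trading platform. Added example (not Brainwave GRC code); all extracts
below are constructed and their formats are assumptions."""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed HR leave export: which periods are *mandatory* leave.
HR_VACATION_CSV = """\
user_id,start,end,kind
t.dupont,2024-03-04,2024-03-15,mandatory
t.ngo,2024-03-11,2024-03-22,mandatory
t.rossi,2024-03-04,2024-03-08,annual
"""

# Constructed physical access control export (badge swipes).
BADGE_CSV = """\
timestamp,user_id,door
2024-03-06T08:12:00,t.dupont,TRADING-FLOOR-N
2024-03-06T08:40:00,t.rossi,TRADING-FLOOR-N
2024-03-13T07:55:00,t.ngo,LOBBY
"""

# Constructed trading-platform access log.
TRADING_LOG_CSV = """\
timestamp,user_id,action
2024-03-05T10:00:00,t.rossi,LOGIN
2024-03-06T09:01:12,t.dupont,LOGIN
2024-03-06T09:03:40,t.dupont,ORDER_NEW
2024-03-13T22:10:05,t.ngo,LOGIN
2024-03-18T09:15:00,t.dupont,LOGIN
2024-03-20T23:30:00,t.ngo,LOGIN
"""


@dataclass
class Finding:
    """One suspect handed to the manager in charge of the control."""
    user_id: str
    vacation: tuple          # (start, end) of the mandatory leave
    platform_events: list    # platform activity timestamps inside the leave
    days_on_site: list       # days with platform activity and a badge swipe
    days_remote: list        # days with platform activity but no swipe


def parse_csv(text):
    """Minimal CSV reader (header line first, no quoting needed here)."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    return [dict(zip(header, line.split(","))) for line in lines[1:]]


def mandatory_leave(hr_rows):
    """user_id -> list of (start, end) periods of mandatory leave."""
    out = {}
    for row in hr_rows:
        if row["kind"] != "mandatory":
            continue  # ordinary annual leave is out of scope for this control
        period = (date.fromisoformat(row["start"]), date.fromisoformat(row["end"]))
        out.setdefault(row["user_id"], []).append(period)
    return out


def run_control(hr_csv=HR_VACATION_CSV, badge_csv=BADGE_CSV,
                trading_csv=TRADING_LOG_CSV):
    """Join the three sources; return the suspects in HR extract order."""
    leave = mandatory_leave(parse_csv(hr_csv))
    badge = parse_csv(badge_csv)
    trading = parse_csv(trading_csv)
    findings = []
    for user, periods in leave.items():
        for start, end in periods:
            def in_window(row):
                ts = datetime.fromisoformat(row["timestamp"])
                return row["user_id"] == user and start <= ts.date() <= end
            events = sorted(datetime.fromisoformat(r["timestamp"])
                            for r in trading if in_window(r))
            if not events:
                continue  # no platform activity during the leave: compliant
            swipe_days = {datetime.fromisoformat(r["timestamp"]).date()
                          for r in badge if in_window(r)}
            event_days = sorted({e.date() for e in events})
            findings.append(Finding(
                user_id=user, vacation=(start, end), platform_events=events,
                days_on_site=[d for d in event_days if d in swipe_days],
                days_remote=[d for d in event_days if d not in swipe_days]))
    return findings


def report(findings):
    """One plain-text line per suspect for the investigating manager."""
    return [f"{f.user_id}: leave {f.vacation[0]}..{f.vacation[1]}, "
            f"{len(f.platform_events)} platform event(s); "
            f"on-site {[str(d) for d in f.days_on_site]}, "
            f"remote {[str(d) for d in f.days_remote]}" for f in findings]


if __name__ == "__main__":
    for line in report(run_control()):
        print(line)
```

With the constructed data, t.rossi is skipped (annual leave, not mandatory), t.dupont is listed for two events on 6 March with a matching badge swipe, and t.ngo is listed for a 13 March login corroborated by a lobby swipe plus a 20 March login with no swipe at all. Keeping the on-site/remote split in the output matters for triage: the same rule violation points at different follow-up questions for the manager.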
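Slides 14, 18 and 19 describe three pieces of one mechanism: a rule matrix for segregation of duties, temporary exceptions (an internal transfer keeps both roles for x days, with a tolerance of x% on deviations) and a Pareto ranking of the rules whose remediation removes most conflicts. The block below is an added example, not Brainwave GRC code; the rule ids, permission names, identities and exception register are constructed assumptions. It generalizes slide 19 by taking the coverage target as a parameter rather than fixing it at 80%.

```python
"""SoD matrix evaluation with temporary exceptions, a tolerance threshold
and Pareto prioritization. Added example (not Brainwave GRC code); rules,
entitlements and the exception register are constructed assumptions."""
from collections import Counter
from datetime import date

# Constructed SoD rule matrix: (rule_id, permission_a, permission_b).
SOD_RULES = [
    ("SOD-01", "AP_CREATE_VENDOR", "AP_PAY_INVOICE"),
    ("SOD-02", "AP_CREATE_VENDOR", "AP_APPROVE_INVOICE"),
    ("SOD-03", "GL_POST_JOURNAL", "GL_APPROVE_JOURNAL"),
    ("SOD-04", "HR_CREATE_EMPLOYEE", "PAYROLL_RUN"),
]

# Constructed identity -> effective permissions extract.
PERMISSIONS = {
    "alice": {"AP_CREATE_VENDOR", "AP_PAY_INVOICE"},
    "bob":   {"AP_CREATE_VENDOR", "AP_PAY_INVOICE", "AP_APPROVE_INVOICE"},
    "carol": {"GL_POST_JOURNAL", "GL_APPROVE_JOURNAL"},
    "dave":  {"AP_CREATE_VENDOR", "AP_PAY_INVOICE"},   # mid internal transfer
    "erin":  {"HR_CREATE_EMPLOYEE"},
    "frank": {"AP_CREATE_VENDOR", "AP_PAY_INVOICE"},
    "grace": {"AP_CREATE_VENDOR", "AP_APPROVE_INVOICE"},
}

# Constructed exception register: (user, rule_id) -> expiry date. dave keeps
# both AP roles during a transfer; the alert is suppressed until the expiry
# (the "x days" of slide 18) and fires again once it has passed.
EXCEPTIONS = {("dave", "SOD-01"): date(2024, 4, 30)}


def raw_conflicts(rules=SOD_RULES, permissions=PERMISSIONS):
    """Every (user, rule_id) pair where the user holds both permissions."""
    return [(user, rid) for user, perms in permissions.items()
            for rid, a, b in rules if a in perms and b in perms]


def evaluate(today, tolerance_pct, rules=SOD_RULES, permissions=PERMISSIONS,
             exceptions=EXCEPTIONS):
    """Split conflicts into active and suppressed, then flag rules whose
    deviation rate (active conflicts / identities) exceeds the tolerance."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    active, suppressed = [], []
    for user, rid in raw_conflicts(rules, permissions):
        expiry = exceptions.get((user, rid))
        if expiry is not None and today <= expiry:
            suppressed.append((user, rid, expiry))   # documented, still listed
        else:
            active.append((user, rid))
    per_rule = Counter(rid for _, rid in active)
    population = len(permissions)
    over_tolerance = {rid: round(100.0 * n / population, 1)
                      for rid, n in per_rule.items()
                      if 100.0 * n / population > tolerance_pct}
    return {"active": active, "suppressed": suppressed,
            "per_rule": per_rule, "over_tolerance": over_tolerance}


def pareto_priorities(per_rule, target=0.8):
    """Rules, largest first, until `target` of active conflicts is covered."""
    total = sum(per_rule.values())
    if total == 0:
        return []
    chosen, covered = [], 0
    for rid, n in per_rule.most_common():
        chosen.append(rid)
        covered += n
        if covered / total >= target:
            break
    return chosen


if __name__ == "__main__":
    result = evaluate("2024-04-15", tolerance_pct=20)
    print("active:", result["active"])
    print("suppressed:", result["suppressed"])
    print("over tolerance (%):", result["over_tolerance"])
    print("remediate first:", pareto_priorities(result["per_rule"]))
```

Run on 15 April 2024 the transfer exception still holds, so dave's SOD-01 conflict is reported as suppressed rather than active; on 15 May it has expired and the conflict counts again, which is the "situation that must be temporary" of slide 18. Suppressed conflicts are returned alongside active ones on purpose: an exception that silently disappears from every report is exactly the residual access an auditor will later ask about.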

Editor's Notes

  1. Data silos: different heterogeneous systems. Volumes to manage: volume tied to the systems and to the frequency. Complexity of controls: controls across different systems, reconciliation. It already takes a long time in the classic mode! Identifying the right solutions: many specialized technologies. Financial and operational support from IT and lines of business: involvement beyond internal audit.
  2. We start from what already exists but immediately do better, with an exhaustive control and the possibility of complementary analysis.
  3. No more surprises: I have checked everyone.
  4. In the absence of a theoretical entitlement matrix, it is possible to iterate and update it progressively, starting from the existing situation.
  5. Screenshots: definition of a control in the studio. Presentation with a fuller dashboard. Continuous construction of the matrix and of controls (agile mode).
  6. With internal audit, IT security, operational risk, application owners and lines of business, auditors. Share the results and benefits with internal audit, IT security, operational risk, application owners and lines of business, auditors. More confidence and comfort. More value across the organization = more operational and financial support. Client example: more comfort with the auditor (screenshot of natural-language search + reports). Example of value for IT on access recertification. Example of value for lines of business: focus on the real risks, management of the exceptions that are part of real life.