Team Development, Internal Audit & Control 101

The development of a company’s employees is of major importance. Ultimately, progress and growth are what everyone’s after, but for that to happen, processes, workflow, and ethics must all be under control.

In order to create a secure operations environment, an organization needs to build its structure and staff it in line with the proper approach to the human factor in Information Security. Failing to do so usually results in a lack of direction, misplaced responsibility, and ultimately, operational disruptions.

THE TOP-DOWN APPROACH

Information Security is never built from the bottom up. Do not assume that everyone in the organization is tuned in to what needs to be done regarding Information Security, or how. The major roles are usually defined as:

Senior Management – creates the information security program, gives it organizational priority, and ensures proper and adequate staffing and funding. Responsible for ensuring that organizational assets are protected.

Data Owner (aka information owner or business owner) – a management employee responsible for ensuring the protection of specific data. Data classification, sensitivity labels, and the frequency of data backup are determined by this role.

Custodian – a role responsible for the actual protection of assets, performing tasks such as data backup and restoration, patching systems, etc., under detailed orders. Custodians do not make critical decisions on how data is protected.

User – the largest group by far, yet still a major information security role. Users follow rules: for Users, it is mandatory to comply with policies, procedures, standards, etc. Awareness work tells people how to do the right thing at the moments when their behavior can make a difference to the security of the company.

ADMINISTRATIVE PERSONNEL CONTROLS

These are fundamental operational security concepts that should be observed when organizing and structuring the staff of a company. These concepts are important because they do not only deal with personnel but permeate through multiple Information Security domains:

  • Least Privilege (aka Minimum Necessary Access) – dictates that every person’s access is strictly bound to the minimum required to perform their duties. This is the single most important principle that administrative security controls revolve around.
  • Split-knowledge – a process in which portions of a piece of data are held by multiple people, none of whom individually knows the data in its entirety. Each person can only enter or retrieve the portion they have access to, and the portions can be combined to recreate the whole only by someone whose access allows it.
  • Separation of duties – prescribes that multiple people are required to complete critical or sensitive transactions. The goal of separation of duties is to ensure that for someone to abuse access to sensitive data or transactions, that person must convince another party to act in concert.
  • Rotation of duties/job rotation – a process in which staff members are required to perform the same duties interchangeably on a rotation schedule. The company is better protected because different people perform, and in effect review, the work of the peers who did the same job in the previous rotation. Rotation of duties helps mitigate collusion, where two or more people are in alliance to subvert the security of a system.
  • Mandatory leave/forced vacation – an additional operational control, closely related to rotation of duties, with similar primary security considerations: reducing or detecting personnel single points of failure, and the detection and deterrence of fraud. Forcing all employees to take leave can identify areas where the depth of coverage is lacking or can help reveal fraudulent or suspicious behavior.
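The two controls most often implemented in software are split-knowledge and separation of duties. The following is an added illustration, not code from the original article: a secret is split into XOR shares so that every custodian’s share is needed to rebuild it (a lone share is indistinguishable from random bytes), and a sensitive request is gated so that the initiator can never be the approver. The key material, names and the `DualControlRequest` class are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field


def split_secret(secret: bytes, custodians: int) -> list[bytes]:
    """Split-knowledge: break `secret` into `custodians` XOR shares.

    Each share alone is uniformly random, so one custodian learns nothing
    about the whole; all shares are required to reconstruct it.
    """
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    shares = [secrets.token_bytes(len(secret)) for _ in range(custodians - 1)]
    # The final share is the secret XORed with every random share.
    last = bytearray(secret)
    for share in shares:
        for i, byte in enumerate(share):
            last[i] ^= byte
    shares.append(bytes(last))
    return shares


def recover_secret(shares: list[bytes]) -> bytes:
    """Recombine shares by XOR; only the complete set yields the secret."""
    if not shares:
        raise ValueError("no shares supplied")
    combined = bytearray(len(shares[0]))
    for share in shares:
        if len(share) != len(combined):
            raise ValueError("share length mismatch")
        for i, byte in enumerate(share):
            combined[i] ^= byte
    return bytes(combined)


@dataclass
class DualControlRequest:
    """Separation of duties: a sensitive action needs an initiator plus a
    distinct approver, and nobody may approve their own request."""
    action: str
    initiator: str
    approvers: set[str] = field(default_factory=set)

    def approve(self, approver: str) -> None:
        if approver == self.initiator:
            raise PermissionError(f"{approver} cannot approve their own request")
        self.approvers.add(approver)

    def is_authorized(self) -> bool:
        # Authorized only once someone other than the initiator has signed off.
        return any(a != self.initiator for a in self.approvers)


if __name__ == "__main__":
    # Constructed placeholder key material, not a real credential.
    key = b"example-master-key-material"
    shares = split_secret(key, 3)
    print("one share alone matches the key:", shares[0] == key)
    print("all three shares recover the key:", recover_secret(shares) == key)

    req = DualControlRequest("rotate production signing key", initiator="alice")
    print("initiator alone authorized:", req.is_authorized())
    req.approve("bob")
    print("authorized after a second person approves:", req.is_authorized())
```

XOR splitting is an all-or-nothing scheme: with fewer than all the shares the result is still random, which is exactly the split-knowledge property, but it also means losing one custodian loses the secret, so in practice an escrow or threshold scheme is layered on top.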

TYPICAL STRUCTURE AND INTERACTIONS

[Diagram: typical structure and interactions between Information Security and Internal Audit]

While the diagram above provides a generic structure to illustrate how Information Security and Internal Audit are related, both functionally and in terms of subordination and dependency, it is not to be applied blindly. When building one’s own structure, one should take into account the nature of the organization’s business and its existing structure, as well as resource considerations. The Information Security Manager, usually referred to as the Chief Information Security Officer (CISO), and their unit play a distinct role, which should not be confused with that of the Audit Committee (aka the Internal Audit and Control Unit), as detailed below.

The CISO

The Chief Information Security Officer (CISO) is the highest-ranking executive responsible for establishing and maintaining the fundamental business concept, the company’s strategy, and the programs that ensure assets and information technology are appropriately protected.

The CISO directs staff in the identification, development, implementation, and maintenance of processes across the organization to reduce information and information technology (IT) risks.

The CISO and their staff respond to incidents, establish appropriate standards and controls, manage security technologies, and guide the development and implementation of policies and procedures.

The CISO is also usually responsible for compliance related to company information.

The Internal Audit & Control Unit

The Internal Audit & Control Unit must hold a genuinely independent function; otherwise it becomes dysfunctional and its performance sub-standard. There are many degrees of independence and effectiveness, so a clear understanding of the business needs and circumstances is required.

The unit’s function is to provide a third level of control in the organization, independent of the first level of control, that is, of the top management of the company and of other units such as legal, human resources, financial control, etc.

The unit establishes appropriate policies and procedures to guide the internal audit function and to ensure the quality of the assurance services delivered, all aligned with and consistent with the company’s objectives and governance policies.

Outsourcing Your Internal Audit Function May Be a Viable Proposition

According to The Institute of Internal Auditors,

internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

OUTSOURCING?

Today, you can outsource almost everything, including your internal audit function. There are two scenarios you may want to consider here: outsourcing and co-sourcing. With pure outsourcing, you’re looking at a comprehensive service, where the entire function is performed by the service provider with a focus on risk. With co-sourcing, some sharing occurs. Usually, you would employ this service if you need assistance with, say, non-routine engagements that require deeper experience and expertise.

By outsourcing your internal audit function, you benefit from a number of otherwise hard-to-get results. Your organization stands to be evaluated in a more independent and unrestricted manner, so management receives more objective and unbiased assistance and advice. You will also benefit from a new level of assurance and coverage of risks, and will probably be able to reduce costs in both the short and the long run. If you want to align organizational governance with risk and compliance and be able to proactively identify and manage emerging risks, then you may want to consider outsourcing. Last, but not least, you may be able to free up some of your people for other, more important tasks.

KNOWLEDGE TRANSFER

Outsourcing is always good for situations when a broader skill set and deeper industry specialization are needed. You could receive additional intellectual capital that will give you insights and recommendations on leading practices through access to leading-edge tools and methodologies. All of these will effectively transfer new knowledge and build new capabilities into your company.

IS INTERNAL AUDIT OUTSOURCING NECESSARY?

There’s quite a debate over the pros and cons of outsourcing the Internal Audit function. The concerns derive mainly from the risk, responsibility, and reliability issues connected with the choice of external consultants. And that’s exactly how it should be. A good team would address these concerns by giving you, and fulfilling, a checklist of things to demand from an outsourced internal audit service arrangement:

  • All objectives are clearly defined;
  • The scope of the service is transparent;
  • The expertise level needed is properly identified;
  • You are able to review and agree on the performance metrics;
  • Together you plan for and establish who does what for remediation and follow-up;
  • You get assistance to create your own quality assurance and improvement programs;
  • Clear rules are defined for deliverables, i.e. the work papers, when the service terminates;
  • You are in control to limit, if applicable, the work your vendor may do for your competitors.

With the right people, methodologies, and technologies, the process and the professionals involved in the outsourcing should represent a true and objective alternative to an in-house solution. Through a business approach and cost-efficiency, the service company you hire should become your partner in risk for your business.

THE PROCESS

A typical outsourced internal audit project will have five phases:

[Diagram: the five phases of an outsourced internal audit project]

  • Selection – organization-wide or pre-selected area/project risk assessment to define audit surface and objective;
  • Planning – gather relevant information, stipulate chain of command/reporting, and draft plan with scope and timing;
  • Execution – fieldwork commences, with regular status meetings to discuss observations, potential findings, and recommendations;
  • Reporting – communicate draft and final report of findings, conclusions, and recommendations;
  • Follow-Up – on findings and approved remediation action plans; and re-audit where applicable.

WHAT TO LOOK FOR IN TERMS OF PRICING

The costs for an outsourced internal audit service will depend on the size, project complexity, and the industry sector of your company. Based on an initial and ongoing assessment, the vendor should provide flexible, tailored pricing to achieve and maintain internal audit standards.

The service ideology should be based on affordability with a maximized value-for-money approach. Depending on your company’s needs for internal audit involvement, and the complexity of one-time or ongoing projects, you should look for a vendor that will devise the most cost-effective plan to make sure your business model is adequately protected.