GRC: Be Connected! – Turning audit into enablement
23 February 2021 – Cyber Security Coalition
GRC Be connected: about auditing
Who’s afraid of the big, bad internal auditor? Well, that should be no one who attended the fourth GRC: Be connected! webinar, with focus on auditing – the why, the how and the value to an organization. Do check this webinar for the best possible returns on audit efforts.
The first presentation, by Monique Garsoux, Head of the Audit Office at Belfius, provided an overview of the internal auditor mission. It is about “how to enhance and protect organizational value by providing risk-based, objective assurance, advice and insight.” This is the result of activities based on standards, core principles and a code of ethics by independent professionals, to provide value to all stakeholders in the ‘three lines model’, whether operational people, management, governance bodies, externals and/or regulators, “to improve things, not to find problems.”
Bluntly, the internal auditor should not be a bogeyperson, but a trusted advisor in a bi-directional relationship with the organization, participating in its everyday workings by joining workgroups, meetings, etc. The purpose is to turn the audited parties into allies, with auditors being asked for advice. Rather than focusing on known risks, the auditor should be the thought leader, anticipating future and emerging risks by keeping abreast of new technologies and business evolutions.
Indeed, an audit is about benefits, for the auditor, the client and audit-savvy professionals – that is the mainstay of the presentation by Prof. Georges Ataya, Solvay Brussels School of Economics & Management. Why were audits invented? To offer comfort to persons wondering whether their organization is on par regarding risks and challenges, and to provide validated opinions on which decisions can be reliably based. An audit is about the relationship between the party requesting the audit, the accountable party and the assurance professional. It is about the scope of the assurance initiative, including the subject matter over which assurance is to be provided; about understanding the subject, including suitable criteria against which the subject matter will be assessed; and about communicating the results. It is about providing the requested comfort statement to whoever needs it, e.g. the board of directors.
In this presentation, Prof. Ataya once again points out the advantages of mapping actions and requirements onto the COBIT approach!
Ultimately, an audit is about opportunities. For the auditor, this is a matter of focusing on the client’s request and justifying every conclusion. The audit-savvy professional will turn it to their advantage, to prove the use of resources or to obtain arguments for additional efforts. The audit client will value the auditor as a source of a solid second opinion.
At the end of his presentation, Prof. Ataya urged the attendees to check with ISACA, either as a ‘connected’ participant or as a member, for the many advantages.
In the ‘Anatomy of an audit assignment’, Kelly Hogan, audit expert and trainer, provides an overview of the parts of an audit, with a focus on planning, performing the audit and communicating the results, based on the structure of the IIA audit model (Institute of Internal Auditors).
Of particular importance is the planning phase, with Kelly Hogan providing an overview of the basic steps, objectives, scope and – importantly – the use of a risk & control matrix. This phase is crucial for a successful audit, and a ‘must understand’ for the audited parties (e.g., explaining why this phase may consume 40 to 60% of the budget, because of a huge learning/‘getting acquainted’ effort). She also points out the deliverables the audited parties should expect to receive, possibly already including some preliminary recommendations. Solid planning is money and effort well spent!
Next she explains how an auditor goes about performing the audit: the ‘field work’ for ‘collecting sufficient, reliable, relevant and useful information’. Test results must be documented, to confirm facts. Again, a list of deliverables is given.
The communication phase – reporting – is again a multi-step activity, starting with a draft report. Feedback for comments on the draft is a must (both regarding facts and tone), leading to a final report and a customer survey (how well did the auditor do?).