Tips for Moving From a Controls-Based Approach to a Risk-Based Approach
In today’s modern and dynamic environment, the audit profession must evolve continuously and synergistically with the business and technology changes that occur every day. Professionals who are innovative, forward-thinking and fearless in the face of mental model adjustments will be the leaders of tomorrow. Mental models are the paradigms, or lenses, through which we view the world, and they can serve to limit our thinking if we are not receptive to hearing new views or thinking critically about our current practices.
At the North America and European CACS Conferences, ISACA holds 2 invitation-only IT Audit Leaders Forums and publishes the results for those who were not in attendance. This article contains my interpretation and guidance in applying one of the IT Audit Leader forum’s discussion topics to your enterprise. Challenges in the audit field are not only limited to the audit field; they are shared across many other disciplines and professional domains. If you are a security, governance, risk management or IT professional, consider these tips and how this challenge applies to your enterprise. The first challenge is moving from a controls-based, or checklist, approach to a risk-based approach:
- The controls-based approach—This approach is well-defined in the audit and assurance discipline. Audit and assurance roles are focused on the inspection, verification or conformance to a set of practices or controls to ensure guidance is being followed, records are accurate and effectiveness targets are being met. I know there are some nuances between types of engagements, but for the purposes of this article, it is assumed that audit and assurance professionals are tasked with ensuring and evaluating that things are operating according to a prescribed or bounded set of criteria. Many of the criteria that are audited or for which assurance is provided have already occurred, meaning that we look to the past to evaluate what has previously happened. This means that the online transaction has been performed, the security control is implemented and operating, or the financial statement has been attested to. There is no uncertainty in the result of the transaction (pass or fail), if the control is implemented or not, or if the financial statement is finalized. The primary risk in audit and attestation is in reaching an incorrect conclusion from the engagement or the risk of noncompliance if controls and practices are not operating as intended. Organizations spend a lot of time and money on implementing and testing controls rather than managing risk.
- The risk-based approach—This is a forward-looking view of uncertainty. In the landscape in which an organization operates, there are many things that impede an enterprise from accomplishing its objectives, achieving its financial or operational targets, or meeting its mission. A risk-based approach is best paired with a strategic view of the organization to understand which potential uncertainties or risk factors have the highest potential to prevent the organization from meeting its intended targets, objectives, mission, etc. A thoughtful risk assessment will consider the general things that can affect all organizations (about 80% of an enterprise risk) and will also consider those things that are specific to your individual type of business or organization (about 20% of an enterprise risk). The reason there are so many compliance regulations, control catalogs or best practices is that many organizations do not perform risk assessments with the rigor, depth or thoughtful analysis (qualitative and quantitative) that is needed to really understand where to focus the appropriate resources to manage the uncertainties that may materialize in a given day.
Implementing a set of prescribed controls or compliance regulations will generally protect an organization from about 75-85% of the risk in the environment, and it can be put into effect without the benefit of a comprehensive risk assessment. It is far easier to report on gaps in controls, security incidents or phishing attempts as risk events because they have already happened. Reporting on the uncertainty of what might or might not happen is a discipline that takes an investment of education, time and resources to report to management in a way that improves decision-making and does not rely solely on guessing, previous audit findings or reporting realized risk.
So, in the absence of a mature risk management program and process, the organization can be generally effective in preventing realized risk with a robust compliance or controls program. However, to ensure that you are managing the risk factors that have the most relevance to your organization, thoughtful risk identification, risk analysis, risk management and risk monitoring processes must be defined, implemented and measured for effectiveness. In general, an effective risk management process comprises the following components:
- Establish the organizational context—What are the mission, objectives and strategy?
- Identify risk—Risk to meeting the objectives, mission and strategy
- Analyze risk—Qualitative and quantitative; not guesswork
- Evaluate and prioritize risk—Based on analysis, not on what is in the news
- Respond to or treat risk—With projects that are managed to completion
- Measure and control the risk management process—By defining the processes and procedures and using standard templates and measurement scales
Here is one example to sum up the recommendations in this article:
- Conclusion: Looking backward, as a result of [audit finding], the company lost US $3 million in revenue during the third quarter.
- Risk: Looking forward, without a strategic plan to correct [audit finding], the company could potentially lose an additional US $3 million in the fourth quarter and US $4 million in the first quarter of the new year.
If you are interested in learning more about risk management, there are many quality ISACA publications that cover the topic in more detail. I will also be delivering a workshop on risk assessment and risk management at the upcoming 2018 North America CACS in Chicago, Illinois, USA.
Lisa Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.
Discover Why You Should Move Security to the Cloud
As organizations move workloads and infrastructure to the cloud, security solutions need to be updated. Legacy security solutions do not sufficiently detect and prevent today’s modern threats. Cybercriminals can quickly compromise and infiltrate organizations by using stolen credentials and exploiting vulnerabilities in misconfigured systems.
To help your enterprise move its security to the cloud safely, ISACA and Oracle present the “Top 5 Reasons to Move Security to the Cloud” webinar. It will cover the reasons to move security functions to the cloud and new cloud technologies, including artificial intelligence, machine learning and adaptive analytics. These new technologies help to monitor and prevent attacks that traditional tools cannot. This webinar takes place on 9 November at Noon CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.
Sridhar Karnam, senior director of security product marketing and global traffic manager at Oracle, will present the webinar. As a leader for Oracle cloud security, Karnam is helping to change the way customers detect, prevent, predict and respond to today’s innovative cyberthreats. He will present the webinar using his extensive IT security experience to illustrate the best and safest ways to implement cloud security for your enterprise.
To learn more about this webinar or to register for it, visit the Top 5 Reasons to Move Security to the Cloud page of the ISACA website.
Understand Risk Trends by Attending Virtual Summit
Join fellow IS/IT professionals, particularly those in IT risk management, in a free, half-day virtual summit that dynamically discusses critical issues affecting your organization’s risk universe. By attending this virtual summit, you can access live presentations; connect with peers around the world; and gain insights on evolving IT risk, enterprise threats and vulnerabilities trends. You will also:
- Learn recommendations and insights from experts to improve your organization’s IT risk management strategy.
- Engage with a panel of top professionals in a round-table discussion centered on risk management.
- Earn up to 4 free continuing professional education (CPE) hours.
ISACA, Lockpath, Rapid7 and Adobe will present the 2017 Virtual Summit: Understanding Risk. The event takes place on 30 November at 9 AM CDT (UTC -5 hours), and ISACA members can earn CPE hours by attending the summit.
To learn more about this event or to register for it, visit the 2017 Virtual Summit: Understanding Risk page of the ISACA website.
An Audit Program to Keep Your Data Safe
Information is one of an organization’s most precious intangible assets. Computer software is necessary to protect, process and support business-critical information. As such, computer software needs to be dependable and predictable. If software systems fail, devastating business interruptions could occur. This could include incorrect or interrupted information processing and security violations resulting in the unintended disclosure of sensitive or restricted information. With consequences so great, the need for a software assurance audit is high.
ISACA’s Software Assurance Audit/Audit Program will provide management with the means to assess the maturity and effectiveness of the enterprise’s policies and procedures relating to the development, acquisition and deployment of software. It can be used to help identify deficiencies in internal controls that may negatively affect various enterprise compliance components. It can also be used to identify control weaknesses in the processes to develop, acquire and deploy software that could affect the reliability, accuracy, stability and security of the enterprise’s information. This audit program specifically focuses on the policies and processes used to control the development, acquisition and deployment of software across the organization. The maturity of these controls, or the degree of their organizational integration, will also be assessed.
Conducting a formal assessment of an enterprise’s software development, acquisition and deployment allows an enterprise to know where controls are working and where they may be deficient. ISACA’s Software Assurance Audit/Audit Program provides IT auditors with the tools needed to successfully assess the risk associated with software that protects an enterprise’s valuable, intangible data. To download this audit program, visit the Software Assurance Audit/Audit Program page of the ISACA website.
White Paper: Explore Your Enterprise’s Use of Shadow IT
Lurking in the shadows of your enterprise is an IT application, tool, service or system that is being used to collaborate, develop software, share content, or store and manipulate data, and that has not been tested or approved by IT or IS functions. While these applications can help drive disruptive innovation, they can also expose the enterprise to a significant amount of risk.
The white paper Shadow IT Primer examines the threats and advantages associated with shadow IT. It also provides professionals with a matrix of mitigating controls, implementation steps and assessment guidance that represent a variety of today’s approaches and are applicable to almost any industry regardless of size, type of business or geographic location.
In addition to this white paper, ISACA has also produced a Sample Policy for Technology Purchasing, which will help your enterprise increase its transparency in the software and technologies it uses and supplies. You can access the complimentary ISACA white paper and companion piece on the Shadow IT Primer page of the ISACA website.
Welcome New ISACA Trivandrum Chapter
The ISACA Trivandrum (India) Chapter is the latest addition to ISACA’s network of chapters. There are now 217 chapters around the globe. The new chapter officially launches on 11 November 2017. IT professionals in Trivandrum have formed this new chapter of ISACA to serve the information security and cybersecurity, audit and assurance, risk and governance professionals in the local Trivandrum, Kollam, Nagercoil and Kanyakumari districts. The chapter has 50 members. (ISACA has more than 130,000 members in 188 countries.)
ISACA Trivandrum Chapter President Vijaya Valiathan, CISA, stated that, “With Trivandrum being responsible for almost 80% of the state’s software exports, it only made sense to establish an ISACA chapter. Launching an ISACA chapter has been a cherished dream for almost 10 years. We are excited to bring the association’s offerings to our IT professionals to continue the growth of our IT hub.”
Trivandrum is home to India’s first technology park, Technopark, the first to be assessed at capability maturity model integration (CMMI) Level 4. The technology park hosts more than 290 IT and IT-enabled services companies, making the opening of a Trivandrum chapter even more vital. These local professionals and businesses will benefit from ISACA’s resources and guidance provided by the new chapter, including its certifications and educational opportunities. A chapter inauguration and 1-day conference on “Cloud Security—Risk and Opportunities” will be held on 11 November as the chapter’s first event.