Persuasion: A Core Competency for GRC Professionals

Brian Tremblay
Imagine this as a GRC professional. It’s April 2016. The European Parliament passes the General Data Protection Regulation (GDPR) with an enforcement date of May 2018. Your organization is impacted. You are going to own this.

At first, you ask yourself – should I get going on this now? The answer is yes; the reality is you won’t. A year passes and the media pipes up about the clock ticking. You start to hear in your peer groups that people are starting to think about what they are going to do, but there’s little action. The clock strikes Q4 2017, your anxiety elevates, the consulting firms and professional organizations inundate your inbox with updates, trainings, services, etc., so you start your journey (late). You get organized, start reaching out to HR, IT, anyone who could be impacted. Crickets. A month passes. Two months pass, and it’s Q1 2018. You follow up. Finally, a response, maybe two come in. Finally, some momentum!

You re-engage your stakeholders, you email, call, try and set up meetings. Crickets. Q1 earnings come around. Analysts are asking. Your CEO says you are all over it and ready for the go live. Senior leadership is looking for an update. You’re working on it as best you can. The emails get responded to, finally. It’s a fire drill. You work tirelessly. GDPR goes live. You’re not quite there, but close enough that you finish by your Q2 earnings release. It’s been a disaster, but it’s over (until the next time).

Many GRC professionals live this awful cycle every time there’s a new regulation, accounting standard, etc. Why is this? Our jobs should be simple. We carry the big stick! Most of what we support is tied to law, standards and regulations. Our organizations have to comply or face potentially stiff penalties and reputational damage. So why don’t they? They claim no resources, or budget, or time. We’ve heard it all.

Why aren’t they listening? I argue that we don’t leverage persuasion, and we don’t build the skills to persuade.

The reality we live in as GRC professionals is that we simply can’t be successful in our job if we don’t persuade, and if we can’t persuade, we risk insufficiently addressing or failing to address risks to the organization. The repercussions could be severe. We could hinder our own and our teams’ careers and damage our reputations. In the narrative above, we all know who’s going to be on the hook if there’s a problem. And it won’t be those who ignored us for the better part of a year.

Persuasion is a skill. Some of it can be taught; most of it we already know (or could be defined as common sense). We simply need to be aware of this and implement some simple (in most cases) techniques to tilt the scales:

  1. Rapport is critical. If they don’t like you, send in someone else they do like. We can’t persuade someone who doesn’t like us.
  2. Acknowledge the stigma that may be attached to your title and role. Let’s be honest – colleagues may not really enjoy getting a visit from a GRC colleague. Acknowledging this might help remove the first barrier.
  3. Recognize the impact of mood. Having a bad day? Your counterpart having a bad day? Move the meeting; it simply won’t be productive. 
  4. Get out of a negative environment. The workplace can be a source of stress, so go grab a coffee or lunch or a drink. This is the real reason so many folks utilize “let’s grab a coffee” or similar approach to get things done.
  5. In person is always better. Smile a lot and use your colleagues’ name when you see them – people like hearing their name. Keep your tone of voice positive and upbeat. And while you’re at it, avoid using the word “I” – it will turn them off.
  6. Use how, not why, when requesting support. To most people, “why?” feels like an accusation. Don’t believe me? Think about how you feel when your boss or your spouse asks “why” you didn’t do something. It puts most people right on the defensive. “How” invites both parties to strive toward a common goal. The simple statement “GDPR goes live in 6 months – how do we ensure our organization is prepared?” invites both potential solutions and a sense of ownership in both parties.
  7. Listen. I mean it. Really listen. Can you do it? I can’t. Why? Because when I’m not talking, I’m thinking about what I am going to say next. Is that really listening? Bring someone with you to important meetings, and make it their job, and only job, to listen (take note of tone), watch body language, take notes, etc. Review that feedback after the meeting.

This seems easy enough, but the reality is if you don’t thoughtfully leverage some of these steps routinely, you’ll never reap the rewards. These won’t work all the time, but they’ll help increase the chance of success in your GRC role.
Have they helped me? You tell me – ever convinced a subsidiary to upgrade their ERP as part of an audit report? I have. And it was by using these tactics.

I’ll be discussing this topic further at the GRC conference next week in Nashville, Tennessee, USA. Track me down at GRC; I’d love to speak about these topics and lend a hand if I can.

Data Governance Is Becoming More Complicated – Enablers Can Help

Peter Tessin
Enterprises are becoming increasingly digital. Consider a bank that refers to itself as an information technology firm that happens to process financial transactions. Or, perhaps a manufacturer that likewise refers to itself as a technology company. The management of data is critical to all enterprises.

A breach can cause enormous harm outside of the core business of the enterprise. Target had a significant data breach that caused the company material damage. Technology firms are obviously at risk. Witness the recent breach at Equifax – the repercussions of that event are still being measured.

The short story is that no matter what business you’re in, data must be cared for!

The Getting Started with Data Governance using COBIT 5 paper looks at these issues from the perspective of using enablers to put goals and internal controls in place that will assist in the good shepherding of data. The paper extends the application of the COBIT 5 framework to the practice of data governance. The practice of data governance is described, and then elements of COBIT 5: Enabling Information are explored. Specific examples are provided against each of the COBIT 5 enablers.

Data maintenance and management are becoming ever more complicated. Data environments (e.g., the cloud) change rapidly, and so do internal enterprise data requirements. COBIT 5 provides definitions, good practices and modeling to assist practitioners in dealing with the critical role of data within the enterprise. Strong management provides the underpinning of good data governance.

Corporate governance and IT governance are credited with putting frameworks and standards in place to assist enterprises in using their resources effectively and efficiently to create and deliver value to their stakeholders. Data governance uses the same concepts, but applies them more narrowly to the protection and use of data. Enterprises must still define their needs for data and what resources will be available to accomplish those goals.

Once the right resources are in place, there needs to be performance measurement mechanisms put in place to ensure that the newly created, or altered, processes are functioning as needed. Reporting on the performance of data governance processes completes the data governance cycle. The governing body can then make additional, or new, directives to accomplish the enterprise’s data governance needs.

COBIT 5/DMM Practices Pathway Tool Enables More Impactful Data Management and Governance

Melanie Mecca
CMMI Institute became a subsidiary of ISACA in 2016, and the organizations focused attention on the synergies between the offerings in their combined product suite. The first joint project was to map COBIT 5, with its enterprise-wide IT governance focus, to CMMI Institute’s CMMI for Development reference model for software development and delivery.

Employing a similar approach, ISACA and CMMI Institute engaged in mapping COBIT 5 to the Data Management Maturity (DMM)℠ Model. The DMM is a reference model of fundamental data management best practices. It focuses on management of data as an enterprise asset, emphasizing the ownership and activities of business line staff over the data they create and manage. Data governance is a very important element of the DMM; 104 of the model’s 414 functional practices address approvals, decisions, and collaborative efforts concerning enterprise data. Since data governance is an important component of overall IT governance for an organization, one can view the DMM as extending the scope of COBIT to focus in detail on the data layer.

The COBIT 5/DMM Practices Pathway Tool, built in Excel for ease in navigation and end-user modification, is available for download on ISACA’s website. It is designed to be applied bi-directionally. Users of COBIT 5 can search for aligned practices in the DMM, and users of the DMM can search for aligned practices found in COBIT 5.

For instance, if starting from the DMM’s Data Quality category, the user can select a statement identifier from the DMM and retrieve COBIT-specific guidance. Conversely, if starting from the COBIT 5 Build, Acquire, and Implement domain, the user can select a specific practice and retrieve DMM-specific guidance.

Editor’s note: For more information on this topic, view an archived version of the “Leveraging COBIT 5 and DMM” webinar, which addresses the scope and conceptual affinities between COBIT 5 and the DMM; how we approached creating this mapping tool; and a demonstration of how it can be applied from either the COBIT 5 or the DMM perspective.

Cyber Security and Risk Should Be Standing Items on Board Agendas

Emily Manganyi Amukelani
The world has seen a surge of attention regarding cyber activity, and it has not been in a positive light.

Many organizations have experienced the harm that follows from these activities, especially organizations that have neither prioritized cyber risk nor made it part of their risk management agenda. Exposure to cyber threats is no longer something that affects only big multinationals with massive data centers; it applies to any organization that operates on, and is connected to, the Internet. A cyber breach, which almost always has an adverse impact on an organization, is no longer a matter of if; it is a matter of when.

The question that the leadership of an organization should be asking is how prepared it is, from a risk management perspective, to deal with the risks that come with the use of information and technology. Is this a prominent and standing agenda item at the board’s and executive committee’s meetings? If the answer to either of these questions is not affirmative, then the organization is more exposed to the risk of a cyberattack, and of not being able to recover operations as quickly as required for business to carry on as usual.

To ensure the continuity of business, the board should ensure that the organization’s risk management framework addresses cyber risks. Cyber risks must be identified, quantified in relation to the organization’s environment, and appropriate actions taken to minimize the impact of cyber-related incidents. The leadership of the organization should ensure that business continuity plans and arrangements are in place for incidents that may result from a cyberattack.

It is no longer the responsibility of only the operational staff in the IT department to deal with cyber risks. Cyber threats are too great to not afford them the level of attention they require at board and senior leadership levels.

Cyber security, risk management and business continuity planning must be standing items on the board and executive committee’s agendas. This will ensure that appropriate attention is given to areas where gaps may exist. This way, commitment will be afforded to enable the implementation of the required processes and solutions to address identified gaps and minimize risk exposure, as well as the impact that risk poses to the business.

Editor’s note: See more commentary on this topic from Emily, as well as from several other leading industry experts, at www.isaca.org/tech-governance-impact.

A Cyber Perception Gap? What Directors Want to Believe about Cyber Security vs. Real Cyber Risk

Dottie Schindlinger
Directors and executives want to believe their companies are adequately protected against cyber threats. ISACA’s recent survey of leadership teams reinforces the notion that most corporate leadership teams recognize cyber risk as a material threat to their businesses. As the research points out, 55% of respondents agree that their organization’s leadership team or board is doing everything it can to safeguard the organization’s digital assets. But does this perception represent reality?

In a study conducted earlier this year by NYSE Governance Services and Diligent, 381 directors of public companies were surveyed about their secure communication practices and their awareness of how those practices might affect the company’s cyber risk. The results were sobering, and they indicate a disconnect between what directors and executives believe about cyber security and the cyber risk created by their own communication practices.

To illustrate this point, consider that 92% of respondents use personal email accounts, including consumer services such as Yahoo! Mail, Gmail and AOL that sit outside the company’s security controls, at least occasionally to conduct board business. While 74% reported using secure board communication software to receive and transmit sensitive documents, 54% regularly download these documents onto personal devices or drives. Even when companies use secure board communication software, only 8% ask the IT, information security or data security team to sanction directors’ communication methods. Worse still, 62% indicated their company doesn’t require directors to participate in any cyber security training, and in ISACA’s new research, only 15% of respondents expect their organizations to fund an increase in cyber security training for board members in the next year.

Why does this matter? The job of a director requires access to extremely sensitive company data. Yet, directors don’t often receive direct oversight from the IT or data security team. Hackers have clearly figured this out. Consider this report on China’s APT 10 hacking group, which specifically targets corporate directors as an easy entry point to high-value information. Even someone as sophisticated as former Secretary of State Colin Powell, a director of Salesforce, was successfully hacked when a slide deck for an upcoming Salesforce board meeting was stolen from a personal email account. The data from the slide deck was leaked to the Wall Street Journal in advance of the board meeting, negatively impacting both Salesforce’s business strategy and its share price.

Meanwhile, a number of new regulations are cracking down on corporate negligence on cyber security and data privacy, and are holding directors and executives responsible for breaches. In March 2017, new cyber security regulations from the New York State Department of Financial Services took effect that require a board member (or senior officer) to personally certify, every year, that the company has an adequate cyber security program in place and that the program is regularly tested and reviewed. While this regulation is at the state level, it applies to any financial services firm regulated by the department that conducts business in New York, and it requires those firms to oversee the security of the third-party vendors serving them. Another case in point is the EU’s new General Data Protection Regulation (GDPR), set to take full effect in May 2018. This regulation allows fines as high as 4% of annual worldwide turnover for the most serious infringements, including failures to protect personal data, and leaves member states free to add further penalties, including criminal ones, for the directors or executives who are responsible. GDPR doesn’t just apply to EU companies; any company that stores, processes or accesses the personal data of individuals in the EU falls within its scope.

Both of these regulations reinforce the idea that directors and top executives hold the ultimate responsibility for overseeing cyber security and risk management for their organizations. Not only must they be aware of the cyber security programs and risk profile of their companies, they must also set the right tone for the rest of the company’s employees – demonstrating by their adherence to secure communication policies and practices that cyber security is important enough to warrant the regular time and attention of the company’s leaders.

This raises the question: why are corporate leaders so bullish about their level of cyber security? Perhaps one culprit is the way we generally raise cyber security issues in our boardrooms. Most board discussions of cyber risk consist of a “briefing” by the CSO or IT security team on what the company is doing to secure customer data and internal systems. Rarely do these briefings include a review of directors’ own communication methods, an effort to raise directors’ awareness of their own cyber risk, or training on how to handle sensitive data.

It’s time for us to help directors understand their real level of cyber risk and provide them with the secure tools, training and support to keep their communication – and our companies’ data – safe. An easy first step is to provide this article to your directors and add some time on the next board meeting agenda to discuss it. Get directors’ concerns out in the open. Only by candidly reviewing what’s happening now – and what should be happening – can any change be implemented.

Board Leadership Critical in Effectively Leveraging Technology

Robert Clyde
There is little doubt that better governance of technology leads to better business outcomes. More than 9 in 10 respondents in ISACA’s new Better Tech Governance is Better for Business research affirmed that reality.

But how can organizations ensure that they’re leveraging technology successfully, beginning with effective oversight from the board of directors?

The majority of ISACA’s survey respondents identified ensuring alignment between IT and stakeholder needs and establishing a clearer connection between business goals and IT goals as leading priorities that should drive organizations’ governance of technology.

That starts with a firm commitment to strong governance at the board level. This approach is an absolute necessity for all enterprises that intend to compete – and survive – in today’s technology-driven business landscape.

It can be challenging, however, for organizations to bring in board directors with the level of technology savvy needed to make sure that the right issues are being addressed and the right questions are being asked when it comes to making technology-related investments, and addressing key business imperatives such as cyber security, risk management and digital transformation.

Finding at least one board member with technology expertise can be a real difference-maker for the organization. This will naturally become easier over time, as digital natives grow into leadership positions, but can be a real challenge for now. Organizations should aggressively leverage their networks and tap into industry professional associations to find prospective board directors with much sought-after technology backgrounds.

What organizations must not do is bring aboard a “token geek” – that is, a person who is well-versed in technology but otherwise thoroughly unqualified to serve as a board director. Companies that have tried going this route end up with somebody who is ill-suited to be a board director and needs to be educated around the majority of discussions, detracting from the board’s overall efficiency and leadership capabilities.

A better option, provided an organization is struggling to secure quality board directors who are tech-savvy, is to work with outside experts who can bring that level of expertise to the board room. Organizations seeking technology consultants with instant credibility often turn to large, global firms that regularly provide this type of guidance to boards of directors.

An encouraging trend in enterprise governance of technology has been the evolution of CIOs and CISOs. In recent years, these leaders have elevated beyond technology honchos to become true business leaders, as well as excellent resources for boards of directors. The CIO or CISO should regularly be updating the board of directors about front-burner technology threats and opportunities that require board oversight. With the explosion of cyber security and emerging technology risks in recent years, the relationship between the CIO or CISO and the board of directors is one that organizations have to get right, or the consequences can be dire.

Aside from the board’s composition, organizations striving toward that critical connection between business goals and IT goals can benefit from governance frameworks such as COBIT. ISACA research participants identified risk management, cyber security and business and IT integration as the top three areas that benefit from a governance framework.

Effectively leveraging technology is the common denominator in today’s global economy. Beginning at the board level, organizations must determine their path to strong governance and prepare for the flurry of technology-centered challenges and opportunities that will only accelerate in the years to come.

Managing IT in Clinical Environments

Raef Meeuwisse
Working in healthcare technology is about as exciting as IT gets. Between the rapid evolution in healthcare technology and the increase in cyber threats, there has never been a sector with a greater need to balance effective governance with lean but agile delivery of new technologies.

You might have noticed that most of us now carry or wear devices capable of accurately measuring our physical activity, heart rate, blood oxygen levels and more. Most of us wear these for fun or to help promote a healthier lifestyle. However, have you ever stopped to consider the consequences if critical technologies in clinical environments were not functioning or became unavailable when they were needed?

Just how much care has to go into designing, developing and delivering a modern pacemaker? How robust does a pharmacy software system need to be to help ensure that nobody is given the wrong prescription due to the technology?

Managing information technology in clinical environments is somewhat different from managing it elsewhere because the consequences of errors can be much greater. It may seem overly dramatic to state that people sometimes die when clinical technology does not function as it should, or when it should, but that is the reality, and it is measured and recorded by regulatory agencies around the world.

Just what are the potential consequences if a hospital has its vital systems taken down by ransomware or any other form of cyber attack?

To find out how different the governance of enterprise information technology (GEIT) in clinical environments can be, ISACA recently commissioned a new paper on clinical GEIT. It aims to provide ISACA members with a concise introduction to this topic.

What can you expect to learn if you read this new ISACA paper? GEIT for Health Care aims to provide an overview of the principles behind the key regulations and standards that the management of a clinical environment often has to consider. After all, clinical environments can be dealing with life critical equipment, highly sensitive medical information and even financial transactions. That means these environments can find their governance needing to efficiently comply with clinical, financial and privacy regulations, sometimes within a single system.

For example, remember that pharmacy system? That could easily be required to manage the prescription of life critical drugs, the personal details of the people they are prescribed to and the financial information required to take payments.

All clinical technologies are expected to be fit for their intended purpose. The paper includes a summary of the principles of Good Clinical Practice (GCP) – the rules that help to ensure processes and technologies are appropriate. It also looks at how the use of electronic signatures is regulated, as well as efficiency tips on how some organizations manage their governance model.

How do the small clinical environments cope? Well, they mostly buy in commoditized technologies that are designed to meet the required standards. The more a clinical environment develops, designs and utilizes technology innovatively, the greater the amount of due diligence required to ensure those technologies are fit for purpose.

The ISACA paper can also be useful for people working in other highly regulated environments. It provides some valuable insight for all ISACA members into just how complex and sensitive some IT environments can be. The clinical GEIT publication also sets out to demonstrate how a controlled and efficient approach, using policies and procedures, is a fundamental requirement to effective compliance in highly regulated environments.

Many people fear the complexity of environments where large amounts of regulation exist. The reality is that by applying a structured but efficient governance model, regulatory standards can be met far more efficiently than you might think. After all, the controls we use for safe financial processing and those we use for managing human health are more closely related than you might expect.

If you want to find out the basics of how to manage the governance of enterprise information technology in clinical environments, this new ISACA guidance is well worth a read (and I’d say that even if I weren’t the author).

Build a Small Business with GEIT and Security in Mind

Ammett Williams
Despite the prominence of larger companies, the growth of small businesses and entrepreneurs is also critical to a society’s development. Entrepreneurship can drive the growth of new businesses, provide solutions for various market niches, foster innovation and generate job creation. The entrepreneurial activities of today can impact the Fortune 500 of tomorrow.

Small businesses and start-ups are the starting point for many who seek to navigate the complexities of modern enterprise. One of the things that may be overlooked at the beginning is the implication of IT governance and security for an enterprise’s future health. Regardless of the sector, both have important roles to play in continued success. Below are some standard considerations for each area.

General security perspectives needing consideration:

  • What industry/market sector is being entered? It helps to understand the product/service to be developed.
  • What are the sector’s regulations? It is critical to understand compliance and mandatory obligations.
  • What are the risks? Understanding existing constraints and future possibilities provides essential context.
  • What is the overall strategy and security strategy? Understand and build the risk appetite at the start. 

General IT perspectives needing consideration:

  • What existing technologies can we leverage at this time? Cloud; small, in-house data centers; and outsourcing options—all are considerations.
  • What type of information is needed from customers? Basic contact details for mailing lists, personally identifiable information (PII) and/or payment information may be required, and each type carries its own protection obligations.
  • How can IT work with and support the business plan/strategy? Ensure the correct investment is made based on business requirements.
  • How does IT grow with the business? Explore digital avenues that can enhance the customer experience and increase the customer base.

There is a certain excitement for an entrepreneur entering the market: the joys of prospects unknown and the hope of building a satisfied, stable customer base. However, cash flow can be a major challenge, so many things are overlooked in order to get the business off the ground. This can result in problems down the road, such as regulatory fines, data breaches and compliance issues, to name a few.

The alignment of the entrepreneurial vision, security and IT can provide a strong foundation to build out the enterprise. GEIT principles can be helpful in the smallest of enterprises since they can be tailored as business expands and provide the necessary checks and balances to mitigate risk. A little time at the start can be helpful in the long run to face the digital disruption roller coaster of the future.

COBIT 5 and the NIST Cybersecurity Framework – A Simplified Framework Solution

Picking the right frameworks to support your organization’s governance, risk, compliance and cyber security efforts is overwhelming. Do you pick the most popular framework for each area, or assemble a collection of applicable frameworks that all drive toward a common goal? There are literally dozens of frameworks to choose from, but the common underlying theme is this: create value for the enterprise. A realistic solution is to create a common core governing model that can link to the myriad standards, models and best practices available while meeting stakeholder needs.

As a former CIO of a managed service provider in North America, I’ve experienced the above. Our company provided outsourced IT services to more than 100 client companies, and we experienced some major issues. Chief among those issues was navigating through the multitude of standards, requirements and compliance needs for each of our tenant organizations. Everyone had different needs, and our charter was to satisfy those needs. Enter the growing demand for a strong cyber security program, and the formula became even more complicated.

We had a gap in our framework architecture that was exposing vulnerabilities in our cyber security posture. At the enterprise level, we used the balanced scorecard and COSO to determine the correct balance of performance and conformance, which was good. Now, skip down to the operational level. Here, we were haphazardly applying ‘checklists’ from the various popular frameworks and guidance. These included NIST Special Publications, ISO/IEC 27001, and the CIS Critical Security Controls. As you can probably guess, this is where we became overwhelmed. We had duplicate controls, wasted resources and pressure to meet every part of every security checklist.

There was a gap between enterprise governance and operations; we were missing a vital link. This was the perfect spot to consider the governance of enterprise IT, or GEIT. We needed a mechanism to link the frameworks between the enterprise level and operational level. From our cyber security perspective, we needed this link to be a “framework to manage our frameworks,” and that solution was leveraging the COBIT 5 and NIST Cybersecurity frameworks. This was important because by using risk scenarios as a driver, we could use COBIT and the NIST framework as the critical link, or what I call ‘middleware’ between our enterprise drivers and operational tasks.

This solution allowed our organization to focus our cyber security practices that supported stakeholder needs based on key areas that created value by optimizing our risks and resources. By following the implementation guidance in both COBIT and NIST, we were able to effectively govern and manage our cyber security risks and resources. What were the key benefits to adopting these two frameworks together? Here are the three top reasons for our organization: 

  1. Both have solid implementation guidance. Although each framework has a suggested implementation methodology, they are easily mapped to each other and would be best used together for cyber security adoption. The COBIT implementation method offers a step-by-step approach to adopting good governance practices, while the NIST Cybersecurity Framework implementation guidance focuses specifically on the cyber security-related practices.
  2. The frameworks reference each other. Each of these frameworks notes where the other complements them. COBIT refers to the appropriate NIST publications at the process level, and NIST refers to COBIT practices as informative references. This allows for better mapping, reduced duplication, and a broader view of a cyber security program as a part of an overall GEIT initiative.
  3. They both provide a holistic approach. One of the COBIT principles is called “Applying a Holistic Approach,” and focuses on a set of enablers. Think about these enablers as the ingredients to a holistic GEIT program. The NIST Cybersecurity Framework, on the other hand, is what I consider a holistic approach to a solid cyber security program by providing a framework core consisting of five functions (Identify, Protect, Detect, Respond and Recover), and includes activities, desired outcomes, and applicable references.

If you are overwhelmed with all of the cyber security options facing your organization and you’re not quite sure where to start, give this formula some thought. You may find that it is a great way to get a central governing model for your cyber security efforts.

Editor’s note: For more guidance on implementing the NIST Cybersecurity Framework using COBIT 5, view a new ISACA white paper here.

Internal Control System – Whose System Is It Anyway?

Auditors have a wealth of knowledge acquired through engagement with employees at all levels of the organization, but they can never replace the role management and the business process owner play in ensuring that controls are adequately designed, implemented and are continuously functioning. No matter how many ‘red’ audit reports auditors issue, as long as management is not on board, the role of an auditor is of no value to the organization.

It is quite interesting to evaluate the significant impact that each of the players in the three lines of defense has in ensuring a sound system of internal controls. To analyse this and dispel some of the myths about the role of auditors in the internal control system, I reviewed the COBIT 5 process MEA02 – Monitor, Evaluate and Assess System of Internal Controls. I will start by defining the RACI model, which shows which piece of the process each player holds.

The RACI model outlines the roles and responsibilities of each actor in the process being reviewed. I will describe it the way I explain it to my auditees: simplified, so that they clearly understand how our work affects one another (see Table 1).

Table 1: RACI Acronyms

| Letter | Meaning |
|---|---|
| Responsible | The guy or girl whose hands get dirty. |
| Accountable | The wind breaker, or simply the fall guy or girl. |
| Consulted | I am not getting my hands dirty, but I can share my knowledge. |
| Informed | Just want to know what you are up to. |

See Table 2 below for the proposed roles and responsibilities of the actors in the internal control system.

Table 2: COBIT 5 MEA02 Monitor, Evaluate and Assess System of Internal Controls

| Management Practice | Chief Executive Officer | Business Executive | Business Process Owners | Chief Risk Officer | Audit | Chief Information Officer |
|---|---|---|---|---|---|---|
| MEA02.01 Monitor internal controls | I | | R | R | R | A |
| MEA02.02 Review business process controls effectiveness | I | A | R | I | R | C |
| MEA02.03 Perform control self-assessments | I | | R | R | R | A |
| MEA02.04 Identify and report control deficiencies | I | | R | I | R | A |
| MEA02.05 Ensure that assurance providers are independent and qualified | | | R | | A | R |
| MEA02.06 Plan assurance initiatives | A | | R | | C | R |
| MEA02.07 Scope assurance initiatives | | | R | | A | R |
| MEA02.08 Execute assurance initiatives | | | R | | A | R |

To analyze the internal control system, I will discuss five key points about the responsibilities of audit, risk and management.

Internal auditors are not accountable for ensuring that controls are monitored. Auditors are only responsible for ascertaining that controls have been adequately designed, implemented and are operating effectively, which includes providing assurance on the monitoring of controls by IT management. It’s a fact that auditors can get their hands dirty, but they are not the fall people. The accountability and responsibility roles in the monitoring of controls do not seem to be clear. Controls that consist of management monitoring other controls almost always appear in the audit report; for example, the monitoring of user access, audit logs and activities carried out by users with high privileges. Management’s accountability for internal controls should not be relegated to a mitigating control, as many have done.

Auditors and business process owners share the same responsibility for reviewing the effectiveness of controls. Refer to Table 2 above, MEA02.02. A prudent manager always carries out a self-audit and reports on the department’s weaknesses. I have sat in meetings where the manager of a division would say, “I am worried about this area. Could you ensure that you focus on it?” It’s not wrong for management to request that internal audit scrutinize a certain area in his or her division, but it’s always worrying when the tone suggests that the manager has no idea of the processes followed in that particular area. That shows that the manager is not aware of his or her responsibility to ensure effective controls. The auditor’s role in assuring effectiveness is only for reporting purposes, while the process owner’s role is for operational purposes and is far more imperative than the auditor’s report. Likewise, control self-assessments coordinated by the risk division are the responsibility of the process owner.

IT management has a right to ensure that qualified internal auditors carry out audit assignments in a professional manner. A balance needs to be found when training auditors, especially on complex assignments. I know this is potentially stepping on my own toes, but after management gives time and resources to the auditor to carry out their work, it is disappointing for management to receive a report that does not show that the auditor understood the process being audited. It is not surprising, then, when reviewing MEA02.05 in Table 2 above, to note that the process owner and IT management have been tasked with the responsibility of ensuring that qualified assurers are engaged.

The business process owners’ fingerprints are all over the entire internal control system. From Table 2 above, it is clear that the process owner is responsible for every practice in the process of monitoring the internal control system. This is why it’s imperative for internal auditors to work hand-in-hand with the process owner, as the latter’s input is required in all aspects of the system. The notion that “we will only disclose information that the auditors ask for” does not hurt the internal auditor but, rather, hurts the process owner. Auditors merely provide feedback on the status of the system, while the process owner builds the system.

In an analysis of the roles that audit, risk, the process owner and the chief information officer play in monitoring the internal control system, it is clear that all players have their hands dirty. Those with a quantitative mindset can count the R’s listed in Table 2 under each player. It then becomes quite clear that all actors have a role to play. For the internal control system to mature, each player needs to understand their role and support others where their input is required, even if it is just to receive information. The goal of the system is not to police, expose gaps, or show faults, but rather to ensure that collective efforts lead to a more sustainable operating environment.
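As an added example, not part of the original post, here is a small Python check over Table 2: it counts the R’s per role, as suggested above, and flags practices that break the usual RACI rules (exactly one A, at least one R). The column-to-letter assignments are transcribed from the table as it reads here and are an assumption of this transcription.

```python
# Added example (not from the ISACA post): a validator for the MEA02 RACI
# chart in Table 2.  Letters per role are transcribed from the table as read
# above (assumption); the checks are standard RACI sanity rules.
ROLES = ["CEO", "Business Executive", "Business Process Owner",
         "CRO", "Audit", "CIO"]

# One letter per role, in ROLES order; "" means the role is not involved.
MEA02 = {
    "MEA02.01 Monitor internal controls":                  ["I", "",  "R", "R", "R", "A"],
    "MEA02.02 Review business process controls effectiveness": ["I", "A", "R", "I", "R", "C"],
    "MEA02.03 Perform control self-assessments":           ["I", "",  "R", "R", "R", "A"],
    "MEA02.04 Identify and report control deficiencies":   ["I", "",  "R", "I", "R", "A"],
    "MEA02.05 Ensure assurance providers are independent and qualified": ["", "", "R", "", "A", "R"],
    "MEA02.06 Plan assurance initiatives":                 ["A", "",  "R", "",  "C", "R"],
    "MEA02.07 Scope assurance initiatives":                ["",  "",  "R", "",  "A", "R"],
    "MEA02.08 Execute assurance initiatives":              ["",  "",  "R", "",  "A", "R"],
}

def count_letter(letter, chart=MEA02):
    """Number of practices in which each role carries `letter` (e.g. 'R')."""
    return {role: sum(1 for row in chart.values() if row[i] == letter)
            for i, role in enumerate(ROLES)}

def raci_findings(chart=MEA02):
    """Practices that violate the RACI rules: exactly one A and at least one R."""
    findings = []
    for practice, row in chart.items():
        if row.count("A") != 1:
            findings.append(f"{practice}: {row.count('A')} accountable roles")
        if "R" not in row:
            findings.append(f"{practice}: no responsible role")
    return findings

def roles_responsible_everywhere(chart=MEA02):
    """Roles holding R in every practice (the post's point about the process owner)."""
    return [role for i, role in enumerate(ROLES)
            if all(row[i] == "R" for row in chart.values())]

if __name__ == "__main__":
    for role, n in count_letter("R").items():
        print(f"{role:24s} R x {n}")
    print("Findings:", raci_findings() or "none")
    print("R in every practice:", roles_responsible_everywhere())
```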
