@ISACA Volume 3  7 February 2018

Enhancing the Effectiveness of Audit Presentations


Sunil Bakshi

IS auditors need to finalize audit reports based on the analysis of objective evidence and conduct an exit meeting with auditee management. The exit meeting helps uncover gaps in the audit findings. Senior management in many organizations are interested in meeting auditors to get input on the effectiveness of controls in their IS environment.

During one such audit, my team was asked to present to the board of directors and senior management. Just a few minutes before the meeting, we were informed that the board only allotted 5 minutes for us to present. In preparation for this meeting, we had created process flow diagrams for major controls areas using 3 colors—red, amber and green—indicating “missing activities,” “activities not performed as per objectives” and “activities performed properly.” We took our 5 minutes to present these process flow diagrams and then we were asked to elaborate and provide details. The presentation continued for another half an hour.

During the presentation, we highlighted the weaknesses of controls implemented in the IT environment and the business impact due to these weaknesses. For example, one missing control in the IT environment required the business function to initiate a reconciliation process resulting in service delivery delays and additional cost for manual control implementation. This helped the members of the board and senior management to understand the impact in business terms.

We learned 2 things in this meeting:

  1. Always relate the audit findings to control processes. This helps management understand the impact of control weaknesses.
  2. Always present the impact of a control weakness with reference to the business function rather than the technology.

Some tips for presenting control processes include:

  1. Understand the complete control process. For example, the access control process consists of:
    • Access request
    • Access request approval by asset/data owner
    • Granting of request using access control matrix
    • Periodically reviewing access
    • Revoking access
    • Modifying access
    • Monitoring access (e.g., successful logins, login failures)
  2. Draw the process flow as implemented in the auditee area and use the appropriate colors to indicate weak activities.
  3. Explain the weaknesses while presenting.
  4. Understand the impact of a weak control on the business function. For example, highlight how a weak control will result in a failure to meet service level objectives.

To emphasize the effectiveness or weaknesses of controls to senior management, IS auditors need to relate audit findings to control processes and show their relevant impact to concerned business functions. The exit meeting helps senior management to gain auditor input and uncover gaps in the audit findings.

Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP, is a consultant and trainer in IT governance and information security.


Webinar: Learn Where Cyberrisk and GDPR Intersect



Cyberrisk can translate into noncompliance with laws and regulations. The new EU General Data Protection Regulation (GDPR) must be implemented in a healthy cybersecurity environment. This is especially important because of GDPR’s global impact and prescriptive nature.

For a deeper dive into how GDPR's mandates map to vulnerabilities, technical controls and requirements for overall cybersecurity posture, ISACA and SecurityScorecard present the “Where Do Cyber-Risks and GDPR Compliance Meet?” webinar. This webinar will enable you to walk away with a deeper understanding of how GDPR requires your organization to have robust cybersecurity health and what controls need to be in place to ensure compliance by design. This webinar takes place on 20 February at 11AM CST (UTC -6 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Fouad Khalil, head of compliance at SecurityScorecard, will present the webinar. His extensive experience with internal and external compliance in the technology space allows him to guide you and your enterprise toward a greater understanding of the intersection between cyberrisk and GDPR.

To learn more about this webinar or to register for it, visit the Where Do Cyber-Risks and GDPR Compliance Meet? page of the ISACA website.


Learn to Build a Better Security Foundation in This Webinar



Building a better security foundation begins with reviewing the current risk and security standards. Strong security programs adapt and change, utilizing the US National Institute of Standards and Technology (NIST) Risk Management Framework (RMF), NIST Special Publication (SP) 800-53 (Revision 5), and the NIST Cybersecurity Framework (NIST CSF).

To help explain the recent changes in these guidelines and show where your organization’s security and privacy program need to adapt, ISACA presents the “Security and Privacy: Building a Stronger Foundation” webinar. This webinar will also provide an alternate privacy plan. This webinar takes place on 22 February at 11AM CST (UTC -6 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Larry G. Wlosinski, CISA, CRISC, CISM, CAP, CAPM, CBCP, CCSP, CDP, CISSP, PMP, ITIL v3, will lead the webinar. Wlosinski is a senior consultant at Coalfire-Federal with more than 42 years of experience, the last 18 of which have been dedicated to information security. He will use his extensive IT security background to clearly demonstrate how to use current standards to develop your organization's security program.

To learn more about this webinar or to register for it, visit the Security and Privacy: Building a Stronger Foundation page of the ISACA website.


Discover the Ins and Outs of GDPR Implementation With This Book


The EU General Data Protection Regulation (GDPR) is the result of extensive cultural, legal and practical discussions around the privacy of personal data and information. While the GDPR itself is relatively straightforward in its wording and stipulations, its introduction has created many practical challenges for enterprises. EU member states and enterprises that process EU citizens’ information need to create or adapt the requisite administrative agencies, offices and departments, and establish stable processes and adequate provisions for supervised and controlled personal data processing. Because of this, both government entities and private enterprises are facing challenges implementing GDPR in a short span of time.

The Implementing the General Data Protection Regulation online book offers practical advice on implementing GDPR and achieving an adequate level of compliance by May 2018. It makes use of the COBIT 5 framework and related publications to provide an effective, reliable and proven foundation for GDPR projects in commercial and not-for-profit enterprises. The book further includes insights into transitioning an initial GDPR implementation to a full data protection management system (DPMS).

You can purchase this ISACA online book on the Implementing the General Data Protection Regulation page of the ISACA website. It is US $25 for members and US $50 for non-members. For more information on GDPR readiness, assessments and compliance, please visit www.isaca.org/GDPR.


Learn the Importance of Workforce Diversity



Diversity in the workforce is crucial as men, women, and people from different backgrounds and cultures all have different perspectives and skills to offer. The ISACA SheLeadsTech program specifically seeks to increase the representation of women in technology leadership roles and the technology workforce. This increase in diversity benefits organizations, teams and individuals.

To help explain how workforce diversity affects you, your organization and your career, ISACA presents “The Benefits of a Diverse Workforce” webinar. This webinar will feature a panel discussion on the experiences of women in technology and the benefits of workforce diversity. This webinar takes place on 15 February at 11AM CST (UTC -6 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Sarah Ahmad Abedin, CISA, CGEIT, CRISC, Sarah Orton and Shan Senanayake, CISA, CRISC, CISSP, will be the panelists in this webinar. They will use their combined experience in IT management and background as ISACA women in tech to provide insights into what women leaders can provide to the workforce.

To learn more about this webinar or to register for it, visit The Benefits of a Diverse Workforce page of the ISACA website.


The Top 4 Security Vulnerabilities You Might Be Overlooking


Data breaches and vulnerabilities are an ever-present threat in today’s society. Almost everything we do is linked to data storage, and this means that more of our sensitive information is subject to attack or identification. The Nexus author Tyler Hardison, CISSP, PCI Qualified Security Assessor, illustrates what security vulnerabilities you may be overlooking in his article “The Top 4 Security Vulnerabilities You Might Be Overlooking.”

Daily news headlines scream high-profile information security failures and consequences—Hacked! Attacked! Ransomware!—reinforcing that the severity of risk posed to sensitive information is unprecedented. Security threats can put your organization and your customers’ sensitive information at risk, costing you in customer loss, diminished trust in your brand and regulatory fines. Where are our data? What are our security holes? What are our risk scenarios?

Over numerous client engagements, our firm’s findings indicate that a basic networking error or an older version of software that is rarely used could, in fact, be the vehicle a hacker needs to break in, exposing customer data and sensitive information.

Data are everywhere and so are data breaches—and breaches are occurring with increasing frequency and volume. In today’s complex cyberworld, cybersecurity risk and incidents are part of doing business. Chances are, your organization’s data will be—or already have been—breached.

Read Tyler Hardison’s full article, “The Top Four Security Vulnerabilities You Might Be Overlooking” in The Nexus. To subscribe to The Nexus, visit the Subscribe to The Nexus page of the ISACA website.