The Evolution of IT Risk & Compliance

February 2012
Rosalyn Ellis, CRISC
Susan Hoffman, CISA, CGEIT


Page 1: The Evolution of IT Risk & Compliance

The Evolution of IT Risk & Compliance

February 2012

Rosalyn Ellis, CRISC

Susan Hoffman, CISA, CGEIT

Page 2: The Evolution of IT Risk & Compliance

Achieving SOX Compliance

Developed set of control requirements
  Application Change Management
  Application & Data Security
Documented existing controls and processes
Established new controls and processes

Page 3: The Evolution of IT Risk & Compliance

Issue at hand...

Review, assess, consider materiality of issues, priority, determine level of audit issues/complexity to close gaps
Evaluated and documented IT controls
Clarified "ownership" for the controls
New applications / solutions introduced to environment requiring proper controls

Page 4: The Evolution of IT Risk & Compliance

Established a team… Purpose
  Implement according to policy
  Audit to the policy
Partners with... Internal & External Audit teams
  Determine needed IT controls
  Define how to test the controls
IT staff:
  Build compliance into IT solutions
  Determine ways to align compliance efforts with IT initiatives

Page 5: The Evolution of IT Risk & Compliance

IT Risk & Compliance…

Assembled list of IT controls according to policy, identifying specific frequency and owners
Established Self-Audit Program
  Conduct self-audit test on each IT control
  Identifies gaps with the existing IT controls
  Provides for auditor reliance on self-audit results

Page 6: The Evolution of IT Risk & Compliance


Page 7: The Evolution of IT Risk & Compliance

Benefits of Self-Audit Program

The IT Organization
  Assumes responsibility for the IT controls
  Gains confidence that IT controls and processes are effective and efficient
  Identifies control weaknesses in advance of Internal or External Audit tests
  Identifies process improvements with current controls and processes

Page 8: The Evolution of IT Risk & Compliance

Benefits of Self-Audit Program


Page 9: The Evolution of IT Risk & Compliance

Beyond Self-Audit Concepts

Database Activity Monitoring (DAM)
  Explore other uses for current tool
Business Processes comply with eDiscovery requirements
Self Audit of Business Application SOA Architecture
Self Audit of Mobile Applications

Page 10: The Evolution of IT Risk & Compliance

Expanding Self-Audit Concepts

Coordinate Assessments
  Internal Risk Assessments
  3rd Party Assessments
Current Topics & Technology
  Cloud Computing
  PII
  PCI

Page 11: The Evolution of IT Risk & Compliance

Questions?
