Figuratively, today’s Internal Audit teams must track and herd zoo animals. Security pros can help.
Wednesday, May 12th 2010 @ 9:03 AM
Recently, I was reviewing the Canadian Financial Administration Act (FAA) and Federal Accountability Act (FedAA, or sometimes also called the FAA) for an initiative I've taken on. As a result, I couldn't help but notice the wide range of challenges faced by internal audit teams. It struck me that many people don’t realize the range of responsibilities and activities that are usually taken on by their internal audit team, and how this critical governance function has an important relationship to security and privacy. And like zoo keepers who track and herd different types of zoo animals, some parts of an organization are easier to work with than others; and the challenges include more than just the simple things we might expect, like counting them and feeding them.
While most people tend to think of an audit team as doing primarily financial audits, the push for accountability over the past decade, especially in government, means the audit team must work across many disciplines. Even as early as 2004, when the US General Accounting Office (GAO) changed its name to the General Accountability Office, only 15% of this body’s workload was related to financial audits. The following link to a GAO paper illustrates this point:
http://www.gao.gov/about/rollcall07192004.pdf
So, what else does an audit team have to do?
These days, there are audits not only for finance, but for privacy, security, regulatory compliance, IT governance, “value for money”, “values and ethics”, performance management, and so on. Each of these audits requires a different focus, with different metrics and indicators to be gathered.
But the internal audit team’s work doesn’t stop there. Gathering the information is often the easy part (at least if you are working from a standard checklist). The real fun starts in the analysis. Whereas security audits are often criticized as not always reflecting the organization’s actual performance, a good auditor actually works with management across the organization, digging deeper into the data to identify the outliers and find telltale evidence of areas that need to be addressed.
Once the analysis is done, reviewed and approved, a set of corrective actions is almost always required. Deciding which corrective actions will provide the controls necessary to address the real problems found can also be challenging. Again, diverse areas of management must be consulted. Then, the corrective actions have to be incorporated not only into future program plans, but also into future audits, to ensure the organization does not regress into bad habits again.
Internal Audit teams need all kinds of skills to fulfill their increasingly important mandates
Coordinating all of these responsibilities and activities across multiple functional areas of an organization could be likened to herding zoo animals – especially where each group’s management has concerns with everything from electronic service delivery and budgetary control to technical R&D, human skills development, facilities management and policy administration. Some groups may not realize, or even care, that the audit team is ultimately there to help improve their performance. The audit team must be able to draw on a depth of experience in business and technology to do the job efficiently and effectively.
I think it’s also important to note that with the latest changes to the Federal Accountability Act and the Financial Administration Act in Canada, each government department and agency is now required to have a high-level internal audit role called the Chief Audit Executive (CAE), who reports directly to the Deputy Minister (or Deputy Head). This provides an added degree of objectivity and independence from operational pressures. The following link provides a summary of the new GoC Internal Audit requirements of the Canadian government's Federal Accountability Act (FedAA):
http://www.faa-lfi.gc.ca/fs-fi/16/12fs-fi-eng.asp
...and the Financial Administration Act:
http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=16487&section=text
Security professionals are an important element of the internal audit team
As I have often said, security is really just another aspect of quality. So, if your business processes are not quality processes, there are inevitable security implications. The experience of security professionals in looking for vulnerabilities in data flows and architectures, as well as in analyzing and identifying safeguards and controls, makes them good candidates for contributing to internal audit teams. In fact, many of them have also worked in organizations that they might consider to be zoos.
Disclosure: Would it surprise you that I recently became a Certified Information Systems Auditor (CISA)?
I am now offering monthly briefings, tailored to organizations that want to build and sustain security awareness for staff. Just because your security team is too busy to do its own training and awareness doesn't mean you can't have an economical way to address human security risks. Please call or email me at the coordinates below...
Scott Wright
The Streetwise Security Coach
Join the Streetwise Security Zone at: http://www.streetwise-security-zone.com/join.html
Phone: 1-613-693-0997 Email: scott@streetwise-security-zone.com Twitter ID: http://www.twitter.com/streetsec