RSA ARCHER MATURITY MODEL: AUDIT MANAGEMENT


RSA Whitepaper

OVERVIEW

Internal Audit (IA) plays a critical role in mitigating the risks an organization faces. Audit must do so in a world of increasing risks and compliance obligations, while also coordinating with other groups such as the risk and control functions. The RSA Archer Maturity Model for Audit Management outlines RSA Archer's role in the critical stages of IA's journey from a standalone, compliance-based audit function to a collaborative, risk-driven strategic partner to the business.

CONTENTS
Why Audit Management?
Key Capabilities
The Maturity Journey
Maturity Model Crossover
Conclusion
About RSA Archer Maturity Models

WHY AUDIT MANAGEMENT?

IA teams face an increasing challenge in their role as a company's third line of defense: understanding risks and evaluating controls. Organizations are becoming more complex. Risks are increasing and growing more complicated and impactful. Finally, regulators are imposing more laws and requirements. IA's role is to help improve the organization's risk posture and its compliance with regulations, laws, policies and procedures through reviews of the organization's practices, services and activities. However, IA faces a rapidly changing regulatory and business risk landscape with a strategy that is not always positioned to meet these changes. Existing audit approaches are focused on compliance, are more reactive than proactive, and are built around point-in-time, static audit plans.

There are other challenges and opportunities IA must confront. Other assurance groups, such as risk and compliance, are evaluating risks and controls, but use different approaches than IA to evaluate risk and test compliance. As a result, risks are defined differently, coverage against critical risks is uncertain, and findings disclosed during compliance reviews, audits or risk projects are often duplicated, wasting management's time with conflicting remediation efforts. A lack of visibility into findings generated by other functions makes it difficult and time-consuming for IA to confirm that risk mitigation efforts are occurring and then factor that into audit planning. Finally, documentation captured by these separate groups is often both static and conflicting. These siloed approaches make it difficult to capture and distill integrated risk and control information into meaningful analysis and action. Reporting to the Audit Committee and senior management becomes time-consuming when information is dispersed throughout the organization or is stale as soon as the audit report is completed.

To enhance its value within the organization, IA must transition from compliance auditing alone to a risk-based approach that is coordinated with the other risk and compliance functions. A risk-based approach also lets IA focus on the highest priorities, based on risk coupled with compliance obligations. Coordinating risk and audit activities will:

- Improve communications between IA, risk and compliance teams
- Enable IA to place more reliance on risk and control evaluations performed by other groups
- Reduce internal costs and external audit fees by aligning approaches, creating efficiencies and improving metrics, reporting and documentation
- Allow IA to focus on strategic work that helps grow the business

RSA Archer GRC Maturity Models focus on key capabilities enabled by the RSA Archer solution. As a technology enabler, RSA Archer provides the critical infrastructure to leverage processes, share data and establish common taxonomies and methodologies.

KEY CAPABILITIES

All businesses face challenges simply in their efforts to operate successfully, before even considering the need to be aware of and mitigate the risks that affect them and to ensure compliance. IA plays an integral role in helping evaluate risks and controls; however, IA also needs to be a strategic partner to management. Companies that can effectively build this relationship gain a competitive advantage by being able to align risk, compliance and IA across the business, and to focus on proactive opportunities rather than reactive compliance.

An effective IA organization focuses on the following capabilities:

- IA must have a dynamic view of organizational changes, risks and compliance status. Audit planning must be fluid so that IA can address the most important risks, compliance obligations and strategic initiatives as they arise.
- Reporting and monitoring of key risk, compliance and performance metrics must be automated, updated, fluid and easily available. This enables IA to report to management, or to quickly change plans or scope if needed.
- Findings and remediation plans must be assigned ownership, tracked and reported centrally so that IA can follow up, ensure resolution, and report status to executives, the Audit Committee, external auditors and regulators.
- Finally, IA must be able to better assume the role of "third line of defense" by helping management take on risk and control responsibilities and remediation in their respective areas.

To achieve these goals, RSA Archer's Audit Management solution focuses on the following key capabilities:

- Establish business context for audit: IA understands the organization, including the business hierarchy and infrastructure, which enables it to better identify its universe of auditable entities.
- Perform audit planning: IA can perform audit universe risk assessments, compare them with management's assessments of risk, create and approve dynamic audit plans, and scope and schedule its audits.
- Perform audit engagements and manage findings: IA can consistently perform and document the entire lifecycle of an audit engagement, including creating and managing work papers, performing audit testing, documenting findings, drafting the audit report, and documenting and managing work paper review notes.

THE MATURITY JOURNEY

RSA Archer Maturity Models are segmented into five major stages: Siloed, Transition, Managed, Transform and Advantaged.

The RSA Archer Maturity Model is designed to be pragmatic and attainable. Eliminating the "Level 0" that typical maturity models include avoids defining a stage of maturity that will not meet today's audit challenges. The Siloed stage focuses on baseline activities that all audit organizations need to be doing to at least cover the basics of compliance auditing. The Transition stage depicts how organizations begin to incorporate more risk assessment and risk-based audits into their plans. The Managed stage shows how risk-driven auditing takes precedence and quality assurance activities are incorporated. The Transform and Advantaged stages show how the organization "turns the corner" by leveraging and aligning with other risk and compliance groups, and by incorporating dynamic risk-driven audits, metrics and reporting to drive more strategic approaches. The RSA Archer Maturity Model for Audit Management focuses on building these capabilities over time, implementing the broad strategy with tactical, intelligently designed processes.

Foundations

Foundations are the critical elements necessary for the overall success of the Maturity Journey for IA. Without these foundations in place, the organization will face difficulties throughout the journey due to lack of focus, commitment, resources or strategy. Any organization looking to improve its maturity for IA should discuss and address these foundations.

- Management commitment - The degree and level of leadership commitment to a risk management culture, strategy and priorities should be established, as maturing processes takes time and resources.
- Performance and acceptable risk - Defined levels of performance and acceptable risk need to be established to set the target state for the IA function and ensure the business understands the level of commitment involved.
- Expectations and measurement - Clear expectations and success criteria for the IA function must be defined and communicated by management to guide approach and strategies.
- Stakeholder involvement - Key business stakeholders and constituents need to agree on the importance of continuous improvement and maturity of IA processes.
- Budget and resources - Sufficient resources for the IA program must be committed to achieve success.

The Siloed Stage: Laying the Foundation

In the Siloed stage, IA begins to establish an understanding of the business by documenting what it knows of the business hierarchy and infrastructure, which is usually limited to departments and IT systems. IA might find this information documented at a high level in asset repositories or general ledger systems; however, it is held in separate and unconnected systems that are not readily accessible to IA. With this information, IA documents a basic list of audit entities, most often driven by regulatory requirements, and executes some amount of audit testing during the course of the year. IA does not work with other assurance groups and performs the audit testing alone. Additional audit scoping is limited by the lack of information and is often performed only once the team is onsite for the audit. The audit testing consists of basic compliance audit procedures using static audit programs. IA does not perform risk-based audit procedures and is unaware of work done by other assurance groups. IA documents its testing, creates basic findings and produces audit reports. IA documents issues, tracks remediation and performs basic follow-up.

The Transition Stage: Building the Context for Risk Auditing

In the Transition stage, IA refines its understanding of the organization. It documents additional areas such as business processes, business units, divisions and IT systems, and creates an "audit universe," a listing of areas that could be audited during the year. IA implements a risk ranking process to evaluate these entities; for example, it may perform business impact analyses (BIA) or rudimentary risk assessments to understand their criticality to the business. Most entities are still ranked based on compliance requirements, although some are now included in the audit plan based on their risk. The plan is set once for the year.

IA executes audits against this basic risk-ranked universe and staffs each engagement based on available resources. Audits and related procedures are still compliance driven but are a little more fluid based on the entity and the risks identified. The audit plan and engagements change only in response to urgent management requests. In the audit report, IA assigns findings to business owners but does not yet have a consistent process to follow up on resolution.

The Managed Stage: Operationally Sound

In the Managed stage, IA deepens its understanding of the business by documenting additional layers of the organization in its audit universe, such as IT applications and infrastructure, facilities and information assets. IA assesses the criticality of these areas using a more advanced risk assessment exercise for audit prioritization and planning. IA begins to assign staff to audit engagements with the right mix of resources (internal and external) based on location, skills, experience and availability. IA also begins to implement quality assurance processes, such as project- and department-level quality assessments that identify gaps or issues in internal IA processes, and begins to track the resulting improvement plans.

After audit engagements, IA monitors and reports on all findings, including consistent tracking of remediation plan execution. IA also documents exceptions for findings where the risk is accepted by the business, with a risk analysis and sign-off from the appropriate authorized or delegated authorities.

The Transform Stage: Prioritization and Control

The Transform stage is reached when IA joins its business and IT audit universes by mapping business and IT assets together to paint a consolidated view of the organization. IA includes both business and IT assets in its audit universe risk assessment and in the prioritization of audits. IT Audit may still evaluate IT entities separately, but a higher degree of coordination on integrated audits occurs. IA's quality assurance process drives improvement recommendations, and IA acts on these by improving the IA department or its processes based on survey results. IA consistently tracks and drives resolution of findings and remediation plans. In addition, IA documents and tracks policy changes required as a result of issues arising from control testing and assessments, and periodically reviews and reaffirms all exceptions.

The Advantaged Stage: Optimized for Risk Management

In the Advantaged stage of maturity, IA has fully coordinated and mapped business and IT asset information and cross-references it to auditable entities, including processes, systems, locations and topics, giving IA a robust, integrated and up-to-date view of the organization. IA aligns its audit entity risk assessments with management's operational or enterprise view of risk to ensure the highest risks are audited and mitigated. IA also incorporates more dynamic, real-time risk and compliance metrics into annual and ongoing audit planning to drive audit work into the most impactful areas. IA plans its audits with consideration of assurance work done by other compliance groups in order to "divide and conquer."

IA also coordinates the documentation, tracking and follow-up of findings and remediation plans with all other risk and assurance groups. IA uses findings and policy exceptions as risk-driven sources for future testing or control validation. It reconciles findings to policies, standards and procedures to identify and address underlying systemic issues.

MATURITY MODEL CROSSOVER

IA serves as the third line of defense in a company's risk and control environment, supporting management, which acts as the first line of defense. IA has a vested interest in management taking an active role in treating risks and strengthening the control environment as part of its daily operating procedures. IA also needs to be able to rely on the risk and assurance groups that make up the second line of defense.

All three lines of defense should work together to align their approaches in order to mitigate risks and strengthen controls. As such, the other Maturity Models that apply to IA are Operational Risk Management and Regulatory and Corporate Compliance. Key risks that most organizations face today involve Business Resiliency, IT Security Risk Management and Third Party Governance, making those Maturity Models applicable as well.

CONCLUSION

IA has a tremendous endeavor in creating audit plans that will satisfy regulators, keeping a finger on the pulse of the ever-increasing risks the organization faces, and evaluating control environments across the company, all while being a strategic partner to management. IA cannot accomplish all of this without partnering with management, other risk and assurance groups, and external partners toward common objectives. The Maturity Model stages described in this white paper provide IA with guidelines and an approach not only to mature as an IA function, but also to increase the aptitude and ability of other groups to manage the challenges facing organizations today.

ABOUT THE RSA ARCHER MATURITY MODEL SERIES

RSA Archer's vision is to help organizations transform compliance, manage risk and exploit opportunity with Risk Intelligence, made possible via an integrated, coordinated GRC program. The RSA Archer Maturity Model white paper series outlines multiple segments of risk management that organizations must address to transform their GRC programs.

ABOUT RSA

RSA's Intelligence Driven Security solutions help organizations reduce the risks of operating in a digital world. Through visibility, analysis and action, RSA solutions give customers the ability to detect, investigate and respond to advanced threats; confirm and manage identities; and ultimately prevent IP theft, fraud and cybercrime. For more information on RSA, please visit www.rsa.com.

www.rsa.com

EMC², EMC, the EMC logo, RSA, Archer, FraudAction, NetWitness and the RSA logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other products or services mentioned are trademarks of their respective companies. Copyright 2015 EMC Corporation. All rights reserved. 3/15