In 2013, the Institute of Internal Auditors (IIA) published a position paper titled “The Three Lines of Defense in Effective Risk Management and Control.” At the time, the paper brought an interesting view on how duties should be coordinated so that risk and control processes operate as intended. It advocates that risk management is strongest in organizations with three separate and clearly identified lines of defense: operational management, which owns and operates the controls; the risk and compliance functions (GRC), which oversee them; and internal audit, which provides independent assurance.
I recently got a chance to sit down with auditor Steve Armstrong and probe the details of the audit process. I hope you find his responses as informative as I did.
Has the IIA risk position paper gained traction over the years?
Steve: Yes, but perhaps somewhat slowly. Not all organizations are adopting this, and they are struggling to build out an enterprise view of machine identities, such as SSH keys and TLS keys and certificates. It will take time in some areas.
What are some of the hurdles to adopt this approach?
Steve: In the past, companies created risk stripes or risk boundaries to simplify risk management and auditing. These risk stripes or risk lines have become blurred. Technology risk has become a problem for everyone: not just information risk, but also manufacturing, finance and, of course, IT operations. The transition to an enterprise-wide, holistic risk management may create some friction, as risk people may have created territories that they now need to share or rethink.
Also, organizations now need to transition to a more adaptive audit model that observes all technologies, like the growth of machine identities and their risks, across all areas of the enterprise. Just think of a large organization like IBM: technology risk touches all areas of the business, not just the services or software division. The same goes for Amazon AWS: technology is the root of the company, and IT risk will touch the entire business. Again, traditional risk lines have become blurred …
So, which catalysts do you expect to push this further?
Steve: Change needs to come from leadership. Senior staff need to manage risk across the entire organization because technology has become everyone’s problem. To do this, they need to begin collaborating outside their traditional departments.
There will also be a push from regulators for enterprise-centric risk management across the organization. Regulators expect that management is taking a holistic approach. Simple example: JPMC risk could impact many others. As a result, audit is no longer a hard line in the sand but needs to be an adaptive model where risk is continuously reviewed and entrenched in the IT and InfoSec culture.
Who is typically executing the audit? Internal or external?
Steve: It is all over the board. A large organization will require a lot of resources and time to execute audits on a continuous basis. As a result, it may staff its own internal audit department and need to grow it. Smaller organizations will bring in an external party to run an audit.
Most important here is that the audit function needs to be fully independent. Who is running it doesn’t really matter. What counts is that the audit is done independently of the incumbent InfoSec or GRC teams and that the executive board oversees the result.
Threat risks in 2020 are different from those in 2013. How are auditors adopting new audit tests?
Steve: A first line of change will come from colleagues. Some of them have gained specific expertise on technical risk elements and should build on this further.
A second set of influencers are audit communities and technology expertise organizations like ISACA or SANS. They continuously provide expertise and certify audit practitioners so that businesses are able to maintain trust in the potential of technology.
Another influencer comes in the form of peer reviews. Like other enterprise functions, auditors must also be audited. Peer reviews stimulate the proliferation of new critical test practices—even between the Big 4 auditors. This also means that external auditors are moving somewhat faster in adopting new tests. Audit governing bodies (like the AICPA) also encourage peer reviews.
What should InfoSec or Risk Managers expect? Is an audit still mostly a questionnaire?
Steve: Medium and large organizations will need to document all controls in place and have them tested to ensure that they are working as designed.
It usually starts with: “Do you have an inventory of every machine that is protected by a machine identity or certificate?”
Next may be:
- “Show me where.”
- “How does this inventory match the topology of the enterprise?”
- “Why are only 500 of the 1000 assets protected with a certificate?”
- “Can you show that these 500 are not critical?”
- “Can you pivot from unprotected to protected assets?”
Bottom line: it all starts with an inventory and continues with drill-down later in the process.
For small organizations it may remain a questionnaire for a while and may take only 2-3 days. For large and regulated businesses, the process may take several months.
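The drill-down Steve describes starts from two lists, the asset inventory and the certificate inventory, and the auditor's questions are really a reconciliation between them. The following Python script is an added example, not code from the interview or from any product mentioned; it matches a CMDB-style asset export against a certificate scanner export and answers the coverage, criticality and expiry questions directly. All hostnames, certificates, criticality ratings and dates are constructed, and the matching rules (exact name or single-label wildcard on subject/SAN, a 30-day expiry window) are assumptions of this example, not something the IIA or Steve specify.

```python
"""Reconcile an asset inventory against a certificate (machine-identity) inventory.

Answers the auditor's drill-down: what fraction of assets carry a valid
machine identity, which unprotected assets are critical, which identities
are about to lapse, and which certificates match no known asset (a sign
that the asset inventory itself is incomplete).  All data is constructed.
"""
from datetime import date

EXPIRING_WINDOW_DAYS = 30  # assumption: anything lapsing within 30 days is flagged

# Constructed sample: a CMDB-style asset export with a criticality rating.
ASSETS = [
    {"host": "web01.corp.example", "criticality": "high"},
    {"host": "web02.corp.example", "criticality": "high"},
    {"host": "api.corp.example", "criticality": "high"},
    {"host": "jump01.corp.example", "criticality": "high"},
    {"host": "legacy.dmz.example", "criticality": "high"},
    {"host": "plc03.ot.example", "criticality": "high"},
    {"host": "hmi01.ot.example", "criticality": "medium"},
    {"host": "printer07.ot.example", "criticality": "low"},
]

# Constructed sample: a certificate scanner export (subject, SANs, expiry).
CERTS = [
    {"subject": "web01.corp.example", "sans": ["web01.corp.example"], "not_after": "2026-09-01"},
    {"subject": "*.corp.example", "sans": ["*.corp.example"], "not_after": "2026-03-20"},
    {"subject": "api.corp.example", "sans": ["api.corp.example"], "not_after": "2026-01-15"},
    {"subject": "legacy.dmz.example", "sans": ["legacy.dmz.example"], "not_after": "2025-12-31"},
    {"subject": "old-api.corp.example", "sans": ["old-api.corp.example"], "not_after": "2027-01-01"},
]

AUDIT_DATE = "2026-03-01"  # constructed "today" so the report is reproducible

# Best-to-worst ordering of a host's identity state.
RANK = {"valid": 0, "expiring": 1, "expired": 2, "none": 3}


def name_covers(pattern, host):
    """True if a certificate name matches a host.  A wildcard such as
    '*.corp.example' matches exactly one extra label (RFC 6125 style):
    web02.corp.example yes, a.b.corp.example no, corp.example no."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".corp.example"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return pattern == host


def cert_state(cert, today):
    """valid / expiring / expired, judged against the audit date."""
    days_left = (date.fromisoformat(cert["not_after"]) - today).days
    if days_left < 0:
        return "expired"
    if days_left <= EXPIRING_WINDOW_DAYS:
        return "expiring"
    return "valid"


def host_state(host, certs, today):
    """Best state across every certificate whose subject or SAN covers the host."""
    best = "none"
    for cert in certs:
        names = {cert["subject"], *cert.get("sans", [])}
        if any(name_covers(n, host) for n in names):
            state = cert_state(cert, today)
            if RANK[state] < RANK[best]:
                best = state
    return best


def reconcile(assets, certs, today):
    """Return the figures an auditor asks for, keyed by question."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    states = {a["host"]: host_state(a["host"], certs, today) for a in assets}
    crit = {a["host"]: a["criticality"] for a in assets}
    hosts = list(states)

    def by_state(*wanted):
        return sorted(h for h, s in states.items() if s in wanted)

    # Certificates that cover no inventoried asset: the CMDB, not the PKI, has the gap.
    orphans = sorted(
        c["subject"] for c in certs
        if not any(name_covers(n, h) for n in {c["subject"], *c.get("sans", [])} for h in hosts)
    )
    return {
        "coverage": len(by_state("valid", "expiring")) / len(assets),
        "unprotected": by_state("none"),
        "expired": by_state("expired"),
        "expiring": by_state("expiring"),
        "unprotected_critical": sorted(h for h in by_state("expired", "none") if crit[h] == "high"),
        "orphan_certs": orphans,
    }


def example_report():
    return reconcile(ASSETS, CERTS, AUDIT_DATE)


if __name__ == "__main__":
    for key, value in example_report().items():
        print(f"{key:>20}: {value}")
```

On the constructed data the report shows 50% coverage, which is exactly the "why only 500 of 1000" question; the `unprotected_critical` bucket answers "show that these are not critical" (here it cannot, because two high-criticality hosts have no valid identity), and `orphan_certs` is the useful inverse check: a certificate the CMDB knows nothing about means the inventory an audit starts from is itself incomplete. Replacing the two constructed lists with real CMDB and scanner exports is the only change needed to run it against an environment.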
Bart: Where are ethical hacking or risk assessments in this process?
Steve: Ethical hacking is an individual element in the audit. It is about finding soft spots or areas where controls may be missing or are observed to be weak.
Risk assessments are similar—an element checked during an audit—but rather than finding a specific soft spot, they are about getting a global indication of imminent risks across an environment. Risk assessments are also very useful before an audit to get a quick benchmark on where an audit may fail.
What are the typical process steps in an audit?
Steve: It usually starts with an entry meeting. Next comes a request for documentation, followed by evaluation of that documentation. Auditors will afterwards meet with management for specific questions and then validate the effectiveness of controls. The process typically ends with a meeting with the board on discovered gaps and high-risk elements.
Is the rise of ransomware and payout by insurance companies driving new audits?
Steve: Sure, insurance companies may be asking for an audit. However, in many cases, insurance companies will ask for “attestations of controls in place,” which need to be signed by senior management based on the people, processes and technology in place. It is logical that senior management wants someone to verify their claim in the form of an audit. So again, everybody is on the hook.
How does your organization prepare for a risk audit that includes machine identities?