The Evolution of IT Risk & Compliance February 2012 Rosalyn Ellis, CRISC Susan Hoffman, CISA,CGEIT 1 Achieving SOX Compliance Developed set of control requirements Application Change Management Application & Data Security Documented existing controls and processes Established new controls and processes 2 Issue at hand... Review, assess, consider materiality of issues, priority, determine level of audit issues/complexity to close gaps Evaluated and documented IT controls Clarified “ownership” for the controls New applications / solutions introduced to environment requiring proper controls 3 Established a team… Purpose implement according to policy audit to the policy Partners with... Internal & External Audit teams Determine needed IT controls Define how to test the controls IT staff: Build compliance into IT solutions Determine ways to align compliance efforts with IT initiatives 4 IT Risk & Compliance… Assembled list of IT controls according to policy identifying specific frequency and owners Established Self-Audit Program Conduct self-audit test on each IT control Identifies gaps with the existing IT controls Provides for auditor reliance on self-audit results 5 6 Benefits of Self-Audit Program The IT Organization Assumes responsibility for the IT controls Gains confidence that IT controls and processes are effective and efficient Identifies control weaknesses in advance of Internal or External Audit tests Identifies process improvements with current controls and processes 7 Benefits of Self-Audit Program 8 Beyond Self-Audit Concepts Database Activity Monitoring (DAM) Explore other uses for current tool Business Processes comply with eDiscovery requirements Self Audit of Business Application SOA Architecture Self Audit of Mobile Applications 9 Expanding Self-Audit Concepts Coordinate Assessments Internal Risk Assessments 3rd Party Assessments Current Topics & Technology Cloud Computing PII PCI 10 Questions? 11