That’s what most companies reply with when you ask if they conduct regular IT audits. According to Aun Ali Motani, a CISA, CISSP and Manager Technology & Security Risk Services at Ernst & Young, IT audits are important because of our dependency on automation and technology. “IT systems are automated, processes are computerized and operations are dependent on computers in today’s world. Audits should be taken as a proactive approach rather than a traditional one. It also highlights the control weaknesses currently present in the system which could be exploited if not addressed in time. Conducting audits regularly gives an independent assurance from time to time that systems are secure, meeting business objectives, and that frauds are detected at earlier stages.”

Should Information Security professionals be part of the team that selects a specific solution based on its interoperability with the existing network configuration? Does this usually happen?

Indeed, they should be, and I am sure good companies use these processes to involve IS experts while selecting any solution.

InfoSec experts give independent expert advice, otherwise every solution provider rates their product as the best.

What is the trend like for IT Audits amongst Pakistani corporations? Is there enough awareness in the local enterprise space?

At this stage, in corporations, operations do not like any form of auditors, IT or Finance. Audits are still treated like investigations. Depending on the situation, at times, audits are conducted to investigate events which could be a bad portrayal of the organization, and so there is a trend that executives usually do not give much respect to auditors in Pakistan. I can quote multiple examples from my experience. Having said that, there are only a handful of companies who understand the need for regular IT Audits. That is where the IT Auditors are taken seriously. But there are very few organizations that do so. Perhaps the message is not clear; in other words, the management hire auditors but resist disclosing the information, and in the end, the objectives are not achieved completely. Sometimes one of the two parties has to compromise on their views, just to settle the issue.

The attitude of the auditor also matters when going into the field to conduct an IT audit.

Sometimes, if the auditor is successful in passing the message that the audits will help secure your job and company, the management may consider being more cooperative. This awareness is growing among executives. Specifically in the case of banks, the State Bank of Pakistan issues circulars to banks to conduct IS audits and secure the computer network and applications. This is helping greatly in the financial sector.

Are there any legal, insurance or financial reasons why Risk Assessment should be part of an organization’s Best Practice?

If it is Risk Assessment only and not IT Risk Assessment, the answer to the question is: yes, to some extent. As mentioned in my earlier response concerning the financial industry in Pakistan, the SBP, FBR and SECP regulate them and ask banks to conduct risk assessments.

What are some methodologies used in enterprise Risk Assessment?

If it is IT Risk Assessment, then organizations use ISO 27001:2005, OCTAVE and the Microsoft IT Risk Management methodologies.

Is this something that should be part of the local IT department? Or is it better to outsource the process?

IT departments in companies in countries like Pakistan are already engaged in multiple tasks. First, carrying out IT Risk Assessments is a specialized task and organizations may not have expertise in executing it. Secondly, it is highly recommended that the process be outsourced to experts who have experience. Another strategy would be to engage consultants in a first-time exercise, learn from them, assess the risk individually, and learn how to reduce, make and adopt a methodology. Then, while re-conducting the exercise, the IT management may do it on their own. Meanwhile, they can set up a small department for this as well.

In your experience, if SQA or RA is outsourced, do companies (as clients) respond to proposals promptly?

In organizations where there is some kind of regulation and enforcement of deadlines, this does happen. Enforcement of the legislation or policy is central to getting the work done on time.

In your opinion, are there a lot of security experts in Pakistan offering these services?

Not too many. Companies such as Ernst & Young and PricewaterhouseCoopers (PwC) have this expertise as part of their portfolio since they also have affiliations with their global companies. There are people who offer the services, though they may not necessarily be experts. The exposure to complex environments, or lack thereof, is also a factor.

3 Responses to The Benefits of Being an Audit, Err!?

  1. Salman Shahid says:

    Managing technical strategy, architecture and compliance for quite some time now, I can share my experiences and observations from the trenches.

    The entire GRC (governance, risk and compliance) space is envisioned as a supporting activity in the IT value chain of most businesses, developing the actual software being the primary one. Pure-play software houses would only be inclined to invest money in this activity area if pushed by their clients’ regulatory needs or their process improvement strategies. Even then they tend to go after processes which are more geared towards their central theme, e.g. CMMI, TQM etc. Businesses using IT as a process enabler have a very corporate view of the world, and risk-based evaluation of technical solutions based on their domain needs is critical for them. Gov, Energy, Financial, Health and Telecom sectors, for example, have their own set of regulations to abide by. In come COBIT, ITIL and ISO 27001/2!

    Another aspect is the architectural and non-functional features constantly challenging the ways technology is maintained, supported and secured. SOA, private clouds and SaaS to name a few.

    In essence it boils down to an Integrated Technology Management approach which encompasses Program Management, Architecture, Risk and Compliance, all integrated in a federated way and helping out a streamlined product development/SDLC.

    With respect to Pakistan, as rightly pointed out, certain sectors can readily benefit from the “Audit” aspect of risk and compliance whereas others may well have to catch up, most likely within a different context. Standardizing processes in a lean way will introduce cost efficiencies and reduce risks – and is a good elevator pitch for the bean counters.

  2. Jawwad Alam says:

    I am myself a CISA, CISSP and working in the Big Four… I would like to inform the readers that ISO/IEC 27001:2005 is not a Risk Assessment standard or methodology but rather it is a complete standard on how to implement an Information Security Management System, aka ISMS.
    27001 requires the companies to adopt a Risk Assessment Methodology, but it itself does not say what to do and how to do it.
    Risk Assessment methodology varies from organization to organization; there is no one “Best” approach to it. There are some Best Practices available which could be embedded into whatever Risk Assessment approach the organization wishes to adopt.
    If you want to conduct a Risk Assessment and you are unsure of how to start and from where to start, then usually the most followed approach is the Facilitated Risk Analysis Process, commonly known as FRAP.

  3. Tariq Mahmood says:

    Good one, Aun Ali. Readers, Aun is a good friend of mine.

    I would like to share my experiences of Pakistan. I worked for 20 years in KPMG, Deloitte, and Systems Ltd conducting IT Consultancy and IT Audits. Disappointed by the demand for IT audits, I left Pakistan for the Middle East, where I am settled now.

    Having read the interview of Aun, I do agree with Aun on most of the points above.

    Congrats Aun.
