Brainwave GRC - Continuous audit and controls at ISACA event

BRAINWAVE GRC: How Machine Learning makes continuous audit and control possible

Upload: brainwave-grc

Post on 29-Jan-2018


Continuous Audit & Control?

Continuous Audit: combined continuous evaluation of risks and controls on IT systems. Continuous audit allows the internal auditor to communicate his analysis of the object under consideration far faster than in the traditional retrospective approach.

Continuous Control: process executed by management that enables them to verify that controls are functioning effectively (MPA 2320-4: Continuous assurance).

GTAG3, Institute of Internal Auditors

© Brainwave GRC – Proprietary and Confidential Information – All Rights Reserved

Why put in place continuous audit and controls?

Rapid adaptation to evolution of the enterprise:

More interactions with partners and outside providers

Evolution of systems, consolidation, cloud adoption

More sharing of data

Evolution of work: employees, consultants, outsourced operations

Reduce the impact of risk

Efficiency (Automation)


Proactive vs Reactive

Add value to Line of Business

You?

What are the hurdles?

Data silos

Data volume to manage

Complexity of controls

Identify best solutions

Financial and operational support from IT and Line of Business

Hurdles to deploying continuous audit and controls – Technology

Computing power

Progress of analytics

Reliability and traceability

Productivity (automation)

Availability

Capabilities of technology


What approach to adopt?

The following is based on real deployment cases with clients. Details have been anonymized.

Step 1: Exhaustive controls on existing perimeter

Step 2: Add new controls and extend perimeter

Step 3: Implement more sophisticated controls

Step 4: Controls on business processes

Step 5: Behavioral analytics

Motivation 1: Reduce surprises!

Internal Audit – Preparation: I take a sample

Get results

Remediate

External Audit – Big day: New sample

Unpleasant surprise!

In-depth control (SOX): select more data and ask detailed questions of IT, internal audit…

Motivation 2: Be more proactive

Calendar: Audit launched in February, results in August, corrections in September

In between, no visibility

Organization and risks change rapidly: Reorganization / Acquisition / Sale

New systems, partners

New risks, new regulations

Motivation 3: Enable business

I manage valuable data for my clients

Very competitive and sensitive sector

New client > new applications > new controls

Explosive growth in cost of implementing a new control

This is unsustainable, I do not want to be a permanent roadblock to business!

Step 1: Exhaustive controls on existing perimeter

Define audit frequency

Automate collection process

Resume data extracts

Sample -> Comprehensive controls

Controls Dashboard


No more surprises: I have control over everyone


I have the answers to questions from my auditor


Complete view of access to applications


Individuals and entities

Applications & permissions


Step 2: Add new controls and extend the perimeter

The right automation solution allows the addition of new controls with minimal effort and no coding.

Agile construction of control and rule matrix


Add new controls


Visualization of data access


Individuals and entities

Shared folders and type of access


Step 3: Implement more sophisticated controls

Sophisticated control: FRAUD

SoD + multiple operational steps across several applications

Based on a fraud scenario

Object: Trader on mandatory vacation must not access trading platform

Data: vacation/time-tracking application (HR), physical access control system (badge swipe), trading platform

Results: List of suspects sent to manager in charge of control for investigation

1500 controls

450 applications

2 times/week
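The mandatory-vacation control described above, written out as an added example (not Brainwave GRC code): the three extracts named on the slide are correlated so that any trader active during a mandatory leave period is reported with the evidence behind the hit. All identifiers, timestamps, doors and IP addresses below are constructed sample data.

```python
# Added example (not Brainwave GRC code): the slide's "trader on mandatory
# vacation must not access the trading platform" control, written as a
# correlation over three constructed extracts: HR leave periods, badge swipes
# from the physical access control system, and trading-platform logins.
from collections import defaultdict
from datetime import date, datetime

# Constructed HR extract: trader id -> mandatory leave periods (inclusive).
VACATIONS = {
    "t1001": [(date(2017, 11, 6), date(2017, 11, 17))],
    "t1002": [(date(2017, 11, 13), date(2017, 11, 24))],
    "t1003": [(date(2017, 12, 4), date(2017, 12, 15))],
}
# Constructed badge-swipe extract: (trader id, timestamp, door).
BADGE_SWIPES = [
    ("t1001", datetime(2017, 11, 8, 7, 52), "TRADING-FLOOR-DOOR-2"),
    ("t1002", datetime(2017, 11, 10, 8, 15), "MAIN-LOBBY"),  # before leave starts
    ("t1003", datetime(2017, 12, 18, 8, 1), "MAIN-LOBBY"),   # after leave ends
]
# Constructed trading-platform login extract: (trader id, timestamp, source IP).
TRADING_LOGINS = [
    ("t1001", datetime(2017, 11, 8, 8, 3), "10.20.30.41"),
    ("t1002", datetime(2017, 11, 16, 21, 40), "203.0.113.7"),  # remote, during leave
    ("t1003", datetime(2017, 12, 1, 9, 0), "10.20.30.55"),     # before leave starts
]


def on_mandatory_leave(vacations, trader, when):
    """True when the event date falls inside one of the trader's leave periods."""
    return any(start <= when.date() <= end for start, end in vacations.get(trader, []))


def mandatory_vacation_violations(vacations, badge_swipes, trading_logins):
    """Return {trader: sorted evidence} for every trader active during mandatory leave.

    A trading-platform login during leave is the violation itself; a badge swipe
    during leave is corroborating evidence of physical presence. Traders with no
    event inside a leave period are not reported, which is the expected outcome.
    """
    evidence = defaultdict(list)
    for trader, ts, ip in trading_logins:
        if on_mandatory_leave(vacations, trader, ts):
            evidence[trader].append((ts, "trading-login", ip))
    for trader, ts, door in badge_swipes:
        if on_mandatory_leave(vacations, trader, ts):
            evidence[trader].append((ts, "badge-swipe", door))
    # This is the "list of suspects" the slide hands to the control owner.
    return {trader: sorted(hits) for trader, hits in evidence.items()}
```

Run against the constructed extracts, t1001 is reported with both a badge swipe and a login during leave, t1002 with a remote login only, and t1003 is not reported because both of its events fall outside the leave period.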


Sophisticated control: INTERNAL MOBILITY

Residual access in real life: a situation that must be temporary

Manufacturing client

Temporary exception on SoD matrix: internal transfer

Track deviations with a custom tolerance threshold (x%)

Alert temporarily suppressed (x days)

1 million identities

65 million tested permissions

Pareto: identify priorities for remediation

Resolving conflicts on these 6 SoD rules would eliminate 80% of problems.

Step 4: Business process controls

Add financial dimension to IT risks

Additional level of comfort for internal & external auditors

SoD on complete business processes


End-to-end view of fraud risk in the « Purchase to Pay » process

Detect intra-application frauds

Detect inter-application frauds

Model segregation of duties conflicts

Valuation of fraud risks on business processes

Allocation of potential fraud risks by business process

Impact of proven fraud by business process

Details of dangerous transactions


Why did an ASSISTANT perform these dangerous transactions?


Step 5: Behavioral Analytics

Detect unknown risks

Individuals with abnormal behavior

Accessed files abnormally high for an IT consultant

Benefits


Internal Audit, before vs. after: Data collection & processing; Analysis of results; Remediation

Line of Business / application manager, before vs. after: Time to perform reviews; Time to monitor reviews

IT, before vs. after: Data collection; Response to auditors; Corrections

Better relations between business, IT, internal audit, & external audit

Gain in productivity across the organisation

Increased value add


Share!

Deliver value: Value added by analytics across the organisation

Speed: 30 to 90 days of effort to production

Flexibility / Agility: Autonomy to create controls and analyse results

Share results and benefits with: Internal Audit, IT Security, Operational Risk, Application owners, Line of Business, External Auditors

More confidence and comfort

More value across the organisation

More operational and financial support

Contacts

Emmanuel Sol
C: +1 514 647 6574

Eric In
D: +1 437 836 3621
C: +1 647 544

Graeme Hein
C: +1 416 795