Cybersecurity, privacy, confidentiality, and compliance are becoming the most discussed topics in the corporate world. However, many organizations are still trying to find the right balance between adopting the practices and educating themselves and their workforce to align, assess, respond, and monitor in line with the nuances of cybersecurity and its associated areas. In the whole process, over-reliance on auditors alone to identify deficiencies and implement counter-measures doesn’t always work. Auditors and evaluators may use various approaches and techniques to help plug the gaps. However, without coordination between the business, IT, and the auditors, that rarely helps the organization meet its budgetary goals.
This is where the techno-process teams (GRC, risk, and compliance, or IT auditors) come in to bridge the gap between the business, IT, and the auditors. The techno-process team leads the overall effort to protect organizational assets, data, and information, and brings economies of scale that show up as an improved internal and external perception of the organization. Leading from the front and spearheading the enterprise risk management program (IT risk management included), the GRC team plays a significant role in improving the overall cybersecurity and cyber resilience posture of the organization.
An effective IT audit team carves out an efficient control design process that is aligned to support operations, measures control efficacy, and identifies threats and risks to the organizational mission, vision, and objectives. It realigns cybersecurity and allied strategies to manage those risks and ensure ongoing smooth business operations.
This is also where the team partners with internal and external auditors to drive the overall compliance program along the lines of risk-based audits. With ever-evolving technology and the associated risks to growing volumes of data and information, it is imperative that risk management reviews shift their focus toward technological audits.
For an organization, the first step is to adopt risk-based internal audits alongside the traditional compliance-based audits to achieve organizational objectives. Some might advocate focusing more on compliance-based audits, which ensure continued assertion of compliance with industry standards and regulations. However, the focus of risk-based audits is to adopt a practice that helps reduce the frequency of cybersecurity incidents such as data breaches and data compromise. Compliance-based audits provide alignment with regulatory and industry standards, where adherence and asserted conformance are the basis of the audit and remediation efforts.
While both compliance-based audits and risk-based audits aim to support the organization in meeting its objectives and overall compliance requirements, the approach is where they differ.
Risk-based audits
Risk-based audits apply an organization’s risk appetite, risk tolerance, and compliance expectations on top of the traditional compliance-based audit to give management and the board a more progressive view of the organizational risk factors. They also adopt industry frameworks to confirm that controls support organizational goals and to assert external conformance and dependencies that may otherwise impact organizational performance.
It is the risk-based audit methodology that incorporates the requirements for auditors to:
- Review the risk and compliance trackers and the risk threshold with the respective business managers, and then establish the overall perspective and context of the audit.
- Engage with the subject matter experts (SMEs) to review the controls for expected versus implied interpretation, and ensure that the control language is validated so that the controls are interpreted accurately.
- Review the risk factors that may impact the overall organizational vision, mission, and objectives.
- Communicate the risk factors that may affect the organization at the operational level, with the management and the board.
- Identify the technical and process layer “infrastructure” that supports the operations and the controls being performed.
- Understand the risk impact at various levels and where the overall “combined effect” of the risks is evident.
Automation and modernizing audits
Risk-based audits use a variety of approaches similar to those of conventional compliance-focused audits. However, they provide a bigger and better avenue for putting technology to its best use. With the adoption of risk-based audits, the organization can move toward automating the majority of the questionnaire-based response approach.
Risk-based audits use detailed evaluation of responses and expectation mapping rather than the conventional binary approach of “yes” and “no”. This is where automation of enterprise risk management and the audit workflow provides a better view of operations, as the auditors already know the basics of the expectation or the expected outcome. Combined with automated system feeds that can be evaluated for the efficacy of the controls, rather than relying on screenshots or manual exports, this increases the reliability of the audit outcome.
Risk management automation also uses the newer approaches of data analytics, continuous auditing (without impacting operations), and continuous monitoring. This, coupled with inputs from risk assessment results and risk evaluations, provides a better risk management strategy. Now, the management can make informed decisions with a real-time view of the controls’ maturity and residual risk.
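The graded, feed-driven evaluation described above, as an added illustration that is not code from the original article: a constructed identity-provider export (hypothetical accounts and values) is scored for control coverage and placed against the organization’s risk appetite and tolerance bands, instead of being reduced to a single “yes” or “no”. The control names, thresholds, and the record fields are assumptions for the example.

```python
from dataclasses import dataclass

# Constructed sample evidence feed (a hypothetical identity-provider export,
# not taken from any real system): one record per privileged account.
SAMPLE_FEED = [
    {"account": "svc-backup", "mfa": True,  "pw_age_days": 40},
    {"account": "admin-ops",  "mfa": True,  "pw_age_days": 120},
    {"account": "admin-db",   "mfa": False, "pw_age_days": 15},
    {"account": "admin-net",  "mfa": True,  "pw_age_days": 60},
    {"account": "svc-ci",     "mfa": True,  "pw_age_days": 200},
]

@dataclass
class ControlResult:
    control: str
    coverage: float   # fraction of records meeting the expectation
    failing: list     # records a binary "yes" answer would have hidden
    rating: str       # where coverage sits against appetite / tolerance

def rate(coverage, appetite, tolerance):
    """Map a coverage ratio onto the organisation's stated risk bands (assumed values)."""
    if coverage >= appetite:
        return "within appetite"
    if coverage >= tolerance:
        return "within tolerance"
    return "exceeds tolerance"

def evaluate_control(name, feed, expectation, appetite=0.95, tolerance=0.75):
    """Evaluate one control against an automated feed.

    `expectation` is a predicate over a single record. The result keeps the
    coverage ratio and the failing records rather than a single yes/no."""
    failing = [r["account"] for r in feed if not expectation(r)]
    coverage = 1.0 - len(failing) / len(feed) if feed else 0.0
    return ControlResult(name, coverage, failing, rate(coverage, appetite, tolerance))

def run_audit(feed, max_pw_age_days=90):
    """Run the (assumed) control set over the feed, keyed by control name."""
    controls = {
        "MFA enforced on privileged accounts": lambda r: r["mfa"],
        "Privileged credential rotated within policy":
            lambda r: r["pw_age_days"] <= max_pw_age_days,
    }
    return {name: evaluate_control(name, feed, pred) for name, pred in controls.items()}

if __name__ == "__main__":
    for name, res in run_audit(SAMPLE_FEED).items():
        print(f"{name}: {res.coverage:.0%} ({res.rating}); failing={res.failing}")
```

The same `run_audit` call can be scheduled against a live export to give the continuous-monitoring view the article describes, with the rating feeding the residual-risk picture rather than a pass/fail checkbox.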
A hybrid approach to audits
While external audits can be used for compliance assertion and attestation, an organization should adopt risk-based audits for its internal audits and evaluations. The combination of the two results in risk-aware management that can make better-informed decisions. This helps ensure that organizational goals and objectives are not hindered by the inherent risks of technological advancement. The unknown factors can be identified well with this dual approach of risk assessment combined with audits and reviews.
To support the overall risk-based audit program, an organization must deploy a techno-process team of GRC professionals and evaluate where automation can help, using current techniques in data analytics, artificial intelligence, and cognitive reporting.
Risk-based audits aided by automation help bridge the gap in organizational performance by establishing clear expectations for both risk and compliance.