Internal Audit Framework by Mahendra Joshi - Rebit
INTERNAL AUDIT FRAMEWORK
Mahendra S. Joshi
Vertical Head – Systems Audit
Internal Audit
Three Lines of Defense
Cyber Risk Management across the Three Lines of Defense
• Business/Operations
o Direct accountability for owning, understanding and managing cyber risks
o “Business best knows its own data flows and business processes.”
o Cyber risks need to be woven into the fabric of the first line’s risk and control self-assessment and into fraud, crisis management and resiliency processes
• Control Groups
o Independent authority to effectively challenge the first line’s approach to cyber risks
o Cyber risk should be embedded into the broader second-line risk management framework.
o Compare cyber risks to other risks using the same financial and probability benchmarks, to justify investment in cyber risk prevention and remediation.
o Develop a comprehensive picture of cyber exposures, vulnerabilities and risks. Generate metrics to inform decision-making and to establish the risk/return trade-offs involved with investments in cybersecurity.
• Internal Audit
o Evaluation of the design and operating effectiveness of cyber risk management across the first and second lines of defence
o Perform assessments / Validate applications and connections / Evaluate third-party risk / Conduct independent penetration tests and vulnerability assessments / Enhance regular audit procedures with cyber risk considerations / Stay abreast of threat intelligence
Internal Audit
Audit Committee of the Board - Requirement
Source: Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds- Implementation of recommendations
RBI/2010-11/494 - DBS.CO.ITC.BC.No. 6/31.02.008/2010-11
Audit Committee of the Board - Responsibilities
Audit Committee of the Board – Responsibilities (Contd.)
Performance of IS Audit
Board or Audit Committee members should seek training to fill any gaps in their knowledge of IT risks and controls.
Audit Committee of the Board – Key Focus Areas
NACD Principles for the Board
IS Audit - Scope and Responsibilities
Determining the effectiveness of planning and oversight of IT activities
Cyber Security Incident
IS Audit:
o Review the sufficiency of the anti-malware solution and security controls
o Review of the configuration of infrastructure, network and security devices (servers, desktops, routers, firewalls etc.)
o Review of the security operations center
o Review of the incident management plan.
Cyber Security Incident
Board of Directors:
o Pursue the Root Cause Analysis (RCA) for critical incidents
o Time taken to detect, respond and act upon the incident
o Deficiency due to which the incident occurred
o Steps taken to improve the current processes and security posture
Risk-based Internal Audit (RBIA)
What is expected of the C-Suite
Board/Senior Management support is the key pillar in strengthening an organization’s security posture.
Collaboration
RBI - Cyber Security Framework
1) Inventory Management of
2) Preventing execution of
3) Environmental
4) Network Management and Security
5) Secure
6) Application Security Life Cycle
13) Advanced Real-time Threat Management
14) Anti-Phishing
15) Data Leak prevention strategy
16) Maintenance, Monitoring, and Analysis of Audit Logs
17) Audit Log settings
18) Vulnerability assessment and Penetration Test and Red Team Exercises
Security Operations Centre (SOC)
To which Board Committee will the Systems Audit report be placed as an agenda item?
Who is accountable for owning, understanding and managing cyber risks?
Audit Committee of the Board – Key Focus Areas
Thank You