Control Self-Assessment Advantages and Disadvantages

In my book, CISA Certified Information Systems Auditor All-In-One Exam Guide, control self-assessment is defined as follows:

“A methodology used by an organization to review key business objectives, risks, and controls. Control self-assessment is a self-regulation activity.”

Control self-assessment (CSA) is a tool used by internal audit, information security, and privacy professionals to better learn how internal controls are being operated. As the name implies, CSA consists of a directive sent to a control owner to ask him or her to answer specific questions about a particular control, and provide particular artifacts about the control to substantiate the answers to some of those questions.

While CSA can be conducted via e-mail, it is often a part of an integrated risk management (IRM) system, formerly known as a governance, risk, and compliance (GRC) system. An IRM can be used to collect information about controls and even score the results electronically.

Appropriately managed, CSA can extend the reach and visibility of internal audit activities, but it is not a silver bullet. I list some of the advantages and disadvantages of CSA here.

Advantages:

• Saves time. More controls can be assessed in a given period, versus traditional walkthrough sessions that consume meeting time and may be difficult to schedule.
• Extends visibility. Information about more controls can be obtained than through walkthrough sessions only.
• Reinforces control ownership responsibility. By having control owners answer questions and provide artifacts on their own, CSA supports the concept that control owners are responsible for the effectiveness of their controls.
• Digital record. Because CSA is usually performed electronically, it is not necessary to transcribe meeting notes.

Disadvantages:

• Integrity. Because a control owner is answering questions and providing artifacts away from internal audit personnel, there may at times be a question of whether it was the control owner who answered the questions, and whether they altered any of the provided evidence.
• Exploration. In a typical walkthrough, an internal auditor will ask follow-up questions based on responses to earlier questions. It can be exceedingly difficult to anticipate all possible responses to questions in a CSA questionnaire.
• Body language. In an in-person walkthrough, an internal auditor will observe the body language of the control owner as a part of the overall assessment. Body language provides additional information that may help an internal auditor better understand where control weaknesses might exist.
• Overburdening control owners. In an IRM (integrated risk management), it can be easy to “load up the CSA gun” and fire off numerous CSA assignments to control owners. Unlike in-person walkthroughs, which require a more equal time commitment between auditors and auditees, CSA’s require little up-front time for internal audit. Internal auditors need to be cognizant that the effort to complete a CSA is asymmetrical: the control owner may have to spend considerable time answering questions and gathering artifacts.
• Problem controls. A CSA should not be used alone for controls known to have problems. Controls with problems require deeper scrutiny in conversations that are difficult to script in a questionnaire.
• Relationship. In-person control assessments help to establish and deepen relationships between internal auditors and control owners. Since they are purely digital, CSAs do little in this regard. As a corporate function, Internal Audit (and information security and privacy) need to be established as collaborative relationships. Establishing a relationship based on the assignment of digital tasks may hinder this effort.

Planned properly, control self-assessments can extend the reach and visibility of internal audit, information security, and privacy functions. However, because relationships with auditees are vital to the long-term success of these programs, CSA needs to be applied thoughtfully.

Audit Seeding

Management may spend considerable time and energy making sure that personnel understand one thing when dealing with auditors: specifically answer the question that the auditor asked, not the question the auditor should have asked; and do not volunteer any information.

There is, however, a useful technique that management (and only management) sometimes uses when working with auditors. I prefer to call this seeding the audit results.  Similar to the technique of cloud seeding, where rain clouds are seeded with substances to cause them to release rain, management can use audit seeding as a way of ensuring that auditors are aware of specific situations that they are willing to include in their audit report. The purpose of audit seeding is generally the creation of an audit issue that will permit management to prioritize an initiative to improve the business.

For example, external auditors are examining access controls, an area where a security manager has had difficulty obtaining funds to make key improvements. While in a discussion with auditors, the security manager may choose to illuminate particular actions, inactions, or other situations in access control processes or technology that the auditor might not have otherwise noticed.

Persons who are considering audit seeding must have a thorough understanding of the subject matter, the controls being tested, the procedures and technologies in play, the auditing methodology in use, and a bit of grit. Audit seeding may be considered a daring move that may have unforeseen results. Finally, persons considering audit seeding must not make auditors feel they are being manipulated, as this could have greater consequences. Instead, management is simply making auditors aware of an important aspect of a control they are auditing.

— excerpt from CISM All-In-One Study Guide

CISA All-In-One Exam Guide published

The CISA Certified Information Systems Auditor All-In-One Exam Guide, published by Osborne McGraw-Hill, is now available in bookstores and from online merchants.

Written by Peter H. Gregory, this book is largest and most complete study guide available for the CISA (Certified Information Systems Auditor) professional certification.  Prior to Osborne McGraw-Hill’s decision to publish this book, the other study guides that were available are shorter and contain less detail. This difference is key for IT professionals who are studying for the CISA certification, which places high demands on the exam taker to be able to recall many details and specifications about information technology, key business processes, and IT auditing.

Despite its title, CISA Certified Information Systems Audit All-In-One Exam Guide is structured and designed to also be a desk reference for early- and mid-career security auditors and security specialists who need a reliable, easily-consumed reference guide for key information technologies and IT auditing practices.  The book contains two chapters that go beyond the CISA study material and include lengthy discussions of professional IT auditing and security and governance frameworks.

“The availability of this study guide represents a big step forward for IT professionals who are studying for the CISA exam and those who have IT security and audit responsibilities,” states Peter H. Gregory. “The IT industry has waited a long time for an All-In-One guide for this popular certification,” he adds, citing the enormous popularity of the CISSP All-In-One Study Guide that is written by Shon Harris and considered the best CISSP guide available.

About Peter H. Gregory

Peter Gregory, CISA, CISSP, DRCE is the author of twenty books on security and technology and has been a technical editor for twenty additional books on security and technology. He has over 25 years of experience in virtually every role in Business IT departments, including work in government, banking, non-profit, telecommunications and on-demand financial software businesses.

Gregory is on the board of advisors and the lead instructor for the University of Washington certificate program in information security, and a lecturer at the NSA-certified University of Washington Certificate Program in Information Assurance & Cybersecurity. He is also on the Board of Directors for the Evergreen State Chapter of InfraGard, and the Executive Steering Board for the SecureWorld Expo Conference in Seattle. A founding member of the Pacific CISO Forum, Mr. Gregory is a graduate of the FBI Citizens’ Academy and active in the FBI Citizens’ Academy Alumni Association.

About ISACA^®

With more than 86,000 constituents in more than 160 countries, ISACA® (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems assurance and security, enterprise governance of IT, and IT-related risk and compliance. Founded in 1969, ISACA sponsors international conferences, publishes the ISACA^® Journal, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor™ (CISA^®), Certified Information Security Manager^® (CISM^®) and Certified in the Governance of Enterprise IT^® (CGEIT^®) designations.

ISACA developed and continually updates the COBIT^®, Val IT™ and Risk IT frameworks, which help IT professionals and enterprise leaders fulfill their IT governance responsibilities and deliver value to the business.

CISA Certified Information Systems Auditor All-In-One Study Guide by Peter H. Gregory; McGraw-Hill; October 2009; Hardback; $79.99; 10: 0071487557; 13: 978-0071487559

“All-in-One is All You Need.”

Auditors’ preferences for controls

Auditors and security professionals usually prefer preventive controls over detective controls because they actually block unwanted events and prefer detective controls to deterrent controls because detective controls record events while deterrent controls do not. However, there are often circumstances where cost, resource, or technical limitations force an organization to accept a detective control when it would prefer a preventive one. For example, there is no practical way to build a control that would prevent criminals from entering a bank, but a detective control (security cameras) would record anything they did.

Excerpt from CISA Certified Information Systems Auditor All-In-One Study Guide

Implementation of audit recommendations

The purpose of internal and external audits is to identify potential opportunities for making improvements in control objectives and control activities. The handoff point between the completion of the audit and the auditee’s assumption of control is in the portion of the audit report that contains findings and recommendations. These recommendations are the imperatives that the auditor recommends the auditee perform to improve the control environment.

Implementation of audit recommendations is the responsibility of the auditee. However, there is some sense of shared responsibility with the auditor, as the auditor seeks to understand the auditee’s business, so that the auditor can develop recommendations that can reasonably be undertaken and completed. In a productive auditor-auditee relationship, the auditor will develop recommendations using the fullest possible understanding of the auditee’s business environment, capabilities, and limitations, in essence saying, “here are my recommendations to you for reducing risk and improving controls.”  And the auditee, having worked with the auditor to understand his methodology and conclusions, and who has been understood by the auditor, will accept the recommendations and take full responsibility for them, in essence saying, “I accept your recommendations and will implement them.” This is the spirit and intent of the auditor-auditee partnership.

– from CISA Certified Information Systems Auditor All-In-One Study Guide – the last words written into the draft manuscript, completed a few hours after the last of the Fourth of July fireworks have burst in the night sky

IT auditing is more about people than technology

I was recently asked the following question in one of my forums:

“Some of the challenges I face pertain with the anxiety system administrator’s face before I come on-site. They are defensive from the time I walk in to the time I leave. They don’t take too well to people telling them a control may not have been properly implemented .”

IT auditing is not *really* about the technology at all, but about the *people* who design, build, and operate the technology. Servers don’t have feelings and egos, but people certainly do.

My advice is to do what I do – have a good “bedside manner” and put the patient at ease. Explain why you are there in a non-confrontational manner as possible. Say things like, “I’m here to help understand how things are done here and how I can help with these compliance needs.” Explain that the standards and audits have gotten a lot harder these days, which requires a lot of changes. Empathize with them, be there as a guide who is also learning.

I also suggest that you take the approach of your being there to learn what they do. Make yourself “less good” than them, in order to not be a threat to them. Say things like, “I’m here to learn about these systems that you built and manage,” not “I’m here to see what you’re doing wrong.”

Have a gentle touch. Be confident and friendly, but non-threatening.

I meet new colleagues all the time. This works, as long as your heart and your mind are in the same place. People can see through a facade and will distrust an auditor who is acting.

Multiple, overlapping audits

Are any of you on this group in organizations that are subject to multiple sets of internal or external audits that overlap? If so, how do you handle the duplication of work?

In my organization, we have external PCI audits, external ISO27001 audits, external SAS70 audits, external Sarbanes Oxley audits, plus we are required to do internal audits for ISO 27001 and Sarbanes Oxley – most of which concentrate on the same things: general computing controls, the protection of sensitive data, and the integrity of our applications.

What is particularly frustrating to control owners/operators is having to answer the same questions and produce the same evidence time after time for these different audits. One thing that is helping is automation of many of these audited tasks (or automating the recordkeeping), which makes evidence collection easier.

Are any of you experiencing this? Please share.

CISSP’s role in regulation

The major focus of the CISSP certification is centered on security technology and management, but the functional areas in the realm of regulation and compliance are “softer” areas that are somewhat removed from security itself.

However, there are compliance-related tasks for which the CISSP certification does not prepare its candidates. Activities such as business controls development, internal audits and the interpretation and application of regulations are barely touched on in the CISSP world. Other certifications, such as the Certified Information Systems Auditor (CISA), focus on controls and internal audits.

From an upcoming article on the adequacy of the CISSP certification in today’s new regulation-centric security environment

Use GAIT principles to ease Sec. 404 audits and controls

Submit:

The Institute of Internal Auditors (theiia.org) has released its final GAIT principles and methodology for Sarbanes-Oxley Section 404 IT general computing controls (GCCs). The principles and methodologies will help organizations to determine the right controls to implement in their environments to ensure integrity of financial reporting as required by the SEC.

Download principles here (PDF): http://www.theiia.org/download.cfm?file=14216

Download methodology here (PDF): http://www.theiia.org/download.cfm?file=83757