How to Audit Governance

Written by

Governance, risk, and compliance (GRC) have become buzzwords in cybersecurity. As governments and industry standards organizations respond to the data breach landscape by creating new compliance requirements, governance has become fundamental to creating an effective risk management program. Auditing governance requires organizations to communicate with internal and external stakeholders.

Auditing Governance

What is corporate governance?

To prove governance, companies need to establish rules, practices, and processes.  Even more critical, governance places responsibility on senior management and the Board of Directors to review risk knowledgeably.

What is corporate governance in cybersecurity?

In cybersecurity, corporate governance shifts slightly. While senior level executives and the Board do not make the security decisions, they need to understand the cybersecurity risks that may arise from business objectives.

Additionally, cybersecurity governance requires reviewing the effectiveness of internal controls.

What is the audit committee’s responsibility?

As cybersecurity compliance increasingly becomes a focus for many companies the audit committee acts as the bridge between the audit program and the Board of Directors.

Thus, while the audit committee members may not need to be technical, they do need to understand cyber risk more than others within the organization. To engage in more detailed conversations, the audit committee needs to incorporate the information technology (IT) leaders within the organization.

How to incorporate cyber risk as part of the audit plan

As companies increase their use of Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS) vendors, their audit plans need to address the internal controls that protect from data breaches. Audit plans focus on how you determine key performance indicators (KPIs) for your compliance program. Thus, creating a cybersecurity audit plan becomes the roadmap for how you establish and prove governance.

Timing

Planning for internal audits should be a continuous process. Before setting out an audit plan, you need to review your previous audits for control deficiencies. Then, you can determine the scope.

For example, if your company lacked appropriate software and operating system patch management, then that needs to be considered as part of the scope for the next audit. However, if patching was excellent, but your previous audit found that several systems or networks retained their factory-preset logins, then you should focus on that.

In short, timing and planning should be a continuous process based on consistent improvements to your cybersecurity oversight.

Risk Assessment

Any audit plan needs to incorporate a holistic view of cybersecurity risk.

When creating an audit plan, you need to ensure that you have established a risk tolerance that incorporates data, location, data breach potential, and potential data breach cost.

When determining the audit plan scope, you need to focus on the information assets with the highest risk.

Compliance Committee

A compliance committee includes internal stakeholders who monitor and document internal controls.

The compliance committee, in conjunction with the audit committee, works to keep the company aligned with changes to standards and regulations. As such, they stand as the first line of defense for working to keep controls effective and provide governance over the program.

How internal auditors review cybersecurity governance

The audit plan sets out the scope and contains the needed steps for proving governance. Your internal audit acts as a second-set-of-eyes.

Internal auditing requires an independent individual to review and assess whether your cybersecurity program meets industry standard and regulatory compliance requirements. The internal auditor considers all the documentation related to your cybersecurity compliance program and then tests whether you maintained compliance with the internal controls defined.

In terms of governance, the internal auditor will review not only the controls defined by policies and processes but will also examine whether the compliance committee reports to the audit committee. For example, the internal auditor may review compliance committee and audit committee meeting notes to ensure that the two teams are communicating risk and monitoring effectively. Then, the auditor will compare those notes to the Board meeting notes to ensure that the information flows through all stakeholders.

In essence, documenting communications and activities provides the proof auditors need to audit governance over the cybersecurity program.

How to use automation to ease auditing governance

Automation facilitates internal auditing of governance by enabling stronger communication and documentation.

Depending on the organization’s size, coordinating communication across the compliance committee, audit committee, and Board of Directors can become burdensome. Moreover, best practices also suggest that audit committee materials include executive summaries needed for identifying risks, issues, and next steps.

Thus, automation provides a way to streamline the governance auditing process. Shared drives can ease some of the communications burdens. Unfortunately, shared drives update any changes automatically which makes finding historical documentation time-consuming. The automatic updates also limit the information’s integrity since anyone with access can make changes, undermining governance.

Thus, organizations need a single-source-of-information that allows them to not only document their compliance activities but provide control over who can edit and change documents.

How ZenGRC enable auditing governance

ZenGRC’s System-of-Record makes continuous auditing and reporting easy. By streamlining the workflow, organizations can eliminate emails while tracing outstanding tasks. Additionally, the unified control management feature allows organizations to map controls across multiple frameworks, standards, and regulations to determine whether compliance gaps exist. This mapping capability enables organizations to ensure consistency that leads to stronger audit outcomes.

For example, as part of the System-of-Record dashboard, organizations have at-a-glance insight into the percentage of controls finalized and a portion of controls mapped to a particular framework.

ZenGRC’s streamlined workflow shows task managers the date on which a vendor provided a response and a status. These details mean that compliance managers no longer need to spend time following up with the organization’s multitudinous vendors.

GRC automation enables organizations to focus on the fundamental issues of compliance while eliminating the tedious tasks that often make compliance feel like a burden. Not only does this help compliance officers feel more effective at their jobs, but it also makes organizations more efficient at the ongoing task of governance and continuous monitoring.

For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.