Thursday, April 25, 2013

Dallas hosts 2013 ISACA NACACS Conference - IS, Audit, Risk & Control


Last week saw hundreds of IS, Risk, Control and Audit professionals descend on the Hyatt Regency in downtown Dallas, just two short blocks from the grassy knoll where JFK was assassinated in a different time.

With 63 sessions and 90 presenters, the 2013 ISACA North American CACS Conference was a hive of networking and learning. There were sessions addressing a wide spectrum of risk topics, including perspectives on audit, enterprise applications, security in a changing world, cloud, mobile, social, BYOD and more. There were also challenging sessions which addressed the business preoccupation with security and control in a world where there is no 100% protection.

My role there was to co-present a session on balancing risk and control with business performance with Gonzalo Cuatrecasas, former Head of IT Audit at Colgate Palmolive and former CIO at Applus.


The 'drumbeat' of the conference was that of technology step-changes and the implication that now technology, more than ever before, is the business, woven into the fabric of every process. Interestingly, this focus on technology gave rise to much discussion and the assertion that there is no longer any such thing as IT risk, only BUSINESS RISK!

Some video highlights from the conference can be viewed here . . . and all the presentations from the conference are available to download here . . .

The keynote speaker, David Pogue of the New York Times, was sharp, energetic, entertaining, enlightening and even musical. He took us through the changes of technology which are shaping today's millennial generation with some humour, referring to his own kids in many stories. As a classical musician, he also raised the energy of the auditorium with amusing renditions of famous songs with revised lyrics to poke fun at the world of Twitter, YouTube, Facebook et al.

The ISACA group has a motto 'Trust in, and value from, Information Systems'. I sense we are moving towards a time of 'trust in, and value from, business process'. This was reflected in a number of the talks.

Gonzalo and I presented session 124 - 'Exception Analytics - Balancing Risk & Control'. You can find the presentation material here . . .


Gonzalo shared many powerful stories from his time at Colgate, relating to ERP implementation, audit findings, compliance and process variation across regions. The presentation themes included:

- The landscape of Risk Assurance
- Managing risk and managing control
- The role of exception analytics
- Approach to exception analytics
- Real life case study examples
- Risk & business performance
- Pitfalls and critical success factors

Gonzalo left us all with three key takeaways:

1 - Controls can leave us with a false sense of security. There are no 100% effective preventive controls. Focus on the business risk.

2 - Continuous Improvement is the order of the day. Driving out process exceptions is the key.

3 - Manage by facts not anecdote. Data analytics on 100% of relevant business transactions drives a fact based discussion. Exceptions have a monetary value as well as risk impact.

I took some key thoughts from the conference:

- Despite, or perhaps because of, the accelerating adoption of smart technology today, the term 'IT risk' is no longer a valid concept. It's all business risk.

- This means that we need to focus all risk and control effort, including audit, as common, integrated business initiatives. If there is no IT risk, why do we need IT audit? Surely, all audit will address relevant technology.

- Social, mobile technologies will become part of the fabric of enterprise applications and processes - get ready for it!

- Assume all preventive security and control is already compromised. Some of the biggest brains in geekdom illustrated hacking corporate application servers in a matter of minutes.

- The one thing that is a constant, in addition to change, is the need for developing the soft professional skills around communication, business analysis, critical thinking and dealing with conflict. Perhaps next year we should have some more focus on change management and people skills?

After the conference, Gonzalo and I travelled to New York for further meetings. After saying our goodbyes, I continued my trip to Houston, New Orleans, Orlando and Chicago, from where I am writing this now.

Thanks for reading . . . .









2 comments:

  1. Soon after look at a pair of of the weblog posts on your internet site now, and I actually like your signifies of blogging. I bookmarked it to my bookmark web internet site record and will most likely be examining yet again shortly. Make sure you check out out my internet web site as properly and permit me know what you consider.

    moving from dallas
    fort worth moving

  2. I wish this will last for ages. Because development is what we really need right now, especially to water restorations. If you happen to have this kind of problem. I recommend rmr 86 rapid mold remover. You can check them on this link
