Friday, September 21, 2012

Insights from ISACA's EuroCACS ISRM Conference

Munich is always a popular place as October approaches, but I missed the wonders of the 'biergartens' in full flourish. Last week I joined a large gathering of IS Audit, Risk and Controls specialists at ISACA’s annual EuroCACS and ISRM conference at the Hilton by the Englischer Garten in the city.

The conference was well attended and some good discussions were had both in the conference sessions and in the breaks.

I met attendees from all across Europe, Middle East, Africa, North America and Asia. Many new faces but quite a few old friends and colleagues also.

My colleague Jan and I had been invited to present a conference session entitled “On the Road to Continuous Monitoring - Managing Risk in the most Efficient and Effective way”.

We had a large attendance and good interaction with the group. We had a discussion with the audience about why it is that user access controls and ‘segregation of duties’ (SoD) is such a common start point for ‘GRC’ and Continuous Monitoring initiatives. There was much agreement that this popularity was largely due to external audit focus as SoD in the largest and most widely used ERPs is an easy target.

There was less consensus over whether this reflected an objective balance of risk! I have some strong opinions on this, and there is a substantial body of evidence that shows even the most well engineered organisation, process and systems for SoD do not substantially eliminate the risk of misappropriation or mis-representation of financial statements.

However, based on his experiences at a very large, well known German industrial company, Jan presented best practices and recommendations from an example of this most classic control and compliance focussed initiative. It was well received with lots of thought provoking questions. It was technology independent and practical, based on the real world experiences and challenges of such projects.

Jan concluded with some best practice documents that would help anyone in such an SoD endeavour, notably:

·         A compliance tool audit checklist
·         Closing the loop on the remediation cycle – managing your compensating controls
·         Risk-based segregation of duties remediation

You can find additional resources here . . .

We discussed the Gordian Knot of challenges in implementing effective SoD. Just as the mythical knot could never be untied, we find many solutions to SoD challenges just make the issues more intractable. We then discussed the real nature of risk and why SoD can only be one stream of a balanced four pillar approach to risk and control monitoring. We advocated a strong risk-based balance in the effort across these streams. This has been illustrated in a previous post with my favourite picture.

By monitoring a healthy balance of controls (including SoD), data, processes and real operational transactions, businesses today are raising the bar on risk management and assurance at a much more reasonable cost than has been the norm for SoD alone.

By popular demand, Jan and I are presenting this session again via web conference and you can register for that here . . .

We also shared a white paper that further explores Continuous Monitoring / Continuous Audit and addresses the topic of balancing the types of risks to be managed, as we discussed in the session.

Through discussions with attendees and in our session, I was struck by how there has been a noticeable shift in the past year from a 'control and compliance' focus by many professionals to a much more balanced 'risk and performance' focus. This is an evolution that needs to continue. It is the best way to ensure that risk management becomes truly embedded in business thinking. I will develop this idea in a following post.

More details on the conference can be found here, together with access to the presentation materials.

Thank you ISACA for another great conference! Looking forward to EuroCACS 2013 in London.

Thanks for reading...

1 comment:

  1. I do like the manner in which you have presented this issue plus it does provide us some fodder for thought. Nonetheless, from everything that I have witnessed, I just wish good luck to you!
    santa monica venues