The art of IT security audit response - Part 1: Introduction

  • Writer: CyberSecurity Simplified
  • Nov 20, 2023
  • 3 min read

Written by Jean-Camille LOISEAU | Published 20 November 2022

Companies' IT systems are exposed to a plethora of risks. From cyber threats to data breaches, IT risk management is crucial to ensure the security, reliability, and resilience of IT infrastructure and the processes that support it.


The IT risk management process of identifying, assessing, and mitigating risks associated with information technology systems and operations has become essential to ensure the confidentiality, integrity, and availability of data and systems.


This is a process that helps organizations validate their security controls and compliance, and identify gaps in their armor to further improve their IT security posture.

Typically, organizations operate the IT risk management process with a “lines of defense” model where assessments and controls are layered into multiple lines:


  1. The operational staff and managers: They should observe, identify and address deficiencies proactively.

  2. The Risk Management department: They carry out high level operational controls for established policies and ensure identified risks are addressed.

  3. The independent Internal Audit (IA): They perform an independent assessment of departments and their processes through audit missions.

  4. External Auditors and Regulators: They perform an independent assessment of business lines and ensure the organization is compliant with regulatory standards and industry best practices.


Efforts carried out by the operational teams as well as the Risk Management department are operational by nature and thus aren't as time-consuming and formalized as independent Internal or External audits, which follow specific methods and procedures.


At the front line are the operational teams. There, the IT risk management process consists mainly of discovering and identifying issues and gaps within their daily activities or documentation, and leveraging their BAU (business as usual) or project-financed staff to address those.


Operational team managers must maintain a Risk Register of all the issues and gaps they have already identified, the dependencies they have to resolve them, and what they are doing both to mitigate the immediate impact and to ultimately remediate the problems they discovered.


The manager should leverage the information in the register to escalate to their management for additional budget or resources to address challenges they cannot immediately resolve.


At the second line sits the Risk Management department, acting through its operations control function. The department is usually composed of seasoned security and compliance professionals with prior experience in both operations and audit.


The Risk Management department is responsible for formalizing the company's IT security framework, policies and procedures. It is also in charge of communicating these requirements throughout the organization.


The operations control teams are in permanent contact with all operational teams and their managers. They help them address issues identified in the Risk Register, such as errors, continuity disruptions, or compliance violations. They provide guidance and coordinate any transversal remediation actions with other departments.


In addition, they carry out regular (monthly/quarterly/yearly) reviews of operational teams' overall compliance with the organization's rules, policies, and procedures. Through these reviews, they seek to identify and assess operational risks across the organization. They also formalize reports on identified risks and collaborate with Internal Audit to ensure the best possible implementation of the risk management framework.


The next line of defense in the Risk Management framework is Internal Audit. It operates as an independent and objective assurance entity that examines and evaluates the organization's processes, controls and systems. The primary objective of Internal Audit is to provide assurance to senior management and stakeholders that the organization's operations are conducted efficiently, in accordance with laws and regulations, and in alignment with the organization's goals and objectives. It follows a very codified methodology.


The last line of defense consists of External Audit and Regulator audits, which follow very much the same processes as Internal Audit. However, external audits are conducted by independent, third-party audit firms rather than by employees of the organization.


External audits primarily focus on compliance with specific legal and regulatory requirements as well as industry best practices, not on broader internal controls and policies that may go beyond the law and regulation of the particular country the auditor is operating in. External audits are designed to provide additional assurance to external stakeholders, such as shareholders, creditors, and government authorities where the organization operates.


IT risk management and IT audit are essential to maintaining a resilient and secure IT environment in any organization. By implementing a robust IT risk management framework layered in lines of defense, companies can better protect their valuable assets and maintain the trust of their stakeholders and regulators.
