
© ISACA 2016. All Rights Reserved.

The Role of Public Sector Audit and Risk Committees in Cybersecurity & Digital Transformation


Tichaona Zororo

CIA, CISA, CISM, CRISC, CRMA, CGEIT, COBIT 5 Certified Assessor

B.Sc. Honours Information Systems, PGD Computer Auditing

Accredited COBIT 5 & Certifications Trainer


Emerging & Merging Technologies - The 4th Industrial Revolution


Internet of Threats
Cloud Computing
Drones & Robotics
Artificial Intelligence
Blockchain
Predictive Analytics
DevOps
Mobility
Social Media
Cybersecurity
Augmented Reality
Smart Cities


2018 Active Social Media Users – 3.196 Billion
2017 Active Social Media Users – 2.789 Billion
2017 Internet Users – 3.78 Billion
2018 Unique Mobile Users – 5.135 Billion
2018 Global Internet Users – 4.021 Billion
2018 Global Active Mobile Social Users – 2.958 Billion
218 Million Unique Mobile Users increase from 2017 to 2018


28.66 Million South Africans are active Internet Users – a 1.8 Million increase from 2016
There are 79.91 Million mobile subscriptions in South Africa out of 55.21 Million South Africans
15 Million South Africans are active Social Media Users – a 2 Million increase from 2016


2016 Active Social Media Users in South Africa – 18 Million
2018 Active Mobile Social Users – 16 Million
2018 South Africa Unique Mobile Devices – 38 Million
2018 Monthly Active Facebook Users in South Africa – 18 Million
2018 South Africa Internet Users – 30.81 Million


DevOps

Integration of product development with IT operations.

IT operations staffers work closely with development to test and launch new software features quickly, breaking traditional barriers.

Perpetual development and improvement model.

Central to a company's ability to test new digital business capabilities and bring them to market rapidly.

Teams would no longer have to wait for sign-offs, handoffs, and preparation of test environments when writing code. Those tasks would be managed within the team, with immediate input from development and operations specialists.

Moving code to production every 12 seconds.

Improved IT operations and improved business efficiency to meet market demands.


Stakeholders (DevOps):
Development
Operations
Quality Assurance
Security

The business benefits of DevOps:
Reduced time to market
Faster return on investment
High performance – Amazon, Google
Increased quality
Customer satisfaction
Reduced IT waste
Improved supplier and business partner performance
Human errors

Risks:
Conflicting roles leading to loss of segregation of duties and authentication
Release rates faster than established business metrics
Non-compliance with some regulations, e.g., PCI DSS, HIPAA
Shadow adoption
Lack of skills
Resistance – traditional assurance providers


King IV™ on Digital Transformation Governance & Cybersecurity

Governing Body Responsibilities: Strategy, Policy, Oversight, Accountability

17 Principles & 214 Recommended Practices

Governance Outcomes: Ethical Culture, Good Performance, Effective Control, Legitimacy


Governance and cybersecurity of information and technology have become critical issues. Technology is no longer simply an enabler: the systems created by an enterprise provide the platform to deliver its strategic (integrated development plan) and performance (service delivery and budget implementation plan) objectives. Information and technology are now the source of many enterprises' future opportunities and potential disruption; risk and opportunity are increasingly two sides of the same coin. Information and technology governance and cybersecurity should therefore become a recurring item on Audit and Risk Committees' agendas.


Principle Number 12:

The governing body should govern technology and information in a way that supports the organisation in setting and achieving its strategic objectives.


8 Practices

1. Assume responsibility for the governance of information and technology
2. Delegate to management the responsibility to implement and execute effective information and technology management
3. Exercise ongoing oversight of information & technology management
4. Exercise ongoing oversight of the management of information


5. Assume responsibility for the governance of information and technology by setting the direction for how information and technology should be approached and addressed in the organisation
6. Exercise ongoing oversight of the management of technology
7. Consider the need to receive periodic independent assurance on the effectiveness of the organisation's information and technology arrangements, including outsourced services
8. Related disclosures


King III on IT Governance

9 Chapters and 75 Principles

Chapter 1: Ethical Leadership & Corporate Citizenship – 3 Principles
Chapter 2: Boards & Directors – 27 Principles
Chapter 3: Audit Committees – 10 Principles
Chapter 4: The Governance of Risk – 10 Principles
Chapter 5: The Governance of Enterprise IT – 7 Principles
Chapter 6: Compliance with Laws, Rules, Codes and Standards – 4 Principles
Chapter 7: Internal Audit – 5 Principles
Chapter 8: Governing Stakeholder Relationships – 6 Principles
Chapter 9: Integrated Reporting & Disclosure – 3 Principles


The Governance of Enterprise IT

Principle 5.1: The board should be responsible for information technology (IT) governance
Principle 5.2: IT should be aligned with the performance and sustainability objectives of the company
Principle 5.3: The board should delegate to management the responsibility for the implementation of an IT governance framework
Principle 5.4: The board should monitor and evaluate significant IT investments and expenditure
Principle 5.5: IT should form an integral part of the company's risk management
Principle 5.6: The board should ensure that information assets are managed effectively
Principle 5.7: A risk committee and audit committee should assist the board in carrying out its IT responsibilities


The 10 Core Principles for the Professional Practice of Internal Auditing

1. Demonstrates integrity
2. Demonstrates competence and due professional care
3. Is objective and free from undue influence (independent)
4. Is appropriately positioned and adequately resourced
5. Demonstrates quality and continuous improvement
6. Aligns with the strategies, objectives, and risks of the organisation
7. Is insightful, proactive, and future-focused
8. Promotes organisational improvement
9. Communicates effectively
10. Provides risk-based assurance


Cultural Shift


Questions


@TichaonaZororo

Tichaona Zororo

+27 (0) 73 298 9606

tichaona.zororo@egit.co.za

EGIT | Enterprise Governance of IT (Pty) Ltd

+27 (0) 11 234 2597

tichaona.zororo

tichaonazororo



Thank you
