© ISACA 2016. All Rights Reserved.
The Role of Public Sector Audit and Risk Committees in Cybersecurity & Digital Transformation
Tichaona Zororo
CIA, CISA, CISM, CRISC, CRMA, CGEIT, COBIT 5 Certified Assessor
B.Sc. Honours Information Systems, PGD Computer Auditing
Accredited COBIT 5 & Certifications Trainer
Emerging & Merging Technologies - The 4th Industrial Revolution
Internet of Threats
Cloud Computing
Drones & Robotics
Artificial Intelligence
Blockchain
Predictive Analytics
DevOps
Mobility
Social Media
Cybersecurity
Augmented Reality
Smart Cities
2018 Active Social Media Users – 3.196 Billion
2017 Active Social Media Users – 2.789 Billion
2017 Internet Users – 3.78 Billion
2018 Unique Mobile Users – 5.135 Billion
2018 Global Internet Users – 4.021 Billion
2018 Global Active Mobile Social Users – 2.958 Billion
218 Million Unique Mobile Users increase from 2017 to 2018
28.66 Million South Africans are active Internet Users. 1.8 Million increase from 2016
There are 79.91 Million mobile subscriptions in South Africa out of 55.21 Million South Africans
15 Million South Africans are active Social Media Users. 2 Million increase from 2016
2016 Active Social Media Users in South Africa – 18 Million
2018 Active Mobile Social Users – 16 Million
2018 South Africa Unique Mobile Devices – 38 Million
2018 Monthly Active Facebook Users in South Africa – 18 Million
2018 South Africa Internet Users – 30.81 Million
DevOps
Integration of product development with IT operations
IT operations staff work closely with developers to test and launch new software features quickly, breaking traditional barriers
A perpetual development and improvement model
Central to a company's ability to test new digital business capabilities and bring them to market rapidly
Teams no longer have to wait for sign-offs, handoffs, and preparation of test environments when writing code. Those tasks are managed within the team, with immediate input from development and operations specialists.
Moving code to production every 12 seconds
Improved IT operations; improved business efficiency to meet market demands
DevOps stakeholders: Development, Operations, Quality Assurance, Security
The business benefits of DevOps:
Reduced time to market
Faster return on investment
High performance – Amazon, Google
Increased quality
Customer satisfaction
Reduced IT waste
Improved supplier and business partner performance
Reduced human errors
Risks:
Conflicting roles leading to loss of segregation of duties and authentication
Release rates faster than established business metrics
Non-compliance with some regulations, e.g., PCI DSS, HIPAA
Shadow adoption
Lack of skills
Resistance – traditional assurance providers
King IV™ on Digital Transformation Governance & Cybersecurity
Governing Body Responsibilities: Strategy, Policy, Oversight, Accountability
17 Principles & 214 Recommended Practices
Governance Outcomes: Ethical Culture, Good Performance, Effective Control, Legitimacy
Governance and cybersecurity of information and technology have become critical issues
Technology is no longer simply an enabler: the systems an enterprise creates provide the platform to deliver its strategic (integrated development plan) and performance (service delivery and budget implementation plan) objectives
Information and technology are now the source of many enterprises' future opportunities and potential disruption; risk and opportunity are increasingly two sides of the same coin
Information and technology governance and cybersecurity should become a recurring item on Audit and Risk Committees' agendas
Principle 12:
The governing body should govern technology and information in a way that supports the organisation setting and achieving its strategic objectives.
8 Practices
Assume responsibility for the governance of information and technology by setting the direction for how information and technology should be approached and addressed in the organisation
Delegate to management the responsibility to implement and execute effective information and technology management
Exercise ongoing oversight of information and technology management
Exercise ongoing oversight of the management of information
Exercise ongoing oversight of the management of technology
Consider the need to receive periodic independent assurance on the effectiveness of the organisation's information and technology arrangements, including outsourced services
Related disclosures
King III on IT Governance
9 Chapters and 75 Principles
Chapter 1: Ethical Leadership & Corporate Citizenship – 3 Principles
Chapter 2: Boards & Directors – 27 Principles
Chapter 3: Audit Committees – 10 Principles
Chapter 4: The Governance of Risk – 10 Principles
Chapter 5: The Governance of Enterprise IT – 7 Principles
Chapter 6: Compliance with Laws, Rules, Codes and Standards – 4 Principles
Chapter 7: Internal Audit – 5 Principles
Chapter 8: Governing Stakeholder Relationships – 6 Principles
Chapter 9: Integrated Reporting & Disclosure – 3 Principles
The Governance of Enterprise IT
Principle 5.1: The board should be responsible for information technology (IT) governance
Principle 5.2: IT should be aligned with the performance and sustainability objectives of the company
Principle 5.3: The board should delegate to management the responsibility for the implementation of an IT governance framework
Principle 5.4: The board should monitor and evaluate significant IT investments and expenditure
Principle 5.5: IT should form an integral part of the company's risk management
Principle 5.6: The board should ensure that information assets are managed effectively
Principle 5.7: A risk committee and audit committee should assist the board in carrying out its IT responsibilities
The 10 Core Principles for the Professional Practice of Internal Auditing
Demonstrates integrity
Demonstrates competence and due professional care
Is objective and free from undue influence (independent)
Is appropriately positioned and adequately resourced
Demonstrates quality and continuous improvement
Aligns with the strategies, objectives, and risks of the organisation
Is insightful, proactive, and future-focused
Promotes organisational improvement
Communicates effectively
Provides risk-based assurance
Cultural Shift
Questions
Tichaona Zororo
@TichaonaZororo
+27 (0) 73 298 9606
EGIT | Enterprise Governance of IT (Pty) Ltd
+27 (0) 11 234 2597
tichaona.zororo
tichaonazororo
Thank you