[Owasp-board] Internal audit plan

Andrew van der Stock vanderaj at owasp.org
Tue Nov 18 23:33:53 UTC 2014

Hi folks,

I've had a discussion with Paul regarding the ad hoc requests emanating
from Board members.

The way that organisations deal with these sorts of requests is to set up
an internal audit committee, which is usually one or more representatives
from the Foundation, one or more representatives from the Board (and
usually includes the Chair or an interested board member), and usually a
representative from the internal auditor. We're not large enough to have an
internal auditor, but the committee idea is doable at our size without being
too complex. There are ways to make it work without being burdensome on us
or the Foundation.

Key considerations of an internal audit plan

Example internal audit plan (and you can find zillions of these - every
listed company has to have one)

What I'd suggest is that we establish an internal audit committee, which
decides on an internal audit plan, with staff days being budgeted to Foundation
staff or external parties to conduct the reviews. This plan is to be
approved by the Board. Then, as the plan is executed, the reports are
received by the internal audit committee for addressing the findings, and a
report is made to the Board summarising the findings and the outcomes of
addressing the findings.

This way, important topics are covered at arm's length by the Board, the
Foundation knows that they have X (usually 20-30, but typically no more
than 5% of the Foundation's total FTE) days per year budgeted for internal
audit activities, and the Board is providing effective oversight (checks
and balances) over the Foundation's operational risk, use of finances, and
key risks.

What are key risks? Anything that is substantially a fundamental risk to
the organisation:

Shareholder value (we don't have this), but I would substitute Member value
Privacy and regulatory
Compliance with tax and other laws

So basically, I would suggest looking at topics like (and this is NOT

Review the governance of financial programs such as OOTM or Chapter funding
to ensure that it is effective and there are no issues with funds
Review the effectiveness of internal governance (usually, by sampling a
governance topic)
Security reviews of our external or internal infrastructure
Privileged access management
etc etc.

Generally, internal audit is a function that is run at arm's length from day
to day operations so you don't have self-review. OWASP is not really big
enough for a full time staff member to do that, so I would suggest that we
might talk to Paul's organisation for a temporary resource to be brought
in, and we manage the budget that way. Specialist tests could be done using
external consultancies, such as Bug Crowd to run a bug bounty on OWASP's

If we decide the cost is too great, then basically, we need to come up with
an alternative that covers off the risk of self-review. We really aren't
big enough to justify a full time internal audit function, but big enough
that if we don't do something, we will have issues where key risks are not
being evaluated by the Board in a timely fashion because we haven't planned

