[Owasp-board] Internal audit plan

Jim Manico jim.manico at owasp.org
Wed Nov 19 13:32:28 UTC 2014


I think this is rather prudent; we are a security organization after 
all. What's a reasonable budget for this for an organization with our 
income? I've had significant access to various OWASP services over the 
years, so I'd be happy to sit on this committee with you, Andrew. This sounds 
like a lot of fun, frankly. I am sure it will only help the foundation.


On 11/18/14 4:33 PM, Andrew van der Stock wrote:
> Hi folks,
> I've had a discussion with Paul regarding the ad hoc requests 
> emanating from Board members.
> The way that organisations deal with these sorts of requests is to 
> set up an internal audit committee, which is usually one or more 
> representatives from the Foundation, one or more representatives from 
> the Board (and usually includes the Chair or an interested board 
> member), and usually a representative from the internal auditor. We're 
> not large enough to have an internal auditor, but the committee idea is 
> doable at our size without being too complex. There are ways to make 
> it work without being burdensome on us or the Foundation.
> Key considerations of an internal audit plan
> http://www.ey.com/Publication/vwLUAssets/EY_Key_considerations_for_your_internal_audit_plan_1/$FILE/ATT5QP7A.pdf
> Example internal audit plan (and you can find zillions of these - 
> every listed company has to have one)
> http://www.lwarb.gov.uk/UserFiles/File/Audit%20Committee%20Meetings/Internal%20Audit%20Plan%202010-11.pdf
> What I'd suggest is that we establish an internal audit committee, 
> which decides on an internal audit plan, with staff days budgeted to 
> Foundation staff or external parties to conduct the reviews. This plan 
> is to be approved by the Board, and then, as the plan is executed, the 
> reports are received by the internal audit committee for addressing 
> the findings, and a report made to the Board summarising the findings 
> and the outcomes of addressing the findings.
> This way, important topics are covered at arm's length by the Board, 
> the Foundation knows that they have X (usually 20-30, but typically no 
> more than 5% of the Foundation's total FTE) days per year budgeted for 
> internal audit activities, and the Board is providing effective 
> oversight (checks and balances) over the Foundation's operational 
> risk, use of finances, and key risks.
> What are key risks? Anything that is substantially a fundamental risk 
> to the organisation:
> - Shareholder value (we don't have this), but I would substitute Member 
>   value
> - Financial
> - Reputation
> - Privacy and regulatory
> - Compliance with tax and other laws
> So basically, I would suggest looking at topics like (and this is NOT 
> exhaustive):
> - Review the governance of financial programs such as OOTM or Chapter 
>   funding to ensure that it is effective and there are no issues with funds
> - Reviewing the effectiveness of internal governance (usually, by 
>   sampling a governance topic)
> - Security reviews of our external or internal infrastructure
> - Privileged access management
> - etc etc.
> Generally, internal audit is a function that is run at arm's length 
> from day to day operations so you don't have self-review. OWASP is not 
> really big enough for a full time staff member to do that, so I would 
> suggest that we might talk to Paul's organisation for a temporary 
> resource to be brought in, and we manage the budget that way. 
> Specialist tests could be done using external consultancies, such as 
> Bug Crowd to run a bug bounty on OWASP's infrastructure.
> If we decide the cost is too great, then basically, we need to come up 
> with an alternative that covers off the risk of self-review. We really 
> aren't big enough to justify a full time internal audit function, but 
> big enough that if we don't do something, we will have issues where 
> key risks are not being evaluated by the Board in a timely fashion 
> because we haven't planned properly.
> Thoughts?
> thanks
> Andrew
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
