[Owasp-board] Internal audit plan

Tobias tobias.gondrom at owasp.org
Thu Nov 20 04:59:48 UTC 2014

Sounds good. Would support that.

There are three things I would like to ensure:
0. that this does not become "a board within a board"
1. that every board member (whether on this audit team or not) can 
continue to make direct requests for information to fulfil their 
fiduciary duties.
2. to make sure we are considerate when using the time from our staff 
for this and do not overly burden them with audits.

Just my 2 cents.

Best wishes, Tobias

On 19/11/14 03:32, Jim Manico wrote:
> Andrew,
> I think this is rather prudent; we are a security organization after 
> all. What's a reasonable budget for this for an organization with our 
> income? I've had significant access to various OWASP services over the 
> years, I'd be happy to sit on this committee with you, Andrew.  This 
> sounds like a lot of fun, frankly. I am sure it will only help the 
> foundation.
> Aloha,
> Jim
> On 11/18/14 4:33 PM, Andrew van der Stock wrote:
>> Hi folks,
>> I've had a discussion with Paul regarding the ad hoc requests 
>> emanating from Board members.
>> The way that organisations deal with these sorts of requests is to 
>> set up an internal audit committee, which is usually one or more 
>> representatives from the Foundation, one or more representatives from 
>> the Board (and usually includes the Chair or an interested board 
>> member), and usually a representative from the internal auditor. 
>> We're not large enough to have an internal auditor, but the committee 
>> idea is doable at our size without being too complex. There are ways 
>> to make it work without being burdensome on us or the Foundation.
>> Key considerations of an internal audit plan
>> http://www.ey.com/Publication/vwLUAssets/EY_Key_considerations_for_your_internal_audit_plan_1/$FILE/ATT5QP7A.pdf
>> Example internal audit plan (and you can find zillions of these - 
>> every listed company has to have one)
>> http://www.lwarb.gov.uk/UserFiles/File/Audit%20Committee%20Meetings/Internal%20Audit%20Plan%202010-11.pdf
>> What I'd suggest is that we establish an internal audit committee, 
>> which decides on an internal audit plan, staff days being budgeted to 
>> Foundation staff or external parties to conduct the reviews, this 
>> plan is to be approved by the Board, and then as the plan is 
>> executed, the reports are received by the internal audit committee 
>> for addressing the findings, and a report made to the Board 
>> summarising the findings and the outcomes of addressing the findings.
>> This way, important topics are covered at arm's length by the Board, 
>> the Foundation knows that they have X (usually 20-30, but typically 
>> no more than 5% of the Foundation's total FTE) days per year budgeted 
>> for internal audit activities, and the Board is providing effective 
>> oversight (checks and balances) over the Foundation's operational 
>> risk, use of finances, and key risks.
>> What are key risks? Anything that is substantially a fundamental risk 
>> to the organisation:
>> - Shareholder value (we don't have this), but I would substitute Member 
>>   value
>> - Financial
>> - Reputation
>> - Privacy and regulatory
>> - Compliance with tax and other laws
>> So basically, I would suggest looking at topics like (and this is NOT 
>> exhaustive):
>> - Review the governance of financial programs such as OOTM or Chapter 
>>   funding to ensure that it is effective and there are no issues with 
>>   funds
>> - Reviewing the effectiveness of internal governance (usually, by 
>>   sampling a governance topic)
>> - Security reviews of our external or internal infrastructure
>> - Privileged access management
>> - etc etc.
>> Generally, internal audit is a function that is run at arm's length 
>> from day to day operations so you don't have self-review. OWASP is 
>> not really big enough for a full time staff member to do that, so I 
>> would suggest that we might talk to Paul's organisation for a 
>> temporary resource to be brought in, and we manage the budget that 
>> way. Specialist tests could be done using external consultancies, 
>> such as Bug Crowd to run a bug bounty on OWASP's infrastructure.
>> If we decide the cost is too great, then basically, we need to come 
>> up with an alternative that covers off the risk of self-review. We 
>> really aren't big enough to justify a full time internal audit 
>> function, but big enough that if we don't do something, we will have 
>> issues where key risks are not being evaluated by the Board in a 
>> timely fashion because we haven't planned properly.
>> Thoughts?
>> thanks
>> Andrew
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board
