[Owasp-board] Internal audit plan

Andrew van der Stock vanderaj at owasp.org
Thu Nov 20 23:18:43 UTC 2014


Being on an internal audit committee is not a lot of fun. It finalises the
Board's review agenda, works out the best folks to perform a review (and
thus provides sufficient time and resources to get reviews done), and makes
sure that reviews are delivered on time for the Board's timely review of
results. It will never be a board within a board, as Board decisions aren't
made there.

That's the idea of the internal audit committee: the Board sets the
direction for the next 12-36 months (we can decide on the plan's duration
and topics), and the Foundation or outside help executes it. The idea is
that the more time-consuming BAU review activities are planned. Ad hoc
requests are still possible, but the internal audit plan is there to ensure
BAU checks and balances take place.

By detailing what needs to be reviewed and by when, I think it's fairer to
the Foundation staff as they don't have to jump at every request, but are
well aware of what's in the pipeline. We can decide the number of days to
allocate based upon staff workload and activities requested.


On Thu, Nov 20, 2014 at 3:59 PM, Tobias <tobias.gondrom at owasp.org> wrote:

> Sounds good. Would support that.
> There are three things I would like to ensure:
> 0. that this does not become "a board within a board"
> 1. that every board member (whether on this audit team or not) can
> continue to make direct requests for information to fulfil their fiduciary
> duties.
> 2. to make sure we are considerate when using the time from our staff for
> this and do not overly burden them with audits.
> Just my 2cents.
> Best wishes, Tobias
> On 19/11/14 03:32, Jim Manico wrote:
> Andrew,
> I think this is rather prudent; we are a security organization after all.
> What's a reasonable budget for this for an organization with our income?
> I've had significant access to various OWASP services over the years, I'd
> be happy to sit on this committee with you, Andrew. This sounds like a lot of
> fun, frankly. I am sure it will only help the foundation.
> Aloha,
> Jim
> On 11/18/14 4:33 PM, Andrew van der Stock wrote:
> Hi folks,
>  I've had a discussion with Paul regarding the ad hoc requests emanating
> from Board members.
> The way that organisations deal with these sorts of requests is to set
> up an internal audit committee, which is usually one or more
> representatives from the Foundation, one or more representatives from the
> Board (and usually includes the Chair or an interested board member), and
> usually a representative from the internal auditor. We're not large enough
> to have an internal auditor, but the committee idea is doable at our size
> without being too complex. There are ways to make it work without being
> burdensome on us or the Foundation.
>  Key considerations of an internal audit plan
> http://www.ey.com/Publication/vwLUAssets/EY_Key_considerations_for_your_internal_audit_plan_1/$FILE/ATT5QP7A.pdf
>  Example internal audit plan (and you can find zillions of these - every
> listed company has to have one)
> http://www.lwarb.gov.uk/UserFiles/File/Audit%20Committee%20Meetings/Internal%20Audit%20Plan%202010-11.pdf
>  What I'd suggest is that we establish an internal audit committee, which
> decides on an internal audit plan, staff days being budgeted to Foundation
> staff or external parties to conduct the reviews, this plan is to be
> approved by the Board, and then as the plan is executed, the reports are
> received by the internal audit committee for addressing the findings, and a
> report made to the Board summarising the findings and the outcomes of
> addressing the findings.
>  This way, important topics are covered at arms length by the Board, the
> Foundation knows that they have X (usually 20-30, but typically no more
> than 5% of the Foundation's total FTE) days per year budgeted for internal
> audit activities, and the Board is providing effective oversight (checks
> and balances) over the Foundation's operational risk, use of finances, and
> key risks.
>  What are key risks? Anything that is substantially a fundamental risk to
> the organisation:
>  Shareholder value (we don't have this), but I would substitute Member
> value
> Financial
> Reputation
> Privacy and regulatory
> Compliance with tax and other laws
>  So basically, I would suggest looking at topics like (and this is NOT
> exhaustive):
>  Review the governance of financial programs such as OOTM or Chapter
> funding to ensure that it is effective and there are no issues with funds
> Reviewing the effectiveness of internal governance (usually, by sampling a
> governance topic)
> Security reviews of our external or internal infrastructure
> Privileged access management
> etc etc.
>  Generally, internal audit is a function that is run at arms length from
> day to day operations so you don't have self-review. OWASP is not really
> big enough for a full time staff member to do that, so I would suggest that
> we might talk to Paul's organisation for a temporary resource to be brought
> in, and we manage the budget that way. Specialist tests could be done using
> external consultancies, such as Bug Crowd to run a bug bounty on OWASP's
> infrastructure.
>  If we decide the cost is too great, then basically, we need to come up
> with an alternative that covers off the risk of self-review. We really
> aren't big enough to justify a full time internal audit function, but big
> enough that if we don't do something, we will have issues where key risks
> are not being evaluated by the Board in a timely fashion because we haven't
> planned properly.
>  Thoughts?
>  thanks
> Andrew
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board