Does anyone have experience standing up a central organization that is responsible for resolving findings from audits? I am tasked with intaking findings from audits, organizing remediation projects/programs/teams to remediate those findings and track remediation to completion.
Vice President in Banking (a year ago)
You may follow the typical Findings Remediation process:
1. Identify the findings
2. Understand the findings
3. Determine the root cause
4. Develop an action plan that audits agree to make sure the action plan is on the right track
5. Implement corrective measures
6. Monitor progress
7. Validate effectiveness
8. Document and communicate
9. Continuous improvement/Follow-up audits
Director IT in Software (a year ago)
Audits will have multiple findings based on the area of audit done. Prioritize based on business-critical, customer-facing applications, data criticality, and reputation impact findings.
Enterprise Security & Risk Management Architect in Insurance (except health) (a year ago)
This isn't a project planning issue, but more of a business priority understanding. You need to make sure you have the mandate so the areas with identified audit issues will correctly prioritize the work. Any business area will prioritize normal business delivery over any compliance issue unless it is seen as a company mandate to do so. You will be prioritizing business delivery with remediation work. Understanding the real costs of the issue and the remediation is crucial.
Global Chief Cybersecurity Strategist & CISO in Healthcare and Biotech (a year ago)
Agree with what others have stated. You need to understand Enterprise Risk Tolerance and address issues that go beyond that by the most significant margin in risk to the company. They may manage in numerous ways, such as remediating, transferring risk, etc. Look at the COSO Framework, which is within SOC, ISO, and HITRUST to a small degree. NIST Risk Framework and others are built around COSO. Their 2023 Fraud Guidance was recently released. Link to their FREE documents: Guidance (coso.org)
Director of IT in Government (a year ago)
Thank you, Rebecca, but the link doesn't work. It could be my VPN so I will try again later.
Global Chief Cybersecurity Strategist & CISO in Healthcare and Biotech (a year ago)
Sorry about that, maybe it's the way they have the domain set up. This one works.
https://www.coso.org/SitePages/Guidance.aspx
- prioritize findings
- estimate resolution timings
- take evidence/screenshots of current and future states (after fixed)
- identify key stakeholders, point person in each area
- have regular cadence for meetings/status updates