Does anyone have experience standing up a central organization that is responsible for resolving findings from audits? I am tasked with intaking findings from audits, organizing remediation projects/programs/teams to remediate those findings and track remediation to completion.


262 views, 22 Upvotes, 8 Comments

Sr. Managing Director in Finance (non-banking), 5,001 - 10,000 employees
Yes. A few pointers:
- prioritize findings
- estimate resolution timings
- take evidence/screenshots of current and future states (after fixed)
- identify key stakeholders, a point person in each area
- have a regular cadence for meetings/status updates
Manager in Services (non-Government), 10,001+ employees
You may follow the typical Findings Remediation process:
1. Identify the findings
2. Understand the findings
3. Determine the root cause
4. Develop an action plan that auditors agree to, to make sure the action plan is on the right track
5. Implement corrective measures
6. Monitor progress
7. Validate effectiveness
8. Document and communicate
9. Continuous improvement/Follow-up audits
Director IT in Software, 10,001+ employees
Audits will have multiple findings based on the area of audit done.
Prioritize based on business-critical, customer-facing applications, data criticality, and reputation-impact findings.
Enterprise Security & Risk Management Architect in Insurance (except health), 10,001+ employees
This isn't a project planning issue, but more of a business priority understanding. You need to make sure you have the mandate so the areas with identified audit issues will correctly prioritize the work. Any business area will prioritize normal business delivery over any compliance issue unless it is seen as a company mandate to do so. You will be prioritizing business delivery with remediation work. Understanding the real costs of the issue and the remediation is crucial.
Global Chief Cybersecurity Strategist & CISO in Healthcare and Biotech, Self-employed
Agree with what others have stated. You need to understand Enterprise Risk Tolerance and address issues that go beyond that by the most significant margin in risk to the company. They may manage in numerous ways, such as remediating, transferring risk, etc. Look at the COSO Framework, which is within SOC, ISO, and HITRUST to a small degree. NIST Risk Framework and others are built around COSO. Their 2023 Fraud Guidance was recently released. Link to their FREE documents: Guidance (coso.org)
2 Replies
Director of IT in Government, Self-employed

Thank you, Rebecca, but the link doesn't work. It could be my VPN, so I will try again later.

Global Chief Cybersecurity Strategist & CISO in Healthcare and Biotech, Self-employed

Sorry about that, maybe it's the way they have the domain set up. This one works.
https://www.coso.org/SitePages/Guidance.aspx

Director in Manufacturing, 1,001 - 5,000 employees
Others have already supplied great advice. I'll add a tip that is very relevant when those who are doing the remediation do not report to you and you have little to no influence on their performance reviews. Ensure that the action takers, those doing the remediation, have goals tied measurably to remediation in the HR system that will be used to evaluate their performance and pay raises. Likewise for their leadership. If their pay raise and performance are not tied to specific remediation measurables, and you don't control their performance ratings, you will not get anything done.
