Poliksena Berisha - Governance, Risk and Compliance (GRC) and role of IT Auditing in the Republic of Kosovo Public Institutions - BSides Prishtina 2022

Governance, risk, and compliance, known as GRC, is a set of processes and procedures that help organizations achieve business objectives, address uncertainty, and act with integrity. The basic purpose of GRC is to instill good business practices into everyday life. GRC has grown in stature as risks have become more numerous, more complex, and more damaging. GRC today spans multiple disciplines, including enterprise risk management, compliance, third-party risk management, internal audit, and more.

Governance. Governance stands for good governance, with the core concepts of transparency, accountability and control. Goals can only be achieved successfully if the frameworks are clear, the risk profile is known and the controls are effectively in place.

Risk. By definition, doing business requires taking risks. The balance between risk taking and control is essential in this regard. Risk management enables the organization to prioritize and steer with a healthy dose of courage.

Compliance. Complying with legal frameworks and standards plays an increasingly important role in an organization. Integrity and reliability are requirements for doing business with customers, third parties and regulators. Compliance offers the tools for this.

Audit. While the GRC abbreviation has no A for audit, audit is a fundamental part of Governance, Risk & Compliance. Audit can provide assurance that the other three GRC foundations are met. Audits provide proof of competence.

An IT audit is an investigation and evaluation of IT systems, infrastructure, policies, and operations. Through IT audits, a company can determine whether the existing IT controls protect corporate assets, ensure data integrity and align with the organization's business and financial controls.

The Assembly of the Republic of Kosovo has approved the Law on Information Society Government Bodies, which determines the bodies responsible for the development of information society services at the institutions of the Republic of Kosovo, as well as their competencies, responsibilities, organization and functioning.

This law establishes the Agency for Information Society and consolidates functions and responsibilities in the field of Information and Communication Technology (ICT).

The structures responsible for the information society in the institutions of the Republic of Kosovo are the Agency for Information Society and the relevant organizational structure or official for ICT management.

Besides IT governance, the Republic of Kosovo has been conducting IT audits since 2016 through its Supreme Audit Institution, the National Audit Office.

The National Audit Office of the Republic of Kosovo currently has two IT audit teams, which conduct around 4 audits per year.

Evaluation and identification of findings during these audits were carried out using:
• Control Objectives for Information and Related Technology (COBIT);
• Information Technology Infrastructure Library (ITIL);
• Handbook on IT Audit for Supreme Audit Institutions;
• IT auditing standards:
  • ISSAI 5300;
  • ISO 27001/2, etc.;
• Laws and regulations of the Republic of Kosovo;
• Internal policies, procedures and regulations of the audited institutions;
• Similar research models conducted by SAIs in different countries;
• Digital and technological tools such as CAATs;
• A questionnaire prepared for the audit/evaluation process.