Sign in

IT Security, GRC, IT Audit

Alberta, Canada
February 04, 2010

Contact this candidate

Sharan Khurana MBA, CISA, CGEIT

***-**** ***. **, ***. 2005, Calgary AB T2R 0A3;; 403-***-****


• An IT Security, Governance and Compliance professional with 8+ years of experience and knowledge of IT Security and IT Governance practices, Auditing Standards (IIA and ISACA), processes, methodologies and audit software tools (ACL and CAATS), reputed for having an eye for finer details without losing the bigger picture. Has always met the time schedules and business budgets.

• Designed and implemented revenue leakage process for Internal Auditors and IT Auditors and detected revenue leakage of $ 220,000 in one year.

• Used communication, interviewing, analytical, problem solving conceptual abilities and COSO for documentation of IT and Business Processes/controls, to re-engineer and develop new processes and controls for risk mitigation and for making corporations SOX/Bill 198 compliant.

• Designed and prepared Risk Based Audit Policy, Information System Audit Policy, Corporate Audit Report Template and revised Internal Audit Manual and IS Audit Manual of an international Bank

• Regularly delivered lectures in Bank’s training college on “Information system Security Policy”, “Risk Management”; “Audit Process” and “Improvement in Audit Risk Rating”

• Strong people management skills, effective team leader and a team player capable of managing multiple tasks/teams and projects. Known for developing strong and lasting relationships.

• Excellent communicator, coach, mentor, influencer and facilitator capable of conducting meetings and making presentation to senior management and influencing stake holders.

• Won 5 awards for meeting business budgets and 3 promotions for high performance.

Skills/Areas of expertise


• Implementation of COBIT/ISO. Completing evaluation of effectiveness of existing operational security controls i.e. “As-Is” assessment, envisioning “To-Be” processes/controls

• Preparing gap analysis, implementation plan for mitigation of risks and executing the plan

• Designing and implementing new processes and controls, improving existing processes/controls

• Developing and maintaining information security policy, standards and procedures.

• Designing and implementing Key Goal Indicators (KGIs) and Key Performance Indicators (KPIs) for enterprise wide infrastructure and systems like servers, DBs, networks etc. for measuring the maturity level of various processes/controls and for sustaining these processes/ controls

• Designing and implementing processes for sustaining Maturity Model (MM) Level 3 and improving to MM Level 4

• Preparing and delivering training and awareness programs on IT Security process.

• Preparing IT security policies, standards, processes, procedures

• Delivering knowledge transfer sessions for internalizing the processes/controls.

• Review of access rights, RBAC (Role Based Access Control) and segregation of duties


• Planning, risk control analysis, risk rating, scoping, executing, monitoring, finding deficiencies (design and operating effectiveness)

• Conducting risk assessment, assessing vulnerabilities and prioritizing risks/controls

• Mapping with ISO/COBIT, preparing and presenting gap analysis, and remediation plan.

• Auditing IT Infrastructure, ITGC and Application Controls.

• Preparing quality audit reports with practical recommendations, presenting deficiencies to stakeholders and audit committee

• Auditing Branch Banking Solutions (ERP), Data Centre and Disaster Recovery Site; Audit of Credit Card Department for PCI –DSS Compliance.


• Risk Analysis and Impact Analysis for BCP/DRP.

• Preparation of BCP/DRP Framework

• Preparation, walkthrough and testing of BCP/DRP

Page 1 of 3

Sharan Khurana MBA, CISA, CGEIT

Professional experience

AltaGas, Calgary 2009

IT Auditor

• Identified and evaluated risk areas and provided input in developing the annual audit plan

• Performed IT audit procedures, including identifying and defining issues, developing criteria, reviewing and analyzing evidences, and documenting client processes and procedures

• Conducted interviews, reviewed documents, developed and administered surveys, composed summary memos, prepared working papers, recommendations and audit reports.

CSI Consulting, Toronto 2006 - 2008

Direct Energy, Toronto –IT Audit (Team Lead, team size 2, duration 3 months)

• Audited 6 critical IT Applications (LAWSON, KIODEX, NMARKET, ENDUR etc.) covering

o Access Controls in Windows, Sybase, Oracle environments

o Change Controls, Systems Development Life Cycle controls,

o Input Controls and

o Computer Operations Controls.

Result: The security level of the applications increased giving better assurance to the management.

Sherritt Intl Corp., Calgary – Bill 198 Compliance (Project Lead, Team size 2, duration 6 months)

• Scoped, Documented Process Narratives and VISIO flowcharts both for Business Processes (Month/quarter/year end close, Purchase, Sales, AP, AR) and IT Processes.

• Performed Risk Control Analysis, Documented gaps and communicated with process owners

• Prepared gap analysis and RCM (Risk Control Matrices)

• Designed controls, undertook walk through, and redesigned processes and controls.

• Tested design and operational effectiveness of key business process controls and IT controls.

Result: The Company became Bill 198 compliant.

Kinross Gold Corp., Toronto – SOX Compliance (Duration 3 months)

• Reviewed documentation prepared for SOX compliance and advised on process changes for control effectiveness and quality improvement.

• Designed tests, performed walkthroughs, tested design and operational effectiveness of controls at locations in US and Canada.

• Recorded test results and significant deficiencies on company’s web based SOX application for corrective action.

• After this project the company met with the requirement of quarterly testing of SOX controls

Result: Company improved their control framework and met with the statutory requirement of quarterly testing of SOX controls

Toronto Hydro, Toronto – COBIT, BCP/DRP (Team lead, Team size 3, duration 12 months)

• Implemented COBIT, DS5

• Completed “As-Is” assessment and envisioned the “To-Be” process

• Designed, developed and implemented Key Goal Indicators (KGIs) and Key Performance Indicators (KPIs) for enterprise wide infrastructure and systems like servers, databases, networks, help desk etc. for measuring the maturity level of various processes/controls for sustaining these processes/controls. Resulting in quality improvement of processes/controls and metrics.

• Designed Process for sustaining Maturity Model Level 3 and moving ahead for MM Level 4.

• Prepared Risk Analysis, Impact Analysis and BCP/DRP framework.

• Conducted Threat Risk Analysis (TRA), Impact Analysis and prepared BCP/DRP framework.

• Reviewed access control rights (RBAC) and cleaned up access control list for critical applications.

• Designed process for regular review of access control rights of privileged users.

Result: The Company successfully implemented and sustained MM level 3 of COBIT

In House Professional Development Sessions delivered on:

• Auditing Standard 5 of PCAOB

• ISACA guidelines of IT Control Objectives of SOX


Page 2 of 3

Sharan Khurana MBA, CISA, CGEIT

Bank of India, (Asset Size $50 Billion) 2001 - 2006

Chief Manager, Information Systems Audit and Internal audit, Mumbai/Bhopal

• Prepared Corporate Annual Audit Plan, Detailed Audit Plan and implemented it

• Prepared Risk Based Audit Policy, Information System Audit Policy and Information System Security Policy.

• Conducted internal audit, Risk Based Audit and Risk Analysis, Prepared Gap Analysis and Remediation Plan for Bank’s domestic and foreign branches.

• Conducted Management Audit of 4 Regional Rural Banks (300 to 500 branches) and 14 Zonal Offices (200 to 250 branches)of Bank of India for verifying the effectiveness of Management and compliance to:

o Corporate objectives, plan, policies and budgets

o Legal, HR and regulatory requirements of Reserve Bank of India (Banking Regulator- equivalent of OSFI)

• Audited Branch Banking Solutions (ERP), Data Centre and Disaster Recovery Site.

Result: The implementation of the audit recommendations got ISO certification for the Data Centre

• Audited Credit Card Operations of the Bank for PCI Compliance

• Conducted IT Audit and Internal Audit of 9 exceptionally Large branches of the bank (asset base of each branch $10 Million and above)

• Lead 5 culturally diversified teams of 15 Auditors and reviewed their audit work.

• Coached, counseled and trained 20 Internal and IT auditors.

• Regularly delivered Lectures in Bank’s training college on “Information System Security Policy”; “Risk Management”; “Audit Process” and “Improvement in Audit Rating”

• Followed up for compliance of deficiencies.

• Prepared quality audit reports with recommendations and placed deficiencies to stakeholders and Audit Committee

Bank of India, New Delhi, Khandwa (Madhya Pradesh) 1997-2001

Chief Manager

• Ensured compliance with Audit Reports.

• Managed cluster of 60 bank branches having business of $50+ Million.

• Successfully managed fully computerized branch with annual increase in business of 30%

Magadh Stock Exchange, Patna, INDIA 1997

Executive Director

• Implemented compliance with policies and capital adequacy requirements of SEBI (Equivalent of SEC in India)

• Prepared and implemented annual action plan.

Prior to 1997 held various positions like Branch Manager, Credit Manager in Bank of India

Education and certifications

• CGEIT (Certified in Governance of Enterprise IT) in 2009 from ISACA, Chicago, USA

• CISA in 2004 from ISACA, Chicago, USA.

• CAIIB 1985- (Highest Banking Certification in India)

• MBA (Finance) Panjab University. B. Sc from Panjab University.

• Working towards PMP and IFRS (International Financial Reporting Standard)

Trainings completed for professional development:

• IT Audit of Computerized branches

• IT Audit of Data center, Disaster Recovery site and Core Banking Solutions

• Risked Based Audit; Information System Audit for risk Management

• Training in UNIX and C computer language

• 15 in house training courses ranging from Leadership Development to proprietary software

Professional memberships/ affiliations:

• ISACA, Chicago, USA; Indian Institute of Banking and Finance; SOX User group of ISACA

• ICATS (Indo Canada Association of Technology and Software; ICCC (Indo Canada Chamber of Commerce)

Page 3 of 3

Contact this candidate