Post on 02-Apr-2018
Auditing Application User Account
Security and Identity Management
with Data Analytics
James Kidwell, JD, CISA
Senior Information Systems
Auditor
Audit Services
Tom Valiquette, MBA, CIA
Director, Corporate Compliance
Compliance Data Solutions
What is your end game?
1. Evaluate for key risks (one-time audit)
   – Active user accounts of terminated employees/contractors
2. Continuous Monitor – Audit Services’ tool
3. Build case for corporate identity management solution
What else happened:
Continuous Audit – business unit tool
Key Considerations
• Decide your end-game
• What is your corporate standard
• Source of truth
• Data normalization
• Known data exceptions
• Error validation & process improvement
• Continuous auditing & monitoring
Example #1
User Accounts
• Individual system installations
• Individual systems do not communicate with each other.
• Not integrated with Windows Active Directory
• Manual user account administration managed at each hospital
(Diagram labels: Hospital 1, Hospital 2, Hospital 3, Hospital 4, Hospital 5, Hospital 6, Hospital 7, Hospital 8)
Example #2
(Diagram labels: Accounts Receivable System A, Accounts Receivable System B, Accounts Receivable System C, Electronic Medical Record)
User Accounts
• Primary applications for Enterprise
• Some not integrated with Windows Active Directory
• Manual user account administration managed within Information Services
• External service providers
Key Risks
• External Regulator sanctions due to active user account for terminated teammate (JCAHO – Joint Commission on Accreditation of Healthcare Organizations);
• System access using terminated teammate account;
• Transitioning to central Accounts Receivable system.
Source of “Truth”
• Central list used to identify personnel
• Maintained to some standard
• Contains unique identifier
• Customer and Audit agree
(Diagram labels: Active Directory, Employee Roster, Contractor Roster)
Analytic Process Flow
• Continuous analytic cycle agreed to by Audit and Customer
• Every application account receives a result code for each testing cycle
  – Pass/Fail
  – If Fail → High/Low risk
Data Preparation
• Provision data on same schedule
• Remove application-specific known user ID modifications
• Target and isolate approved administrative accounts
• Only ACTIVE target system user accounts
TargetSystem User ID   ComputedID (used for matching)   TargetSystem User Last Name   TargetSystem User First Name
5309                   5309                             JOHNSON                       ELLIOT
EJOHNS01               EJOHNS01                         JOHNSON                       ELLIOT
EJOHNS01W              EJOHNS01                         JOHNSON                       TIM          (ID Modification)
Error Validation
UserID     ErrorReason                                                             ErrorValidation      ValidationReason
5309       Application userID not found in PeopleSoft                              EC99 - Valid Error   RC99 - Remediation Plan
EJOHNS01   Application userID first name does not match first name in PeopleSoft   EC01 - Not Error     RC02 - False Positive - Positive Teammate ID
• Allows customer opportunity to participate in audit process
• Demonstrates to senior leadership the customer’s willingness to correct problems
• Approved false-positives accounted for in continuous auditing program
• Remediation plans confirmed by continuous auditing program
Audited Results
Client-Audited Results: Test if client provided acceptable responses to previous analytic cycle results
Teammate Identification - PS
Compare active accounts to Human Resources
• Match Enterprise ID – Network ID or Employee ID;
• Match Name – First name characters, or Levenshtein first name or Levenshtein last name
• Teammate active in HR data – yes/no
Teammate Identification - AD
Compare active accounts to Active Directory
• Match Enterprise ID – Network ID or Employee ID;
• Match Name – First name characters, or Levenshtein first name or Levenshtein last name
• Teammate active in AD data – yes/no
Teammate Identification - iTIM
Compare active accounts to iTIM
• Match Enterprise ID – Network ID or Employee ID;
• Match Name – First name characters, or Levenshtein first name or Levenshtein last name
• Teammate active in iTIM data – yes/no
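As an added worked example (not the presenters' own tool), the data-preparation and teammate-identification steps above in Python on constructed rows mirroring the slide's table: it strips an assumed application-specific suffix to form the computed ID, matches against a constructed HR roster, honours approved false positives from a prior cycle, and assigns the Pass/Fail and High/Low result codes. The name rule is read here as first name (leading characters or Levenshtein) and last name (Levenshtein); that reading, the "W" suffix convention and all roster data are assumptions.

```python
import re
# Constructed rows (not from the presentation), mirroring the slide's table:
# (target-system user ID, last name, first name).
APP_ACCOUNTS = [("5309", "JOHNSON", "ELLIOT"),
                ("EJOHNS01", "JOHNSON", "ELLIOT"),
                ("EJOHNS01W", "JOHNSON", "TIM")]
# Constructed HR roster, the agreed source of truth: network ID -> (last, first, active).
HR_ROSTER = {"EJOHNS01": ("JOHNSON", "ELLIOT", True),
             "TJOHNS02": ("JOHNSON", "TIM", False)}
# Assumed application-specific ID modification: a trailing "W" on the network ID
# (the slide shows EJOHNS01W computing to EJOHNS01).
ID_SUFFIX = re.compile(r"W$")

def computed_id(user_id):
    """Remove the known ID modification so the account can be matched on network ID."""
    return ID_SUFFIX.sub("", user_id.strip().upper())

def levenshtein(a, b):
    """Edit distance for tolerant first/last-name comparison."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def names_match(first, last, hr_first, hr_last, max_dist=1):
    """Assumed reading of the slide rule: first name by leading characters or edit
    distance, and last name by edit distance."""
    first_ok = first[:3] == hr_first[:3] or levenshtein(first, hr_first) <= max_dist
    return first_ok and levenshtein(last, hr_last) <= max_dist

def evaluate(user_id, last, first, roster=HR_ROSTER, false_positives=frozenset()):
    """Result code for one account in one cycle: PASS, FAIL/HIGH or FAIL/LOW."""
    cid = computed_id(user_id)
    if cid in false_positives:      # RC02-style approved false positive from a prior cycle
        return "PASS"
    if cid not in roster:           # EC99-style: application user ID not found in HR
        return "FAIL/HIGH"
    hr_last, hr_first, active = roster[cid]
    if not active:                  # terminated teammate still holding a live account
        return "FAIL/HIGH"
    if names_match(first, last, hr_first, hr_last):
        return "PASS"
    return "FAIL/LOW"               # EC01-style: ID found but name differs; customer validates

def run_cycle(accounts=APP_ACCOUNTS, **kw):
    """Result code per target-system user ID for a whole testing cycle."""
    return {uid: evaluate(uid, last, first, **kw) for uid, last, first in accounts}
```

Because the suffix rule is a plain regex, a genuine network ID ending in "W" would also be trimmed; in practice the known modifications list per application should drive this step.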
Reports
• Identify primary audience (audit management, customer?)
• Summary vs. Detail
• Facilitate exception management process
Continuous Auditing / Continuous Monitoring
• Provides evidence for “end-game”
– Identify root cause(s)
– Monitor process improvement
– Need for central Identity Management System
• Transition auditing to business unit
• Monitor process improvement gains
– Monitoring provides re-audit signals
• Allows for key system comparison