608 IT RiskAudit


Transcript of 608 IT RiskAudit

Page 1: 608 IT RiskAudit

1

Identifying, Assessing and Auditing IT Risks in Health

HCCA 22nd Compliance Institute

April 17 2018

Page 2 Identifying, Assessing and Auditing IT Risks

Agenda

Topic Page

Technology Risks 2.0 3

Internal Audit IT risk Assessment Approach 6

IT Audit Planning 9

Auditing EHR and ERP Implementations 12

Auditing Third-party Risk Management 15

Leveraging Data Analytics for a More Efficient and Effective audit 16

Robotics Process Automation (RPA) 19

Summary and Discussion 23


Page 3 Identifying, Assessing and Auditing IT Risks

Technology Risk 2.0: The Changing Landscape

01 Speed of innovation is outpacing risk management capabilities, creating exposed blind spots

02 Risk discussions without technology considerations are incomplete

03 Technology is no longer just IT: the enterprise is now digital and connected

04 Technology has become ubiquitous in the business, from strategy to execution

05 Third-party risk is now your risk

Technology stakeholders

► All business functions

► Information technology

► Cybersecurity

► Customers

► Vendors

► 3rd parties

► Regulators, governments

Technology trends

► B2B/B2C to Crowdsourcing/funding

► Social to Hyper-connected users

► Internet of Things

► Mobile

► Digital

► Intelligent/Cognitive technologies

► Data and analytics

► Cloud

Page 4 Identifying, Assessing and Auditing IT Risks

Technology Risk 2.0: Emerging Technology Risks

Emerging technology risks

► Mobile

► Social Media

► Cyber Security

► Internet of Things

► Cloud

► BI & Analytics

► Machine Learning & AI

► Digital

► Blockchain

► Robotics Process Automation

Is IA ready:

► to audit emerging risks?

► to lead the 'digital journey' for the organization? and

► to transform to deliver more comprehensive solutions?


Page 5 Identifying, Assessing and Auditing IT Risks

Internal Audit IT Risk Assessment Approach

1. Plan IT risk assessment: define a starting point based on the objectives and determine the individuals to engage.

2. Identify IT risks: create and evaluate a range of potential occurrences of IT risk to determine the focus for the risk assessment.

3. Assess IT risks: identified IT risks are analyzed against risk identification criteria to determine the level of inherent risk; a similar review against the control environment is used to evaluate residual risk.

4. Risk response and prioritization, and develop the audit plan: identify potential IT risk responses and engage the business to determine and prioritize risk response activities.

5. Execute the audit plan and monitor risks in ERM: define a robust internal audit plan to provide assurance that risks are being mitigated within tolerance levels, and monitor risks for ERM.

Page 6 Identifying, Assessing and Auditing IT Risks

IT Risk Universe and Emerging IT Risks

Top 10 IT risk considerations

1. InfoSec/cyber

2. Business continuity

3. Mobile

4. Cloud

5. IT risk management

6. Program risk

7. Software/asset management

8. Social media risk management

9. Segregation of duties/identity access management

10. Data loss prevention and privacy

IT risk universe categories

► Data

► Compliance

► Operations/service delivery

► Infrastructure

► Business enablement

► Talent management

► IT availability/continuity

► Security and privacy

► Program/portfolio management

► Partner collaboration

Example risks across the universe

► Natural disasters

► Labor strikes

► Environmental sanctions

► Utilities failures

► Non-compliance with policy or regulations

► Non-compliance with software license contracts

► Misalignment with business

► Unsupported applications

► System issues/failures

► Inflexible IT architecture

► Obsolete technology

► Damage to servers

► Theft

► Failure to mine information

► Lack of data integrity

► Disclosure of sensitive data

► Lack of service capability

► Breakdown of processes

► Operator errors during backup or maintenance

► Loss of key IT resources

► Inability to recruit IT staff

► Mismatch of skills

► Lack of business knowledge

► Malware intrusions

► Virus attacks

► Website attacks

► Poor patch management

► Budget overruns

► Significant delays

► Benefits not realized

► Poor quality of deliverables

► Inadequate integration

► Poor service levels

► Unauthorized outsourcers

► Lack of assurance

► Data leakage


Page 7 Identifying, Assessing and Auditing IT Risks

Aligning Risk Universe and Requirements

IT Risk Universe

► Security and privacy

► Third-party suppliers and outsourcing

► Program and change management

► Legal and regulatory

► Staffing

► Operations

► Physical environment

► Infrastructure

► Applications and databases

► Data

IT Key Components

► IS Governance

► Data and Infrastructure

► Applications and Databases

► Legal and Regulatory

► Program Change Management

► Cybersecurity/Information security

► Physical environment

► Third Party Suppliers and Outsourcing

► IT Staffing

► IT Operations

We leverage the following professional standards and leading practices on the design and development of the IT Audit Methodology:

Professional Standards/Regulatory Frameworks

► COBIT: Control Objectives for Information and Related Technologies

► ISO 27K/NIST: Information Security Management Systems standards

► TOGAF: The Open Group Architecture Framework

► COSO: Committee of Sponsoring Organizations of the Treadway Commission

► ITIL: Information Technology Infrastructure Library

► HIPAA/FISMA: Regulatory requirements

Focus areas: Regulatory IT Risk Management; Digital and the Internet of Things; Cyber Security

Page 8 Identifying, Assessing and Auditing IT Risks

Developing the IT Audit Plan: Factors to Consider

Recommended audit plan mix: Process compliance; Compliance; Rotational; Special projects

► Enterprise Risk Assessment

► Cyber security threats

► Operation disruption & business continuity

► Key projects and internal initiatives

► Audit plan mix

► Dynamic audit plan in lock-step with risk

► Focus outside of compliance ("check the box" auditing)

► Considers upcoming changes to the IT environment


Page 9 Identifying, Assessing and Auditing IT Risks

Developing the IT Audit Plan

Mandatory

1 Regulatory Requirements HIPAA/FISMA/

High risk (risk-driven audits)

1 Data Protection and Privacy

2 Cyber Security

3 Access Management

4 Vendor Risk Management

Medium risk (risk-driven audits)

5 Business Continuity Management

6 Enterprise Applications and Change Control

7 Globalization

8 Compliance and Risk Management

9 IT Asset Management

10 IT Program and Project Management

Low risk (limited audit coverage)

11 Emerging Technologies

12 IT Governance and Strategy

13 Operations

14 IT Resource Management

Page 10 Identifying, Assessing and Auditing IT Risks

Illustrative Audits: map to technology layers to depict IT risk coverage (Year 1 through Year 5)

Technology layers

► Application Security

► Database Security

► Operating System Security

► Network Security

► Internet Security

► Physical Security

Pervasive audits include Incident Response, Security Awareness, Disaster Recovery, Cybersecurity Governance, IT Vendor Mgmt, Security Operations Center, Public Cloud, PCI, Technology Governance, Security Logging & Monitoring.

Illustrative audits in the five-year map (each listed once; several recur in more than one year, and the map places each by year and layer)

► Badging System Review

► Mobile Device Monitoring

► Two-factor Authentication

► Vendor RA & RSA Token Mgmt

► Firewall Security

► Wireless Network

► Workstation Patch Management

► Microsoft Access DB Governance

► Exchange (Email)

► Users' Access to Source Code

► Database Deficiency Remediation

► Security Enhancements Implementation

► OT Access Mgmt

► Oracle 12c Upgrade Governance

► UAR Tool Access & Workflow

► Network Architecture Components

► Workstation Admin Access

► PKI Architecture Security

► Firewall Rules Change Mgmt Process & Controls

► Database Patch Mgmt

► Active Directory Security

► OS/400 Security

► SQL Security

► Third Party Application Mgmt

► Mobile Applications Security

► Application A ITGCs

► Primary Data Center

► Backup Data Center

► Application C ITGCs

► Periodic Access Review

► Server Lifecycle Mgmt

► Customer Website Portal

► Application B Access

► Single Sign-on Tool Security

► Database Segmentation

► DMZ (Perimeter) Security

► Network Patch Process

► Unix/Linux Security

► SharePoint Security

► ERP Implementation

► BU 1/2 Appl Integration

► Application D Access & Governance

► Server Configuration Mgmt

► Attack & Penetration

► Technology Warehouse Storage

► Application E Readiness

► Application E Post-impl

► Windows Security

► Oracle Security

► Offsite Location A

► Application F ITGCs


Page 11 Identifying, Assessing and Auditing IT Risks

Auditing Topics

Page 12 Identifying, Assessing and Auditing IT Risks

Auditing EHR and ERP Implementations

Service areas: IT General Controls (ITGCs); Compliance design and integration; Risk and controls; Independent Program Review; Data migration and interfaces; Security and access

IT General Controls (ITGCs)

► ITGC governance and monitoring assessments

► Design and implementation of ITGCs

► Development and execution of test strategies

► SOC 1 / SOC 2 Reporting

Across the remaining areas

► Compliance controls, framework, and regulatory requirement assessments

► HIPAA/Privacy controls, framework, and regulatory requirement assessments

► Implementation and integration of the compliance framework with business process owners

► Risk, financial and operational controls assessments for EHR, ERPs and bolt-ons

► Test strategy development & testing validation

► Risk function and process owner education and enablement

► Continuous control monitoring and GRC (Archer, MetricStream etc.)

► Evaluation of risks and issues between governance, project management, technical solutions and risk interdependencies

► Facilitate readiness assessment and go-live support

► Segregation of duties design and build

► Design and implement the security environment based on leading practice and access restrictions

► Continuous monitoring and GRC solutions

► Pre-live assessment to identify technical design gaps and data integrity issues prior to data migration

► Design of interface and IT testing strategies; and testing validation


Page 13 Identifying, Assessing and Auditing IT Risks

Project/Program Assessment Methodology

► A project assessment methodology is a multidimensional evaluation of the risk interdependencies between program governance, project management and technical solution factors.

► As illustrated in the framework diagram to the right, each dimension is divided into nine facets. Each facet focuses on a specific area of its associated dimension and

► Maturity descriptions comprise five levels of maturity (initial, repeatable, defined, managed and optimized)

Page 14 Identifying, Assessing and Auditing IT Risks

EHR Implementation Program Risk Assessment Approach

EHR Implementation Phases 1 - 5: Planning, Readiness, Discovery, Validation, Build, Testing, Stabilization, Optimization

Complete ongoing milestone-based point-in-time assessments across 5 workstreams:

► Governance

► Program Management

► Project Team Organization and Resource Alignment

► Program Budget and Financial Management

► Implementation Roadmap, Schedule and Project Plan

+ Targeted deep dives on specific risk areas (illustrative):

► Capacity and Scheduling

► Revenue Integrity

► Accounts Receivable

► Operational Readiness

► Controls and Compliance

Robust assessments of an EHR implementation should be performed at key stages of the program's life.


Page 15 Identifying, Assessing and Auditing IT Risks

Auditing Third-party Risk Management: IT Vendors, contractors, outsourced business operations

Third parties around the company

► Vendors

► Outsourced technology

► Outsourced business operations

► Contractors

Third-party breaches and outages continue to impact the marketplace and expand the boundaries of the threat environment outside the walls of the organization itself.

A third-party IT service provider is an entity that provides services to a company and maintains, processes, or otherwise is permitted access to nonpublic information through its provision of IT services.

Key questions when auditing TPRM

► Does the organization have an inventory of "all" third parties supporting the enterprise?

► Is there a clearly defined expectation for how to risk profile, vet, select, engage, monitor and manage third parties?

► Is the right to audit enforceable?

► Is the business (e.g., business lines, board, sr. leadership, etc.) aware of third-party risks and of the third parties considered critical to the organization?

Page 16 Identifying, Assessing and Auditing IT Risks

Analytics: Leveraging data analytics for a more efficient and effective audit


Page 17 Identifying, Assessing and Auditing IT Risks

Analytics and Shifting IA Landscape

Shifting IA landscape

► There is greater emphasis on risk management, fraud prevention and corporate governance.

► Stakeholders are placing a greater emphasis on how IA can play a role in evaluating and mitigating risk.

► The role of IA is shifting from an independent assurance function to that of a real-time management advisor.

► Companies are moving toward using the IA function for comprehensive, top-down enterprise risk assessments.

► IA will need more effective resources, capabilities and knowledge to contribute to the risk management needs of their organizations.

Traditional IA

► Typically labor-intensive

► Limited samples

► Narrow time period or stressful remediation

► Test procedures are limited in scope

► Capabilities and benefits tend to lessen as internal audit needs become more complex

IA leveraging analytics

► Test 100% of transactions for many controls

► Use of data analysis for sample selection in cases where testing 100% of transactions is not possible

► Increased insights and root cause analyses

► Frees up resources (up to 20%) to focus on audits and insights, not data collection

► Faster, automated data collection and evaluation

► Reduced travel expenses

(Chart: investment versus benefit for traditional IA and for IA leveraging analytics, across risk, value and cost.)

Investments in analytics can mitigate risk, reduce cost and add value to the business.

Page 18 Identifying, Assessing and Auditing IT Risks

Analytics Touch Points Across the IA Life Cycle

Bring in the analytics team to develop the charter.

Life cycle stages: Risk assessment; Audit planning; Audit execution; Audit reporting; BU action plan; Monitoring

Key activity examples

► Risk identification

► Journal entries

► Material transactions

► Significant account activity analysis

► Customer churn

► Product churn

► Segregation of duties

► Embed analytics in existing client risk assessment process

► Process analytics

► P2P, OTC, FSCP, inventory, fixed assets, HR/PR, T&E

► Contract analytics

► Analytic testing of other significant processes

► Interpretation of results

► "Special projects"

► KPI monitoring

► KRI monitoring

► Continuous controls monitoring

► Dashboards

► Scorecards

► Benchmarks

► Excel output

Outputs

► Specific risk identification

► Scoping

► Communications

► Research current available data and information

► Coordinate lead time to execute

► Customize data requests

► Risk ranking

► Visibility into highest risks

► Identification of unknown risks

► Identification of audits to incorporate analytics

► Analytics execution

► Business insight

► Identification of process defects

► Action plan recommendations

► Repeatable analytics

► Thresholds

► Risk appetite
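The two analytics slides above describe testing 100% of a population instead of a sample, a segregation-of-duties (SoD) analytic, continuous controls monitoring, and a KRI with a threshold tied to risk appetite. The following is an added example written for this page, not code from the deck or from EY: a full-population SoD conflict check over an ERP/EHR role export. The access rows, the conflict matrix, the accepted-risk register and the field names are all constructed assumptions for illustration; a real engagement would load the role export from the system and take the conflict matrix from the organization's approved SoD ruleset.

```python
"""Full-population segregation-of-duties (SoD) analytic with a KRI.

Added example, not from the original deck. All data below is constructed.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample: one (user, role) row per assignment, as a role export
# from an ERP/EHR access list would give it. Field names are assumptions.
ACCESS_ASSIGNMENTS = [
    ("u1001", "AP_VENDOR_MAINTAIN"),
    ("u1001", "AP_INVOICE_ENTRY"),
    ("u1002", "AP_INVOICE_ENTRY"),
    ("u1002", "AP_PAYMENT_RELEASE"),
    ("u1003", "AP_VENDOR_MAINTAIN"),
    ("u1003", "AP_PAYMENT_RELEASE"),
    ("u1004", "GL_JOURNAL_ENTRY"),
    ("u1004", "GL_JOURNAL_APPROVE"),
    ("u1005", "GL_JOURNAL_ENTRY"),
    ("u1006", "EHR_USER_ADMIN"),
    ("u1006", "EHR_AUDIT_LOG_PURGE"),
]

# Constructed conflict matrix: role pairs one person must not hold together,
# keyed by an unordered pair so rule lookup is order-independent.
SOD_RULES = {
    frozenset({"AP_VENDOR_MAINTAIN", "AP_INVOICE_ENTRY"}): "create vendor and post invoices to it",
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}): "post invoice and release payment",
    frozenset({"AP_VENDOR_MAINTAIN", "AP_PAYMENT_RELEASE"}): "create vendor and pay it",
    frozenset({"GL_JOURNAL_ENTRY", "GL_JOURNAL_APPROVE"}): "post and approve own journal",
    frozenset({"EHR_USER_ADMIN", "EHR_AUDIT_LOG_PURGE"}): "grant access and erase the audit trail",
}

# Constructed accepted-risk register: conflicts management has accepted with a
# documented compensating control. These are reported, not counted as open.
ACCEPTED_RISKS = {
    ("u1004", frozenset({"GL_JOURNAL_ENTRY", "GL_JOURNAL_APPROVE"})):
        "monthly independent journal review by controller",
}


def roles_by_user(assignments):
    """Group the flat export into {user: set(roles)}."""
    users = defaultdict(set)
    for user, role in assignments:
        users[user].add(role)
    return users


def find_sod_conflicts(assignments, rules=SOD_RULES, accepted=None):
    """Test every user against every rule (whole population, no sampling).

    Returns (open_conflicts, mitigated_conflicts). Each open conflict is
    (user, role_a, role_b, rule_description); mitigated ones carry the
    compensating control as a fifth element.
    """
    accepted = accepted or {}
    open_conflicts, mitigated = [], []
    for user, roles in sorted(roles_by_user(assignments).items()):
        for a, b in combinations(sorted(roles), 2):
            key = frozenset({a, b})
            if key not in rules:
                continue
            finding = (user, a, b, rules[key])
            if (user, key) in accepted:
                mitigated.append(finding + (accepted[(user, key)],))
            else:
                open_conflicts.append(finding)
    return open_conflicts, mitigated


def kri_summary(assignments, rules=SOD_RULES, accepted=None, threshold=0.10):
    """KRI for continuous monitoring: share of users with an open conflict.

    `threshold` is the tolerance (assumed 10% here); breach=True means the
    population sits outside risk appetite and should surface on the dashboard.
    """
    users = roles_by_user(assignments)
    open_conflicts, _ = find_sod_conflicts(assignments, rules, accepted)
    conflicted = {c[0] for c in open_conflicts}
    rate = len(conflicted) / len(users) if users else 0.0
    return {
        "users": len(users),
        "conflicted_users": len(conflicted),
        "conflict_rate": round(rate, 3),
        "breach": rate > threshold,
    }


if __name__ == "__main__":
    open_c, mitigated = find_sod_conflicts(ACCESS_ASSIGNMENTS, accepted=ACCEPTED_RISKS)
    for user, a, b, why in open_c:
        print(f"OPEN      {user}: {a} + {b} ({why})")
    for user, a, b, why, control in mitigated:
        print(f"MITIGATED {user}: {a} + {b} ({why}); control: {control}")
    print(kri_summary(ACCESS_ASSIGNMENTS, accepted=ACCEPTED_RISKS))
```

Because every assignment is tested, the result is a complete list of exceptions rather than a sampled inference, which is what makes it reusable as a repeatable analytic: rerun it on each new role export, compare the open set against the previous run, and let the KRI breach flag drive follow-up instead of a manual review.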


Page 19 Identifying, Assessing and Auditing IT Risks

Robotics Process Automation

Page 20 Identifying, Assessing and Auditing IT Risks

What is Robotics Process Automation (RPA)?

Robots use existing technology across the stack: Cloud; Enterprise automation; Desktop automation; In-house mainframe

Capabilities robots work with

► Core account mgmt.

► Transaction processing

► Core accounting

► Reporting

► Third-party capabilities

► Industry utilities

► Internet / intranet capabilities

► Data storage

► Workflow and rules

► Imaging

► Digital channels

► Analytics / reporting

► Collaboration tools

► Spreadsheets

► Word documents

► PDFs

► Emails

► Collaboration

► Data and analytical tools

Robots…

► Link and sit atop existing IT assets

► Work faster and with fewer errors

► Operate on their own or with people

► Scale to match varying loads

► Deliver value quickly

► Cost much less than human FTEs

Enabling…

► Speed and innovation for growth and competitive advantage

► Industrial-scale agility with lower risk of privacy issues and data exposure

► Improved compliance and auditability


Page 21 Identifying, Assessing and Auditing IT Risks

RPA Internal Audit Implications: Challenges and Approach

1. Effective challenge of RPA program and robots

Internal audit needs to be involved in the RPA strategy, so it can be better prepared for impacts on the internal audit plan and help advise the organization through appropriate risk and control decisions.

2. Process modifications

New risks may be introduced through an RPA program or its implementations. Organizations should consider the effect of RPA on processes, controls, and the reliability and accuracy of data.

3. Impact to existing audit strategy

Executing an RPA challenge process will result in testing strategy modifications, affect the availability and collection of audit evidence, and may require additional competencies to support assessments.

Approach

► Determine the balance for challenge of the RPA program vs. implementations / controls

► Implement efficient, repeatable RPA challenge processes

► Continue to have a seat at the table at key forums

► Develop a plan for the audit period

Internal audit organizations should be actively involved and have a seat at the table. RPA has the opportunity to provide extensive value to the business, and the risk and control experience of internal audit can help highlight the enabling technology and its potential impacts and considerations.

Page 22 Identifying, Assessing and Auditing IT Risks

Identifying Potential RPA Opportunities

Audit process enhancement opportunities

► As expectations for internal audit functions increase, the ability to manage workload and increase efficiency and effectiveness while meeting a changing regulatory landscape will be a differentiator

► Firms may look to technology to address new audit testing needs and increase efficiency. A number of technical approaches such as RPA can help achieve targeted automation of the audit process.

Key benefits of testing automation

► Deploying automation solutions allows the audit function to maintain a core team dedicated to interpreting and reviewing audit testing results, and minimizes the highly transactional work of data collection, execution of test steps, tracking, and reporting.

Where automation can make a difference

► Reduce cycle time for heavily manual data collection and preparation for testing

► Reduce cost associated with non-decision-making manual processes

► Increase traceability of the test steps performed

► Increase consistency of test supporting documentation and execution

► Ability to execute a variety of tests by using or modifying previously built test steps

► Easily scalable, with a short time to market

Robotic process automation (RPA) can play a critical role in allowing Internal Audit to meet its capacity, audit coverage, and efficiency objectives.


Page 23 Identifying, Assessing and Auditing IT Risks

Summary and Discussion

Page 24 Identifying, Assessing and Auditing IT Risks

EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.

© 2017 Ernst & Young LLP. All Rights Reserved.

1706-2345891

ED None

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.

ey.com