Auditing Application User Account Security and Identity Management with Data Analytics

James Kidwell, JD, CISA
Senior Information Systems Auditor
Audit Services

Tom Valiquette, MBA, CIA
Director, Corporate Compliance
Compliance Data Solutions

What is your end game?

1. Evaluate for key risks (one-time audit)
   – Active user accounts of terminated employees/contractors
2. Continuous Monitor – Audit Services’ tool
3. Build case for corporate identity management solution

What else happened:
Continuous Audit – business unit tool

Key Considerations

• Decide your end-game
• What is your corporate standard
• Source of truth
• Data normalization
• Known data exceptions
• Error validation & process improvement
• Continuous auditing & monitoring

Example #1

User Accounts (one installation at each of Hospital 1 through Hospital 8)
• Individual system installations
• Individual systems do not communicate with each other.
• Not integrated with Windows Active Directory
• Manual user account administration managed at each hospital

Example #2

User Accounts (Accounts Receivable System A, Accounts Receivable System B, Accounts Receivable System C, Electronic Medical Record)
• Primary applications for Enterprise
• Some not integrated with Windows Active Directory
• Manual user account administration managed within Information Services
• External service providers

Key Risks

• External Regulator sanctions due to active user account for terminated teammate (JCAHO – Joint Commission on Accreditation of Healthcare Organizations);
• System access using terminated teammate account;
• Transitioning to central Accounts Receivable system.

Source of “Truth”

• Central list used to identify personnel
• Maintained to some standard
• Contains unique identifier
• Customer and Audit agree

Sources used: Active Directory; Employee Roster; Contractor Roster

Analytic Process Flow

• Continuous analytic cycle agreed to by Audit and Customer
• Every application account receives a result code for each testing cycle
  – Pass/Fail
  – If Fail → High/Low risk

Data Preparation

• Provision data on same schedule
• Remove application-specific known user ID modifications
• Target and isolate approved administrative accounts
• Only ACTIVE target system user accounts

Target System User ID | Computed ID (used for matching) | Target System User Last Name | Target System User First Name
5309                  | 5309                            | JOHNSON                      | ELLIOT
EJOHNS01              | EJOHNS01                        | JOHNSON                      | ELLIOT
EJOHNS01W             | EJOHNS01                        | JOHNSON                      | TIM

(Third row: ID Modification – the application-specific suffix is removed to form the Computed ID.)
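Worked example of the preparation steps above, added here and not the presenters' own tooling. It assumes a target-system export with user ID, last name, first name and status columns; that this application's known ID modification is a single trailing letter appended to an eight-character network ID (EJOHNS01W → EJOHNS01, as in the table); and a hand-maintained list of approved administrative accounts. The export rows, the suffix pattern and the status values are constructed for the example.

```python
"""Data preparation for one target system's active user accounts.

Added example, not the presenters' tooling. Assumptions: the export has
user_id/last_name/first_name/status columns; the known ID modification for
this application is one trailing letter after an 8-character network ID
(EJOHNS01W -> EJOHNS01); approved administrative accounts are listed by
hand. All rows below are constructed.
"""
import re
from dataclasses import dataclass

# Known application-specific user-ID modifications, one regex per target
# system. Group 1 is the Computed ID used for matching. (Assumed pattern.)
ID_MODIFICATIONS = {
    "hospital_app": [re.compile(r"^([A-Z]{6}\d{2})[A-Z]$")],
}

# Approved administrative / service accounts: isolated, not matched to people.
APPROVED_ADMIN = {"hospital_app": {"APPADMIN", "SVC_INTERFACE"}}

# Constructed target-system export: the slide's rows plus edge cases
# (template, deleted and inactive accounts, an admin account, dirty input).
SAMPLE_EXPORT = [
    {"user_id": "5309",       "last_name": "Johnson",  "first_name": "Elliot", "status": "ACTIVE"},
    {"user_id": "EJOHNS01",   "last_name": "Johnson",  "first_name": "Elliot", "status": "ACTIVE"},
    {"user_id": "EJOHNS01W",  "last_name": "Johnson",  "first_name": "Tim",    "status": "ACTIVE"},
    {"user_id": "ZZTEMPLATE", "last_name": "Template", "first_name": "User",   "status": "TEMPLATE"},
    {"user_id": "BSMITH02",   "last_name": "Smith",    "first_name": "Bob",    "status": "DELETED"},
    {"user_id": "APPADMIN",   "last_name": "Admin",    "first_name": "App",    "status": "ACTIVE"},
    {"user_id": "ejohns01 ",  "last_name": "Johnson",  "first_name": "Elliot", "status": "INACTIVE"},
]

@dataclass(frozen=True)
class PreparedAccount:
    system: str
    user_id: str        # as held by the target system (case and whitespace normalised)
    computed_id: str    # ID used for matching against the source of truth
    last_name: str
    first_name: str

def compute_id(system, user_id):
    """Strip the application's known ID modification; otherwise return the ID."""
    uid = user_id.strip().upper()
    for pattern in ID_MODIFICATIONS.get(system, []):
        m = pattern.match(uid)
        if m:
            return m.group(1)
    return uid

def prepare(system, export):
    """Return (accounts_to_test, isolated_admin_accounts) for one cycle.

    Only ACTIVE accounts are tested: inactive, template, system and deleted
    accounts are dropped before matching, and approved administrative
    accounts are set aside so they are not reported as orphans."""
    to_test, admins = [], []
    for row in export:
        if row["status"].strip().upper() != "ACTIVE":
            continue
        uid = row["user_id"].strip().upper()
        acct = PreparedAccount(system, uid, compute_id(system, uid),
                               row["last_name"].strip().upper(),
                               row["first_name"].strip().upper())
        (admins if uid in APPROVED_ADMIN.get(system, set()) else to_test).append(acct)
    return to_test, admins

if __name__ == "__main__":
    tested, isolated = prepare("hospital_app", SAMPLE_EXPORT)
    for a in tested:
        print(f"{a.user_id:<12} -> {a.computed_id:<10} {a.last_name} {a.first_name}")
    print("isolated admin accounts:", [a.user_id for a in isolated])
```

The suffix rule is deliberately scoped per target system: the same trailing letter may be meaningful in another application, so a normalization that is not keyed to the system that produced the ID silently merges unrelated accounts.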

Layered Testing Algorithm

Target System: identify inactive, template, system, and deleted accounts

Error Validation

User ID   | Error Reason                                                            | Error Validation    | Validation Reason
5309      | Application user ID not found in PeopleSoft                             | EC99 – Valid Error  | RC99 – Remediation Plan
EJOHNS01  | Application user ID first name does not match first name in PeopleSoft  | EC01 – Not Error    | RC02 – False Positive – Positive Teammate ID

• Allows customer opportunity to participate in audit process
• Demonstrates to senior leadership the customer's willingness to correct problems
• Approved false positives accounted for in continuous auditing program
• Remediation plans confirmed by continuous auditing program

Audited Results

Client-Audited Results: test whether the client provided acceptable responses to the previous analytic cycle's results

Teammate Identification – PS, AD, iTIM

Compare active accounts, in turn, to Human Resources (PeopleSoft), to Active Directory, and to iTIM:
• Match Enterprise ID – Network ID or Employee ID;
• Match Name – first name characters, or Levenshtein distance on first name or on last name
• Teammate active in that source's data – yes/no

Analytic Results

Report Results: audit finding detail, dashboards, reports
• Identify primary audience (audit management, customer?)
• Summary vs. Detail
• Facilitate exception management process

Continuous Auditing / Continuous Monitoring

Continuous Monitoring – Single Application with Multiple Installations
Continuous Monitoring – Tier 1 Applications
Continuous Monitoring – Tier 1 Applications – Drill Down
(dashboard slides; the charts are not reproduced in this transcript)

Continuous Auditing/Monitoring
• Provides evidence for “end-game”
  – Identify root cause(s)
  – Monitor process improvement
  – Need for central Identity Management System
• Transition auditing to business unit
• Monitor process improvement gains
  – Monitoring provides re-audit signals
• Allows for key system comparison

Questions?

Tom Valiquette, Director
Compliance Data Solutions
Corporate Compliance
[email protected]
O: 704-512-5903