Identifying, Assessing and Auditing IT Risks in Health
HCCA 22nd Compliance Institute
April 17 2018
Page 2 Identifying, Assessing and Auditing IT Risks
Agenda (topic and page)
► Technology Risks 2.0 (page 3)
► Internal Audit IT Risk Assessment Approach (page 6)
► IT Audit Planning (page 9)
► Auditing EHR and ERP Implementations (page 12)
► Auditing Third-party Risk Management (page 15)
► Leveraging Data Analytics for a More Efficient and Effective Audit (page 16)
► Robotics Process Automation (RPA) (page 19)
► Summary and Discussion (page 23)
Technology Risk 2.0: The Changing Landscape
Speed of innovation is outpacing risk management capabilities, creating exposed blind spots
Risk discussions without technology considerations are incomplete
Technology is no longer just IT: the enterprise is now digital and connected
Technology has become ubiquitous in the business, from strategy to execution
Third-party risk is now your risk
Technology stakeholders
► All business functions
► Information technology
► Cybersecurity
► Customers
► Vendors
► 3rd parties
► Regulators, governments
Technology trends
► B2B/B2C to Crowdsourcing/funding
► Social to Hyper-connected users
► Internet of Things
► Mobile
► Digital
► Intelligent/Cognitive technologies
► Data and analytics
► Cloud
Technology Risk 2.0: Emerging Technology Risks
Emerging technology risks
► Mobile
► Social media
► Cyber security
► Internet of Things
► Cloud
► BI & analytics
► Machine learning & AI
► Digital
► Blockchain
► Robotics Process Automation
Is IA ready:
► to audit emerging risks?
► to lead the 'digital journey' for the organization? and
► to transform to deliver more comprehensive solutions?
Internal Audit IT Risk Assessment Approach
The internal audit IT risk assessment proceeds through five stages:
1. Plan IT risk assessment: define a starting point based on the objectives and determine the individuals to engage.
2. Identify IT risks: create and evaluate a range of potential occurrences of IT risk to determine the focus for the risk assessment.
3. Assess IT risks: identified IT risks are analyzed against risk identification criteria to determine the level of inherent risk; a similar review against the control environment is used to evaluate residual risk.
4. Risk response and prioritization, and develop the audit plan: identify potential IT risk responses and engage the business to determine and prioritize risk response activities.
5. Execute the audit plan and monitor risks in ERM: define a robust internal audit plan to provide assurance that risks are being mitigated within tolerance levels, and monitor risks for ERM.
Top 10 IT risk considerations
1. InfoSec/cyber
2. Business continuity
3. Mobile
4. Cloud
5. IT risk management
6. Program risk
7. Software/asset management
8. Social media risk management
9. Segregation of duties/identity access management
10. Data loss prevention and privacy
IT Risk Universe and Emerging IT Risks
IT risk universe domains: Data; Compliance; Operations/service delivery; Infrastructure; Business enablement; Talent management; IT availability/continuity; Security and privacy; Program/portfolio management; Partner collaboration
Risks within the universe:
► Natural disasters
► Labor strikes
► Environmental sanctions
► Utilities failures
► Non-compliance with policy or regulations
► Non-compliance with software license contracts
► Misalignment with business
► Unsupported applications
► System issues/failures
► Inflexible IT architecture
► Obsolete technology
► Damage to servers
► Theft
► Failure to mine information
► Lack of data integrity
► Disclosure of sensitive data
► Lack of service capability
► Breakdown of processes
► Operator errors during backup or maintenance
► Loss of key IT resources
► Inability to recruit IT staff
► Mismatch of skills
► Lack of business knowledge
► Intrusions of malware
► Virus attacks
► Website attacks
► Poor patch management
► Budget overruns
► Significant delays
► Benefits not realized
► Poor quality of deliverables
► Inadequate integration
► Poor service levels
► Unauthorized outsourcers
► Lack of assurance
► Data leakage
Aligning Risk Universe and Requirements
IT risk universe: Security and privacy; Third-party suppliers and outsourcing; Program and change management; Legal and regulatory; Staffing; Operations; Physical environment; Infrastructure; Applications and databases; Data
IT key components: IS governance; Data and infrastructure; Applications and databases; Legal and regulatory; Program change management; Cybersecurity/information security; Physical environment; Third-party suppliers and outsourcing; IT staffing; IT operations
Regulatory IT risk management; Digital and the Internet of Things; Cyber security
We leverage the following professional standards and leading practices in the design and development of the IT Audit Methodology:
Professional standards/regulatory frameworks
► COBIT: Control Objectives for Information and Related Technology
► ISO 27K/NIST: information security management systems standards
► TOGAF: The Open Group Architecture Framework
► COSO: Committee of Sponsoring Organizations of the Treadway Commission
► ITIL: Information Technology Infrastructure Library
► HIPAA/FISMA: regulatory requirements
Developing the IT Audit Plan: Factors to Consider
Recommended audit plan mix: process compliance, compliance, rotational, special projects
► Enterprise risk assessment
► Cyber security threats
► Operation disruption & business continuity
► Key projects and internal initiatives
► Audit plan mix
► Dynamic audit plan in lock-step with risk
► Focus outside of compliance ("check the box" auditing)
► Considers upcoming changes to the IT environment
Developing the IT Audit Plan
High risk (risk driven audits)
1. Data Protection and Privacy
2. Cyber Security
3. Access Management
4. Vendor Risk Management
Medium risk (risk driven audits)
5. Business Continuity Management
6. Enterprise Applications and Change Control
7. Globalization
8. Compliance and Risk Management
9. IT Asset Management
10. IT Program and Project Management
Low risk (limited audit coverage)
11. Emerging Technologies
12. IT Governance and Strategy
13. Operations
14. IT Resource Management
Mandatory
1. Regulatory Requirements: HIPAA/FISMA/
Illustrative Audits Map to Technology Layers to Depict IT Risk Coverage (Years 1 to 5)
Technology layers: Application security; Database security; Operating system security; Network security; Internet security; Physical security
Pervasive audits include Incident Response, Security Awareness, Disaster Recovery, Cybersecurity Governance, IT Vendor Mgmt, Security Operations Center, Public Cloud, PCI, Technology Governance, Security Logging & Monitoring.
Illustrative audits:
► Badging System Review
► Mobile Device Monitoring
► Two-factor Authentication
► Vendor RA & RSA Token Mgmt
► Firewall Security
► Wireless Network
► Workstation Patch Management
► Microsoft Access DB Governance
► Exchange (Email)
► Users' Access to Source Code
► Database Deficiency Remediation
► Security Enhancements Implementation
► OT Access Mgmt
► Oracle 12c Upgrade Governance
► UAR Tool Access & Workflow
► Network Architecture Components
► Workstation Admin Access
► PKI Architecture Security
► Firewall Rules Change Mgmt Process & Controls
► Database Patch Mgmt
► Active Directory Security
► OS/400 Security
► SQL Security
► Third Party Application Mgmt
► Mobile Applications Security
► Application A ITGCs
► Primary Data Center
► Backup Data Center
► Application C ITGCs
► Periodic Access Review
► Server Lifecycle Mgmt
► Customer Website Portal
► Application B Access
► Single Sign-on Tool Security
► Database Segmentation
► DMZ (Perimeter) Security
► Network Patch Process
► SQL Security
► Unix/Linux Security
► SharePoint Security
► ERP Implementation
► BU 1/2 Appl Integration
► Application D Access & Governance
► Server Configuration Mgmt
► Attack & Penetration
► Primary Data Center
► Technology Warehouse Storage
► Customer Website Portal
► Application E Readiness
► Application E Post-impl
► Windows Security
► Oracle Security
► Offsite Location A
► Application F ITGCs
Auditing Topics
Auditing EHR and ERP Implementations
IT General Controls (ITGCs)
► ITGC governance and monitoring assessments
► Design and implementation of ITGCs
► Development and execution of test strategies
► SOC 1 / SOC 2 reporting
Compliance design and integration
► Compliance controls, framework, and regulatory requirement assessments
► HIPAA/Privacy controls, framework, and regulatory requirement assessments
► Implementation and integration of the compliance framework with business process owners
Risk and controls
► Risk, financial and operational controls assessments for EHR, ERPs and bolt-ons
► Test strategy development & testing validation
► Risk function and process owner education and enablement
► Continuous control monitoring and GRC (Archer, MetricStream, etc.)
Independent program review
► Evaluation of risks and issues between governance, project management, technical solutions and risk interdependencies
► Facilitate readiness assessment and go-live support
Security and access
► Segregation of duties design and build
► Design and implement the security environment based on leading practice and access restrictions
► Continuous monitoring and GRC solutions
Data migration and interfaces
► Pre-live assessment to identify technical design gaps and data integrity issues prior to data migration
► Design of interface and IT testing strategies, and testing validation
Project/Program Assessment Methodology
► A project assessment methodology is a multidimensional evaluation of the risk interdependencies between program governance, project management and technical solution factors.
► As illustrated in the framework diagram to the right, each dimension is divided into nine facets. Each facet focuses on a specific area of its associated dimension and
► Maturity descriptions comprise five levels of maturity (initial, repeatable, defined, managed and optimized)
EHR Implementation Program Risk Assessment Approach
EHR implementation phases 1 - 5: Planning, Readiness, Discovery, Validation, Build, Testing, Stabilization, Optimization
Complete ongoing milestone based point-in-time assessments across 5 workstreams:
► Governance
► Program Management
► Project Team Organization and Resource Alignment
► Program Budget and Financial Management
► Implementation Roadmap, Schedule and Project Plan
+ Targeted deep dives on specific risk areas (illustrative):
► Capacity and Scheduling
► Revenue Integrity
► Accounts Receivable
► Operational Readiness
► Controls and Compliance
Robust assessments of an EHR implementation should be performed at key stages of the program's life
Auditing Third-party Risk Management: IT vendors, contractors, outsourced business operations
Third parties around the company: vendors; outsourced technology; outsourced business operations; contractors
Third-party breaches and outages continue to impact the marketplace and expand the boundaries of the threat environment outside the walls of the organization itself.
A third-party IT service provider is an entity that provides services to a company and maintains, processes, or otherwise is permitted access to nonpublic information through its provision of IT services.
Key questions when auditing TPRM
► Does the organization have an inventory of "all" third-parties supporting the enterprise?
► Is there a clearly defined expectation for how to risk profile, vet, select, engage, monitor and manage third-parties?
► Is the right to audit enforceable?
► Is the business (e.g., business lines, board, sr. leadership, etc.) aware of third-party risks and of the third parties considered critical to the organization?
Leveraging Data Analytics for a More Efficient and Effective Audit
Analytics and Shifting IA Landscape
Shifting IA landscape
► There is greater emphasis on risk management, fraud prevention and corporate governance.
► Stakeholders are placing a greater emphasis on how IA can play a role in evaluating and mitigating risk.
► The role of IA is shifting from an independent assurance function to that of a real-time management advisor.
► Companies are moving toward using the IA function for comprehensive, top-down enterprise risk assessments.
► IA will need more effective resources, capabilities and knowledge to contribute to the risk management needs of their organizations.
Traditional IA
► Typically labor-intensive
► Limited samples
► Narrow time period or stressful remediation
► Test procedures are limited in scope
► Capabilities and benefits tend to lessen as internal audit needs become more complex
IA leveraging analytics
► Test 100% of transactions for many controls
► Use of data analysis for sample selection in cases where testing 100% of transactions is not possible
► Increased insights and root cause analyses
► Frees up resources (up to 20%) to focus on audits and insights, not data collection
► Faster, automated data collection and evaluation
► Reduced travel expenses
Investments in analytics can mitigate risk, reduce cost and add value to the business.
Analytics Touch Points Across the IA Life Cycle
Bring in the analytics team to develop the charter.
Life cycle stages: risk assessment; audit planning; audit execution; audit reporting; BU action plan; monitoring
Key activity examples
► Risk identification
► Journal entries
► Material transactions
► Significant account activity analysis
► Customer churn
► Product churn
► Segregation of duties
► Embed analytics in existing client risk assessment process
► Process analytics
► P2P, OTC, FSCP, inventory, fixed assets, HR/PR, T&E
► Contract analytics
► Analytic testing of other significant processes
► Interpretation of results
► "Special projects"
► KPI monitoring
► KRI monitoring
► Continuous controls monitoring
► Dashboards
► Scorecards
► Benchmarks
► Excel output
Outputs
► Specific risk identification
► Scoping
► Communications
► Research current available data and information
► Coordinate lead time to execute
► Customize data requests
► Risk ranking
► Visibility into highest risks
► Identification of unknown risks
► Identification of audits to incorporate analytics
► Analytics execution
► Business insight
► Identification of process defects
► Action plan recommendations
► Repeatable analytics
► Thresholds
► Risk appetite
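As an added example, not from the original deck, of the segregation-of-duties analytic listed above and of testing 100% of a population rather than a sample: the Python below unions each user's capabilities across every role in a constructed entitlement extract and reports every user whose combined access breaks a constructed SoD rule, separating conflicts that management has covered with a documented compensating control. The role catalogue, rule set, user ids and control names are all hypothetical.

```python
"""Full-population segregation-of-duties (SoD) analytic over an ERP entitlement extract."""
from collections import defaultdict

# Hypothetical role catalogue: role -> business capabilities it grants (constructed).
ROLE_CAPABILITIES = {
    "AP_CLERK": {"vendor_create", "invoice_enter"},
    "AP_MANAGER": {"invoice_approve", "payment_release"},
    "PAYROLL_ADMIN": {"employee_create", "payroll_run"},
    "HR_SPECIALIST": {"employee_create"},
    "EHR_SECURITY_ADMIN": {"user_provision", "audit_log_purge"},
    "READ_ONLY": {"report_view"},
}

# SoD rules: capability pairs one person must not hold together (constructed).
SOD_RULES = {
    frozenset({"vendor_create", "payment_release"}): "fictitious vendor payment",
    frozenset({"invoice_enter", "invoice_approve"}): "self-approved invoice",
    frozenset({"employee_create", "payroll_run"}): "ghost employee payroll",
    frozenset({"user_provision", "audit_log_purge"}): "untraceable privileged access",
}

# Compensating controls management has documented for known conflicts (constructed).
COMPENSATING_CONTROLS = {("u005", "self-approved invoice"): "monthly independent AP review"}

# Constructed entitlement extract as (user, role); the whole population is tested.
ENTITLEMENTS = [
    ("u001", "AP_CLERK"), ("u001", "AP_MANAGER"),
    ("u002", "AP_CLERK"),
    ("u003", "HR_SPECIALIST"), ("u003", "PAYROLL_ADMIN"),
    ("u004", "EHR_SECURITY_ADMIN"),
    ("u005", "AP_CLERK"), ("u005", "AP_MANAGER"),
]


def capabilities_by_user(entitlements, role_caps=ROLE_CAPABILITIES):
    """Union each user's capabilities across all assigned roles."""
    users = defaultdict(set)
    for user, role in entitlements:
        # A role missing from the catalogue is itself a finding (unreconciled role
        # data), so stop rather than silently under-report conflicts.
        if role not in role_caps:
            raise ValueError(f"role {role!r} not in role catalogue; reconcile before testing")
        users[user] |= role_caps[role]
    return users


def find_sod_conflicts(entitlements, role_caps=ROLE_CAPABILITIES, rules=SOD_RULES,
                       compensating=COMPENSATING_CONTROLS):
    """Return sorted (user, conflict, status) for every rule a user's combined access breaks.

    status is "exception" unless a compensating control is on file, in which case
    the control name is returned so the auditor can test that control instead.
    """
    results = []
    for user, caps in capabilities_by_user(entitlements, role_caps).items():
        for pair, conflict in rules.items():
            if pair <= caps:  # user holds both halves of the conflicting pair
                status = compensating.get((user, conflict), "exception")
                results.append((user, conflict, status))
    return sorted(results)


def coverage(entitlements, role_caps=ROLE_CAPABILITIES):
    """Population figures reported alongside the exceptions (100% tested, not sampled)."""
    return {"users_tested": len(capabilities_by_user(entitlements, role_caps)),
            "assignments_tested": len(entitlements)}
```

Running `find_sod_conflicts(ENTITLEMENTS)` on the constructed extract flags u001, u003 and u004 as exceptions and reports u005's self-approved-invoice conflict against its documented compensating control, which becomes the item to test next.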
Robotics Process Automation
What is Robotics Process Automation (RPA)?
Robots use existing technology across the cloud, enterprise automation, desktop automation and in-house mainframe layers:
► Core account mgmt.
► Transaction processing
► Core accounting
► Reporting
► Third-party capabilities
► Industry utilities
► Internet / intranet capabilities
► Data storage
► Workflow and rules
► Imaging
► Digital channels
► Analytics / reporting
► Collaboration tools
► Spreadsheets
► Word documents
► PDFs
► Emails
► Collaboration
► Data and analytical tools
Robots…
► Link and sit atop existing IT assets
► Work faster and with fewer errors
► Operate on their own or with people
► Scale to match varying loads
► Deliver value quickly
► Cost much less than human FTEs
Enabling…
► Speed and innovation for growth and competitive advantage
► Industrial-scale agility with less risk of privacy issues and data exposure
► Improved compliance and auditability
RPA Internal Audit Implications: Challenges and Approach
Internal audit organizations should be actively involved and have a seat at the table. RPA has the opportunity to provide extensive value to the business, and the risk and control experience of internal audit can help highlight the enabling technology and its potential impacts and considerations.
1. Effective challenge of RPA program and robots
Organizations need to make efforts to be involved in the RPA strategy, so they can be better prepared for impacts on the internal audit plan, and help advise the organization through appropriate risk and control decisions.
2. Process modifications
There is the potential for new risks to be introduced through RPA programs or implementations. Organizations should consider the effect of RPA on process, controls, and the reliability and accuracy of data.
3. Impact to existing audit strategy
Executing an RPA challenge process will result in testing strategy modifications, affect the availability and collection of audit evidence, and may require additional competencies to support assessments.
Approach
► Determine the balance for challenge of the RPA program vs. implementations / controls
► Implement efficient, repeatable RPA challenge processes
► Continue to have a seat at the table at key forums
► Develop a plan for the audit period
Identifying Potential RPA Opportunities
Audit process enhancement opportunities
► As expectations for internal audit functions increase, the ability to manage workload, increase efficiency and effectiveness, while meeting a changing regulatory landscape will be a differentiator
► Firms may look to technology to address new audit testing needs and increase efficiency. A number of technical approaches such as RPA can help achieve targeted automation of the audit process.
Key benefits of testing automation
► Deploying automation solutions allows the audit function to maintain a core team dedicated to interpreting and reviewing audit testing results, and minimizes the highly transactional work of data collection, execution of test steps, tracking, and reporting.
Where automation can make a difference
► Reduce cycle time for heavily manual data collection and preparation for testing
► Reduce cost associated with non-decision-making manual processes
► Increase traceability of test steps performed
► Increase consistency of test supporting documentation and execution
► Ability to execute a variety of tests by using or modifying previously built test steps
► Easily scalable, with a short time to market
Robotic process automation (RPA) can play a critical role in allowing Internal Audit to meet its capacity, audit coverage, and efficiency objectives.
Summary and Discussion
EY | Assurance | Tax | Transactions | Advisory
About EY
EY is a global leader in assurance, tax, transaction and
advisory services. The insights and quality services we
deliver help build trust and confidence in the capital
markets and in economies the world over. We develop
outstanding leaders who team to deliver on our
promises to all of our stakeholders. In so doing, we play
a critical role in building a better working world for our
people, for our clients and for our communities.
EY refers to the global organization, and may refer to
one or more, of the member firms of Ernst & Young
Global Limited, each of which is a separate legal entity.
Ernst & Young Global Limited, a UK company limited by
guarantee, does not provide services to clients. For more
information about our organization, please visit ey.com.
Ernst & Young LLP is a client-serving member firm of
Ernst & Young Global Limited operating in the US.
© 2017 Ernst & Young LLP.
All Rights Reserved.
This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.
ey.com