IT Audit- Hospital Risks, Controls and Audit. AHIA Conference. Grant Thornton LLP. All rights reserved.

Transcription

1 IT Audit- Hospital Risks, Controls and Audit Approaches AHIA Conference Grant Thornton LLP. All rights reserved.

2 Agenda risk and organizational exposure understanding gyour information technology environment information technology risk assessment roadmap overview of information technology control activities discussion of IT Audit planning in a hospital discussion of IT Audit reporting Grant Thornton LLP. All rights reserved. 2

3 Risk and organizational exposure Grant Thornton LLP. All rights reserved.

4 Risk Definition A potential negative impact to an asset or some characteristic of value that may arise from some present process or future event. The probability of a loss. In information security, "risk" is defined as a function of three variables: the probability that there's a threat (a declaration of intent to inflict punishment or harm on another) the probability that there are any vulnerabilities (susceptibility to physical or emotional injury or attack) the potential impact (magnitude of the potential loss of seriousness of the event) Grant Thornton LLP. All rights reserved. 4

5 Risk Management Definition iti Risk management is the process used to identify, source and measure risk, and the development of strategies to manage it. Effective risk management strategies include: Policy and procedure Deployment of appropriate, skilled resources Preventative controls Technology architecture Regular or continuous monitoring Grant Thornton LLP. All rights reserved. 5

6 Information technology risk in the news Personal data of 1,000 UD students' exposed Dept. of Public Safety server was hacked into on April 8. delawareonline The News Journal, May 25, 2006 Hopkins data loss prompts legislative effort The loss of computer tapes containing personal information on more than 135,000 Johns Hopkins employees and patients - the data possibly tossed in a trash bin - is spurring consumer protection bills in Annapolis, including one to force prompt disclosure of such breaches. Baltimore Sun, February 11, 2007 Ohio University it suffers security breaches Data thieves may have plundered Social Security numbers and other private information--including health records--belonging to students and faculty at Ohio University following three separate computer intrusions at the school. CNET News.com, May 11, 2006 Grant Thornton LLP. All rights reserved. 6

7 Risk areas Operational risk "Our medication disbursement system is down." "Our donor files appear to have been copied." Financial & fraud risk "Our external auditor identified a $56,000 adjustment in our receivables sub-ledger." "Who authorized this $10,000 payment?" Compliance risk "There are control design gaps in our financial aid processing." Grant Thornton LLP. All rights reserved. 7

8 Risk areas Operational risk reputation risk availability of information integrity of information management decision adequacy of information and data communication timeliness of information customer/vendor relations; compliance with contractual agreements security and privacy; loss of intellectual property making, business operations Grant Thornton LLP. All rights reserved. 8

9 Risk areas Financial and fraud risk Financial risk accuracy of financial data completeness of financial data integrity of financial data Fraud risk theft misappropriation of assets Grant Thornton LLP. All rights reserved. 9

10 Risk areas Compliance risk Regulatory risk FERPA Family Education Rights & Privacy Act (Buckley Amendment) HIPAA Health Insurance Portability & Accountability Act OMB A-133 Office of Management and Budget Circular No. A-133 FISMA Federal Information Security Management Act State issued Information Security Breach and Identity Theft Prevention Acts Grant Thornton LLP. All rights reserved. 10

11 Risk areas Compliance risk (cont.) Accreditation risk institutional accreditation and specialized or programmatic accreditation agencies JCAHO - Joint Commission on Accreditation of Healthcare Organizations continuous quality improvement philosophy Grant Thornton LLP. All rights reserved. 11

12 Understanding your information technology environment Grant Thornton LLP. All rights reserved.

13 The key to a successful risk assessment Know your information technology environment 1. Physical layout of organization buildings and remote locations How many locations does our organization have? Where are these locations in comparison to each other (geographically)? How many of those locations use our IT resources? How many of those locations have IT resources on-site? Are these locations connected to each other? If so, how? Grant Thornton LLP. All rights reserved. 13

14 Know your information technology environment Telecommunications 2. How do we communicate within our organization and with others? What type of telephone system(s) do we use (analog, digital, Voice over Internet Protocol [VoIP])? Do we have modems? Do we know where they are? Are they active? Are they outbound only? Do we allow unrestricted long distance calling and transfers to outside telephone lines? Does our telephone system provide access to our computer systems? Grant Thornton LLP. All rights reserved. 14

15 Know your information technology environment Network architecture and design 3. How is our organization connected and how do our employees, students, patients, donors, etc. access information? What type of network(s) do we have? Is it wired, wireless or a combination of the two? Is it segmented to restrict access internally? How is it protected (firewall(s), intrusion detection/prevention systems, anti-virus software, etc.)? Grant Thornton LLP. All rights reserved. 15

16 Know your information technology environment Network architecture and design (cont.) 3. How is our organization connected and how do our employees, students, patients, donors, etc. access information? How are our locations connected to each other? Do we provide access to the Internet or have an organizational Intranet? Is it for informational use only or do we process "transactions" such as enrollment, payments, donations, etc.? Do we allow remote access to our network? Who has remote access and how is it protected? Grant Thornton LLP. All rights reserved. 16

17 Know your information technology environment User workstations and information sharing 4. What type of workstations and data sharing devices are used on our network? Do we support them? laptops, desktops, tablets personal digital assistant (PDA), handheld computers USB drive, external hard drive, flash disk, "thumb drive" Grant Thornton LLP. All rights reserved. 17

18 Know your information technology environment Information communication 5. What kind of information do we send to and receive from third parties? How do we do it? file transfer protocol (FTP) patient t / student t data electronic data interchange (EDI) information downloads electronic mail web-based classroom file encryption "pod-casts" claims clearinghouse digital signatures / electronic "handshakes" Grant Thornton LLP. All rights reserved. 18

19 Know your information technology environment Outsourced environments 6. What aspects of our information technology environment are outsourced? data center / server room telecommunications infrastructure management and administration network perimeter security information technology management application / software support desktop support / helpdesk inter-location connectivity disaster recovery / business continuity Grant Thornton LLP. All rights reserved. 19

20 Know your information technology environment Information systems 7. What are the information systems we use to run our organization? operating systemsstems Network databases applications Operating System Application Data Grant Thornton LLP. All rights reserved. 20

21 Know your information technology environment Information systems operating systems The system software responsible for the direct control and management of hardware and basic system operations. Additionally, it provides a foundation upon which to run application software such as word processing programs and web browsers. Examples: Microsoft Windows UNIX (Linux, Sun Solaris etc.) IBM Mainframe - OS/390, z/os OS/400 Apple Mac OS Microsoft MS-DOS Novell Netware Grant Thornton LLP. All rights reserved. 21

22 Know your information technology environment Information systems databases A collection of data elements stored in a computer in a systematic way, such that a computer program can query it to answer questions. Database Administration: A function involved in the coordination and control of data-related t d activities. iti Grant Thornton LLP. All rights reserved. 22

23 Know your information technology environment Information systems applications Single function: general ledger accounts payable fixed assets purchasing patient accounting fundraising Ad-hoc: MS Excel or Access Multi-function: ERP (Enterprise Resource Planning) Grant Thornton LLP. All rights reserved. 23

24 Know your information technology environment Information systems For each operating system, database and application, consider the following: Logical security How are users and IT authenticated and restricted to authorized areas? What is the type and nature of information available? Who administers access? What monitoring is available / performed? Change management What is the level of customization? How are changes initiated, authorized, tested, approved and implemented? Computer operations Is information processing monitored? Are backups performed and monitored regularly? Grant Thornton LLP. All rights reserved. 24

25 Know your information technology environment Information technology department 8. What is the structure, strategy and skillset of our information technology department? Who does the IT department t report to? Do the IT staff have the skills and experience necessary to support your IT environment? Is there an IT budget, IT strategy or IT steering committee? Has there been turnover in the IT department in the last 8-12 months? Has it impacted organizational support? Grant Thornton LLP. All rights reserved. 25

26 Know your information technology environment Documentation tools Tools to assist you in documenting your understanding of the information technology environment: systems interface map network topography map information flows by process technology inventory spreadsheet organizational chart IT vendor listing Grant Thornton LLP. All rights reserved. 26

27 Information technology risk assessment roadmap Grant Thornton LLP. All rights reserved.

28 Information technology risk assessment Assessment factors Criteria for assessing risk for the various aspects of your information technology environment: Impact If this IT area was compromised or became unavailable, what would the result to your organization be? Problems Have you experienced data integrity or data availability issues? Have you experienced inappropriate or unauthorized access? Have you experienced service issues with IT vendors? Grant Thornton LLP. All rights reserved. 28

29 Information technology risk assessment Assessment factors (cont.) Criteria for assessing risk for the various aspects of your information technology environment: Complexity Does this IT area require skilled professionals to support it? Relative to industry standards and your organizational peers, is this IT area more or less complex? Is this IT area standard/vanilla/"off-the-shelf" or customized? Is this environment relatively stable? Change Is this a new or modified system, application, device, utility, environment, etc.? Have you had turnover of the individual(s) who support this aspect of your IT environment? Have there been modifications to policy or procedure? Grant Thornton LLP. All rights reserved. 29

30 Information technology risk assessment Risk assessment format The network architecture example provided below illustrates how to perform risk analysis activities for the various aspects of your information technology environment. Sub Cycle Risk Type Risk Rating Impact Change Problems Complexity Preliminary perceptions on controls Network architecture t O Moderate F Moderate C Moderate Comp Moderate O - Operational Risk F - Financial Risk C - Compliance Risk Comp - Composite Score rated from 1 (low) to 5 (high) rated strong, moderate (default) or low Grant Thornton LLP. All rights reserved. 30

31 Information technology risk assessment Sample results Sub Cycle Risk Rating Preliminary perceptions on controls Network architecture 3.5 Moderate Network perimeter security 2.8 High Remote access to systems 3.3 Moderate Information technology organization 3.2 Moderate Application security administration 3.7 Moderate Application change management 3.3 High Information communication i with 3 rd parties Moderate Vendor management / monitoring 3.4 Low Telecommunications 2.3 Moderate Grant Thornton LLP. All rights reserved. 31

32 Information technology risk assessment Sample results (cont.) SWOT Analysis Strengths Highly positive "tone at the top" promotes attention to risk management activities and a strong overall control environment Tenured IT department Robust application change management process Use of independent consultants for security vulnerability assessments Ensure that all purchases of IT related hardware and software, and related IT projects are channeled through IT for approval Formalize disaster recovery and business continuity plans Opportunities Grant Thornton LLP. All rights reserved. Weaknesses Remote authentication ti ti criteria i Data center physical security Overall Information security / privacy strategy Increased demands on information sharing Pressure on ability to contain IT costs On-going compliance with federal and state requirements and changes in those requirements Increasing dependency on IT increases potential vulnerability to external attacks, worms, viruses, etc. Threats Internal Audit Plan Proposed Audit Area Network security and vulnerability assessment SDLC / Change management review HIPAA Security review Inherent Risk FY 08 Hours High 200 Medium 120 High 160 FY 09 Hours Antivirus software Medium 85 Disaster recovery / business continuity planning Estimated Annual Internal Audit Hours Medium Comments/ Rationale Recently redesigned network Custom applications and IT employee turnover New Compliance Officer Growth in virus attacks Information availability critical to remote student body 32

33 Overview of Information Technology (IT) controls IT general controls Automated / application / programmed controls IT dependent manual controls Grant Thornton LLP. All rights reserved.

34 Information technology controls Definition Information technology general controls Procedures pervasive to an organization or multiple segments/ environments of an organization that assure the secure, stable and reliable performance of computer hardware, software and IT personnel Automated / application / programmed controls Automated or programmed procedures performed by individual systems to ensure the validity, accuracy, completeness and availability of input, processed and stored data. Function as designed d and are not subject to intermittent error, unless modified. IT dependent manual controls Manual procedures that rely on output directly from an IT system Grant Thornton LLP. All rights reserved. 34

35 Information technology control structure Business Process A Business Process B Business Process C IT dependent manual controls Application / automated controls IT general controls Grant Thornton LLP. All rights reserved. 35

36 IT general controls Access to programs and data 1. logical access path 2. user administration 3. powerful authorities 4. segregation of duties 5. review of user access 6. physical security Grant Thornton LLP. All rights reserved. 36

37 Access to programs and data Logical access path System Users Security Resources Logon User Identification & Verification Transactions Access Request Resource Authorization Checking Access Files Data Access Violation Violation Logging & Access Reporting Event Logs Note: Powerful access can circumvent established security settings and procedures. Administration Report Grant Thornton LLP. All rights reserved. 37

38 IT general controls Application development and maintenance 1. program change process / SDLC 2. separation of IT environments 3. segregation of duties 4. importance of monitoring 5. configuration change management 6. emergency change control Grant Thornton LLP. All rights reserved. 38

39 IT general controls Computer operations and data processing 1. data processing - job scheduling - operations monitoring 2. antivirus 3. backup and recovery 4. business continuity and disaster recovery 5. data center environmental controls Grant Thornton LLP. All rights reserved. 39

40 Application / automated controls 1. Security access (i.e., user access to approve student financial aid application) 2. Calculations and programmed procedures (i.e., currency exchange automated calculated) 3. Edit / validation checks (i.e., no alpha characters allowed in numeric date field) 4. Tolerance limits or thresholds (i.e., automatically pay vendor invoice if within 2% of Purchase Order) 5. Application interfaces (i.e., automated reconciliation of donations entered/processed in fundraising subsystem and loaded into general ledger application) Grant Thornton LLP. All rights reserved. 40

41 IT dependent manual controls Key reports or output the organization relies upon that is produced directly from IT systems 1. Key reporting (i.e., A/R aging report) 2. Exception reporting (i.e., daily claims processing error report) 3. End user computing (i.e., validation and review of critical spreadsheets and ad-hoc reporting) Grant Thornton LLP. All rights reserved. 41

42 Information technology control resources The Information Systems Audit and Controls Association (ISACA), the IT Governance Institute (created by ISACA) and the Institute for Internal Auditors (IIA) have all created IT control frameworks and guidelines including: Control Objectives for Information and Related Technology (COBIT) IT Control Objectives for Sarbanes-Oxley Global Technology Audit Guide (GTAG) Effective IT governance helps ensure that IT supports business goals, maximizes i business investment t in IT and appropriately manages IT-related risks and opportunities Grant Thornton LLP. All rights reserved. 42

43 Contact information Scott D. Smith P E Scott.Smith@gt.com Pooja Walia P E Pooja.Walia@gt.com Grant Thornton LLP. All rights reserved. 43