PCI Compliance From an Internal Audit point of view

Transcription

1 PCI Compliance From an Internal Audit point of view University of Oklahoma Board of Regents, Internal Audit May 24, 2016 Tim Marley CPA CIA CISA CFE GSNA CISSP CIPP CISM PCI ISA PCIP IT Audit Director

2 The 3 Lines of Defense IIA Position Paper: The Three Lines of Defense In Effective Risk Management and Control, January 2013 EY Insights on Governance, Risk and Compliance Maximizing Value From Your Lines of Defense, December 2013 Chartered Institute of Internal Audit Governance of Risk: Three Lines of Defense, December 2015 Journal of Accountancy, Using Three Lines of Defense to Manage Internal Controls, July 2015

3 IIA Position Paper: The Three Lines of Defense In Effective Risk Management And Control, January 2013

4 The 3 Lines of Defense Model 1. Own and manage risk and control. 2. Monitor risk and control in support of management. 3. Provide independent assurance about effectiveness of risk management and control to the board and senior management. Operating Management Rick, Control, and Compliance functions put in place by management Internal Audit

5 Internal Audit in Higher Education Different reporting structures Different resources People Skills Experience Tools Systems vs. Non-systems

6 Identifying your IA function OU Charter example Mission Definition of Internal Auditing Authority and Organization Independence and Objectivity Responsibilities Quality Assurance and Improvement Program Fraud

7 Institute of Internal Auditors Mission of Internal Audit To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight International Professional Practices Framework (IPPF)

8 Mission The mission of University of Oklahoma Internal Audit is to assist management and staff of the universities under the governance of the University of Oklahoma Board of Regents in the effective discharge of its responsibilities by providing them and the Board with independent and objective analysis, appraisals, recommendations, and pertinent comments with reference to: the adequacy and effectiveness of the internal control structure, the safeguarding of assets, compliance with applicable laws, regulations and university policies, and the achievement of management s objectives.

9 Authority and Organization

10 ACUA A professional organization comprised of audit professionals from all over the globe. We strive to continually improve the internal operations and processes of the individual institutions we serve, through continued professional development and the dissemination of individual internal audit experiences in an open forum with friends and colleagues.

11 IA Roles in PCI Compliance 1. Assurance 2. Consultation 3. Validation

12 Developing the plan Mandatory audits Requested audits Risk-based assessment Change in management Potential for fraud (cash) Historical audit results Time elapsed since last audit Budget (hours), etc.

13 Nearly 1,500 audit committee members Top challenges Audit committee s increasing workload Corporate performance Effectiveness of CFO and finance organization Quality of information received about the company s key risks kpmg.com/globalaci.com

14 kpmg.com/globalaci.com

15 IT Audit Universe Enterprise IT Departmental IT ERP/Campus/University

16 Enterprise IT IT functions that service external departments Central or core IT Application responsibilities Network responsibilities Server responsibilities Datacenters Service Provider

17 Departmental IT Typically services a single department Not necessarily traditional roles or employees Facilities less sophisticated? under-resourced? less structured? Shadow IT

18 Approach 1. Determine level of validation 2. Determine scope 3. Large audits Identify responsible parties Assess efficiencies Assess effectiveness Report

19 Audit scope by merchant or by campus/university? Factors Who owns the compliance responsibility? How many owners do you have? How many merchants do you have? How complex is your environment? How mature is your compliance effort?

20 By campus/university Operational/Performance Audit Program - compliance owner CFO, CIO, Bursar, treasurer, cashier, registrar, IT, etc. Appropriate signature on the validation submission to the processor/acquiring bank Policy and procedures Efficiencies Effectiveness* *Compliance Audit Program merchants and compliance owner Split into logical populations, SAQ A, B, C, etc. for sampling purposes Perform a risk analysis/assessment similar to the annual audit plan? Achieve economies of scale

21 Operational/Performance David (CMMI) Scope Adequacy Policy Content Policy Coverage Entities Quality Program Integration Accountability and Ethics Program Oversight Direction Enablement Evaluation Reporting

22 Operational/Performance Andy (GRA) Program Governance Employee Training and Awareness Policies and Procedures Compliance with University Policies and Procedures IT Compliance with University Policies and Procedures Bursar Program Attributes

23 Merchant Sampling Statistical or Judgmental? Define your population By SAQ type? By Transaction count? Geographical? Reporting structure?

24 Verify Merchant audit process the scope for the cardholder data environment. the correctness of the validation form/media, etc. (i.e. did they use the proper SAQ if applicable) the accuracy and completeness of the merchant s submission. compliance with applicable organizational policies.

25 Control Sampling Not for validation purposes Risk-based assessment Depends on the SAQ Depends on the complexity of the CDE Depends on the confidence in the overall effort

26 Organizational Policy By campus standards Assign responsibilities Business Units Bursar Human Resources IT Support IT Security/Compliance CSIRT PCI DSS Cloud Computing Guidelines

27 Organizational Policy

28 See: Third-Party Security Assurance, Appendix B Organizational Policy

29 QUESTIONS Tim Marley CPA, CIA, CISA, CFE, GSNA, CISSP, CIPP, CISM, PCI ISA, PCIP IT Audit Director, University of Oklahoma desk