Auditing Application User Account Security and Identity Management with Data Analytics




James Kidwell, JD, CISA, Senior Information Systems Auditor, Audit Services
Presented 9/14/2015

Session Agenda and Learning Objectives
- Brief background and risk history
- Discuss continuous auditing/monitoring project design, planning and execution steps
- Describe continuous audit and data analytic project challenges
- Discuss approaches used to help management make enterprise application user account security and identity management process and control improvements
- Share lessons learned by auditing with data analytics

Background
- About Carolinas HealthCare System (CHS)
- Audit findings:
  - Terminated users still had active application user accounts
  - Active application user accounts could not be linked to enterprise identity management data sources
  - The applications access, process, store and transmit Protected Health Information (PHI) and other confidential data
- Why? When some workforce members leave CHS or move jobs internally, why are their application user accounts not promptly disabled? Does this occur across multiple enterprise applications?

Why Use Data Analytics (DA) to Audit?
- Multiple process and control issue factors:
  - Complex application interfaces and infrastructures
  - Broad geographical facility locations and remote users
  - Coordination of remote user support and account management between Corporate and other health system entities
  - Non-employee users: contractors, vendors, etc.
  - Multiple authoritative identity and user access security data sources
- Improve critical thinking with technology:
  - Excel, Access, etc. are great CAAT tools, but sometimes a little more power is needed
  - CHS strengthened ACL Desktop with Audit Exchange (AX) Server
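As an added illustration (not code from the presentation or from CHS), the reconciliation test that the two audit findings above imply: join an application's user-account extract to the enterprise identity source and report (a) enabled accounts whose owner is terminated and (b) enabled accounts that match no identity record at all. The file layouts, field names and rows are constructed assumptions; a real test would be written against the tables and fields agreed with the data owners, in ACLScript or whatever tool the audit shop uses.

```python
import csv
import io
from datetime import date

# Constructed HR/identity extract (assumed field names): one row per workforce
# member, including contractors and vendors. term_date is empty while active.
IDENTITY_CSV = """emp_id,name,status,term_date
1001,Ann Lee,Active,
1002,Bob Ray,Terminated,2015-06-30
1003,Cy Dole,Terminated,2015-08-15
1004,Di Fox,Active,
"""

# Constructed application user-account extract (assumed field names). emp_id is
# the link key; it is blank or stale when the account was never tied to HR.
APP_ACCOUNTS_CSV = """username,emp_id,enabled,last_login
alee,1001,Y,2015-09-10
bray,1002,Y,2015-09-01
cdole,1003,N,2015-08-14
dfox,1004,Y,2015-09-12
svc_intf,,Y,2015-09-13
jdoe,9999,Y,2015-07-01
"""

def load(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))

def reconcile(identity_rows, account_rows, as_of_iso):
    """Return two exception lists: (username, days since termination) for
    enabled accounts whose owner is terminated, and usernames of enabled
    accounts that match no identity record. No grace period is applied."""
    as_of = date.fromisoformat(as_of_iso)
    ident = {r["emp_id"]: r for r in identity_rows}
    terminated_active, unlinked = [], []
    for acct in account_rows:
        if acct["enabled"] != "Y":
            continue  # a disabled account is the desired end state, not an exception
        person = ident.get(acct["emp_id"])
        if person is None:
            unlinked.append(acct["username"])  # orphan or unmapped account
            continue
        term = person["term_date"]
        if term and date.fromisoformat(term) <= as_of:
            days_open = (as_of - date.fromisoformat(term)).days
            terminated_active.append((acct["username"], days_open))
    return terminated_active, unlinked

if __name__ == "__main__":
    t, u = reconcile(load(IDENTITY_CSV), load(APP_ACCOUNTS_CSV), "2015-09-14")
    print("terminated but still enabled:", t)      # [('bray', 76)]
    print("enabled but unlinked to identity:", u)  # ['svc_intf', 'jdoe']
```

Run once per application extract; the unlinked list is the population that drives the "could not be linked" finding, and the days-open value shows how long after termination each account stayed enabled.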

Using Repeatable Data Analytics
[Figure: repeatable data analytics process. Image source: Data-Analytics_whp_Eng_0811.pdf (ISACA)]

Why Use Continuous Auditing/Monitoring (CA/CM) to Mitigate Risk?
Beyond repeatable DA, other benefits too:
- Advanced, pre-defined analytic scripting to support repeatability and automation
- Increase in audit assurance/consultation skill, knowledge and experience
- Automated data source feeds to AX (as opposed to ad hoc IT extracts)
- Enhanced data file security on a centralized server (PHI in raw data and audit samples, payroll, executive compensation, etc.)
- AX audit program data testing and scripting standards

Key CA/CM Project Design Considerations
- Identify data owners, stakeholders and key players
- Learn where the data is maintained
- Determine the needed data (DB tables and fields)
- Define the purpose and scope of the testing
- Select audit tools to perform data analytic tests
- Define the data analytic processes and tests
- Establish the data request/delivery process
- Define audit/monitoring report distribution/timing
- Build client confidence in the program

CA/CM Project Execution/Challenges
- Primary client education and awareness
- Subject matter expert engagement
- Auditor education and awareness
- Long-term management acceptance and engagement
- Data source acquisition and management
- Segregation of duties
- Cultural realities
- Mapping business processes to workforce and software activities
- Audit communications

CA/CM Project Lessons Learned
Oh boy, where should we begin?
- Audit project communications
- Mapping business processes to workforce and software activities
- Cultural realities
- Segregation of duties
- Data source acquisition and management
- Long-term management acceptance and engagement
- Auditor education and awareness
- Subject matter expert engagement
- Primary client education and awareness

Q & A

James Kidwell, Senior Information Systems Auditor, Audit Services
James.Kidwell (at) CarolinasHealthCare.org, O: 704 512 4773