PCI Compliance From an Internal Audit point of view


PCI Compliance From an Internal Audit point of view
University of Oklahoma Board of Regents, Internal Audit
May 24, 2016
Tim Marley, CPA, CIA, CISA, CFE, GSNA, CISSP, CIPP, CISM, PCI ISA, PCIP
IT Audit Director

The 3 Lines of Defense
Sources:
- IIA Position Paper: The Three Lines of Defense in Effective Risk Management and Control, January 2013
- EY, Insights on Governance, Risk and Compliance: Maximizing Value From Your Lines of Defense, December 2013
- Chartered Institute of Internal Auditors, Governance of Risk: Three Lines of Defense, December 2015
- Journal of Accountancy, Using Three Lines of Defense to Manage Internal Controls, July 2015

(Figure: the Three Lines of Defense model, reproduced from the IIA Position Paper: The Three Lines of Defense in Effective Risk Management and Control, January 2013)

The 3 Lines of Defense Model
1. Operating management: own and manage risk and control.
2. Risk, control, and compliance functions put in place by management: monitor risk and control in support of management.
3. Internal Audit: provide independent assurance about the effectiveness of risk management and control to the board and senior management.

Internal Audit in Higher Education
- Different reporting structures
- Different resources: people, skills, experience, tools
- Systems vs. non-systems

Identifying your IA function (OU Charter example)
- Mission
- Definition of Internal Auditing
- Authority and Organization
- Independence and Objectivity
- Responsibilities
- Quality Assurance and Improvement Program
- Fraud
http://www.ou.edu/content/audit/audit_charter.html

Institute of Internal Auditors, Mission of Internal Audit: "To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight." (International Professional Practices Framework, IPPF)

Mission. The mission of University of Oklahoma Internal Audit is to assist management and staff of the universities under the governance of the University of Oklahoma Board of Regents in the effective discharge of their responsibilities by providing them and the Board with independent and objective analysis, appraisals, recommendations, and pertinent comments with reference to: the adequacy and effectiveness of the internal control structure; the safeguarding of assets; compliance with applicable laws, regulations, and university policies; and the achievement of management's objectives.

Authority and Organization

ACUA (Association of College and University Auditors): a professional organization comprised of audit professionals from all over the globe. "We strive to continually improve the internal operations and processes of the individual institutions we serve, through continued professional development and the dissemination of individual internal audit experiences in an open forum with friends and colleagues."

IA Roles in PCI Compliance
1. Assurance
2. Consultation
3. Validation
https://usa.visa.com/support/small-business/security-compliance.html

Developing the plan
- Mandatory audits
- Requested audits
- Risk-based assessment: change in management, potential for fraud (cash), historical audit results, time elapsed since last audit, budget (hours), etc.

Survey of nearly 1,500 audit committee members. Top challenges:
- Audit committee's increasing workload
- Corporate performance
- Effectiveness of the CFO and finance organization
- Quality of information received about the company's key risks
Source: kpmg.com/globalaci.com

IT Audit Universe
- Enterprise IT
- Departmental IT
- ERP / Campus / University

Enterprise IT: IT functions that service external departments (central or core IT)
- Application responsibilities
- Network responsibilities
- Server responsibilities
- Datacenters
- Service providers

Departmental IT: typically services a single department
- Not necessarily traditional roles or employees
- Facilities: less sophisticated? under-resourced? less structured?
- Shadow IT

Approach
1. Determine level of validation
2. Determine scope
3. Large audits: identify responsible parties, assess efficiencies, assess effectiveness, report

Audit scope: by merchant or by campus/university? Factors:
- Who owns the compliance responsibility?
- How many owners do you have?
- How many merchants do you have?
- How complex is your environment?
- How mature is your compliance effort?

By campus/university
Operational/Performance Audit Program (compliance owner: CFO, CIO, Bursar, treasurer, cashier, registrar, IT, etc.)
- Appropriate signature on the validation submission to the processor/acquiring bank
- Policy and procedures
- Efficiencies
- Effectiveness*
*Compliance Audit Program (merchants and compliance owner)
- Split into logical populations (SAQ A, B, C, etc.) for sampling purposes
- Perform a risk analysis/assessment similar to the annual audit plan?
- Achieve economies of scale

Operational/Performance: David (CMMI)
- Scope
- Adequacy
- Policy Content
- Policy Coverage
- Entities
- Quality
- Program Integration
- Accountability and Ethics
- Program Oversight
- Direction
- Enablement
- Evaluation
- Reporting

Operational/Performance: Andy (GRA)
- Program Governance
- Employee Training and Awareness
- Policies and Procedures
- Compliance with University Policies and Procedures
- IT Compliance with University Policies and Procedures
- Bursar Program Attributes

Merchant Sampling: statistical or judgmental? Define your population:
- By SAQ type?
- By transaction count?
- Geographical?
- Reporting structure?
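The two slides above (splitting merchants into logical populations by SAQ type, then deciding between statistical and judgmental selection) describe a stratified sample with a risk-based override. The script below is an added example, not code from the presentation or from OU Internal Audit: it stratifies a constructed merchant inventory by SAQ type, allocates a sample proportionally with a floor of one merchant per stratum so no SAQ type is skipped, and forces in any merchant above a transaction-count threshold as the judgmental component. The merchant IDs, SAQ types, transaction counts, campus names, and the threshold are all assumptions made up for the example.

```python
"""Stratified merchant sampling for a PCI compliance audit program.

Added example; the inventory below is constructed, not real merchant data.
"""
import random
from collections import defaultdict

# Constructed inventory: one record per merchant ID. SAQ type is what the
# merchant validated with last cycle; txns is annual card transaction count.
MERCHANTS = [
    {"id": "M001", "saq": "A", "txns": 1200,   "campus": "Main"},
    {"id": "M002", "saq": "A", "txns": 800,    "campus": "Main"},
    {"id": "M003", "saq": "A", "txns": 15000,  "campus": "North"},
    {"id": "M004", "saq": "A", "txns": 300,    "campus": "Medical"},
    {"id": "M005", "saq": "A", "txns": 2200,   "campus": "Main"},
    {"id": "M006", "saq": "B", "txns": 4000,   "campus": "Main"},
    {"id": "M007", "saq": "B", "txns": 950,    "campus": "North"},
    {"id": "M008", "saq": "B", "txns": 120,    "campus": "Medical"},
    {"id": "M009", "saq": "C", "txns": 31000,  "campus": "Main"},
    {"id": "M010", "saq": "D", "txns": 250000, "campus": "Main"},
]


def stratify(merchants, key):
    """Group merchants into populations by a field (e.g. 'saq' or 'campus')."""
    strata = defaultdict(list)
    for m in merchants:
        strata[m[key]].append(m)
    return dict(strata)


def allocate(strata, sample_size, minimum=1):
    """Proportional allocation with a per-stratum floor, capped at stratum size.

    The floor guarantees that a small population (one SAQ D merchant, say)
    is never dropped from the sample just because it is small.
    """
    population = sum(len(v) for v in strata.values())
    allocation = {}
    for name, members in strata.items():
        proportional = round(sample_size * len(members) / population)
        allocation[name] = min(len(members), max(minimum, proportional))
    return allocation


def risk_based_picks(merchants, txn_threshold):
    """Judgmental component: merchants at or above the volume threshold are
    always examined, regardless of the random draw."""
    return sorted(m["id"] for m in merchants if m["txns"] >= txn_threshold)


def draw_sample(merchants, key, sample_size, seed, minimum=1, txn_threshold=None):
    """Return {stratum: [merchant IDs]}; seeded so the workpapers are reproducible."""
    rng = random.Random(seed)
    strata = stratify(merchants, key)
    allocation = allocate(strata, sample_size, minimum)
    forced = set(risk_based_picks(merchants, txn_threshold)) if txn_threshold else set()
    selected = {}
    for name, members in strata.items():
        must = [m["id"] for m in members if m["id"] in forced]
        pool = [m["id"] for m in members if m["id"] not in forced]
        # Forced picks count toward the stratum's allocation; top up randomly.
        extra = max(0, allocation[name] - len(must))
        chosen = must + rng.sample(pool, min(extra, len(pool)))
        selected[name] = sorted(chosen)
    return selected


if __name__ == "__main__":
    sample = draw_sample(MERCHANTS, "saq", sample_size=4, seed=2016, txn_threshold=20000)
    for saq, ids in sorted(sample.items()):
        print(f"SAQ {saq}: {', '.join(ids)}")
```

Re-running with the same seed reproduces the same selection, which is what a reviewer of the workpapers needs; changing `key` to `"campus"` stratifies by reporting structure instead, matching the other population choices on the slide.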

Merchant audit process. Verify:
- the scope of the cardholder data environment;
- the correctness of the validation form/media, etc. (i.e., did they use the proper SAQ, if applicable);
- the accuracy and completeness of the merchant's submission;
- compliance with applicable organizational policies.

Control Sampling (for the risk-based assessment, not for validation purposes)
- Depends on the SAQ
- Depends on the complexity of the CDE
- Depends on the confidence in the overall effort

Organizational Policy (by campus standards). Assign responsibilities:
- Business units
- Bursar
- Human Resources
- IT Support
- IT Security/Compliance
- CSIRT
- PCI DSS Cloud Computing Guidelines

Organizational Policy
See: PCI SSC information supplement "Third-Party Security Assurance", Appendix B (Organizational Policy)

QUESTIONS
Tim Marley, CPA, CIA, CISA, CFE, GSNA, CISSP, CIPP, CISM, PCI ISA, PCIP
IT Audit Director, University of Oklahoma
tim.marley@ou.edu
www.ou.edu/audit
Twitter: @timmarley
Desk: 405.325.5418