Internal Audit and the Virtual World of E-Services

Presentation Transcript
Association of Credit Union Internal Auditors

ACUIA 2012


E-Services

  • Electronic funds transfer

  • Automated teller machines

  • Internet-accessible services

    • Lending

    • Financial portals

    • Account openings / closings

    • Electronic bill pay

    • And on and on and …

  • Mobile banking

  • Expanding wireless services

  • And on and on and …


Developing an E-Strategy




Back to the Basics


E-Services and Areas of Risk Management

Credit risk

Interest rate (market) risk

Liquidity risk

Transaction (fraud) risk

Compliance (regulatory) risk

Strategic risk (decisions)

Reputation risk (impact of actions)



Internal Audit’s Responsibility

Identify the key risk management principles that assist the credit union in expanding their existing risk management policies and processes to cover e-services activities

Promote safe and sound delivery of such services

Not fundamentally different from the principles applied to services delivered through other distribution channels


E-Strategy Decision Making

  • Continuing technological innovation and competition driving a wider array of products and services and delivery mechanisms

    • Creates a “risk / reward” environment for credit unions

      • Unprecedented speed of change

      • Global nature of open electronic networks

      • Integration of e-services applications with legacy computer systems

      • Increasing dependence on third-party deliverers



Board and Management Oversight

  • The credit union’s board of directors and executive management share responsibility for developing the credit union’s business strategy and establishing effective management oversight of risk, including the risk presented by e-services.

    • Review and approval of the credit union’s security control process

      • Infrastructure - protection from both internal (primary role of internal audit) and external threats

      • Reliance on outsourced relationships and dependencies


Reputation Risk Management

  • E-services must be delivered on a consistent and timely basis

    • High member expectations for availability and high transaction demand

  • Incident response mechanisms

    • Business continuity and contingency planning

    • Communication strategies


Internal Audit E-Services Challenges

  • Speed of change (relative factor)

    • Shrinking implementation / testing times

    • IA needs to be involved (heavily) to ensure that adequate strategic assessment, risk analysis and security reviews are conducted PRIOR TO implementation of new applications

  • Transactional services (and third-party web sites) are now typically integrated as much as possible with legacy computer systems

    • Reduces opportunities for human error and fraud

    • Increases dependence on systems design, architecture, system interoperability and operational scalability


Internal Audit E-Services Challenges

  • Increases credit union’s dependence on IT

    • Least understood operational area by those providing internal oversight

    • Again, third party arrangements with some vendors who may be unregulated

    • Creation of new business models

  • Global accessibility (truly “global”)


Internal Audit Considerations: E-Services

  • Board and Management Oversight

    • Effective management oversight

    • Establishment of a comprehensive security control process

    • Comprehensive due diligence and management oversight for outsourcing relationships and other third-party dependencies


Internal Audit Considerations: E-Services

  • Security / Transaction Risk Controls

    • Authentication of e-services member-users

    • Non-repudiation and accountability for e-services transactions

    • Appropriate measures to ensure segregation of duties

    • Proper authorization controls within e-services systems, databases and applications

    • Data integrity of e-services transactions, records and information

    • Establishment of clear audit trails for e-services transactions

    • Confidentiality of information


Internal Audit Considerations: E-Services

  • Compliance / Strategic / Reputation Risk Factors

    • Appropriate disclosures

    • Privacy of member information

    • Capacity, business continuity and contingency planning to ensure availability of e-services systems

    • Incident response planning


Internal Audit Considerations: Board and Management Oversight

  • Board of directors and senior management should establish effective management oversight over the risks associated with e-services activities, including the establishment of specific accountability, policies and controls to manage these risks.

    • Major elements of the delivery channels (internet, wireless and related technologies) are outside of the credit union’s direct control

    • Internet facilitates delivery of services across multiple national jurisdictions, including those not served through physical locations

    • Complexity of issues can be (far) outside the traditional experience of the Board and Management


Internal Audit Considerations: Board and Management Oversight

  • Oversight factors the internal auditor should consider:

    • Ensure Board/Management have established the credit union’s risk appetite in relation to e-services

    • Ensure that key delegations and reporting mechanisms are established for those incidents that impact:

      • Safety and soundness

      • Reputation

    • Ensure Board/Management have addressed any unique risk factors associated with ensuring security, integrity and availability of e-services

      • Also, ensure that third-parties take similar measures

    • Ensure that appropriate due diligence and risk analyses are performed before e-services are developed and implemented


Internal Audit Considerations: Board and Management Oversight

  • Board of directors and senior management should review and approve the key aspects of the credit union’s security control process

    • Infrastructure (including internal audit)

      • Both internal and external threats

      • Authorization privileges

      • Logical and physical access controls

      • Appropriate boundaries and restrictions on both internal and external user activity

    • Policies and procedures

    • Assignment of explicit responsibility for oversight

    • Sufficient physical controls to protect access to computing environment

    • Sufficient logical controls to prevent access to applications and data bases

    • Regular review and testing of security measures and controls


Internal Audit Considerations: Board and Management Oversight

  • Board of directors and senior management should establish a comprehensive and ongoing due diligence and oversight process for managing the credit union’s outsourcing relationships and other third-party dependencies supporting e-services

    • Historically, outsourcing was often limited to a single service provider for a given functionality – HOWEVER – outsourcing relationships have increased in complexity as a direct result of advances in technology and the emergence of e-services


Internal Audit Considerations: Board and Management Oversight

  • Oversight factors the internal auditor should consider:

    • Ensure that the credit union fully understands the risks associated with entering into an outsourcing or partnership arrangement for e-services systems or applications

    • Ensure due diligence review of the competency and financial viability of any third-party service provider is conducted PRIOR TO entering into any contracts for e-services

    • Ensure the contractual accountability of all parties to the outsourcing or partnership relationship is clearly defined

    • Ensure all outsourced e-services systems and operations are subject to risk management, security and privacy policies that meet the credit union’s standards

    • Ensure internal and/or external audits are conducted of outsourced operations (same level as if the operations were in-house)

    • Ensure contingency plans exist for outsourced e-services activities


Internal Audit Considerations: Security / Transaction Risk Controls

Authentication

Non-repudiation

Data and transaction integrity

Segregation of duties

Authorization controls

Maintenance of audit trails

Confidentiality


Internal Audit Considerations: Security / Transaction Risk Controls

  • Credit union should take appropriate measures to authenticate the identity and authorization of members with whom it conducts business electronically

    • Obviously, member verification during account or e-service origination is important in reducing the risk of identity theft, fraudulent account applications, and money laundering


Internal Audit Considerations: Security / Transaction Risk Controls

  • Oversight factors the internal auditor should consider:

    • Ensure that authentication databases providing access to e-services member accounts or sensitive systems are adequately protected and any tampering is detectable and documented

    • Ensure that any addition, deletion or change of an individual, agent or system to an authentication database is duly authorized by an authenticated source

    • Ensure that appropriate measures are in place to control the e-services system connection such that unknown third parties cannot displace known members

    • Ensure that authenticated e-services sessions remain secure throughout the full duration of the session


Internal Audit Considerations: Security / Transaction Risk Controls

  • Credit union should use transaction authentication methods that promote non-repudiation and establish accountability for e-services transactions

    • Non-repudiation involves creating proof of the origin or delivery of electronic information to protect the sender against false denial by the recipient that the data has been received, or to protect the recipient against false denial by the sender that the data has been sent.


Internal Audit Considerations: Security / Transaction Risk Controls

  • Oversight factors the internal auditor should consider:

    • Ensure that e-services systems are designed to reduce the likelihood that authorized users will initiate unintended transactions and that members fully understand the risks associated with any transactions they initiate

    • Ensure that all parties to the transaction are positively authenticated and that control is maintained over the authenticated channel

    • Ensure that financial transaction data are protected from alteration and any alteration is detectable


Internal Audit Considerations: Security / Transaction Risk Controls

  • Credit union should ensure that appropriate measures are in place to promote adequate segregation of duties within e-services systems, databases and applications

    • Obviously, a basic internal control measure designed to reduce the risk of fraud in operational processes and systems and to ensure that transactions and credit union assets are properly authorized, recorded and safeguarded

      • No one person should be in position to commit a theft and cover that theft or create an error and cover that error

    • E-services may necessitate modifying the ways in which segregation of duties are established and maintained

      • Access to poorly secured databases can be more easily gained through internal and external networks – ensure adequate audit trails


Internal Audit Considerations: Security / Transaction Risk Controls

  • Oversight factors the internal auditor should consider:

    • Ensure that transaction processes and systems are designed to ensure that no single employee/outsourced service provider could enter, authorize and complete a transaction

    • Ensure that segregation is maintained between those initiating static data (including web-page content) and those responsible for verifying its integrity

    • Ensure that e-services systems are tested to ensure segregation of duties cannot be bypassed

    • Ensure that segregation is maintained between those developing and those administering e-services systems


Internal Audit Considerations: Security / Transaction Risk Controls

  • Credit union should ensure that proper authorization controls and access privileges are in place for e-services systems, databases and applications

    • In e-services systems, authorizations and access rights can be established in either a centralized or distributed manner and are generally stored in databases

    • Protection of those databases from tampering or corruption is essential


Internal Audit Considerations: Security / Transaction Risk Controls

  • Oversight factors the internal auditor should consider:

    • Ensure that specific authorization and access privileges are assigned to all individuals, third-parties or systems which conduct e-services activities

    • Ensure that all e-services systems are constructed to ensure that they interact only with valid authorization databases

    • Ensure that no individual or system should have the authority to change his or her own authority or access privileges in an e-services authorization database

    • Ensure that any authorization database that has been tampered with should not be used until replaced with a validated database

    • Ensure that controls are in place to prevent changes to authorization levels during e-services transaction sessions and any attempts to alter authorization should be logged and brought to the attention of management
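The oversight factors above, together with the earlier requirement that any addition, deletion or change to an authentication database be authorized by an authenticated source, can be enforced mechanically rather than left to procedure. The following is an added example written for this transcript, not code from the ACUIA presentation: a small authorization database whose changes must come from an authenticated principal holding a privilege-management right, that refuses any principal's attempt to change its own privileges, that refuses to operate once its integrity seal no longer matches its content (so a tampered copy is not used until replaced with a validated one), and that logs every refused attempt for management review. The principal names, privilege names and the HMAC key are constructed for the demonstration.

```python
"""Added example (not from the ACUIA presentation): an authorization database
with the slide's oversight controls enforced in code. All names and the key
below are constructed for illustration."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed secret; a real deployment keeps this in an HSM/KMS, never in source.
INTEGRITY_KEY = b"constructed-demo-key-do-not-reuse"
MANAGE_PRIVILEGES = "admin:manage_privileges"   # right to change OTHER principals' privileges


class AuthorizationError(Exception):
    """Raised when a privilege change is refused; the refusal is also logged."""


@dataclass
class AuthorizationDatabase:
    privileges: dict = field(default_factory=dict)   # principal -> set of privilege names
    seal: str = ""                                   # HMAC over the canonical content
    audit_log: list = field(default_factory=list)    # every attempt, accepted or refused

    def _canonical(self) -> bytes:
        # Deterministic serialisation so the seal depends only on content, not dict order.
        return json.dumps({p: sorted(v) for p, v in self.privileges.items()},
                          sort_keys=True).encode()

    def reseal(self) -> None:
        self.seal = hmac.new(INTEGRITY_KEY, self._canonical(), hashlib.sha256).hexdigest()

    def is_valid(self) -> bool:
        # A seal mismatch means the content changed outside this API: treat as tampered.
        expected = hmac.new(INTEGRITY_KEY, self._canonical(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(self.seal, expected)

    def _refuse(self, reason, actor, target, privilege):
        # Refused attempts are logged first, then surfaced to the caller.
        self.audit_log.append({"outcome": "REFUSED", "reason": reason, "actor": actor,
                               "target": target, "privilege": privilege})
        raise AuthorizationError(reason)

    def change_privilege(self, actor, actor_authenticated, target, privilege, grant=True):
        if not self.is_valid():
            self._refuse("authorization database failed integrity check; "
                         "replace with a validated copy", actor, target, privilege)
        if not actor_authenticated:
            self._refuse("change requested from an unauthenticated source",
                         actor, target, privilege)
        if actor == target:
            self._refuse("principals may not change their own privileges",
                         actor, target, privilege)
        if MANAGE_PRIVILEGES not in self.privileges.get(actor, set()):
            self._refuse("actor lacks the privilege-management right", actor, target, privilege)
        entry = self.privileges.setdefault(target, set())
        if grant:
            entry.add(privilege)
        else:
            entry.discard(privilege)
        self.reseal()   # every accepted change produces a fresh seal
        self.audit_log.append({"outcome": "GRANTED" if grant else "REVOKED", "reason": "",
                               "actor": actor, "target": target, "privilege": privilege})
        return True

    def refused_attempts(self):
        # What management should see: every attempt the controls stopped.
        return [e for e in self.audit_log if e["outcome"] == "REFUSED"]


def build_demo_db():
    # Constructed starting state: alice administers privileges, bob has none.
    db = AuthorizationDatabase({"alice": {MANAGE_PRIVILEGES}, "bob": set()})
    db.reseal()
    return db


def run_demo():
    """Constructed walk-through; returns (refused_count, bob_privileges, valid_after_tamper)."""
    db = build_demo_db()
    db.change_privilege("alice", True, "bob", "transfer:approve")          # legitimate change
    attempts = (("bob", True, "bob"),        # self-grant
                ("alice", True, "alice"),    # self-grant by an administrator
                ("mallory", True, "bob"),    # principal without the management right
                ("alice", False, "bob"))     # unauthenticated session
    for actor, authenticated, target in attempts:
        try:
            db.change_privilege(actor, authenticated, target, MANAGE_PRIVILEGES)
        except AuthorizationError:
            pass
    db.privileges["bob"].add(MANAGE_PRIVILEGES)   # out-of-band edit bypassing the API
    valid_after_tamper = db.is_valid()            # False: seal no longer matches
    try:
        db.change_privilege("alice", True, "bob", "report:view")   # refused: tampered DB
    except AuthorizationError:
        pass
    return len(db.refused_attempts()), sorted(db.privileges["bob"]), valid_after_tamper
```

Running `run_demo()` shows four refusals from the policy checks and a fifth from the integrity check once the database has been edited behind the API's back; the seal does not prevent the edit, it makes the edit detectable and stops the stale copy from being used.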


Internal Audit Considerations: Security / Transaction Risk Controls

  • Credit union should ensure that appropriate measures are in place to protect the data integrity of e-services transactions, records and information

    • Data integrity refers to the assurance that information that is in-transit or in storage is not altered without authorization

    • Failure to maintain data integrity, obviously, exposes the credit union to substantial reputation risk


Internal Audit Considerations: Security / Transaction Risk Controls

  • Oversight factors the internal auditor should consider:

    • Ensure that e-services transactions are conducted in a manner that makes them highly resistant to tampering throughout the entire process

    • Ensure that e-services records are stored, accessed and modified in a manner that makes them highly resistant to tampering

    • Ensure that e-services transactions and record-keeping processes are designed in such a manner as to make it virtually impossible to circumvent detection of unauthorized changes

    • Ensure that adequate change control policies are in place to protect against any e-services system changes that may erroneously or unintentionally compromise controls or data reliability

    • Ensure that any tampering with e-services transactions or records can be detected by transaction processing, monitoring and record keeping functions


Internal Audit Considerations: Security / Transaction Risk Controls

  • Credit union should ensure that clear audit trails exist for all e-services transactions

    • Much, if not all, of the credit union’s records and evidence supporting e-services transactions are in an electronic format, potentially weakening the credit union’s internal control environment if it is unable to maintain clear audit trails


Internal Audit Considerations: Security / Transaction Risk Controls

  • Oversight factors the internal auditor should consider:

    • Ensure audit trails exist for:

      • The opening, modification or closing of a member’s account

      • Any transaction with financial consequences

      • Any authorization granted to a member to exceed a previously established limit

      • Any granting, modification or revocation of systems access rights or privileges


Internal Audit Considerations: Security / Transaction Risk Controls

  • Credit union should take appropriate measures to preserve the confidentiality of key e-services information

  • Measures taken to preserve confidentiality should be commensurate with the sensitivity of the information being transmitted and/or stored in databases

    • Obviously, the advent of e-services presents an additional security challenge because it increases the exposure that information transmitted over public networks or stored in databases may be accessible by unauthorized or inappropriate parties


Internal Audit Considerations: Security / Transaction Risk Controls

  • Oversight factors the internal auditor should consider:

    • Ensure that all confidential credit union data and records are only accessible by duly authorized and authenticated individuals or systems

    • Ensure that all confidential credit union data are maintained in a secure manner and protected from unauthorized viewing or modification during transmission over public, private or internal networks

    • Ensure that the credit union’s standards and controls for data use and protection must be met when third parties have access to the data through outsourcing relationships

    • Ensure that all access to restricted data is logged and appropriate efforts are made to ensure that access logs are resistant to tampering
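The last factor above (access logs resistant to tampering), the data-integrity factors earlier (tampering with transactions or records must be detectable by monitoring and record-keeping functions) and the audit-trail slide (trails must exist for account changes, financial transactions, limit overrides and access-right changes) all point at the same mechanism. The following is an added example for this transcript, not code from the ACUIA presentation: an append-only audit trail in which every record carries an HMAC over its own content and the previous record's tag, so that editing, deleting or reordering any entry invalidates every later tag, plus a coverage check that reports which of the required event classes have no record yet. The event names, principals, timestamps and key are constructed for the demonstration.

```python
"""Added example (not from the ACUIA presentation): a hash-chained, tamper-evident
audit trail with a coverage check against the slide's required event classes.
Event names, principals, timestamps and the key are constructed."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed key; in practice it lives with the log-signing service, not the app.
LOG_KEY = b"constructed-audit-log-key"
GENESIS_TAG = "0" * 64

# Event classes the slide says an audit trail must cover (names are constructed).
REQUIRED_EVENT_CLASSES = {
    "account.opened", "account.modified", "account.closed",   # account lifecycle
    "transaction.financial",                                   # financial consequences
    "limit.override",                                          # exceeding a set limit
    "access.granted", "access.modified", "access.revoked",     # access-right changes
    "data.restricted_access",                                  # restricted-data reads
}


class AuditTrail:
    """Each record's tag = HMAC(key, previous_tag || canonical(record body))."""

    def __init__(self):
        self.records = []

    @staticmethod
    def _tag(prev_tag, body):
        msg = prev_tag.encode() + json.dumps(body, sort_keys=True).encode()
        return hmac.new(LOG_KEY, msg, hashlib.sha256).hexdigest()

    def append(self, event, actor, target, details=None, when=None):
        body = {"seq": len(self.records),
                "ts": (when or datetime.now(timezone.utc)).isoformat(),
                "event": event, "actor": actor, "target": target,
                "details": details or {}}
        prev = self.records[-1]["tag"] if self.records else GENESIS_TAG
        self.records.append({**body, "tag": self._tag(prev, body)})

    def verify(self):
        """Index of the first record whose position or tag is wrong, or -1 if intact."""
        prev = GENESIS_TAG
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "tag"}
            if body.get("seq") != i or not hmac.compare_digest(rec["tag"], self._tag(prev, body)):
                return i
            prev = rec["tag"]
        return -1


def uncovered_event_classes(trail):
    """Required event classes with no record in the trail (sorted for stable output)."""
    seen = {rec["event"] for rec in trail.records}
    return sorted(REQUIRED_EVENT_CLASSES - seen)


def build_sample_trail():
    # Constructed sample records with a fixed timestamp so results are reproducible.
    t = AuditTrail()
    fixed = datetime(2012, 6, 1, 9, 0, tzinfo=timezone.utc)
    t.append("account.opened", "teller-17", "acct-1001", {"channel": "web"}, fixed)
    t.append("transaction.financial", "member-1001", "acct-1001",
             {"type": "billpay", "amount": "125.00"}, fixed)
    t.append("limit.override", "supervisor-3", "member-1001", {"new_limit": "5000.00"}, fixed)
    t.append("access.granted", "admin-1", "svc-billpay", {"privilege": "ledger:write"}, fixed)
    t.append("data.restricted_access", "analyst-9", "member-pii-export", {"rows": 42}, fixed)
    return t


def tamper_amount():
    # Simulated after-the-fact edit of a stored transaction amount.
    t = build_sample_trail()
    t.records[1]["details"]["amount"] = "12500.00"
    return t.verify()          # 1: the edited record no longer matches its tag


def tamper_delete():
    # Simulated removal of the limit-override record.
    t = build_sample_trail()
    del t.records[2]
    return t.verify()          # 2: the record now at index 2 carries seq 3
```

The chain makes tampering detectable, not impossible: an attacker holding `LOG_KEY` could re-tag the whole chain, so the key belongs to a separate log-signing component and the verification runs from a monitoring function that the people who write the records cannot administer, which is the segregation the slides call for.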


Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors

Credit union should ensure that adequate information is provided on its website to allow potential members to reach an informed conclusion about the credit union’s identity and regulatory status prior to entering into e-services transactions


Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors

  • Oversight factors the internal auditor should consider:

    • Ensure that the website contains such information as the following:

      • Name of the credit union and location of its head office

      • Identity of the primary credit union supervisory authorities

      • How members can contact the credit union regarding service problems, complaints, misuse of accounts, etc.

      • How members can access and use applicable consumer complaint sources

      • Other information required by regulators


Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors

  • Credit union should take appropriate measures to ensure adherence to member privacy requirements applicable to the jurisdictions to which the credit union is providing e-services

    • Key responsibility of the credit union

    • Huge exposure to legal and reputation risk


Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors

  • Oversight factors the internal auditor should consider:

    • Ensure that the credit union’s privacy policies and standards take account of and comply with all privacy regulations and laws applicable to the jurisdictions to which it is providing e-services

    • Ensure that members are made aware of the credit union’s privacy policies and relevant privacy issues concerning use of e-services

    • Ensure that member data are not used for purposes beyond those specifically allowed or beyond those that members have authorized

    • Ensure that the credit union’s standards for member data use are met when third parties have access to member data


Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors

  • Credit union should have effective capacity, business continuity and contingency planning processes to help ensure the availability of e-services systems

    • To protect the credit union, e-services must be delivered on a consistent and timely basis in accordance with member expectations


Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors

  • Oversight factors the internal auditor should consider:

    • Ensure that current e-services system capacity and future scalability are analyzed in light of the overall market dynamics for e-commerce and the projected rate of member acceptance of e-services

    • Ensure that e-services transaction processing capacity estimates are established, stress tested and periodically reviewed

    • Ensure that appropriate business continuity and contingency plans for critical e-services processing and delivery systems are in place and tested regularly


Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors

  • Sound business continuity practices for e-services

    • All e-services and applications, including those provided by third-party service providers, should be identified and assessed for criticality.

    • A risk assessment for each critical e-service and application, including the potential implications of any business disruption on the credit union's credit, liquidity, operational and reputation risk should be conducted.

    • Performance criteria for each critical e-service and application should be established, and service levels should be monitored against such criteria.


Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors

  • Sound business continuity practices for e-services

    • Appropriate measures should be taken to ensure that e-services systems can handle high and low transaction volume and that systems performance and capacity are consistent with the credit union’s expectations for future growth in e-services.

    • Consideration should be given to developing processing alternatives for managing demand when e-services systems appear to be reaching defined capacity checkpoints.


Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors

  • Sound business continuity practices for e-services

    • E-services business continuity plans should be formulated to address any reliance on third-party service providers and any other external dependencies required to achieve recovery.

    • E-services contingency plans should set out a process for restoring or replacing e-services processing capabilities, reconstructing supporting transaction information, and include measures to be taken to resume availability of critical e-services systems and applications in the event of a business disruption.


Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors

  • Credit union should develop appropriate incident response plans to manage, contain and minimize problems arising from unexpected events, including internal and external attacks, that may hamper the provision of e-services systems

    • Include communication strategies


Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors

  • Oversight factors the internal auditor should consider:

    • Ensure that incident response plans address recovery of e-services systems and services under various scenarios, businesses and geographic locations.

      • Scenario analysis should include consideration of the likelihood of the risk occurring and its impact on the credit union. E-services systems that are outsourced to third-party service providers should be an integral part of these plans

    • Ensure that mechanisms are in place to identify an incident or crisis as soon as it occurs, assess its materiality, and control the reputation risk associated with any disruption in service


Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors

  • Oversight factors the internal auditor should consider:

    • Ensure that the credit union has a communication strategy to adequately address external market and media concerns that may arise in the event of security breaches, online attacks and/or failures of e-services systems

    • Ensure that a clear process is in place for alerting the appropriate regulatory authorities in the event that material security breaches or disruptive incidents occur.

    • Ensure that incident response teams have been appointed with the authority to act in an emergency and are sufficiently trained in analyzing incident detection/response systems and interpreting the significance of related output.


Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors

  • Oversight factors the internal auditor should consider:

    • Ensure that a clear chain of command has been established, encompassing both internal as well as outsourced operations, to ensure that prompt action is taken appropriate for the significance of the incident.

      • In addition, escalation and internal communication procedures should be developed and include notification of the Board where appropriate.


Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors

  • Oversight factors the internal auditor should consider:

    • Ensure that a process is in place to ensure all relevant external parties, including credit union members, counterparties and the media, are informed in a timely and appropriate manner of material e-services disruptions and business resumption developments.

    • Ensure that a process is in place for collecting and preserving forensic evidence to facilitate appropriate post-mortem reviews of any e-services incidents as well as to assist in the prosecution of attackers.


Questions?

Any questions?