Internal Audit and the Virtual World of E-Services
Association of Credit Union Internal Auditors
ACUIA 2012
E-Services
- Electronic funds transfer
- Automated teller machines
- Internet-accessible services
- Lending
- Financial portals
- Account openings / closings
- Electronic bill pay
- Mobile banking
- Expanding wireless services
- And on and on and on ...
Developing an E-Strategy
Back to the Basics

E-Services and Areas of Risk Management
- Credit risk
- Interest rate (market) risk
- Liquidity risk
- Transaction (fraud) risk
- Compliance (regulatory) risk
- Strategic risk (decisions)
- Reputation risk (impact of actions)
Internal Audit’s Responsibility
- Identify the key risk management principles that assist the credit union in expanding its existing risk management policies and processes to cover e-services activities
- Promote safe and sound delivery of such services
- These principles are not fundamentally different from those applied to services delivered through other distribution channels
E-Strategy Decision Making
- Continuing technological innovation and competition are driving a wider array of products, services and delivery mechanisms
- This creates a “risk / reward” environment for credit unions
- Unprecedented speed of change
- Global nature of open electronic networks
- Integration of e-services applications with legacy computer systems
- Increasing dependence on third-party deliverers
Board and Management Oversight
- The credit union’s board of directors and executive management share responsibility for developing the credit union’s business strategy and establishing effective management oversight of risk, including the risk presented by e-services
- Review and approval of the credit union’s security control process
- Infrastructure: protection from both internal threats (the primary role of internal audit) and external threats
- Reliance on outsourced relationships and dependencies
Reputation Risk Management
- E-services must be delivered on a consistent and timely basis
- High member expectations for availability, combined with high transaction demand
- Incident response mechanisms
- Business continuity and contingency planning
- Communication strategies
Internal Audit E-Services Challenges
- Speed of change (a relative factor)
- Shrinking implementation / testing times: IA needs to be heavily involved to ensure that adequate strategic assessment, risk analysis and security reviews are conducted PRIOR TO implementation of new applications
- Transactional services (and third-party web sites) are now typically integrated as tightly as possible with legacy computer systems; this reduces opportunities for human error and fraud but increases dependence on systems design, architecture, system interoperability and operational scalability
Internal Audit E-Services Challenges
- Increases the credit union’s dependence on IT, often the least understood operational area for those providing internal oversight
- Again, third-party arrangements, some with vendors who may be unregulated
- Creation of new business models
- Global accessibility (truly “global”)
Internal Audit Considerations: E-Services Board and Management Oversight
- Effective management oversight
- Establishment of a comprehensive security control process
- Comprehensive due diligence and management oversight for outsourcing relationships and other third-party dependencies
Internal Audit Considerations: E-Services Security / Transaction Risk Controls
- Authentication of e-services member-users
- Non-repudiation and accountability for e-services transactions
- Appropriate measures to ensure segregation of duties
- Proper authorization controls within e-services systems, databases and applications
- Data integrity of e-services transactions, records and information
- Establishment of clear audit trails for e-services transactions
- Confidentiality of information
Internal Audit Considerations: E-Services Compliance / Strategic / Reputation Risk Factors
- Appropriate disclosures
- Privacy of member information
- Capacity, business continuity and contingency planning to ensure availability of e-services systems
- Incident response planning
Internal Audit Considerations: Board and Management Oversight
- The board of directors and senior management should establish effective management oversight over the risks associated with e-services activities, including the establishment of specific accountability, policies and controls to manage these risks
- Major elements of the delivery channels (internet, wireless and related technologies) are outside of the credit union’s direct control
- The internet facilitates delivery of services across multiple national jurisdictions, including those not served through physical locations
- The complexity of the issues can be (far) outside the traditional experience of the board and management
Internal Audit Considerations: Board and Management Oversight
Oversight factors the internal auditor should consider:
- Ensure the board and management have established the credit union’s risk appetite in relation to e-services
- Ensure that key delegations and reporting mechanisms are established for those incidents that impact safety and soundness or reputation
- Ensure the board and management have addressed any unique risk factors associated with ensuring the security, integrity and availability of e-services; also ensure that third parties take similar measures
- Ensure that appropriate due diligence and risk analyses are performed before e-services are developed and implemented
Internal Audit Considerations: Board and Management Oversight
The board of directors and senior management should review and approve the key aspects of the credit union’s security control process:
- Infrastructure (including internal audit)
- Both internal and external threats
- Authorization privileges
- Logical and physical access controls
- Appropriate boundaries and restrictions on both internal and external user activity
- Policies and procedures
- Assignment of explicit responsibility for oversight
- Sufficient physical controls to protect access to the computing environment
- Sufficient logical controls to prevent unauthorized access to applications and databases
- Regular review and testing of security measures and controls
Internal Audit Considerations: Board and Management Oversight
- The board of directors and senior management should establish a comprehensive and ongoing due diligence and oversight process for managing the credit union’s outsourcing relationships and other third-party dependencies supporting e-services
- Historically, outsourcing was often limited to a single service provider for a given functionality; HOWEVER, outsourcing relationships have increased in complexity as a direct result of advances in technology and the emergence of e-services
Internal Audit Considerations: Board and Management Oversight
Oversight factors the internal auditor should consider:
- Ensure that the credit union fully understands the risks associated with entering into an outsourcing or partnership arrangement for e-services systems or applications
- Ensure that a due diligence review of the competency and financial viability of any third-party service provider is conducted PRIOR TO entering into any contracts for e-services
- Ensure that the contractual accountability of all parties to the outsourcing or partnership relationship is clearly defined
- Ensure that all outsourced e-services systems and operations are subject to risk management, security and privacy policies that meet the credit union’s standards
- Ensure that internal and/or external audits are conducted of outsourced operations, to the same level as if the operations were in-house
- Ensure that contingency plans exist for outsourced e-services activities
Internal Audit Considerations: Security / Transaction Risk Controls
- Authentication
- Non-repudiation
- Data and transaction integrity
- Segregation of duties
- Authorization controls
- Maintenance of audit trails
- Confidentiality
Internal Audit Considerations: Security / Transaction Risk Controls
- The credit union should take appropriate measures to authenticate the identity and authorization of members with whom it conducts business electronically
- Obviously, member verification during account or e-service origination is important in reducing the risk of identity theft, fraudulent account applications and money laundering
Internal Audit Considerations: Security / Transaction Risk Controls
Oversight factors the internal auditor should consider:
- Ensure that authentication databases providing access to e-services member accounts or sensitive systems are adequately protected and that any tampering is detectable and documented
- Ensure that any addition, deletion or change of an individual, agent or system in an authentication database is duly authorized by an authenticated source
- Ensure that appropriate measures are in place to control the e-services system connection such that unknown third parties cannot displace known members (session hijacking)
- Ensure that authenticated e-services sessions remain secure throughout the full duration of the session
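The last two factors above are what an auditor tests when looking at session handling: a token that cannot be guessed or edited, that dies on inactivity and on an absolute limit, that is tied to the connection it was issued on, and that is re-issued after a step-up so an earlier id is worthless. The following is an added example (not code from the ACUIA deck or any credit union system); SessionStore, IDLE_TIMEOUT, ABSOLUTE_TIMEOUT and the client_binding value are assumptions chosen for the illustration, with the binding standing in for something the server can observe about the connection, such as a client certificate fingerprint or a TLS channel identifier.

```python
"""Session handling that keeps an authenticated session bound to the member
for its whole lifetime. Added illustration; names and timeouts are assumed."""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60       # seconds of inactivity after which a session is dead
ABSOLUTE_TIMEOUT = 8 * 3600  # hard lifetime, regardless of activity


def _fingerprint(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


class SessionStore:
    def __init__(self, server_key: bytes, clock: Callable[[], float] = time.time):
        self._key = server_key          # never leaves the server
        self._clock = clock             # injectable so expiry can be tested
        self._sessions: Dict[str, dict] = {}

    def _tag(self, sid: str) -> str:
        # Keyed MAC over the random id: a guessed or edited token fails here
        # before the store is even consulted.
        return hmac.new(self._key, sid.encode(), hashlib.sha256).hexdigest()

    def create(self, member_id: str, client_binding: str) -> str:
        """Issue a fresh, unguessable token for an authenticated member."""
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {
            "member": member_id,
            "binding": _fingerprint(client_binding),
            "created": now,
            "last_seen": now,
        }
        return f"{sid}.{self._tag(sid)}"

    def resolve(self, token: str, client_binding: str) -> Optional[str]:
        """Return the member id for a live session, or None.

        Every failure returns the same None, so a caller cannot learn whether
        an id exists. A binding mismatch is treated as a stolen token and
        revokes the session outright.
        """
        sid, sep, tag = token.partition(".")
        if not sep or not hmac.compare_digest(tag, self._tag(sid)):
            return None
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        if now - rec["created"] > ABSOLUTE_TIMEOUT or now - rec["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        if not hmac.compare_digest(rec["binding"], _fingerprint(client_binding)):
            del self._sessions[sid]     # someone else presented a known member's token
            return None
        rec["last_seen"] = now
        return rec["member"]

    def rotate(self, token: str, client_binding: str) -> Optional[str]:
        """Re-issue the id (after step-up authentication or a privilege change)
        so an id observed earlier in the session cannot be fixed or replayed."""
        member = self.resolve(token, client_binding)
        if member is None:
            return None
        del self._sessions[token.partition(".")[0]]
        return self.create(member, client_binding)

    def logout(self, token: str) -> None:
        self._sessions.pop(token.partition(".")[0], None)
```

Revoking on a binding mismatch is a design choice: it inconveniences a member whose connection attributes legitimately change, but it means a token lifted from one connection cannot be used from another, and the legitimate holder finds out immediately because they are logged out.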
Internal Audit Considerations: Security / Transaction Risk Controls
- The credit union should use transaction authentication methods that promote non-repudiation and establish accountability for e-services transactions
- Non-repudiation involves creating proof of the origin or delivery of electronic information, to protect the sender against a false denial by the recipient that the data has been received, or to protect the recipient against a false denial by the sender that the data has been sent
- Note for the reviewer: a check based on a shared secret (such as an HMAC) proves integrity but not origin, because every holder of the secret could have produced it; non-repudiation requires a signature under a key that only the originating party holds
Internal Audit Considerations: Security / Transaction Risk Controls
Oversight factors the internal auditor should consider:
- Ensure that e-services systems are designed to reduce the likelihood that authorized users will initiate unintended transactions, and that members fully understand the risks associated with any transactions they initiate
- Ensure that all parties to the transaction are positively authenticated and that control is maintained over the authenticated channel
- Ensure that financial transaction data are protected from alteration and that any alteration is detectable
Internal Audit Considerations: Security / Transaction Risk Controls
- The credit union should ensure that appropriate measures are in place to promote adequate segregation of duties within e-services systems, databases and applications
- Obviously, this is a basic internal control measure designed to reduce the risk of fraud in operational processes and systems and to ensure that transactions and credit union assets are properly authorized, recorded and safeguarded
- No one person should be in a position to commit a theft and cover that theft, or create an error and cover that error
- E-services may necessitate modifying the ways in which segregation of duties is established and maintained
- Access to poorly secured databases can be gained more easily through internal and external networks; ensure adequate audit trails
Internal Audit Considerations: Security / Transaction Risk Controls
Oversight factors the internal auditor should consider:
- Ensure that transaction processes and systems are designed so that no single employee or outsourced service provider can enter, authorize and complete a transaction
- Ensure that segregation is maintained between those initiating static data (including web-page content) and those responsible for verifying its integrity
- Ensure that e-services systems are tested to confirm that segregation of duties cannot be bypassed
- Ensure that segregation is maintained between those developing and those administering e-services systems
Internal Audit Considerations: Security / Transaction Risk Controls
- The credit union should ensure that proper authorization controls and access privileges are in place for e-services systems, databases and applications
- In e-services systems, authorizations and access rights can be established in either a centralized or a distributed manner and are generally stored in databases
- Protection of those databases from tampering or corruption is essential
Internal Audit Considerations: Security / Transaction Risk Controls
Oversight factors the internal auditor should consider:
- Ensure that specific authorization and access privileges are assigned to all individuals, third parties or systems that conduct e-services activities
- Ensure that all e-services systems are constructed so that they interact only with valid authorization databases
- Ensure that no individual or system has the authority to change his, her or its own authority or access privileges in an e-services authorization database
- Ensure that any authorization database that has been tampered with is not used until it is replaced with a validated database
- Ensure that controls are in place to prevent changes to authorization levels during e-services transaction sessions, and that any attempt to alter authorization is logged and brought to the attention of management
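The segregation-of-duties factors (no single person enters, authorizes and completes a transaction) and the authorization-database factors above (no self-granted privileges, a tampered database is refused, every attempt to alter authority is logged for management) can be tested against a concrete implementation. The following is an added example, not code from the ACUIA deck or any vendor product; AuthzDatabase, TransferDesk and the role names "initiator", "approver" and "authz-admin" are assumptions chosen for the illustration, and the seal key is assumed to be held by the application and not by the database administrators.

```python
"""Sealed authorization database plus a maker-checker transaction desk.
Added illustration; class names, roles and the seal-key arrangement are assumed."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


class AuthorizationError(Exception):
    pass


class TamperedAuthzDatabase(Exception):
    pass


class AuthzDatabase:
    """Role grants sealed with a key (assumed to live with the application,
    not the DBAs). A copy edited outside this class fails the seal check and
    is refused rather than trusted, per the 'tampered database' factor."""

    def __init__(self, seal_key: bytes, grants: Dict[str, Iterable[str]]):
        self._key = seal_key
        self.grants: Dict[str, Set[str]] = {u: set(r) for u, r in grants.items()}
        self.attempts: List[dict] = []   # every authority change, allowed or denied
        self._seal = self._compute_seal()

    def _compute_seal(self) -> str:
        canon = json.dumps({u: sorted(r) for u, r in self.grants.items()}, sort_keys=True)
        return hmac.new(self._key, canon.encode(), hashlib.sha256).hexdigest()

    def roles(self, user: str) -> Set[str]:
        # Refuse to answer from a database whose seal no longer matches.
        if not hmac.compare_digest(self._seal, self._compute_seal()):
            raise TamperedAuthzDatabase("seal mismatch; replace with a validated copy")
        return set(self.grants.get(user, ()))   # copy: callers cannot mutate grants

    def change_roles(self, actor: str, target: str,
                     add: Iterable[str] = (), remove: Iterable[str] = ()) -> None:
        """Only an authz-admin may change grants, and never their own."""
        add, remove = list(add), list(remove)
        allowed = actor != target and "authz-admin" in self.roles(actor)
        self.attempts.append({"actor": actor, "target": target, "add": sorted(add),
                              "remove": sorted(remove), "allowed": allowed})
        if not allowed:
            raise AuthorizationError(f"{actor} may not change the privileges of {target}")
        current = self.grants.setdefault(target, set())
        current.update(add)
        current.difference_update(remove)
        self._seal = self._compute_seal()

    def denied_attempts(self) -> List[dict]:
        """What management should be shown: every refused privilege change."""
        return [a for a in self.attempts if not a["allowed"]]


@dataclass
class Transfer:
    ref: str
    amount: int
    initiated_by: str
    approved_by: Optional[str] = None


class TransferDesk:
    """Maker-checker: one person enters a transfer, a different person holding
    the approver role releases it. Holding both roles does not let one person
    perform both steps on the same transfer."""

    def __init__(self, authz: AuthzDatabase):
        self.authz = authz
        self.pending: Dict[str, Transfer] = {}
        self.posted: List[Transfer] = []

    def initiate(self, user: str, ref: str, amount: int) -> Transfer:
        if "initiator" not in self.authz.roles(user):
            raise AuthorizationError(f"{user} may not initiate transfers")
        t = Transfer(ref, amount, user)
        self.pending[ref] = t
        return t

    def approve(self, user: str, ref: str) -> Transfer:
        t = self.pending[ref]
        if "approver" not in self.authz.roles(user):
            raise AuthorizationError(f"{user} may not approve transfers")
        if user == t.initiated_by:
            raise AuthorizationError("initiator may not approve their own transfer")
        t.approved_by = user
        self.posted.append(self.pending.pop(ref))
        return t
```

The auditor's test of "segregation cannot be bypassed" is the case of a user who legitimately holds both roles: the desk must still refuse to let that user approve a transfer they initiated, and the refusal, like every refused privilege change, must be visible in the record management reviews.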
Internal Audit Considerations: Security / Transaction Risk Controls
- The credit union should ensure that appropriate measures are in place to protect the data integrity of e-services transactions, records and information
- Data integrity refers to the assurance that information that is in transit or in storage is not altered without authorization
- Failure to maintain data integrity, obviously, exposes the credit union to substantial reputation risk
Internal Audit Considerations: Security / Transaction Risk Controls
Oversight factors the internal auditor should consider:
- Ensure that e-services transactions are conducted in a manner that makes them highly resistant to tampering throughout the entire process
- Ensure that e-services records are stored, accessed and modified in a manner that makes them highly resistant to tampering
- Ensure that e-services transactions and record-keeping processes are designed so that it is virtually impossible for unauthorized changes to escape detection
- Ensure that adequate change control policies are in place to protect against any e-services system changes that may erroneously or unintentionally compromise controls or data reliability
- Ensure that any tampering with e-services transactions or records can be detected by the transaction processing, monitoring and record-keeping functions
Internal Audit Considerations: Security / Transaction Risk Controls
- The credit union should ensure that clear audit trails exist for all e-services transactions
- Much, if not all, of the credit union’s records and evidence supporting e-services transactions are in electronic format, which potentially weakens the credit union’s internal control environment if it is unable to maintain clear audit trails
Internal Audit Considerations: Security / Transaction Risk Controls
Oversight factors the internal auditor should consider: ensure audit trails exist for
- The opening, modification or closing of a member’s account
- Any transaction with financial consequences
- Any authorization granted to a member to exceed a previously established limit
- Any granting, modification or revocation of systems access rights or privileges
Internal Audit Considerations: Security / Transaction Risk Controls
- The credit union should take appropriate measures to preserve the confidentiality of key e-services information
- Measures taken to preserve confidentiality should be commensurate with the sensitivity of the information being transmitted and/or stored in databases
- Obviously, the advent of e-services presents an additional security challenge because it increases the exposure that information transmitted over public networks or stored in databases may be accessible to unauthorized or inappropriate parties
Internal Audit Considerations: Security / Transaction Risk Controls
Oversight factors the internal auditor should consider:
- Ensure that all confidential credit union data and records are accessible only by duly authorized and authenticated individuals or systems
- Ensure that all confidential credit union data are maintained in a secure manner and protected from unauthorized viewing or modification during transmission over public, private or internal networks
- Ensure that the credit union’s standards and controls for data use and protection are met when third parties have access to the data through outsourcing relationships
- Ensure that all access to restricted data is logged and that appropriate efforts are made to ensure that access logs are resistant to tampering
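The data-integrity factors ("any tampering ... can be detected"), the audit-trail factors (account changes, financial transactions, limit overrides, privilege changes) and the last factor above (access logs resistant to tampering) all come down to one mechanism: a trail where editing, deleting or reordering an entry is detectable afterwards. The following is an added example, not code from the ACUIA deck or any logging product; AuditTrail, its field names and the sample entries in demo() are constructed for the illustration, and the MAC key is assumed to be held by the logging service (or an HSM) rather than by the application or database administrators whose actions the trail records.

```python
"""Tamper-evident audit trail: hash-chained entries sealed with an HMAC.
Added illustration; class name, fields, sample entries and key custody are assumed."""
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64   # stand-in "previous seal" for the first entry


class AuditTrail:
    FIELDS = ("seq", "actor", "action", "subject", "details")

    def __init__(self, mac_key: bytes):
        self._key = mac_key
        self.entries: List[dict] = []

    def _seal(self, body: dict, prev: str) -> str:
        # Canonical JSON so identical content always seals identically; the
        # previous seal is mixed in, which is what chains the entries.
        canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hmac.new(self._key, (canon + prev).encode(), hashlib.sha256).hexdigest()

    def append(self, actor: str, action: str, subject: str, **details) -> dict:
        prev = self.entries[-1]["seal"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "actor": actor, "action": action,
                "subject": subject, "details": details}
        entry = {**body, "prev": prev, "seal": self._seal(body, prev)}
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """(True, None) if the chain is intact, otherwise (False, index) of the
        first entry that was edited, removed, reordered or forged."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: e[k] for k in self.FIELDS}
            if (e["seq"] != i or e["prev"] != prev
                    or not hmac.compare_digest(e["seal"], self._seal(body, prev))):
                return False, i
            prev = e["seal"]
        return True, None

    def head(self) -> str:
        """Latest seal. Anchor it somewhere the log writers cannot reach (a
        write-once store, a daily printed report) because a chain cannot show
        that its own tail has been cut off."""
        return self.entries[-1]["seal"] if self.entries else GENESIS


def demo() -> AuditTrail:
    """Constructed sample trail covering the event types the deck lists."""
    trail = AuditTrail(b"example-key-held-by-logging-service")
    trail.append("teller-07", "account.open", "acct:1001", product="share draft")
    trail.append("member:1001", "transfer", "acct:1001", amount=250, to="acct:2002")
    trail.append("supervisor-3", "limit.override", "member:1001", daily_limit=5000)
    trail.append("itadmin-2", "privilege.grant", "teller-07", role="approver")
    return trail
```

Two caveats matter for the audit: the MAC key must not be available to anyone who can write the log, otherwise a tampered chain can simply be re-sealed; and a chain only proves what is present is consistent, so the latest seal must be anchored externally on a schedule, or a trail truncated at the tail will still verify.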
Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors
- The credit union should ensure that adequate information is provided on its website to allow potential members to reach an informed conclusion about the credit union’s identity and regulatory status prior to entering into e-services transactions
Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors
Oversight factors the internal auditor should consider: ensure that the website contains information such as the following
- Name of the credit union and location of its head office
- Identity of the primary credit union supervisory authorities
- How members can contact the credit union regarding service problems, complaints, misuse of accounts, etc.
- How members can access and use applicable consumer complaint sources
- Other information required by regulators
Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors
- The credit union should take appropriate measures to ensure adherence to the member privacy requirements applicable in the jurisdictions to which it is providing e-services
- A key responsibility of the credit union
- Huge exposure to legal and reputation risk
Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors
Oversight factors the internal auditor should consider:
- Ensure that the credit union’s privacy policies and standards take account of and comply with all privacy regulations and laws applicable in the jurisdictions to which it is providing e-services
- Ensure that members are made aware of the credit union’s privacy policies and relevant privacy issues concerning use of e-services
- Ensure that member data are not used for purposes other than those for which they are specifically allowed, or beyond what members have authorized
- Ensure that the credit union’s standards for member data use are met when third parties have access to member data
Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors
- The credit union should have effective capacity, business continuity and contingency planning processes to help ensure the availability of e-services systems
- To protect the credit union, e-services must be delivered on a consistent and timely basis in accordance with member expectations
Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors
Oversight factors the internal auditor should consider:
- Ensure that current e-services system capacity and future scalability are analyzed in light of the overall market dynamics for e-commerce and the projected rate of member acceptance of e-services
- Ensure that e-services transaction processing capacity estimates are established, stress tested and periodically reviewed
- Ensure that appropriate business continuity and contingency plans for critical e-services processing and delivery systems are in place and tested regularly
Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors
Sound business continuity practices for e-services:
- All e-services and applications, including those provided by third-party service providers, should be identified and assessed for criticality
- A risk assessment for each critical e-service and application, including the potential implications of any business disruption on the credit union’s credit, liquidity, operational and reputation risk, should be conducted
- Performance criteria for each critical e-service and application should be established, and service levels should be monitored against such criteria
Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors
Sound business continuity practices for e-services:
- Appropriate measures should be taken to ensure that e-services systems can handle high and low transaction volumes and that systems performance and capacity are consistent with the credit union’s expectations for future growth in e-services
- Consideration should be given to developing processing alternatives for managing demand when e-services systems appear to be reaching defined capacity checkpoints
Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors
Sound business continuity practices for e-services:
- E-services business continuity plans should be formulated to address any reliance on third-party service providers and any other external dependencies required to achieve recovery
- E-services contingency plans should set out a process for restoring or replacing e-services processing capabilities and reconstructing supporting transaction information, and should include the measures to be taken to resume availability of critical e-services systems and applications in the event of a business disruption
Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors
- The credit union should develop appropriate incident response plans to manage, contain and minimize problems arising from unexpected events, including internal and external attacks, that may hamper the provision of e-services systems
- Include communication strategies
Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors
Oversight factors the internal auditor should consider:
- Ensure that incident response plans address recovery of e-services systems and services under various scenarios, business lines and geographic locations; scenario analysis should include consideration of the likelihood of the risk occurring and its impact on the credit union, and e-services systems that are outsourced to third-party service providers should be an integral part of these plans
- Ensure that mechanisms are in place to identify an incident or crisis as soon as it occurs, assess its materiality, and control the reputation risk associated with any disruption in service
Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors
Oversight factors the internal auditor should consider:
- Ensure that the credit union has a communication strategy to adequately address external market and media concerns that may arise in the event of security breaches, online attacks and/or failures of e-services systems
- Ensure that a clear process is in place for alerting the appropriate regulatory authorities in the event that material security breaches or disruptive incidents occur
- Ensure that incident response teams have been appointed with the authority to act in an emergency and are sufficiently trained in analyzing incident detection/response systems and interpreting the significance of their output
Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors
Oversight factors the internal auditor should consider:
- Ensure that a clear chain of command has been established, encompassing both internal and outsourced operations, so that prompt action appropriate to the significance of the incident is taken
- In addition, escalation and internal communication procedures should be developed and include notification of the board where appropriate
Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors
Oversight factors the internal auditor should consider:
- Ensure that a process is in place so that all relevant external parties, including credit union members, counterparties and the media, are informed in a timely and appropriate manner of material e-services disruptions and business resumption developments
- Ensure that a process is in place for collecting and preserving forensic evidence, to facilitate appropriate post-mortem reviews of any e-services incidents and to assist in the prosecution of attackers
Questions?