Leveraging eDiscovery Technology for Internal Audit
2016 Houston IIA 7th Annual Conference
April 11, 2016
kpmg.com
1 © 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member
firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS 540226
Agenda
1. Survey said…
2. Leveraging eDiscovery technology to audit risk
a. IP threat assessment
b. PII management
c. Incident response
3. Questions?
Seeking Value Through Internal Audit
2016 KPMG/Forbes Survey
KPMG/Forbes Survey Internal Audit through the lens of the stakeholder
• What makes Internal Audit worthwhile?
• What does Internal Audit need in order to be successful?
KPMG/Forbes Survey Internal Audit insights
KPMG/Forbes Survey Internal Audit effectiveness
KPMG/Forbes Survey Internal Audit utilization
KPMG/Forbes Survey Internal Audit skill requirements
The Top 5 skills needed for IA professionals
Source: The future of Internal Audit through the lens of stakeholder needs, KPMG International, 2016
KPMG/Forbes Survey Enterprise use of data and analytics
KPMG/Forbes Survey Internal Audit through the lens of the stakeholder
• IP Threat Assessment
• PII Management
• Incident Response
IP Threat Assessment
IP Threat Assessment Protecting enterprise value
Identify at-risk data sources
• Unstructured data (e.g., email, network shares, SharePoint, individual assets)
• Legacy systems
• Data migrations (e.g., Office 365)
Index and search
• In-place or collect to search
• Conceptual analysis to identify target data
Evaluate results
• Sampling and statistical analysis
• Leverage predictive coding to accelerate review
Disposition data
• Defensible deletion
• Segregate and archive
• Move to secure repository
IP Threat Assessment Protecting enterprise value
Identify IP Threats
• Review IP protection policies
• Interview business to identify types of IP
• Interview IT to understand data sources containing IP
Select IP Audit Target
• High risk repositories
• High value IP
Catalog IP Management Characteristics
• Review data storage and backup protocols
• Determine user access controls
• Understand data movement inside and out
Assess Against Controls
• Retention and backup
• Access rights management
• Security and encryption in transit
PII Management
PII Management Protecting individual privacy
Identify at-risk data sources
• Unstructured data (e.g., email, network shares, SharePoint, individual assets)
• Legacy systems
• Data migrations (e.g., Office 365)
Index and search
• In-place or collect to search
• Mask-based searching (e.g., XXX-XX-XXXX)
Evaluate results
• Sampling and statistical analysis
• Leverage predictive coding to accelerate review
Disposition data
• Defensible deletion
• Segregate and archive
• Move to secure repository
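The mask-based search step above, as an added example that is not part of the original presentation: the XXX-XX-XXXX mask is compiled to a pattern, run over a few constructed documents, and the hits are filtered and redacted before they are reported. The function names, the sample documents and the SSN plausibility rules (unissued area, group and serial values) are assumptions of this example.

```python
import re

SSN_MASK = "XXX-XX-XXXX"

def mask_to_regex(mask):
    """Turn a mask such as 'XXX-XX-XXXX' into a regex; X stands for one digit."""
    parts = []
    for run in re.finditer(r"X+|[^X]+", mask):
        text = run.group()
        if text[0] == "X":
            parts.append(r"(\d{%d})" % len(text))
        else:
            parts.append(re.escape(text))
    # Refuse matches embedded in longer digit strings (order or account numbers).
    return re.compile(r"(?<![\d-])" + "".join(parts) + r"(?![\d-])")

def plausible_ssn(area, group, serial):
    # Area 000, 666 and 900-999, group 00 and serial 0000 are never issued,
    # so such matches are treated as false positives.
    if area in ("000", "666") or area[0] == "9":
        return False
    return group != "00" and serial != "0000"

def scan(documents):
    """Return (doc_id, redacted_value) for every plausible SSN-shaped hit."""
    pattern = mask_to_regex(SSN_MASK)
    hits = []
    for doc_id, text in documents.items():
        for m in pattern.finditer(text):
            area, group, serial = m.groups()
            if plausible_ssn(area, group, serial):
                # Report only the last four digits so the findings list
                # does not become a new copy of the PII.
                hits.append((doc_id, "XXX-XX-" + serial))
    return hits

# Constructed sample data; file names and numbers are made up.
SAMPLE_DOCS = {
    "hr/onboarding.msg": "New hire SSN 123-45-6789, start date 2016-04-11.",
    "finance/invoice.txt": "Order ref 4123-45-67890 shipped.",
    "legacy/export.csv": "id,ssn\n7,000-12-3456\n8,219-09-9999\n",
    "it/notes.txt": "Test record uses 987-65-4321.",
}

if __name__ == "__main__":
    for doc_id, value in scan(SAMPLE_DOCS):
        print(doc_id, value)
```

The per-document hit list is what feeds the "Evaluate results" stage: reviewers sample from it rather than from the raw repositories.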
PII Management Protecting individual privacy
Identify PII Risks
• Review PII protection policies
• Interview business to identify types of PII
• Interview IT to understand data sources containing PII
Select PII Audit Target
• High risk repositories
• High value IP
Catalog PII Management Characteristics
• Review data storage and backup protocols
• Determine user access controls
• Understand data movement inside and out
Assess Against Controls
• Retention and backup
• Access rights management
• Security and encryption in transit
Incident Response
Incident Response Protecting enterprise reputation and resources
Incident Response Scenarios
• Data breach
• Natural and man-made disasters
• Large-scale litigation
• Regulatory investigation
Incident Response Protecting enterprise reputation and resources
Compliant
• Managed by legal department
• Reflects leading practices
• Demonstrates good faith
Defensible
• Documented procedures
• Consistent implementation
• Documented execution
Reasonable
• Reflects litigation profile
• Balances cost and burden
• Good faith rather than perfection
Questions?
Priya Keshav, Managing Director
Dennis Kiker, Director
www.kpmg.com
KPMG Forensic is a service of KPMG International.
This proposal is in all respects subject to the negotiation, agreement, and signing of a specific
engagement letter or contract.
This proposal is made by KPMG AG, a Swiss corporation and subsidiary of KPMG Holding
AG/SA, which is a subsidiary of KPMG Europe LLP and a member of the KPMG network of
independent firms affiliated with KPMG International Cooperative (“KPMG International”), a
Swiss legal entity. KPMG Europe LLP and KPMG International provide no client services. No
KPMG Europe LLP subsidiary or other member firm has any authority to obligate or bind KPMG
Europe LLP, KPMG International or any other member firm vis-à-vis third parties, nor does
KPMG Europe LLP or KPMG International have any such authority to obligate or bind any
subsidiary or member firm.
The KPMG name and logo are registered trademarks or trademarks of KPMG International.