Internal Audit and the Virtual World of E-Services
Association of Credit Union Internal Auditors
ACUIA 2012
E-Services
• Electronic funds transfer
• Automated teller machines
• Internet-accessible services
• Lending
• Financial portals
• Account openings / closings
• Electronic bill pay
• And on and on and …
• Mobile banking
• Expanding wireless services
• And on and on and …
Developing an E-Strategy
Back to the Basics
E-Services and Areas of Risk Management
• Credit risk
• Interest rate (market) risk
• Liquidity risk
• Transaction (fraud) risk
• Compliance (regulatory) risk
• Strategic risk (decisions)
• Reputation risk (impact of actions)
Internal Audit’s Responsibility
• Identify the key risk management principles that assist the credit union in expanding its existing risk management policies and processes to cover e-services activities
• Promote safe and sound delivery of such services
• These principles are not fundamentally different from those applied to services delivered through other distribution channels
E-Strategy Decision Making
• Continuing technological innovation and competition driving a wider array of products and services and delivery mechanisms
• Creates a “risk / reward” environment for credit unions
• Unprecedented speed of change
• Global nature of open electronic networks
• Integration of e-services applications with legacy computer systems
• Increasing dependence on third-party deliverers
Board and Management Oversight
• The credit union’s board of directors and executive management share responsibility for developing the credit union’s business strategy and establishing effective management oversight of risk, including the risk presented by e-services.
• Review and approval of the credit union’s security control process
• Infrastructure - protection from both internal (primary role of internal audit) and external threats
• Reliance on outsourced relationships and dependencies
Reputation Risk Management
• E-services must be delivered on a consistent and timely basis
• High member expectations for availability and high transaction demand
• Incident response mechanisms
• Business continuity and contingency planning
• Communication strategies
Internal Audit E-Services Challenges
• Speed of change (relative factor)
  • Shrinking implementation / testing times
  • IA needs to be involved (heavily) to ensure that adequate strategic assessment, risk analysis and security reviews are conducted PRIOR TO implementation of new applications
• Transactional services (and third-party web sites) are now typically integrated as much as possible with legacy computer systems
  • Reduces opportunities for human error and fraud
  • Increases dependence on systems design, architecture, system interoperability and operational scalability
Internal Audit E-Services Challenges
• Increases credit union’s dependence on IT
  • Least understood operational area by those providing internal oversight
• Again, third-party arrangements with some vendors who may be unregulated
• Creation of new business models
• Global accessibility (truly “global”)
Internal Audit Considerations: E-Services
• Board and Management Oversight
  • Effective management oversight
  • Establishment of a comprehensive security control process
  • Comprehensive due diligence and management oversight for outsourcing relationships and other third-party dependencies
Internal Audit Considerations: E-Services
• Security / Transaction Risk Controls
  • Authentication of e-services member-users
  • Non-repudiation and accountability for e-services transactions
  • Appropriate measures to ensure segregation of duties
  • Proper authorization controls within e-services systems, databases and applications
  • Data integrity of e-services transactions, records and information
  • Establishment of clear audit trails for e-services transactions
  • Confidentiality of information
Internal Audit Considerations: E-Services
• Compliance / Strategic / Reputation Risk Factors
  • Appropriate disclosures
  • Privacy of member information
  • Capacity, business continuity and contingency planning to ensure availability of e-services systems
  • Incident response planning
Internal Audit Considerations: Board and Management Oversight
• Board of directors and senior management should establish effective management oversight over the risks associated with e-services activities, including the establishment of specific accountability, policies and controls to manage these risks.
• Major elements of the delivery channels (internet, wireless and related technologies) are outside of the credit union’s direct control
• Internet facilitates delivery of services across multiple national jurisdictions, including those not served through physical locations
• Complexity of issues can be (far) outside the traditional experience of the Board and Management
Internal Audit Considerations: Board and Management Oversight
• Oversight factors the internal auditor should consider:
  • Ensure Board/Management have established the credit union’s risk appetite in relation to e-services
  • Ensure that key delegations and reporting mechanisms are established for those incidents that impact:
    • Safety and soundness
    • Reputation
  • Ensure Board/Management have addressed any unique risk factors associated with ensuring security, integrity and availability of e-services
    • Also, ensure that third parties take similar measures
  • Ensure that appropriate due diligence and risk analyses are performed before e-services are developed and implemented
Internal Audit Considerations: Board and Management Oversight
• Board of directors and senior management should review and approve the key aspects of the credit union’s security control process
  • Infrastructure (including internal audit)
  • Both internal and external threats
  • Authorization privileges
  • Logical and physical access controls
  • Appropriate boundaries and restrictions on both internal and external user activity
  • Policies and procedures
  • Assignment of explicit responsibility for oversight
  • Sufficient physical controls to protect access to the computing environment
  • Sufficient logical controls to prevent unauthorized access to applications and databases
  • Regular review and testing of security measures and controls
Internal Audit Considerations: Board and Management Oversight
• Board of directors and senior management should establish a comprehensive and ongoing due diligence and oversight process for managing the credit union’s outsourcing relationships and other third-party dependencies supporting e-services
• Historically, outsourcing was often limited to a single service provider for a given functionality – HOWEVER – outsourcing relationships have increased in complexity as a direct result of advances in technology and the emergence of e-services
Internal Audit Considerations: Board and Management Oversight
• Oversight factors the internal auditor should consider:
  • Ensure that the credit union fully understands the risks associated with entering into an outsourcing or partnership arrangement for e-services systems or applications
  • Ensure a due diligence review of the competency and financial viability of any third-party service provider is conducted PRIOR TO entering into any contracts for e-services
  • Ensure the contractual accountability of all parties to the outsourcing or partnership relationship is clearly defined
  • Ensure all outsourced e-services systems and operations are subject to risk management, security and privacy policies that meet the credit union’s standards
  • Ensure internal and/or external audits are conducted of outsourced operations (same level as if the operations were in-house)
  • Ensure contingency plans exist for outsourced e-services activities
Internal Audit Considerations: Security / Transaction Risk Controls
• Authentication
• Non-repudiation
• Data and transaction integrity
• Segregation of duties
• Authorization controls
• Maintenance of audit trails
• Confidentiality
Internal Audit Considerations: Security / Transaction Risk Controls
• Credit union should take appropriate measures to authenticate the identity and authorization of members with whom it conducts business electronically
• Obviously, member verification during account or e-service origination is important in reducing the risk of identity theft, fraudulent account applications, and money laundering
Internal Audit Considerations: Security / Transaction Risk Controls
• Oversight factors the internal auditor should consider:
  • Ensure that authentication databases providing access to e-services member accounts or sensitive systems are adequately protected and any tampering is detectable and documented
  • Ensure that any addition, deletion or change of an individual, agent or system in an authentication database is duly authorized by an authenticated source
  • Ensure that appropriate measures are in place to control the e-services system connection such that unknown third parties cannot displace known members
  • Ensure that authenticated e-services sessions remain secure throughout the full duration of the session
Internal Audit Considerations: Security / Transaction Risk Controls
• Credit union should use transaction authentication methods that promote non-repudiation and establish accountability for e-services transactions
• Non-repudiation involves creating proof of the origin or delivery of electronic information to protect the sender against false denial by the recipient that the data has been received, or to protect the recipient against false denial by the sender that the data has been sent.
Internal Audit Considerations: Security / Transaction Risk Controls
• Oversight factors the internal auditor should consider:
  • Ensure that e-services systems are designed to reduce the likelihood that authorized users will initiate unintended transactions and that members fully understand the risks associated with any transactions they initiate
  • Ensure that all parties to the transaction are positively authenticated and that control is maintained over the authenticated channel
  • Ensure that financial transaction data are protected from alteration and any alteration is detectable
Internal Audit Considerations: Security / Transaction Risk Controls
• Credit union should ensure that appropriate measures are in place to promote adequate segregation of duties within e-services systems, databases and applications
• Obviously, a basic internal control measure designed to reduce the risk of fraud in operational processes and systems and to ensure that transactions and credit union assets are properly authorized, recorded and safeguarded
• No one person should be in a position to commit a theft and cover that theft, or create an error and cover that error
• E-services may necessitate modifying the ways in which segregation of duties is established and maintained
• Access to poorly secured databases can be more easily gained through internal and external networks – ensure adequate audit trails
Internal Audit Considerations: Security / Transaction Risk Controls
• Oversight factors the internal auditor should consider:
  • Ensure that transaction processes and systems are designed so that no single employee or outsourced service provider could enter, authorize and complete a transaction
  • Ensure that segregation is maintained between those initiating static data (including web-page content) and those responsible for verifying its integrity
  • Ensure that e-services systems are tested to confirm segregation of duties cannot be bypassed
  • Ensure that segregation is maintained between those developing and those administering e-services systems
Internal Audit Considerations: Security / Transaction Risk Controls
• Credit union should ensure that proper authorization controls and access privileges are in place for e-services systems, databases and applications
• In e-services systems, authorizations and access rights can be established in either a centralized or distributed manner and are generally stored in databases
• Protection of those databases from tampering or corruption is essential
Internal Audit Considerations: Security / Transaction Risk Controls
• Oversight factors the internal auditor should consider:
  • Ensure that specific authorization and access privileges are assigned to all individuals, third parties or systems which conduct e-services activities
  • Ensure that all e-services systems are constructed so that they interact only with valid authorization databases
  • Ensure that no individual or system has the authority to change his or her own authority or access privileges in an e-services authorization database
  • Ensure that any authorization database that has been tampered with is not used until replaced with a validated database
  • Ensure that controls are in place to prevent changes to authorization levels during e-services transaction sessions, and that any attempts to alter authorization are logged and brought to the attention of management
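The authorization-database controls on this slide and the "no single person enters, authorizes and completes" rule from the segregation-of-duties slide, as an added Python example (not from the ACUIA deck): privileges are assigned explicitly, a change needs a distinct authenticated approver, nobody can touch their own privileges, every attempt is logged whether granted or denied, and the database is sealed with an HMAC so out-of-band tampering is detected and the database refused. Principal names, roles and the sealing key are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed for the example; in practice the sealing key is held by a
# component separate from the people who administer the database.
SEAL_KEY = b"constructed-demo-seal-key"


class AuthorizationDB:
    """Privilege store that enforces the slide's controls on every change."""

    def __init__(self, privileges):
        self.privileges = dict(privileges)   # principal -> role
        self.attempt_log = []                # every change attempt, granted or denied
        self.seal = self._compute_seal()

    def _compute_seal(self):
        canon = json.dumps(self.privileges, sort_keys=True).encode()
        return hmac.new(SEAL_KEY, canon, hashlib.sha256).hexdigest()

    def is_intact(self):
        # A seal mismatch means the database was altered outside this interface;
        # it must not be relied on until replaced with a validated copy.
        return hmac.compare_digest(self.seal, self._compute_seal())

    def _decide(self, requester, approver, authenticated, target):
        if not self.is_intact():
            return "denied: database tampered"
        if requester not in authenticated or approver not in authenticated:
            return "denied: party not authenticated"
        if requester == approver:
            return "denied: requester and approver must differ"
        if target in (requester, approver):
            return "denied: self-modification"
        if self.privileges.get(approver) != "security_admin":
            return "denied: approver lacks authority"
        return "granted"

    def change_privilege(self, requester, approver, authenticated, target, new_role):
        """Apply a privilege change only if every control passes; log regardless."""
        decision = self._decide(requester, approver, authenticated, target)
        self.attempt_log.append({"requester": requester, "approver": approver,
                                 "target": target, "new_role": new_role,
                                 "decision": decision})
        if decision != "granted":
            return False
        self.privileges[target] = new_role
        self.seal = self._compute_seal()
        return True


def demo():
    db = AuthorizationDB({"alice": "security_admin", "bob": "security_admin",
                          "carol": "teller"})
    authenticated = {"alice", "bob", "carol"}   # sessions already authenticated
    results = [
        db.change_privilege("alice", "alice", authenticated, "carol", "supervisor"),  # one person does both
        db.change_privilege("alice", "bob", authenticated, "alice", "superuser"),    # requester targets self
        db.change_privilege("carol", "dave", authenticated, "carol", "supervisor"),  # dave not authenticated
        db.change_privilege("alice", "bob", authenticated, "carol", "supervisor"),   # all controls pass
    ]
    # A direct edit that bypasses the interface: the seal no longer matches.
    db.privileges["carol"] = "superuser"
    tampered = not db.is_intact()
    denied = db.change_privilege("alice", "bob", authenticated, "carol", "teller")
    return results, tampered, denied, db.attempt_log
```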
Internal Audit Considerations: Security / Transaction Risk Controls
• Credit union should ensure that appropriate measures are in place to protect the data integrity of e-services transactions, records and information
• Data integrity refers to the assurance that information that is in transit or in storage is not altered without authorization
• Failure to maintain data integrity, obviously, exposes the credit union to substantial reputation risk
Internal Audit Considerations: Security / Transaction Risk Controls
• Oversight factors the internal auditor should consider:
  • Ensure that e-services transactions are conducted in a manner that makes them highly resistant to tampering throughout the entire process
  • Ensure that e-services records are stored, accessed and modified in a manner that makes them highly resistant to tampering
  • Ensure that e-services transactions and record-keeping processes are designed in such a manner as to make it virtually impossible to circumvent detection of unauthorized changes
  • Ensure that adequate change control policies are in place to protect against any e-services system changes that may erroneously or unintentionally compromise controls or data reliability
  • Ensure that any tampering with e-services transactions or records can be detected by transaction processing, monitoring and record-keeping functions
Internal Audit Considerations: Security / Transaction Risk Controls
• Credit union should ensure that clear audit trails exist for all e-services transactions
• Much, if not all, of the credit union’s records and evidence supporting e-services transactions are in an electronic format, potentially weakening the credit union’s internal control environment if it is unable to maintain clear audit trails
Internal Audit Considerations: Security / Transaction Risk Controls
• Oversight factors the internal auditor should consider:
  • Ensure audit trails exist for:
    • The opening, modification or closing of a member’s account
    • Any transaction with financial consequences
    • Any authorization granted to a member to exceed a previously established limit
    • Any granting, modification or revocation of systems access rights or privileges
Internal Audit Considerations: Security / Transaction Risk Controls
• Credit union should take appropriate measures to preserve the confidentiality of key e-services information
• Measures taken to preserve confidentiality should be commensurate with the sensitivity of the information being transmitted and/or stored in databases
• Obviously, the advent of e-services presents an additional security challenge because it increases the exposure that information transmitted over public networks or stored in databases may be accessible by unauthorized or inappropriate parties
Internal Audit Considerations: Security / Transaction Risk Controls
• Oversight factors the internal auditor should consider:
  • Ensure that all confidential credit union data and records are only accessible by duly authorized and authenticated individuals or systems
  • Ensure that all confidential credit union data are maintained in a secure manner and protected from unauthorized viewing or modification during transmission over public, private or internal networks
  • Ensure that the credit union’s standards and controls for data use and protection are met when third parties have access to the data through outsourcing relationships
  • Ensure that all access to restricted data is logged and appropriate efforts are made to ensure that access logs are resistant to tampering
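The tamper-resistant audit trail asked for on the data-integrity, audit-trail and confidentiality slides above, as an added Python example (not from the ACUIA deck): each record carries the hash of the record before it, so an after-the-fact edit, deletion or reordering of any stored record breaks the chain at a detectable index instead of going unnoticed. The event type names and sample records are constructed; the event types follow the list of audited events on the slide.

```python
import hashlib
import json

# Event types the slide says must leave an audit trail (names constructed).
AUDITED_EVENTS = {"account_opened", "account_modified", "account_closed",
                  "financial_transaction", "limit_override", "access_rights_changed"}


class AuditTrail:
    GENESIS = "0" * 64   # prev_hash of the first record

    def __init__(self):
        self.records = []

    @staticmethod
    def _digest(record):
        # Hash every field except the record's own hash, in canonical form,
        # so the same content always produces the same digest.
        canon = json.dumps({k: v for k, v in record.items() if k != "hash"},
                           sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(canon).hexdigest()

    def append(self, event, actor, details):
        if event not in AUDITED_EVENTS:
            raise ValueError(f"not an audited event type: {event}")
        prev = self.records[-1]["hash"] if self.records else self.GENESIS
        record = {"seq": len(self.records), "event": event, "actor": actor,
                  "details": details, "prev_hash": prev}
        record["hash"] = self._digest(record)
        self.records.append(record)
        return record["hash"]

    def verify(self):
        """Index of the first record that breaks the chain, or None if intact."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            if rec["seq"] != i or rec["prev_hash"] != prev or rec["hash"] != self._digest(rec):
                return i
            prev = rec["hash"]
        return None


def demo():
    trail = AuditTrail()
    trail.append("account_opened", "teller_01", {"member": "M-1001"})
    trail.append("financial_transaction", "M-1001", {"amount": 250.0, "type": "bill_pay"})
    trail.append("limit_override", "supervisor_07", {"member": "M-1001", "new_limit": 5000})
    trail.append("access_rights_changed", "security_admin",
                 {"principal": "teller_01", "role": "supervisor"})
    intact = trail.verify()                          # None: chain is consistent
    trail.records[2]["details"]["new_limit"] = 500   # after-the-fact edit of a stored record
    after_edit = trail.verify()                      # 2: record 2 no longer matches its hash
    del trail.records[1]                             # deletion of a stored record
    after_delete = trail.verify()                    # 1: sequence and chain break at index 1
    return intact, after_edit, after_delete
```

In a deployment the chain head (the latest hash) would be written periodically to a store the log administrators cannot modify, so truncating the log from the end is detected as well.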
Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors
• Credit union should ensure that adequate information is provided on its website to allow potential members to make an informed conclusion about the identity and regulatory status of the credit union prior to entering into e-services transactions
Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors
• Oversight factors the internal auditor should consider:
  • Ensure that the website contains such information as the following:
    • Name of the credit union and location of its head office
    • Identity of the primary credit union supervisory authorities
    • How members can contact the credit union regarding service problems, complaints, misuse of accounts, etc.
    • How members can access and use applicable consumer complaint sources
    • Other information required by regulators
Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors
• Credit union should take appropriate measures to ensure adherence to member privacy requirements applicable to the jurisdictions to which the credit union is providing e-services
• Key responsibility of the credit union
• Huge exposure to legal and reputation risk
Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors
• Oversight factors the internal auditor should consider:
  • Ensure that the credit union’s privacy policies and standards take account of and comply with all privacy regulations and laws applicable to the jurisdictions to which it is providing e-services
  • Ensure that members are made aware of the credit union’s privacy policies and relevant privacy issues concerning use of e-services
  • Ensure that member data are not used for purposes beyond those for which they are specifically allowed or which members have authorized
  • Ensure that the credit union’s standards for member data use are met when third parties have access to member data
Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors
• Credit union should have effective capacity, business continuity and contingency planning processes to help ensure the availability of e-services systems
• To protect the credit union, e-services must be delivered on a consistent and timely basis in accordance with member expectations
Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors
• Oversight factors the internal auditor should consider:
  • Ensure that current e-services system capacity and future scalability are analyzed in light of the overall market dynamics for e-commerce and the projected rate of member acceptance of e-services
  • Ensure that e-services transaction processing capacity estimates are established, stress tested and periodically reviewed
  • Ensure that appropriate business continuity and contingency plans for critical e-services processing and delivery systems are in place and tested regularly
Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors
• Sound business continuity practices for e-services
  • All e-services and applications, including those provided by third-party service providers, should be identified and assessed for criticality.
  • A risk assessment for each critical e-service and application, including the potential implications of any business disruption on the credit union’s credit, liquidity, operational and reputation risk, should be conducted.
  • Performance criteria for each critical e-service and application should be established, and service levels should be monitored against such criteria.
Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors
• Sound business continuity practices for e-services
  • Appropriate measures should be taken to ensure that e-services systems can handle high and low transaction volumes and that systems performance and capacity are consistent with the credit union’s expectations for future growth in e-services.
  • Consideration should be given to developing processing alternatives for managing demand when e-services systems appear to be reaching defined capacity checkpoints.
Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors
• Sound business continuity practices for e-services
  • E-services business continuity plans should be formulated to address any reliance on third-party service providers and any other external dependencies required to achieve recovery.
  • E-services contingency plans should set out a process for restoring or replacing e-services processing capabilities and reconstructing supporting transaction information, and include measures to be taken to resume availability of critical e-services systems and applications in the event of a business disruption.
Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors
• Credit union should develop appropriate incident response plans to manage, contain and minimize problems arising from unexpected events, including internal and external attacks, that may hamper the provision of e-services systems
• Include communication strategies
Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors
• Oversight factors the internal auditor should consider:
  • Ensure that incident response plans address recovery of e-services systems and services under various scenarios, businesses and geographic locations.
    • Scenario analysis should include consideration of the likelihood of the risk occurring and its impact on the credit union. E-services systems that are outsourced to third-party service providers should be an integral part of these plans.
  • Ensure that mechanisms are in place to identify an incident or crisis as soon as it occurs, assess its materiality, and control the reputation risk associated with any disruption in service
Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors
• Oversight factors the internal auditor should consider:
  • Ensure that the credit union has a communication strategy to adequately address external market and media concerns that may arise in the event of security breaches, online attacks and/or failures of e-services systems
  • Ensure that a clear process is in place for alerting the appropriate regulatory authorities in the event that material security breaches or disruptive incidents occur.
  • Ensure that incident response teams have been appointed with the authority to act in an emergency and are sufficiently trained in analyzing incident detection/response systems and interpreting the significance of related output.
Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors
• Oversight factors the internal auditor should consider:
  • Ensure that a clear chain of command has been established, encompassing both internal as well as outsourced operations, to ensure that prompt action is taken appropriate to the significance of the incident.
  • In addition, escalation and internal communication procedures should be developed and include notification of the Board where appropriate.
Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors
• Oversight factors the internal auditor should consider:
  • Ensure that a process is in place so that all relevant external parties, including credit union members, counterparties and the media, are informed in a timely and appropriate manner of material e-services disruptions and business resumption developments.
  • Ensure that a process is in place for collecting and preserving forensic evidence to facilitate appropriate post-mortem reviews of any e-services incidents as well as to assist in the prosecution of attackers.
Questions?
Any questions?