PERSONALLY IDENTIFIABLE INFORMATION: AUDIT CONSIDERATIONS
Virginia Local Government Auditors Association
May 3, 2019

Introductions
Matthew Simons, CPA, CIA, CGAP, Principal (15 years of experience): performance audits, internal audits, internal control/SOX assessments, compliance assessments, business process strategy and improvement exercises, management and executive advisory.
Ryan Kohan, CPA, Manager (9 years of experience): performance audits, internal audits, SOX assessments, internal control evaluations, business process assessments, compliance assessments, and fraud identification assessments.
PII: AUDIT CONSIDERATIONS
About SC&H Group

Today's Objectives
01. PII: Defined
02. Regulatory Considerations
03. Planning & Identification
04. Testing Procedures
05. Risks and Mitigation
Background
What is PII?
"Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information." - NIST Special Publication 800-122
Responsibility: the organization is responsible for its PII, including regulatory requirements, compliance, and maintenance.

Background: where PII lives
Types / locations:
- Internal (e.g. employees)
- External (e.g. citizens)
- Physical files / documentation
- System / electronic records
Uses:
- Employee information
- Citizen records
- Student records
- Financial data
Storage / disposal:
- File cabinets
- Desks / drawers
- Trash (secure / office)
- Computer drives
- Servers
- Cloud
Division / department examples: Administration; Accounting / Finance; Audit; Human Resources; Information Technology; Payroll; Law Enforcement / Emergency; Security; Health; Community Relations; Schools.

Relevance
Organizational risks:
- Stakeholder confidentiality
- Financial exposure
- Fraud / collusion
- Public perception and reputation
- Legal / regulatory (e.g. HIPAA)
Mitigating practices:
- Centralized governance
- Secure disposal / proper deletion
- Organization-wide policies
- Ongoing training
- Department-specific procedures
- Restricted access (physical and electronic)
- Periodic updates
- Periodic monitoring and self-assessments

The purpose of auditing PII
- Identify documentation containing sensitive data
- Identify overall organizational risk and exposure
- Ensure that PII is being sufficiently managed, secured, and destroyed in order to protect the individuals associated with the PII
- Ensure compliance with applicable regulations
Regulations Applicable to PII
Federal and international regulations include, but are not limited to:
- Health Insurance Portability and Accountability Act (HIPAA)
- Family Educational Rights and Privacy Act (FERPA)
- EU General Data Protection Regulation (GDPR), which applies to EU residents' data regardless of where the organization sits
Code of Virginia, Personal Information Privacy Act (selected sections):
- § 59.1-442. Sale of purchaser information; notice required.
- § 59.1-443.1. Recording date of birth as condition of accepting checks prohibited.
- § 59.1-443.2. Restricted use of social security numbers.
- § 59.1-443.3. Scanning information from driver's license or identification card; retention, sale, or dissemination of information.
- § 59.1-444. Damages.
Other Code of Virginia sections:
- § 18.2-186.6. Breach of personal information notification.
- § 22.1-287.02. Students' personally identifiable information.
- § 18.2-186.3. Identity theft; penalty; restitution; victim assistance.
- § 32.1-127.1:05. Breach of medical information notification.
Planning and Identification: Preparation and Information Gathering
- Establish the definition of PII
- Consider a two-tier planning approach: entity based and PII based
- A risk-based approach is used to prepare focused, impactful audit procedures
Initial procedures:
- Research applicable regulations
- Compile a list of all in-scope entities (departments, divisions, etc.)
- Request current PII-related policies, procedures, and documentation inventories from in-scope entities

Manual method: consider surveys and questionnaires. Surveys should request that process owners provide:
- A description / list of documents held or used containing PII
- PII data types (e.g. SSN, address, credit card information)
- Storage methodology (e.g. physical filing cabinet, shared drive, database)
- Established retention periods and destruction methodology
- Communication and transportation methods (e.g. email, mail, thumb drive)
- Internal training or policy related to PII
Automated method: data classification software may be used to identify electronic files containing PII.
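The automated method above is what a data classification scanner does at its core: pattern-match candidate PII and then validate the match so the inventory is not flooded with ticket numbers and build dates. The following is an added example written for this page, not a tool from the deck or from SC&H; the sample files, the folder names and the three data types it recognizes (SSN, payment card, email) are constructed for illustration. It validates SSNs against the structural rules for unissued numbers and card numbers with the Luhn checksum, and it only ever reports masked values so the scan output itself does not become a new PII store.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample files (not from the original deck): the scanner walks an
# in-memory {path: text} mapping so the example runs offline.
SAMPLE_DOCS: Dict[str, str] = {
    "hr/onboarding_form.txt": (
        "Employee: Jane Doe\nSSN: 123-45-6789\nEmail: jane.doe@example.com\n"
    ),
    "finance/vendor_payments.csv": (
        "vendor,card\nAcme,4111 1111 1111 1111\nBeta,4111111111111112\n"
    ),
    "it/README.txt": "Ticket 000-12-3456 is not an SSN; build 2019-05-03.\n",
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Structural SSN rules: area 000, 666 and 900-999, group 00 and serial 0000
    are never issued, so such matches are reference numbers, not SSNs."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> List[Tuple[str, str]]:
    """Return (data_type, masked_value) pairs; the raw value is never emitted."""
    findings: List[Tuple[str, str]] = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(("SSN", "***-**-" + m.group(3)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("CARD", "*" * (len(digits) - 4) + digits[-4:]))
    for m in EMAIL_RE.finditer(text):
        local, _, domain = m.group(0).partition("@")
        findings.append(("EMAIL", local[0] + "***@" + domain))
    return findings


def scan_docs(docs: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Scan every document; the result is the raw material for the PII inventory."""
    return {path: scan_text(text) for path, text in docs.items()}


def rank_docs(docs: Dict[str, str]) -> List[str]:
    """Paths ordered by number of PII hits, most exposed first (ties by path)."""
    results = scan_docs(docs)
    return sorted(results, key=lambda p: (-len(results[p]), p))


if __name__ == "__main__":
    for path in rank_docs(SAMPLE_DOCS):
        print(path, scan_text(SAMPLE_DOCS[path]))
```

Even with validation, a scanner only finds what it has patterns for and still produces false positives, so its output is a starting point for the survey and the department interviews rather than a substitute for them; the hit list also tells the auditor which shares to prioritize for the physical and electronic access reviews.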
Planning and Identification: Risk Rank Entities
- Compile PII management procedures and documentation detail for side-by-side comparison to identify entities of higher risk
- Risk rank divisions and departments
- Consider two risk categories: assessment of management procedures, and impact level
Assessment of management procedures:
- Process controls: controls are established and incorporated into procedures
- Policy and training: policy and training exist and are adhered to
- Security / application access: access to physical and digital PII is restricted

Impact level (NIST Special Publication 800-122):
- Identifiability: the ability to easily identify specific individuals or groups from the PII maintained by the organization.
- Quantity of PII: the number of PII records maintained by the organization (e.g. 10 vs. 10 million).
- Data field sensitivity: the sensitivity of each PII data field, as well as the sensitivity of the data fields grouped together. Individuals' SSN, medical, and financial information is considered more sensitive than phone numbers and zip codes.
- Context of use: the purpose for which PII is collected, stored, used, processed, disclosed, or disseminated to internal and external parties.
- Confidentiality obligation: PII protection is required by laws, regulations, internal policies, or other mandates.
Planning and Identification Risk Rank Entities Example of the ranking structure:
Planning and Identification: PII Inventory Creation and Criteria
Meet with departments under audit to confirm and build out a detailed PII documentation log, including the following information for each document:
- Documentation name
- PII data types included
- The purpose / use of the PII
- Storage method
- Associated retention period and destruction method
- Data classification software results, if used

- Establish criteria to identify higher-risk documentation (e.g. SSN, medical information (HIPAA), financial information)
- Select documentation for testing based upon the risk criteria and your understanding of the entity under audit

Testing Procedures: Auditing Higher Risk Documentation
Prepare an audit program for the processes around the selected documentation areas. Audit procedures for higher-risk documentation may include:
- Perform a walkthrough of the PII "life-cycle" from obtaining the information, through dissemination, to disposal
- Perform a review of physical access
- Review electronic access to applications / databases
- Review document access logs to identify indicators of inappropriate access
- Examine documentation to confirm that it is not held beyond retention periods
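"Review document access logs to identify inappropriate access indicators" is easiest to do consistently with a small script rather than by eye. The block below is an added example for this page, not code from the deck; the log format (timestamp, user, action, record id, user's department), the record-prefix-to-owner mapping and the business-hours window are all assumptions. It flags four common indicators: access outside business hours, access by a user from a department that does not own the record, exports of a record, and bulk access (many distinct records by one user in a short window), which is the pattern behind most insider PII harvesting.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional

# Constructed sample of an application access log (not from the original deck).
# Fields: timestamp, user, action, record id, user's department.
LOG_LINES = """\
2019-04-02T09:15:00,jsmith,VIEW,HR-1001,HR
2019-04-02T09:16:30,jsmith,VIEW,HR-1002,HR
2019-04-02T23:40:12,jsmith,VIEW,HR-1003,HR
2019-04-03T10:05:00,tnguyen,VIEW,HR-1001,IT
2019-04-03T10:05:01,tnguyen,EXPORT,HR-1002,IT
2019-04-03T11:00:00,rlee,VIEW,HR-1004,HR
2019-04-03T11:01:00,rlee,VIEW,HR-1005,HR
2019-04-03T11:02:00,rlee,VIEW,HR-1006,HR
2019-04-03T11:03:00,rlee,VIEW,HR-1007,HR
2019-04-03T11:04:00,rlee,VIEW,HR-1008,HR
2019-04-03T11:05:00,rlee,VIEW,HR-1009,HR
""".strip().splitlines()

# Assumed mapping from record-id prefix to the department that owns the data.
RECORD_OWNER = {"HR": "HR", "MED": "Health", "STU": "Schools"}
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 local; an assumption for the example


class Event(NamedTuple):
    ts: datetime
    user: str
    action: str
    record: str
    dept: str


class Flag(NamedTuple):
    indicator: str
    user: str
    record: Optional[str]  # None for user-level indicators such as bulk access
    ts: datetime


def parse(lines: List[str]) -> List[Event]:
    events = []
    for line in lines:
        ts, user, action, record, dept = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), user, action, record, dept))
    return events


def review(events: List[Event], bulk_threshold: int = 5,
           window: timedelta = timedelta(minutes=10)) -> List[Flag]:
    """Apply the four indicators and return one Flag per hit."""
    flags: List[Flag] = []
    by_user: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        if e.ts.weekday() >= 5 or e.ts.hour not in BUSINESS_HOURS:
            flags.append(Flag("OFF_HOURS", e.user, e.record, e.ts))
        owner = RECORD_OWNER.get(e.record.split("-", 1)[0])
        if owner is not None and owner != e.dept:
            flags.append(Flag("CROSS_DEPARTMENT", e.user, e.record, e.ts))
        if e.action == "EXPORT":
            flags.append(Flag("EXPORT", e.user, e.record, e.ts))
        by_user[e.user].append(e)
    # Bulk access: one user touching >= threshold distinct records inside one window.
    for user, evs in by_user.items():
        evs.sort(key=lambda ev: ev.ts)
        for i, first in enumerate(evs):
            in_window = {ev.record for ev in evs[i:] if ev.ts - first.ts <= window}
            if len(in_window) >= bulk_threshold:
                flags.append(Flag("BULK_ACCESS", user, None, first.ts))
                break  # one flag per user is enough for the auditor's follow-up list
    return flags


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count of hits per indicator, the figure that goes into the workpaper."""
    return dict(Counter(f.indicator for f in review(parse(lines))))


if __name__ == "__main__":
    for flag in review(parse(LOG_LINES)):
        print(flag.indicator, flag.user, flag.record, flag.ts)
```

Each flag is an indicator to be followed up with the process owner, not a finding by itself: off-hours access may be legitimate for payroll cut-off, and a bulk pattern may be a scheduled job running under a personal account, which is itself worth reporting. The thresholds should be set from the department's normal volumes observed during the walkthrough.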
Possible Risks and Mitigation Techniques
Risk: lack of a centralized guidance / governance function
- Potential mitigation: government-wide policy and expectations; centralized oversight and maintenance of policy
Risk: physical access to PII is not appropriately secured
- Potential mitigation: locked shred bins, desks, or office areas; employee education
Risk: electronic access is not secure or appropriate
- Potential mitigation: restrict shared drives; lock critical spreadsheets; perform regular user access reviews of systems
Risk: communication methodology is not secure
- Potential mitigation: utilize email encryption; restrict the ability to communicate through non-secured methods
Risk: unnecessary PII is collected and maintained
- Potential mitigation: periodically re-evaluate the need for and purpose of sensitive PII
Risk: retention periods are not established / adhered to
- Potential mitigation: develop retention schedules for all critical documentation; establish automated destruction of electronic documentation
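The last mitigation, automated destruction of electronic documentation driven by a retention schedule, is simple to automate but has two edge cases an auditor should look for: records under legal hold must survive past their retention period, and files in folders with no schedule must be reported rather than silently kept or deleted. The block below is an added example for this page, not code from the deck; the folder names, the retention periods and the use of file modification time as the record date are all assumptions (real periods come from the locality's approved records retention schedule, and real systems should use the document's own date field).

```python
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path
from typing import Dict, List, Set, Tuple

# Hypothetical retention schedule keyed by repository folder; real periods come
# from the approved records retention schedule, not from this example.
SCHEDULE: Dict[str, timedelta] = {
    "hr/applications": timedelta(days=3 * 365),
    "finance/payroll": timedelta(days=7 * 365),
}
NOW = datetime(2019, 5, 3)  # fixed "today" so the example is deterministic


def build_demo_tree() -> Path:
    """Create a constructed sample file share; mtime stands in for the record date."""
    root = Path(tempfile.mkdtemp(prefix="pii_retention_"))
    samples = {
        "hr/applications/2014_applicant_pool.csv": datetime(2014, 6, 1),
        "hr/applications/2018_applicant_pool.csv": datetime(2018, 6, 1),
        "finance/payroll/2010_w2_batch.csv": datetime(2010, 2, 1),
        "finance/payroll/2016_w2_batch.csv": datetime(2016, 2, 1),
        "it/vendor_contacts.xlsx": datetime(2012, 1, 1),
    }
    for rel, dated in samples.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("constructed sample\n")
        os.utime(path, (dated.timestamp(), dated.timestamp()))
    return root


def classify(root: Path, schedule: Dict[str, timedelta], now: datetime,
             holds: Set[str] = frozenset()) -> Tuple[List[str], List[str], List[str]]:
    """Split files into (expired, retained, unscheduled) relative paths.
    Anything under legal hold is retained regardless of age; files outside
    every scheduled folder are reported separately so nobody assumes they were handled."""
    expired, retained, unscheduled = [], [], []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        period = next((p for folder, p in schedule.items() if rel.startswith(folder + "/")), None)
        if period is None:
            unscheduled.append(rel)
            continue
        age = now - datetime.fromtimestamp(path.stat().st_mtime)
        if age > period and rel not in holds:
            expired.append(rel)
        else:
            retained.append(rel)
    return expired, retained, unscheduled


def destroy(root: Path, rel_paths: List[str], dry_run: bool = True) -> List[str]:
    """Delete expired files and return disposal log entries (the audit evidence).
    Plain unlink is not secure erasure on SSDs or cloud storage; there, rely on
    volume encryption plus key destruction rather than overwriting."""
    log = []
    for rel in rel_paths:
        if not dry_run:
            (root / rel).unlink()
        log.append(f"{NOW.date()} {'would delete' if dry_run else 'deleted'} {rel}")
    return log


if __name__ == "__main__":
    demo_root = build_demo_tree()
    exp, kept, noschedule = classify(demo_root, SCHEDULE, NOW)
    print("expired:", exp)
    print("retained:", kept)
    print("unscheduled (needs a schedule):", noschedule)
    print("\n".join(destroy(demo_root, exp, dry_run=True)))
```

For the audit, the disposal log and the "unscheduled" list are the two artifacts to request: the first evidences that destruction actually happens on schedule, the second shows which repositories are outside the retention programme and therefore likely to hold PII beyond its period.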
Why is this Important? Examples of Government PII Breaches
US Postal Service (2017 through 2018)
- PII breached: names, addresses, account information
- Cost / impact: 60 million users
Georgia Secretary of State (2015)
- PII breached: names, SSN, DOB, driver's license numbers
- Cost / impact: all registered voters; approximate costs of $395,000 for the auditor and $1.2 million for credit monitoring
Texas State Comptroller's Office (2011)
- PII breached: names, addresses, SSN, DOB, driver's license numbers
- Cost / impact: 3.5 million residents; cost approximately $1.9 million, not including lawsuits
Questions and Discussion
Contact information
Matthew Simons, CPA, CIA, CGAP, Principal, 410-403-1561, msimons@schgroup.com
Ryan Kohan, CPA, Manager, 703-287-5971, rkohan@schgroup.com