Published by Εκάτη Κόρακας, modified over 5 years ago
Slide 1: PERSONALLY IDENTIFIABLE INFORMATION: AUDIT CONSIDERATIONS
Virginia Local Government Auditors Association, May 3, 2019
Slide 2: Introductions
Matthew Simons, CPA, CIA, CGAP, Principal
- 15 years of experience
- Performance audits, internal audits, internal control/SOX assessments, compliance assessments, business/process strategy and improvement exercises, management and executive advisory
Ryan Kohan, CPA, Manager
- 9 years of experience
- Performance audits, internal audits, SOX assessments, internal control evaluations, business process assessments, compliance assessments, and fraud identification assessments
Slide 3: About SC&H Group
Slide 4: Today's Objectives
01. PII: Defined
02. Regulatory Considerations
03. Planning & Identification
04. Testing Procedures
05. Risks and Mitigation
Slide 5: Background
What is PII? "Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information." - NIST Special Publication
Responsibility: the organization is responsible for PII, including regulatory requirements, compliance, and maintenance.
Slide 6: Background
Types / Locations: Internal (e.g. employees); External (e.g. citizens); Physical files / documentation; System / electronic records
Uses: Employee information; Citizen records; Student records; Financial data
Storage / Disposal: File cabinets; Desks / drawers; Trash (secure / office); Computer drives; Servers; Cloud
Division / Department Examples: Administration; Accounting / Finance; Audit; Human Resources; Information Technology; Payroll; Law Enforcement / Emergency; Security; Health; Community Relations; Schools
Slide 7: Relevance
Organizational Risks: Stakeholder confidentiality; Financial exposure; Fraud / collusion; Public perception; Reputation; Legal / regulatory (HIPAA)
Mitigating Practices: Centralized governance; Secure disposal / proper deletion; Organization-wide policies; Ongoing training; Department-specific procedures; Restricted access (physical and electronic); Periodic updates; Periodic monitoring and self-assessments
Slide 8: The Purpose of Auditing PII
- Identify documentation containing sensitive data
- Identify overall organizational risk and exposure
- Ensure that PII is being sufficiently managed, secured, and destroyed in order to protect the individuals associated with the PII
- Ensure compliance with applicable regulations
Slide 9: Regulations Applicable to PII
Federal regulations include, but may not be limited to:
- Health Insurance Portability and Accountability Act (HIPAA)
- Family Educational Rights and Privacy Act (FERPA)
- EU General Data Protection Regulation (GDPR)
Code of Virginia Personal Information Privacy Act (selected sections):
- § Sale of purchaser information; notice required.
- § Recording date of birth as condition of accepting checks prohibited.
- § Restricted use of social security numbers.
- § Scanning information from driver's license or identification card; retention, sale, or dissemination of information.
- § Damages.
Slide 10: Regulations Applicable to PII (continued)
- Code of Virginia § Breach of personal information notification.
- Code of Virginia § Students' personally identifiable information.
- Code of Virginia § Identity theft; penalty; restitution; victim assistance.
- Code of Virginia § :05. Breach of medical information notification.
Slide 11: Planning and Identification: Preparation and Information Gathering
- Establish the definition of PII
- Consider a two-tier planning approach: entity based and PII based
- A risk-based approach is used to prepare focused, impactful audit procedures
Initial procedures:
- Research applicable regulations
- Compile a list of all in-scope entities (departments, divisions, etc.)
- Request current PII-related policies, procedures, and documentation inventories from in-scope entities
Slide 12: Planning and Identification: Preparation and Information Gathering (continued)
Manual method: consider surveys and questionnaires. Surveys should request that process owners provide:
- Description / list of documents held or used containing PII
- PII data types (e.g. SSN, address, credit card info)
- Storage methodology (e.g. physical filing cabinet, shared drive, database)
- Established retention periods and destruction methodology
- Communication and transportation methods (e.g. , mail, thumb drive)
- Internal training or policy related to PII
Automated method: data classification software may be used to identify electronic files containing PII
Slide 13: Planning and Identification: Risk Rank Entities
- Compile PII management procedures and documentation detail for side-by-side comparison to identify entities of higher risk
- Risk rank divisions and departments
- Consider different risk categories: Assessment of Management Procedures and Impact Level
Assessment of Management Procedures:
- Process controls: controls are established and incorporated into procedures
- Policy and training: policy and training exist and are adhered to
- Security / application access: access to physical and digital PII is restricted
Slide 14: Planning and Identification: Risk Rank Entities (continued)
Impact Level (NIST, U.S. Department of Commerce, Special Publication ):
- Identifiability: the ability to easily identify specific individuals or groups from the PII maintained by the organization.
- Quantity of PII: the number of PII records maintained by the organization (e.g. 10 vs. 10 million).
- Data field sensitivity: the sensitivity of each PII data field, as well as the sensitivity of the data fields grouped together. Individuals' SSN, medical, and financial information is considered more sensitive than phone numbers and zip codes.
- Context of use: the purpose for which PII is collected, stored, used, processed, disclosed, or disseminated to internal and external parties.
- Confidentiality obligation: PII protection is required by laws, regulations, internal policies, or other mandates.
Slide 15: Planning and Identification: Risk Rank Entities (continued)
Example of the ranking structure: (figure not captured in this transcript)
Slide 16: Planning and Identification: PII Inventory Creation and Criteria
Meet with departments under audit to confirm and build out a detailed PII documentation log, including the following information for each document:
- Documentation name
- PII data types included
- The purpose / use of the PII
- Storage method
- Associated retention period and destruction
- Data classification software results, if used
Slide 17: Planning and Identification: PII Inventory Creation and Criteria (continued)
- Establish criteria to identify higher-risk documentation (e.g. SSN, medical information (HIPAA), financial information)
- Select documentation for testing based upon the risk criteria and your understanding of the entity under audit
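As an added example (not part of the presentation), the automated method from the preparation slides and the risk criteria above can be combined: a small Python scan over constructed sample text files detects SSN, payment-card and e-mail patterns, records only the PII types and counts per document (never the matched values, so the inventory does not itself become a new PII store), and tiers each document by the slide's criteria. The file names, sample contents, patterns and tier rule are assumptions.

```python
import re

# Constructed sample documents standing in for files a data classification scan would inspect; every value is made up.
SAMPLE_DOCUMENTS = {
    "hr/new_hire_form.txt": "Name: Jane Roe\nSSN: 123-45-6789\nEmail: jane.roe@example.org",
    "finance/refund_list.txt": "Refund to card 4111 1111 1111 1111 for J. Roe, zip 22901",
    "parks/event_signup.txt": "Attendee: John Doe, phone 555-0100, zip 22901",
}

# Detection patterns for the data types the slides call out (SSN, financial, contact).
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}
HIGHER_RISK_TYPES = {"ssn", "credit_card"}  # slide criteria: SSN and financial data


def luhn_ok(candidate):
    """Luhn checksum, used to drop digit runs that only look like card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pii_types(text):
    """Return {pii_type: count}; only types and counts, never the matched values."""
    counts = {}
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if name == "credit_card" and not luhn_ok(m.group()):
                continue
            counts[name] = counts.get(name, 0) + 1
    return counts


def build_inventory(documents):
    """One inventory row per document that contains PII: name, types found, risk tier."""
    rows = []
    for name, text in documents.items():
        counts = find_pii_types(text)
        if counts:
            tier = "higher" if set(counts) & HIGHER_RISK_TYPES else "standard"
            rows.append({"document": name, "pii_types": counts, "risk": tier})
    return rows
```

Running `build_inventory(SAMPLE_DOCUMENTS)` returns rows for the HR and finance files only; the parks sign-up sheet has no pattern the scan recognizes.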
Slide 18: Testing Procedures: Auditing Higher Risk Documentation
Prepare an audit program for the processes around the selected documentation areas. Audit procedures for higher-risk documentation may include:
- Perform a walkthrough of the PII "life-cycle", from obtaining the information through dissemination and disposal
- Perform a review of physical access
- Review electronic access to applications / databases
- Review document access logs to identify inappropriate access indicators
- Examine documentation to confirm that it is not held beyond retention periods
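Added example (not from the presentation) of the access-log review step: constructed document access-log lines are checked for three inappropriate-access indicators, namely a user outside the department-confirmed authorized list, access outside business hours, and repeated downloads of one document in a day. The log format, authorized-user lists and thresholds are assumptions.

```python
from datetime import datetime

# Constructed sample document access-log lines (not from any real system).
SAMPLE_LOG = """\
2019-04-29T09:12:03 user=asmith doc=hr/new_hire_forms action=open
2019-04-29T09:15:44 user=asmith doc=hr/new_hire_forms action=open
2019-04-29T23:41:10 user=bjones doc=hr/new_hire_forms action=download
2019-04-30T10:02:51 user=cdoe doc=payroll/ssn_master action=open
2019-04-30T10:03:05 user=cdoe doc=payroll/ssn_master action=download
2019-04-30T10:03:20 user=cdoe doc=payroll/ssn_master action=download
"""

# Users each document's owning department confirmed as authorized (assumed values).
AUTHORIZED = {
    "hr/new_hire_forms": {"asmith"},
    "payroll/ssn_master": {"cdoe", "dlee"},
}
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59; anything else is flagged
BULK_THRESHOLD = 2             # downloads of one document per user per day


def parse_line(line):
    """Split 'TIMESTAMP key=value ...' into a dict with a parsed datetime."""
    timestamp, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["ts"] = datetime.fromisoformat(timestamp)
    return record


def review_access_log(log_text, authorized):
    """Return (indicator, user, document) tuples for the auditor to follow up."""
    findings = []
    downloads = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Indicator 1: a user outside the confirmed authorized list
        if rec["user"] not in authorized.get(rec["doc"], set()):
            findings.append(("unauthorized_user", rec["user"], rec["doc"]))
        # Indicator 2: access outside business hours
        if rec["ts"].hour not in BUSINESS_HOURS:
            findings.append(("after_hours", rec["user"], rec["doc"]))
        # Indicator 3: repeated downloads of the same document in one day
        if rec["action"] == "download":
            key = (rec["user"], rec["doc"], rec["ts"].date())
            downloads[key] = downloads.get(key, 0) + 1
    for (user, doc, _day), n in downloads.items():
        if n >= BULK_THRESHOLD:
            findings.append(("bulk_download", user, doc))
    return findings
```

Each finding is a lead for the auditor to confirm with the process owner, not a conclusion; an unlisted user may simply be missing from the department's own inventory, which is itself worth noting.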
Slide 19: Possible Risks and Mitigation Techniques
Risk: Lack of a centralized guidance / governance function
Potential mitigation: Government-wide policy / expectation; centralized oversight and maintenance of policy
Risk: Physical access to PII is not appropriately secured
Potential mitigation: Locked shred bins, desks, or office areas; employee education
Risk: Electronic access is not secure or appropriate
Potential mitigation: Restrict shared drives; lock critical spreadsheets; perform regular user access reviews to systems
Slide 20: Possible Risks and Mitigation Techniques (continued)
Risk: Communication methodology is not secure
Potential mitigation: Utilize encryption; restrict the ability to communicate by non-secured methods
Risk: Unnecessary PII is collected and maintained
Potential mitigation: Periodically re-evaluate the need and purpose of sensitive PII
Risk: Retention periods are not established / adhered to
Potential mitigation: Develop retention schedules for all critical documentation; establish automated destruction of electronic documentation
Slide 21: Why Is This Important? Examples of Government PII Breaches
US Postal Service (2017 through 2018)
- PII breached: Name, addresses, account information
- Cost / impact: 60 million users
Georgia Secretary of State (2015)
- PII breached: Names, SSN, DOB, driver's license numbers
- Cost / impact: All registered voters; approx. costs of $395,000 for auditor, $1.2 million for credit monitoring
Texas State Comptroller's Office (2011)
- PII breached: Names, addresses, SSN, DOB, driver's license numbers
- Cost / impact: 13.5 million residents; cost approximately $1.9 million, not including lawsuits
Slide 22: Questions and Discussion
Slide 23: Contact Information
Matthew Simons, CPA, CIA, CGAP, Principal
Ryan Kohan, CPA, Manager