THE AUDIT EXCHANGE LLC
Enterprise Risk / Internal Audit & Controls / Reporting Compliance

Cybersecurity Risk Governance Imperatives for Boards and Management
Third Party Vendor Risk Management
March 22, 2018

Agenda

- Cybersecurity Guiding Principles for Boards & Management
- Third Party Life Cycle: Five Components
- Review of SOC Reports: "It's not what you said, it's what you didn't say."

SOC Reports - Overview

- SOC 1: Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting (SSAE 18, AT-C Section 320)
- SOC 2: Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (Trust Services Principles, TSP Section 100)
- SOC 3: Trust Services Criteria for General Use Report (a subset of a SOC 2 report)
- Description Criteria for Management's Description of an Entity's Cybersecurity Risk Management Program (commonly, if unofficially, referred to as a "SOC 4")

Five Guiding Principles

National Association of Corporate Directors + AIG + Internet Security Alliance = Five Guiding Principles
Source: Cyber Risk Oversight, by Larry Clinton, President & CEO, Internet Security Alliance

Five principles for boards seeking to enhance oversight of cyber risks:

I. Cybersecurity is an Enterprise Risk Management issue, not just an Information Technology issue.
II. Boards should understand the legal implications of cyber risks.
III. Boards should access cybersecurity expertise and discuss it regularly as a standing agenda item.
IV. Boards should set the expectation that management establish an ERM framework with adequate staffing and budget.
V. Board and management should discuss cyber risk strategies (avoidance, acceptance, mitigation or transfer) with specific plans.

Cybersecurity: What the Board of Directors Need to Ask

Institute of Internal Auditors (IIA) & Information Systems and Control Association (ISACA): 10 Board Imperatives via the 5 Guiding Principles

Principle I: Cybersecurity is an Enterprise Risk Management issue, not just an Information Technology issue.

1. The board must assume the role of the 4th line of defense against cyber risks.

Principle II: Boards should understand the legal implications of cyber risks.

2. The board should understand the cyber risks associated with third-party service providers:
   - IT outsourcing
   - Business process outsourcing
   - Cloud solutions
   - Chain of trust with downstream providers

3. Most states have enacted a data breach law requiring notification upon a breach. The board should collect and understand:
   - In which states does the organization conduct business?
   - Which states have the strictest related laws?
   - What constitutes a breach in these states?
   - What are the reporting requirements?
   - Are there safe harbor clauses under these laws?

4. The board should be aware of major data breach attempts, as well as incidents.

Principle III: Boards should access cybersecurity expertise and discuss it regularly as a standing agenda item.

5. Meet with the Chief Information Security Officer (CISO) annually at a minimum:
   - Understand the CISO's top-of-mind issues
   - The CISO's security strategy and current projects
   - The CISO's roadblocks (e.g., budget, politics, arrogance)
   - Understand industry breaches and apply that knowledge

6. Verify that management has established relationships with the national and local authorities responsible for cyber crime (e.g., FBI/InfraGard).

Principle IV: Boards should set the expectation that management establish an ERM framework with adequate staffing and budget.

7. The board must require management to communicate the ERM organization structure, with staffing and budget details. The board must review the total budget allocated to cybersecurity, including:
   - IT budget vs. total revenue
   - Security budget vs. total IT budget
   - Security dollars per employee
   - Corporate AND departmental IT security budgets

8. Boards must ensure the CISO is reporting at an appropriate level:
   - The CISO's agenda may conflict with the CIO's
   - CISO reporting lines may migrate to the COO, GC, CRO or CEO

Principle V: Board and management should discuss cyber risk strategies (avoidance, acceptance, mitigation or transfer) with specific plans.

9. Meet with the CRO at least annually and review all risks that were avoided or accepted.
   Case study: an IT solution for a business unit may present an extraordinary risk for the entire organization. The need for the solution may outweigh the risk (i.e., the CEO's acceptance of the risk). A Risk Acceptance Report must be presented to the board.

10. The board must verify that cyber insurance coverage is sufficient. The board must understand the cost per record per data breach, as well as the total potential impact of a major breach.

Third Party Service Providers: Risk Management Lifecycle Components

The five lifecycle components, following the Office of the Comptroller of the Currency (OCC), US Department of the Treasury, "Third Party Relationships: Risk Management Guidance" (October 30, 2013), which applies to many/all industries:

- Design & Planning
- Due Diligence / 3rd Party Selection
- Contracting
- Monitoring
- Termination

Risk Management Lifecycle: Design & Planning

- Inherent risk identification
- Gauge risk appetite
- Complexity and inter-dependencies
- Customer and vendor interactions
- Security & confidentiality
- Regulations & laws
- Contingency planning

Risk Management Lifecycle: Due Diligence (3rd Party Selection)

- Alignment of strategy & goals
- Legal and regulatory compliance
- Financial & operational stability
- Risk management program
- Insurance
- Internal controls / SOC reporting
- Experience & reputation
- Use of sub-contractors
- Fee structure
- Conflicts

Risk Management Lifecycle: Contracting

- Detailed nature & scope of the arrangement
- Benchmarking & performance measures
- Communications and records management
- Notifications and termination
- Right to audit and remediation
- Regulations & laws
- Fees and other costs
- License & ownership
- Confidentiality & integrity
- Standard terms & conditions

Risk Management Lifecycle: Monitoring

- Identify internal expertise and authority for oversight & accountability
- Periodic re-assessment of risks & due diligence inquiries
- Periodic testing of important control activities (e.g., SOC reporting)
- Establish reporting protocols and escalation procedures

Risk Management Lifecycle: Termination

- Contract termination rights
- Contingency scenario planning
- Capabilities & resources
- Legal
- Regulatory
- Customer
- Timing
- Data retention & destruction
- Communication and access control
- Reputation
- Joint intellectual property

Why Focus on SOC Reports? Convergence of Factors

- Proliferation of 3rd party processors: Healthcare; Life Sciences; Financial Services; Technology; Distribution; Workforce Screening
- Regulatory compliance: HIPAA; HITECH; GLB; Meaningful Use Standards; State laws; International laws
- Privacy & security concerns: Cybersecurity; Financial data; Personal data; Intellectual data
- Fiduciary responsibilities: Management; Board of Directors / Trustees; Underwriters / Insurers; Reputation

Why Would I Focus on SOC Reports? Very Important Questions to Ask

- Who are you?
- What is your business?
- How do you do it?
- Who are your customers?

ISAE 3402 to SOC Reporting: International to US Standards (AT 101 / TSP 100)

SOC 1 / SSAE 18 Content: Attestation of Control Objectives (Healthcare Example)

1. Provider Setup: Controls provide reasonable assurance that providers are properly set up in the MedProvide system.
2. Insurer Setup: Controls provide reasonable assurance that insurers are accurately set up in the MedInsure system.
3. Intake: Controls provide reasonable assurance that billing information received is completely, accurately, and timely entered into the MedInsure system.
4. Case Setup and Claim Authorization: Controls provide reasonable assurance that claims are authorized prior to billing.
5. Billing: Controls provide reasonable assurance that all cases are reviewed to ensure billing information is correct and assigned to the correct case prior to processing.
6. Collections / Provider Payments: Controls provide reasonable assurance that payments are received and properly applied to the applicable claim, and that the appropriate corresponding payment to the provider is made in a timely manner.
7. Logical Access: Controls provide reasonable assurance that logical access to system resources is reasonable and restricted to properly authorized individuals.
8. Network Security: Controls provide reasonable assurance that the network is protected from unauthorized access and service outages.

9. Change Management: Controls provide reasonable assurance that changes to existing applications and implementation of new applications are authorized, tested, approved, properly implemented, and documented.
10. Computer Operations: Controls provide reasonable assurance that processing is appropriately authorized and scheduled, and that deviations from scheduled processing are identified and resolved.
11. Physical Security: Controls provide reasonable assurance that physical access to computer equipment, storage media, and program documentation is restricted to properly authorized individuals.
12. Data Backup: Controls provide reasonable assurance that backup procedures are in place to preserve the integrity of programs and data files.

SOC 2 Trust Services Criteria: Proposed Revision to the Standard, Effective June 15, 2018

Revision & expansion of the standard (new):

- Common Criteria: the 17 Principles of COSO, including 111 Points of Focus across the five COSO components: Control Environment; Risk Assessment; Information & Communication; Control Activities; Monitoring
- Supplemental Criteria: includes 84 Points of Focus: Logical and Physical Access; System Operations; Change Management
- Availability: 14 Points of Focus
- Processing Integrity: 18 Points of Focus
- Confidentiality: 4 Points of Focus
- Privacy: 47 Points of Focus

Old standard:

- Common Criteria (incl. Security), 28 criteria: Organization & Mgmt.; Communications; Risk Management and Design & Implementation of Controls; Monitoring; Logical & Phys. Access; Systems Operations; Change Management
- Privacy, 20 criteria: Notice; Choice & Consent; Collection; Use, Retention & Disposal; Access; Disclosure & Notification; Security for Privacy; Quality; Monitoring & Enforcement
- Confidentiality, 8 criteria: Protected info.; Access restricted; Third-party commitments and compliance
- Availability, 3 criteria: Capacity & Usage; System Monitoring; Backups & Recovery Testing
- Processing Integrity, 6 criteria: Input & Output; System Processing commitments; Data Modification and Storage

Management of the Service Organization must decide which Criteria should be included in the SOC 2 audit.

Components of a SOC Report: Sections 1 through 5

- Report cover
- Index
- Section 1: Auditor's Report
- Section 2: Management's Assertion
- Section 3: Management's Description
- Section 4: Tests of Effectiveness
- Section 5 (optional): information provided by management that has not been audited, for example an overview of the Service Organization's Business Continuity Policy/Program

Review of SOC Reports: Important Questions for Users to Ask

"It's not what you said, it's what you didn't say."

- Who are you? What is your business? How do you do it? Who are your customers?
- Does the description of the 3rd party's processes within the SOC report sufficiently address the user's needs?
- Are important controls described in Section 3 of the report sufficiently identified and tested in Section 4?
- Do the Control Objectives and underlying controls identified in the SOC 1 report address the user's needs?
- Do the exceptions in Section 4 of the report concern the user of the report?
- Does the user's control environment address the Complementary User Entity Controls described within the SOC report?
- Is someone within the user's organization sufficiently skilled to review SOC reports?

2013 COSO Internal Control Framework: Quick and Best Overview

Trust Services Criteria for SOC 2 Reporting: TSP Section 100

Trust Services Criteria (formerly called the Trust Services Principles) for SOC 2 Reporting

- Proposed revision to the standard effective December 15, 2018 (will supersede the 2015 Description Criteria)
- Aligns with the COSO Internal Control Framework's 17 Principles
- Added supplemental criteria, including: Logical & Physical Access; System Operations; Change Management
- Comprised of Trust Services Categories: Security (aka Common Criteria); Availability; Processing Integrity; Confidentiality; Privacy
- Common Criteria includes 111 Points of Focus across the five COSO components: Control Environment; Risk Assessment; Information & Communication; Control Activities; Monitoring
- Supplemental Criteria includes: Logical & Physical Access; System Operations; Change Management

Risks that the criteria will not be met arise for a variety of reasons, including:

- The nature of operations
- The environment in which the organization operates
- The types of information created, used and stored
- The types of commitments made to customers or other 3rd parties
- The responsibilities entailed in operating and maintaining systems
- The technologies, connection types, and delivery channels used

Risks are addressed through the implementation of suitably designed controls. Controls are referenced in the Description within Section 3 of a SOC 2 report.

Description Criteria (DC) comprise Section 3 of the SOC 2 report and must address the following items:

DC 1: The types of services provided, for instance: Customer support; Health claims management; Enterprise IT outsourcing services; Financial technology services; Managed security

DC 2: Commitments to customers and system requirements to meet the entity's objectives. The SOC 2 engagement will consider the entity's objectives, including:
- Commitments: the details related to services the entity agrees to provide to its customers (e.g., written contracts, service level agreements, public statements)
- System requirements: how the system functions to meet the entity's commitments to customers, relevant laws/regulations, or guidelines

DC 3: The components of the system: Infrastructure; Software; People; Processes; Data

DC 4: Incident reporting. Did the incident result in a significant impairment of the service organization's achievement of its service commitments and system requirements? Describe:
- The nature of the incident
- The timing surrounding the incident
- The extent (or effect) of those incidents and their disposition

DC 5: The applicable Trust Services Criteria and related controls, for instance the Security Criteria (aka Common Criteria):
- Information systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise availability, integrity, confidentiality or privacy and affect the entity's ability to meet its objectives.
- Security refers to the protection of information during its collection or creation, use, processing, transmission, and storage, and of the systems that use electronic information to process, transmit or transfer, and store information.
- Controls over security prevent or detect: breakdown and circumvention of segregation of duties; system failure; incorrect processing; theft or unauthorized removal of information or system resources; misuse of software; improper access to or use of, alteration, destruction, or disclosure of information.

DC 6: Controls the service organization assumes will be implemented by user entities: Complementary User Entity Controls (CUEC)

DC 7: The service organization's use of a subservice organization. Are the controls at the subservice organization necessary for the service organization to achieve its service commitments? Inclusive method vs. carve-out method.

DC 8: Other information

DC 9: Relevant details of changes to the service organization's system throughout the period of the examination

Cybersecurity Risk Management Program Description Criteria

- The report will utilize the criteria described in TSP Section 100 (aka SOC 2)
- The report will have a similar structure to a SOC 2 report (i.e., 4 sections)
- Section 3 of the report will contain the Description Criteria (a.k.a. DC1, DC2, etc.)
- 18 Description Criteria are specific to a Cybersecurity Risk Management Program:
  - Nature of business and operations (DC 1)
  - Nature of information at risk (DC 2)
  - Cybersecurity risk management program objectives (cybersecurity objectives) (DC 3-4)
  - Factors that have a significant effect on inherent cybersecurity risks (DC 5-6)
  - Cybersecurity risk governance structure (DC 7-10)
  - Cybersecurity risk assessment process (DC 11-12)
  - Cybersecurity communications and quality of cybersecurity information (DC 13-14)
  - Monitoring of the cybersecurity risk management program (DC 15-16)
  - Cybersecurity control processes (DC 17-19)

Where are SOC reports headed? How will the public accounting profession respond?

John McLaughlin, CPA, CRMA
Executive Director & Founder, The Audit Exchange, LLC
[email protected]
1.610.304.3856
www.theauditexchange.com
