Auditing Internal Challenges
Slide 1
The challenges for the internal auditor
Rodoljub Kajganić, Wiener Osiguranje Vienna Insurance Group
VIG Internal Audit Group Workshop
November 2015
Slide 2
Agenda
Introduction
Successful internal auditor
Compliance
Case study: How to audit compliance with group policies
Information system audit
Case study: How to do a project audit
Fraud
Case study: How to do fraud investigation
Observations
Q&A
Slide 3
Introduction - presenter biography
Experienced insurance/banking internal auditor, information systems auditor, compliance specialist, fraud investigator, AML professional
Head of Security, Compliance & AML department
Professional Certificate of Competency in the field of Compliance, ALCO, IFBL: L'Institut, ATTF Luxembourg
Management Program, IEDC Bled School of Management
Audit Committee, IT Steering Committee, Outsourcing Committee member; FATCA, ISMS project team member...
ISACA member
Enjoys road and mountain biking, traveling, reading; practices Krav Maga
Slide 4
Introduction - personal mission statement
"Success always comes when preparation meets opportunity" (Henry Hartman)
Change. Adapt. Grow. Learn.
Repeat the process.
Slide 6
Successful internal auditor
Knowledge: lifelong learning, regulations, market rules
Slide 7
Successful internal auditor
(Diagram: company strategy, legal framework, audit resources)
Value- and risk-based auditing
Find the balance between control and productivity
From compliance to risk management
Learn to speak the language of business
Slide 9
COMPLIANCE
Slide 10
Compliance - definition
Compliance means adherence to, or conformance
with, rules, laws, standards, and policies. It also
implies a sense of accountability and an obligation
to uphold pertinent codes of conduct.
Corporate compliance entails devising a formal
internal system of policies, procedures, controls,
and actions to detect and prevent violations of
laws, regulations, rules, standards, and policies.
Slide 11
(Diagram of the assurance functions)
Board
Internal Audit (third line of defence): audit legality, propriety, expediency
External Audit
Risk Management:
    Controlling, Actuary: forecast, plans, measure risk
    Enterprise Risk Management: evaluating the insurance portfolio
    Compliance: manage regulatory obligations
Slide 12
Compliance
Compliance with laws and regulations - policies and procedures
Structuring the compliance department - independence, reporting lines
Compliance program - risk assessment, mitigating risk, monitoring, reporting, training
Tone at the top and whistle-blowing (hotline)
Dealing with ethical challenges - compliance with laws/local regulations, non-discrimination, corruption and bribery, data privacy, insider trading, AML, protection of the environment
Slide 13
Compliance
Compliance audit - a compliance audit deals with the degree to which the audited entity follows rules, laws and regulations, policies, established codes and standards.
Potential threats:
Legal impact: regulatory or legal action brought against the organization or its employees that could result in fines, penalties, litigation...
Financial impact: negative impact on share price, potential future earnings, or loss of investor confidence.
Reputational impact: damage to the organization's reputation or brand (bad press or social media discussion, loss of customer trust, decreased employee morale).
To succeed you must know what success looks like; to succeed you must measure success; to succeed you must verify your measures.
Slide 14
Compliance - case study issue
How to audit compliance with group policies
Applicable for all types of audits
Risk-based approach
Slide 15
Compliance - case study analysis
The up-to-date version of all Group guidelines is
available in the VIG Intranet:
https://intranet.vig.com/en/infos-guidelines/guidelines.html
Upon request the guidelines can be provided in
paper form or via email.
Contact: Sabine Stiller (sabine.stiller@vig.com)
Slide 16
Compliance - case study analysis
Prepare an audit plan
Make a compliance risk assessment
Collect evidence by using interviews, questionnaires, review of documents
Obtain copies of departmental procedures for each area you intend to audit
Cross-reference internal procedures with group regulations
Verify compliance with local regulations, best practice and relevant standards
Check reports from regulators, inspections, external auditor
Slide 17
Compliance - case study analysis
Possibilities for improving efficiency and effectiveness in the implementation of regulations.
The effectiveness of internal controls.
Is there a system for monitoring new regulations?
Is information communicated on a timely basis in the organisation?
Deviation from Group guidelines needs a reasonable legal ground.
If activities are outsourced, how are compliance and performance monitored?
Consider materiality for reporting purposes (amount of potential fines).
The final goal is to determine whether the internal procedures are compliant and properly implemented in the processes.
Slide 18
INFORMATION SYSTEM AUDIT
Slide 19
Information system audit - definition
Any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, related non-automated processes and the interfaces between them.
Slide 20
Information system audit
Information system audit types:
General control examination or facility audit
Application audit
System development audit
Technical or special topic audit
Slide 21
Information system audit - goals
Compliance with legal and regulatory requirements
Confidentiality
Integrity
Reliability
Availability
Slide 22
Information system audit - IT risk
IT risk: the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.
Governance:
Responsibility and accountability for risk
Risk appetite and tolerance
Awareness and communication
Risk culture
Risk evaluation:
Risk scenarios
Business impact descriptions
Risk response:
Key risk indicators (KRIs)
Risk response definition and prioritisation
Slide 23
Information system audit - Internal controls
Administrative
Technical
Physical
Slide 24
Information system audit - audit procedures
Understanding of the audit area
Risk assessment/audit plan
Evaluating the audit area
Verifying and evaluating controls
Compliance testing/substantive testing
Reporting/follow-up
Slide 25
IS audit - resources
Auditing security checklist
Auditing systems development
Slide 26
IS audit - case study issue
How to do a project audit
Projects related to information system
Purchase or own development
New service or new products
Slide 27
IS audit - case study analysis
Audit project areas:
Integration
Scope, time & cost
Quality, procurement
Risk management
Human resources, communication
Project risk - the project may:
Never be delivered, or be delivered late
Exceed budget
Not deliver the required functionality
Contain errors, fail frequently
Be unfriendly, difficult and costly to operate
Slide 28
IS audit - case study analysis
Project success criteria and their relative importance:
User involvement: 19%
Executive management support: 16%
Clear statement of requirements: 15%
Proper planning: 11%
Realistic expectations: 10%
Smaller project milestones: 9%
Competent staff: 8%
Ownership: 6%
Clear visions and objectives: 3%
Hardworking, focused staff: 3%
Total: 100%
Slide 29
IS audit - case study analysis
Audit plan: identify the audit scope, determine audit objectives, gather basic information about the project, determine materiality, assess risk, and evaluate internal controls.
Check:
IT strategies, plans and budgets
Feasibility study, requirements, RFP
Security policy
Organization charts, job descriptions
Steering committee reports
Program change procedures
Operations procedures, quality assurance procedures
Slide 30
IS audit - case study analysis
Feasibility study:
Well documented and clear?
Have the departments' recommendations been included?
Has the feasibility analysis report been submitted to the management steering committee for action?
User requirement analysis:
Efficiency/effectiveness
Have the user executives approved the requirements?
Is the new system compatible with other applications/systems?
Could the new system recover after failure?
Do user requirements include security, controls and privacy measures?
Is there clear segregation of duties among those who build, test and operate the system?
Slide 31
IS audit - case study analysis
Purchased software:
Are there vendor evaluation criteria/selection procedures?
Contract - remedies, backup and recovery controls, user manuals, audit trail
Does the contract provide how the user will request changes to the software?
Can the organisation terminate the contract at any time?
Does the vendor have a high probability of being in business for the duration of the contract?
Is the level of internal controls satisfactory?
Has all data been transferred to the new system in a controlled manner?
Slide 32
IS audit - case study analysis
Post-implementation phase:
Review of the project success
Financial review of the feasibility study vs. results
Lessons learned and improvements for the future
The optimal way to ensure a successful IT project is to do an effective analysis of the risks associated with that particular project and develop a plan to manage the identified and substantial risks.
IT risks are managed, IT delivers value to the business.
Slide 33
IS audit - case study analysis
Slide 34
FRAUD
Slide 35
Fraud - definition
Fraud is generally defined in the law as an intentional misrepresentation of a material existing fact made by one person to another with knowledge of its falsity and for the purpose of inducing the other person to act, and upon which the other person relies with resulting injury or damage.
Which is the bigger risk?
External attacker vs. employee fraud
Slide 36
Fraud - statistics
Slide 37
Fraud – cyber attacks
Slide 38
Fraud - statistics
General red flags:
Often first in and last out of the office
Lots of unused holiday
Changes in lifestyle - spending, socializing, marital status
Resigned, working out redundancy
Passed over for promotion or pay review
Pending HR disciplinary
Slide 39
Fraud - resources
Red flags of insurance fraud
Slide 40
Fraud - anti-fraud framework
Anti-fraud policy
Roles & responsibilities
Fraud risk assessment
Prevention, detection, investigation
An anti-fraud policy is most effective when applied with a clear methodology and implementation plan, as opposed to random reviews which rely primarily on a chance discovery of fraud or wrongdoing.
An anti-fraud policy proactively looks for fraud (rather than focusing on specific known types or incidents).
Slide 41
Fraud - case study issue
How to do fraud investigation
Fraud risk assessments
Checking transaction accounts of employees
Investigation
Slide 42
Fraud - internal controls
Do we have internal controls?
Are they sufficient and effective?
Slide 43
Fraud - case study analysis
Risk-based audit - follow the money
Appoint a fraud protection officer
Regular fraud risk assessments
Enforce separation of duties
Four-eyes controls, use red flags, blacklist
Automatic preventive controls in the information system
Slide 44
Fraud - case study analysis
Perform background checks
Institute a policy of job rotation and a mandatory vacation policy
Have employees bonded with the proper insurance policies
Create annual financial disclosure policies for the people in the organizational process
Separate the authorization of transactions from their recording
Require multiple signatures - formal signatures!
Define the trust levels with the appropriate checks
Whistle-blowing - make sure you hear the bad news first
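As an added example (not code from the presentation, from VIG, or from any named product), the following Python script shows what an automatic preventive control for the points on slides 43 and 44 can look like when run over transaction records: separation of the recorder from the approver, a four-eyes rule above a threshold, a payee blacklist, a match of payee accounts against employees' own accounts, and a "follow the money" pass that spots one recorder splitting a large payment into several sub-threshold ones to the same payee. The record layout, the 10,000 threshold, and every user, account and payment below are constructed assumptions for illustration.

```python
"""Segregation-of-duties, four-eyes and follow-the-money checks over payments.

Added example for this page; not code from the presentation or from VIG.
The record layout, threshold and all sample data are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Payment:
    pid: str
    amount: float
    payee_account: str
    recorded_by: str                 # user who entered the transaction
    authorized_by: Tuple[str, ...]   # users who approved it (may be empty)


# Constructed configuration (assumed values, not from the presentation).
FOUR_EYES_THRESHOLD = 10_000.0          # at/above this, two distinct approvers are required
BLACKLIST: Set[str] = {"ACC-BLOCKED-01"}
EMPLOYEE_ACCOUNTS: Dict[str, str] = {   # employee -> personal account (from HR/payroll)
    "alice": "ACC-EMP-ALICE",
    "bob": "ACC-EMP-BOB",
}


def check_payment(p: Payment,
                  threshold: float = FOUR_EYES_THRESHOLD,
                  blacklist: Set[str] = BLACKLIST,
                  employee_accounts: Dict[str, str] = EMPLOYEE_ACCOUNTS) -> List[str]:
    """Return red-flag codes for one payment; an empty list means it passed."""
    flags: List[str] = []
    approvers = set(p.authorized_by)
    if not approvers:
        flags.append("NO_AUTHORIZATION")
    if p.recorded_by in approvers:
        flags.append("SOD_RECORDER_APPROVED")        # same person records and authorizes
    if p.amount >= threshold and len(approvers) < 2:
        flags.append("FOUR_EYES_MISSING")            # one signature is not enough above threshold
    if p.payee_account in blacklist:
        flags.append("BLACKLISTED_PAYEE")
    owner = {acct: emp for emp, acct in employee_accounts.items()}.get(p.payee_account)
    if owner is not None and owner in approvers | {p.recorded_by}:
        flags.append("PAYEE_IS_HANDLER")             # money flows to someone who handled it
    return flags


def detect_splitting(payments: List[Payment],
                     threshold: float = FOUR_EYES_THRESHOLD,
                     min_count: int = 3) -> Dict[Tuple[str, str], List[str]]:
    """Follow the money: one recorder sending several sub-threshold payments to
    one payee whose total crosses the four-eyes threshold (approval evasion)."""
    groups: Dict[Tuple[str, str], List[Payment]] = defaultdict(list)
    for p in payments:
        if p.amount < threshold:
            groups[(p.recorded_by, p.payee_account)].append(p)
    return {key: [p.pid for p in ps]
            for key, ps in groups.items()
            if len(ps) >= min_count and sum(p.amount for p in ps) >= threshold}


SAMPLE_PAYMENTS = [                       # constructed sample data
    Payment("P1", 2_500.0, "ACC-VENDOR-1", "carol", ("dave",)),      # clean
    Payment("P2", 15_000.0, "ACC-VENDOR-2", "carol", ("carol",)),    # SoD + four eyes
    Payment("P3", 800.0, "ACC-BLOCKED-01", "erin", ("dave",)),       # blacklisted payee
    Payment("P4", 4_000.0, "ACC-EMP-ALICE", "alice", ("dave",)),     # recorder pays herself
    Payment("P5", 9_900.0, "ACC-VENDOR-3", "bob", ("dave",)),        # splitting, 3 x 9,900
    Payment("P6", 9_900.0, "ACC-VENDOR-3", "bob", ("dave",)),
    Payment("P7", 9_900.0, "ACC-VENDOR-3", "bob", ("frank",)),
    Payment("P8", 500.0, "ACC-VENDOR-4", "erin", ()),                # never authorized
]


def audit(payments: List[Payment]) -> Dict[str, List[str]]:
    """Run the per-payment checks and the splitting pass; map payment id -> flags."""
    report = {p.pid: check_payment(p) for p in payments}
    for (recorder, payee), pids in detect_splitting(payments).items():
        for pid in pids:
            report[pid].append(f"SPLITTING:{recorder}->{payee}")
    return report


if __name__ == "__main__":
    for pid, flags in audit(SAMPLE_PAYMENTS).items():
        print(pid, "OK" if not flags else ", ".join(flags))
```

Each flag maps to one control from the slides: SOD_RECORDER_APPROVED and FOUR_EYES_MISSING enforce separation of duties and multiple signatures, BLACKLISTED_PAYEE and PAYEE_IS_HANDLER are the blacklist and the check of employees' own accounts, and SPLITTING is the "follow the money" view that a per-transaction control alone cannot give. Run as a preventive control the script would block the payment before posting; run by the auditor over a period's transactions it produces the sample for investigation.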
Slide 45
Observations
Work on attitude, knowledge and skills. Change, adapt, grow, learn, repeat the process.
Determine whether the internal procedures are compliant and properly implemented in the processes.
Consider whether IT risks are managed and IT delivers value to the business. Analyze project risks and ensure you have a plan to manage the identified and significant risks.
Ensure you have an anti-fraud policy, a fraud protection officer and fraud risk assessments; follow the money.
Slide 46
QUESTIONS & ANSWERS
rkajganic@wiener.ba
+387 (0)65 422 242
https://ba.linkedin.com/in/rodoljubkajganic
Slide 47
Thank you for your attention