Auditing Vendor Third-Party Risk
AHIA Southeastern RegionConference - December 7, 2018
What can your Audit Department do?
SPEAKER – MICHAEL LISENBY
Mike Lisenby is the Managing Partner of Rausch Advisory Services. Mike has over 18 years of experience in helping businesses manage their technology resources and compliance needs effectively. His experience includes consulting and co-sourcing, IT security, IT audits, regulatory compliance, technology security assessments, risk identification, assessment and evaluation; risk response; risk monitoring; IT control design and implementation; and IT control monitoring and maintenance. Mike has held leadership roles with Arthur Andersen and several other national consulting firms, and has prior experience with Fortune Brands and Philip Morris.
He designed a Virtual Security Technology Center for a national consulting firm and ran an ethical hacking / penetration testing team for Arthur Andersen.
He has served on the Board of Directors for the Information Systems Audit and Control Association (ISACA, Atlanta and Milwaukee chapters), and he holds a CRISC (Certified in Risk and Information Systems Control) certification.
SPEAKER – SCOTT DWYER
Scott Dwyer, Director in the Internal Audit practice at Rausch Advisory Services, has extensive Internal Audit experience as a former consulting auditor, Director of Internal Audit, and Chief Audit Executive.
Scott is an innovative executive who effects positive change by combining real leadership with strong collaborative skills and expertise in internal auditing, regulatory compliance, and risk management.
His 20+ years of experience have been heavily focused on the healthcare industry, where Scott has provided a wide range of services to each of the three legs of the healthcare stool: providers, payers, and regulators. Most recently Scott had been the Chief Audit Executive for Independent Health Association, a $2 billion health insurance company in Buffalo, NY.
Scott earned his MBA at the University of Buffalo and is a Certified Information Systems Auditor.
ABOUT US
Client First
Rausch recognizes that not every client is the same; each has unique needs. We are committed to meeting those needs.
Rausch accomplishes this by providing experienced, dedicated professionals who engage with our clients to achieve their objectives.
At Rausch we believe the most important thing is our employees; we treat them the way we expect they will treat our clients.
Finance & Accounting – Internal Audit – Information Security
AGENDA
01 About Us: Michael Lisenby & Scott Dwyer and a brief introduction to Rausch Advisory Services LLC.
02 Third-Party Breaches: Latest news on vendor breaches that are affecting organizations today.
03 Audit Considerations: Addressing vendor risk management, why and how do you need to evaluate your third parties. What is Audit’s role?
04 Tools & Technologies: Tools to enable the process, building an effective survey and defining the Vendor Assessment Process.
VENDOR COMPLIANCE
Related terms: Law, Regulations, Requirements, Standards, Guidelines, Policy, Audit, Transparency, VRM, TPRM.
Programs
• Vendor Risk Management
• Third Party Risk Management
• Supplier Relationship Management
Who Owns The Risk
“Information Security and Compliance typically don’t control who the organization does business with. Business owners do.”
THIRD PARTY BREACH - NEWS
VENDOR RISK MANAGEMENT
AUDIT CONSIDERATIONS
Have you audited your company’s vendor management program?
Does your company have a formalized due diligence process covering contracting, services review and the overall monitoring and management of vendor relationships?
Does your organization have the appropriate controls in place to mitigate risks that are present in the vendor management program framework?
AUDIT CONSIDERATIONS
Is your organization considering risk and controls during the sourcing and onboarding of vendors?
Which departments participate in the review and approval of new vendors? (Finance? Compliance? Procurement? IT Security? Information Risk Office?)
Does your organization have a central repository for all its vendor contracts?
AUDIT CONSIDERATIONS
The 3C’s: Categorize, Compliance, Competencies
AUDIT CONSIDERATIONS
How does the organization identify its risk exposure to vendors? (Hint: Do not rely solely on spending levels!)
Does the organization risk rate its vendors?
AUDIT CONSIDERATIONS
Categorize – Establishing a risk assessment framework
• Categorize your vendors by service type and level of risk. Keep it simple: High, Medium, and Low.
• Work with internal partners to determine the risk criteria to measure.
• Perform an initial assessment of each vendor and repeat it each year.
Who should perform these risk assessments?
AUDIT CONSIDERATIONS
Categorize – Establishing a risk assessment framework
Risk Assessment Qualitative Documentation:
• Against which framework will vendors be measured?
• Is access needed to internal data?
• Nature of data categorized by risk (PHI, PPI, proprietary, corporate financial, identifiers, passwords)
• Data and information security expectations
AUDIT CONSIDERATIONS
Categorize – Establishing a risk assessment framework
Risk Assessment Quantitative Documentation:
• Financial solvency baselines
• Contract size
• Beneficial owners of the third party's business
• IT security ratings
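The risk-rating framework from the three Categorize slides (rate each vendor High, Medium or Low from the qualitative and quantitative criteria, then repeat the assessment each year) expressed as a small Python scoring model. This is an added example and not Rausch's RAS tool or any scoring method the presentation describes; the weights, the tier thresholds, the 0-100 security-rating scale, the accepted attestations and the three sample vendors are all constructed assumptions. The deliberate point it makes is the slide's hint: the large-spend office-supply vendor scores Low while a small-contract analytics vendor that holds identifiers scores Medium, so spend alone does not decide the tier.

```python
"""Vendor risk tiering (added illustration; weights and thresholds are assumed)."""
from dataclasses import dataclass
from datetime import date

# Constructed sensitivity scale for the data categories the slides list.
DATA_SENSITIVITY = {
    "PHI": 5, "passwords": 5, "PPI": 4, "corporate financial": 4,
    "proprietary": 3, "identifiers": 3, "none": 0,
}
# Attestation evidence the (hypothetical) policy accepts as mitigating.
ACCEPTED_ATTESTATIONS = frozenset({"SOC 1", "SOC 2", "PCI"})
ASSESSMENT_DATE = date(2018, 12, 7)  # constructed "today" for the run


@dataclass(frozen=True)
class Vendor:
    name: str
    service_type: str
    data_types: tuple            # keys of DATA_SENSITIVITY
    internal_access: bool        # needs access to internal data/systems?
    contract_size_usd: float
    financially_solvent: bool    # meets the solvency baseline?
    beneficial_owners_known: bool
    security_rating: int         # external IT security rating, assumed 0-100
    attestations: frozenset      # e.g. {"SOC 2"}
    last_assessed: date


def qualitative_score(v: Vendor) -> int:
    """Nature of data handled (worst category counts) plus internal access."""
    score = 2 * max(DATA_SENSITIVITY.get(d, 3) for d in v.data_types)
    return score + (4 if v.internal_access else 0)


def quantitative_score(v: Vendor) -> int:
    """Solvency, ownership transparency, security rating and (modestly) spend."""
    score = 3 if v.contract_size_usd >= 1_000_000 else 2 if v.contract_size_usd >= 100_000 else 1
    score += 0 if v.financially_solvent else 3
    score += 0 if v.beneficial_owners_known else 2
    score += 4 if v.security_rating < 60 else 2 if v.security_rating < 80 else 0
    return score


def mitigation_credit(v: Vendor) -> int:
    """Accepted third-party attestation evidence lowers the score slightly."""
    return 2 if v.attestations & ACCEPTED_ATTESTATIONS else 0


def risk_score(v: Vendor) -> int:
    return max(0, qualitative_score(v) + quantitative_score(v) - mitigation_credit(v))


def risk_tier(v: Vendor) -> str:
    s = risk_score(v)
    return "High" if s >= 12 else "Medium" if s >= 6 else "Low"


def reassessment_due(v: Vendor, today: date) -> bool:
    """Initial assessment, then repeat each year."""
    return (today - v.last_assessed).days >= 365


def assess(vendors, today: date) -> dict:
    """Tier every vendor and flag those whose annual re-assessment is overdue."""
    return {v.name: (risk_tier(v), reassessment_due(v, today)) for v in vendors}


# Constructed sample vendors.
CLAIMS_CLOUD = Vendor("ClaimsCloud", "claims processing SaaS", ("PHI", "PPI"), True,
                      2_500_000, True, True, 72, frozenset({"SOC 2"}), date(2017, 11, 1))
OFFICE_SUPPLY = Vendor("OfficeSupplyCo", "office supplies", ("none",), False,
                       3_000_000, True, True, 85, frozenset(), date(2018, 6, 15))
TINY_ANALYTICS = Vendor("TinyAnalytics", "marketing analytics", ("identifiers",), False,
                        40_000, True, True, 65, frozenset(), date(2018, 1, 10))
SAMPLE_VENDORS = (CLAIMS_CLOUD, OFFICE_SUPPLY, TINY_ANALYTICS)

if __name__ == "__main__":
    for name, (tier, due) in assess(SAMPLE_VENDORS, ASSESSMENT_DATE).items():
        print(f"{name:15} {tier:7} re-assessment due: {due}")
```

Running the block prints the tier and re-assessment status for each sample vendor; the thresholds and weights are the part an audit team would replace with the criteria agreed with its internal partners.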
AUDIT CONSIDERATIONS
Compliance – Are your vendors affecting your regulatory or VRM compliance program?
• Is Internal Audit partnering with Compliance to evaluate vendors’ compliance activities and controls?
• Does your company policy require evidence of third-party attestation: SOC, SOC2, PCI certification, etc.?
• Has the vendor developed strong HIPAA policies and controls?
• What impact, if any, will the vendor have on your HITECH compliance?
AUDIT CONSIDERATIONS
Compliance – Are your vendors affecting your regulatory or VRM compliance program?
Your company’s Vendor Risk Management Policy should require the following:
• Human resources security
• Physical and environmental security
• Baseline requirements for network and system security
• Baseline requirements for data security
• Baseline requirements for access control
• Baseline requirements for IT acquisition and maintenance
AUDIT CONSIDERATIONS
Compliance – Are your vendors affecting your regulatory or VRM compliance program?
Your company’s Vendor Risk Management Policy should require the following:
• Require vendors to document their own vendor management program
• Define the vendor's incident response management responsibilities
• Define the vendor’s BCP and DR responsibilities
• Outline the vendor compliance requirements
• A strong right-to-audit clause!
AUDIT CONSIDERATIONS
Competencies – Ongoing evaluation and measurement of a vendor are critical to the process.
• Incorporate information security management when qualifying a vendor.
• Review information security throughout the life of the contract.
• Your Board of Directors should be kept informed regarding the company’s vendor risk management program.
AUDIT CONSIDERATIONS
Competencies – Ongoing evaluation and measurement of a vendor are critical to the process.
• What contingency plans does your organization have in place if a supplier for a critical process goes out of business?
• Do your vendor contracts include a statement of work, delivery date, payment schedule, and information security requirements?
• Does your program measure vendor performance against established SLAs?
The Internal Auditor must be able to identify and assess the risks within each of the control activities reviewed during the audit of the vendor.
Additionally, mitigation plans need to be assigned and monitored for those risks that the audit has identified as needing remediation.
Tools & Surveys
Surveys: Excel, Word, dedicated software, SurveyMonkey
Frameworks: ISO, NIST, Cloud Security Alliance, COSO, COBIT
Evaluation: automated scoring, manual audit team review, interviews, manual intervention
Automation: a platform to deliver, secure, retain and communicate; flexibility; ease of use
VENDOR ASSESSMENT PROCESS
01 Standardize Assessment: All assessments should be customized to fit your environment.
02 Distribution: Initiate an assessment to the vendors.
03 Communicate: Maintain communication to ensure assessments are completed on time.
04 Vendor Review: A review of the vendor's self-assessment should be completed to ensure accuracy.
05 Data Export: Export assessments and evidence from the tool or email collection into a standardized framework so that they can be evaluated.
06 Approval or Rejection of Vendors: The client can use all evidence provided and any audits performed, combined with the scoring dashboards, to quickly approve or reject a vendor.
07 Annual Re-assessment: Organizations should provide ongoing governance throughout the vendor lifecycle.
Success Methods
Process: Create a repeatable process that collects and measures the relevant information.
Engagement: Proactively engaged relationships which nurture vendors towards your business goals.
Education: Proactive, insight-driven campaigns which communicate the value of controls to mitigate risk.
Community: Building advocates and creating opportunities with your providers and peers to share and learn.
RAS Vendor 360
Ease of use
• Dedicated assessments
• Branded for your company
• Access through a browser
• Mobile friendly
• Assessments can be sent in up to 46 languages
• Start and stop at your pace
• Intuitive logic
Dedicated Portal
• One place for all reporting on a vendor
• Efficiently assign assessments through invite forms
• Comparison reporting
• Auditor access
• Access through a browser
• Mobile friendly
• Assessments are responsive to screen size and support 46 different languages dynamically.
• Branded to your environment: vendors see your branding, with questions tailored and weighted to your requirements.
• Rausch utilizes RAS for internal audits, compliance reviews and enterprise risk assessments.
Address: 5825 Glenridge Drive, BLD 1 STE 212, Atlanta, GA
Contact Number: 404.775.1151
Email Address: [email protected]
THANK YOU