
Confessions of an Internal Auditor: IT Edition


In-depth technical knowledge and experience isn’t necessary when auditing and assessing risks related to information technology and systems. Learn from a former internal auditor how to remove the barriers that prevent meaningful IT reviews.

Published in: Business
  1. TODAY’S OBJECTIVES
     • Review risks related to information technology facilities, system access, data integrity, and system maintenance.
     • Describe techniques for the non-technical professional to evaluate controls of information technology and systems.
  2. ABOUT VANDERBILT UNIVERSITY MEDICAL CENTER
     • $2.3 Billion Annual Healthcare Operating Expenses (excludes academics and research)
     • $471.6 Million Annual Sponsored Research Budget
     • $843.6 Million Annual Charity Care, Community Benefits, and other Unrecovered Costs
  3. INTEGRATED IT AUDITING / FOCUSED IT AUDITS
     IT AUDIT PLANNING - REQUESTS
     • HIPAA Security Risk Assessment
     • External auditor’s report and management letter
     • Consulting reports
     • IT policies and procedures
  4. SYSTEM/APPLICATION LIST
     • System or application name
     • Vendor
     • System purpose
     • The business and IT owners
     • Location(s) where the system is physically housed
     • Service Criticality (they can’t all be Mission Critical)
     (Letter grid listing vendor names: ALLSCRIPTS, AVAILITY, CERNER, CISCO, EMC, EPIC, IBM, ITIL, KRONOS, MEDASSETS, MEDITECH, MICROSOFT, OMNICELL, ORACLE, SAP, SIEMENS)
     THE CLAW HAS SPOKEN
  5. USER SECURITY & ADMINISTRATION (Audit Objectives)
     • Account administration
     • User authentication and passwords
     • Session controls
     ACCOUNT ADMINISTRATION
     • Process to request and approve accounts
     • How are accounts inactivated or deleted
     • Documentation of requests
     • Monitoring for non-use, change in employment status, etc.
  6. USER AUTHENTICATION & PASSWORDS
     • Minimum password length and composition
     • Periodic password changes
     • Multi-factor authentication
     • Lockouts and resets
     SESSION CONTROLS
     • Session length
     • Maximum inactivity
     • Concurrent logins
  7. CHANGE MANAGEMENT (Audit Objectives)
     • Documented processes and policies (including emergency changes)
     • Segregated environment and testing
     • Production access
     AN ICQ FOR EACH APPLICATION
     • Are change requests logged?
     • Is version control software used?
     • What logical environments exist?
     • Are all changes required to be tested?
     • Who is responsible for migrating changes?
     • Are back-out procedures required prior to implementation?
     • How are emergency changes communicated to business owners?
  8. TESTING CHANGE
     • Emergency Change
     • Tech Approval
     • Business Approval
     • CAB Approval
     • Programmed in Dev
     • Tested Outside Production
     • Testing Completed
     • User Testing Complete
     • Programmer Deployed Change
     • Back-out Procedures
     • Documentation Updated
     • # of Resulting Issues
     DATA CENTER PHYSICAL SECURITY (Audit Objectives)
     • Physical access for both individuals and equipment
     • Power configurations
     • Environmental controls and monitoring
  9. ACCESS CONTROLS
     • Access logs - who, when, and why
     • Approvals and pre-approvals
     • Monitoring and oversight
     POWER
     • Sources and configurations
     • Redundancy and back-up
     • Capacity Planning
     • Joint Commission
  10. ENVIRONMENT
     • Cooling
     • Humidity
     • Fire suppression
     • Water (and other wet stuff)
     • Raised floors
     INTEGRATING IT INTO FINANCIAL AND OPERATIONAL AUDITS
  11. COMMON ISSUES: IT
     • Storage of PHI on unsecured media
       • CD/DVD with Medical Images
       • Department File Servers, Local PCs, Laptops, etc.
     • Inadequate Password Policy/Enforcement
     • Unsecured/Sharing of Clinic Workstations
     • Disaster Recovery
       • Documented Downtime Procedures
     • Oversight/Security of Portable Devices (e.g., iPads)
     ADDITIONAL READING (book images: 512 pages, 1.8 pounds; 696 pages, 3.0 pounds; 2,000 pages, 7.6 pounds)
  12. QUESTIONS
     Brad Adams, CPA
     (615) 875-9554