Presentation is loading. Please wait.

Presentation is loading. Please wait.

PERSONALLY IDENTIFIABLE INFORMATION: AUDIT CONSIDERATIONS

Published byΕκάτη Κόρακας Modified over 5 years ago

Similar presentations

Presentation on theme: "PERSONALLY IDENTIFIABLE INFORMATION: AUDIT CONSIDERATIONS"— Presentation transcript:

1 PERSONALLY IDENTIFIABLE INFORMATION: AUDIT CONSIDERATIONS
Virginia Local Government Auditors Association May 3, 2019

2 Introductions Matthew Simons, CPA, CIA, CGAP Ryan Kohan, CPA Principal
15 years of experience Performance audits, internal audits, internal control/SOX assessments, compliance assessments, business/process process strategy and improvement exercises, management and executive advisory Ryan Kohan, CPA Manager 9 years of experience Performance audits, internal audits, SOX assessments, internal control evaluations, business process assessments, compliance assessments, and fraud identification assessments PII: AUDIT CONSIDERATIONS

3 About sc&h Group PII: AUDIT CONSIDERATIONS

4 Regulatory Considerations Planning & Identification
Today’s Objectives 01. 02. 03. 04. 05. PII: Defined Regulatory Considerations Planning & Identification Testing Procedures Risks and Mitigation PII: AUDIT CONSIDERATIONS

5 Background What is PII? “Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.” -NIST Special Publication Responsibility The organization is responsible for PII: Regulatory requirements, compliance, and maintenance PII: AUDIT CONSIDERATIONS

6 Division / Department Examples
Background Types / Locations Uses Storage / Disposal Internal (e.g. employees) External (e.g. citizens) Physical files / documentation System / electronic records Employee information Citizen records Student records Financial data File Cabinets Desks / Drawers Trash (Secure / Office) Computer Drives Servers Cloud Division / Department Examples Administration Accounting / Finance Audit Human Resources Information Technology Payroll Law Enforcement / Emergency Security Health Community Relations Schools PII: AUDIT CONSIDERATIONS

7 Organizational Risks Mitigating Practices
Relevance Organizational Risks Mitigating Practices Stakeholder Confidentiality Financial Exposure Fraud / Collusion Public Perception Reputation Legal / Regulatory (HIPAA) Centralized Governance Secure Disposal / Proper Deletion Organizational-Wide Policies Ongoing Training Departmental Specific Procedures Restricted Access (Physical and Electronic) Periodic Updates Periodic Monitoring and Self Assessments PII: AUDIT CONSIDERATIONS

8 The purpose of auditing PII
Identify documentation containing sensitive data Identify overall organizational risk and exposure Ensure that PII is being sufficiently managed, secured, and destroyed in order to protect the individuals associated with the PII Ensure compliance with applicable regulations PII: AUDIT CONSIDERATIONS

9 Regulations Applicable to PII
Federal regulations include, but may not be limited to: Health Insurance Portability and Accountability Act(HIPAA) Family Educational Rights and Privacy Act (FERPA) EU General Data Protection Regulation (GDPR) Code of Virginia Personal Information Privacy Act (selected sections) § Sale of purchaser information; notice required. § Recording date of birth as condition of accepting checks prohibited. § Restricted use of social security numbers. § Scanning information from driver's license or identification card; retention, sale, or dissemination of information. § Damages.

10 Regulations Applicable to PII
Code of Virginia § Breach of personal information notification. Code of Virginia § Students' personally identifiable information. Code of Virginia § Identity theft; penalty; restitution; victim assistance. Code of Virginia § :05. Breach of medical information notification. PII: AUDIT CONSIDERATIONS

11 Preparation and Information Gathering
Planning and Identification Preparation and Information Gathering Establish the definition of PII Consider two-tier planning approach Entity based PII based A risk based approach is used to prepare focused, impactful audit procedures Initial Procedures: Researching applicable regulations Compiling a list of all in-scope entities (departments, divisions, etc.) Request current PII related policies, procedures, and documentation inventories from in-scope entities PII: AUDIT CONSIDERATIONS

12 Preparation and Information Gathering
Planning and Identification Preparation and Information Gathering Manual method: Consider surveys and questionnaires Surveys should request process owners provide: Description/ list of documents held or used containing PII PII data types (e.g. SSN, address, credit card info) Storage methodology (e.g. physical filing cabinet, shared drive, database) Established retention periods and destruction methodology Communication and transportation methods (e.g. , mail, thumb drive) Internal training or policy related to PII Automated method: Data classification software may be used to identify electronic files containing PII PII: AUDIT CONSIDERATIONS

13 Planning and Identification
Risk Rank Entities Compile PII management procedures and documentation detail for side by side comparison to identify entities of higher risk Risk rank divisions and departments Consider different risk categories: Assessment of Management Procedures and Impact Level Assessment of Management Procedures: Process Controls: Controls are established and incorporated into procedures Policy and Training: Policy and training exist and are adhered to Security/ Application Access: Access to physical and digital PII is restricted PII: AUDIT CONSIDERATIONS

14 Planning and Identification
Risk Rank Entities Impact Level (NIST U.S. Department of Commerce Special Publication ) Identifiability: The ability to easily identify specific individuals or groups from the PII maintained by the organization. Quantity of PII: The number of PII records maintained (e.g. 10 vs. 10 million) by the organization. Data Field Sensitivity: The sensitivity of each PII data field, as well as the sensitivity of the data fields grouped together. Individuals' SSN, medical, and financial information is considered more sensitive than phone numbers and zip codes. Context of Use: The purpose for which PII is collected, stored, used, processed, disclosed, or disseminated to internal and external parties. Confidentiality Obligation: PII protection is required by laws, regulations, internal policies, or other mandates. PII: AUDIT CONSIDERATIONS

15 Planning and Identification
Risk Rank Entities Example of the ranking structure:

16 PII Inventory Creation and Criteria
Planning and Identification PII Inventory Creation and Criteria Meet with departments under audit to confirm and build out detailed PII documentation log, including the following information for each document: Documentation name PII Data types included The purpose/use of PII Storage method Associated retention period and destruction Apply data classification software results if used PII: AUDIT CONSIDERATIONS

17 PII Inventory Creation and Criteria
Planning and Identification PII Inventory Creation and Criteria Establish a criteria to identify higher risk documentation (e.g. SSN, medical information (HIPAA), financial information) Select documentation for testing based upon the risk criteria and your understanding of the entity under audit PII: AUDIT CONSIDERATIONS

18 Auditing Higher Risk Documentation
Testing Procedures Auditing Higher Risk Documentation Prepare an audit program for the processes around the selected documentation areas Auditing procedures of higher risk documentation may include: Perform a walkthrough of PII “life-cycle” from obtaining the information, dissemination, and disposal Perform a review of physical access Review electronic access to applications/databases Review document access logs to identify inappropriate access indicators Examine documentation to confirm that it is not held beyond retention periods PII: AUDIT CONSIDERATIONS

19 Possible Risks and Mitigation Techniques
Risk: Lack of centralized guidance/governance function Risk: Physical access to PII is not appropriately secured Risk: Electronic access is not secure or appropriate Potential Mitigation: Government wide policy/ expectation Centralized oversight and maintenance of policy Potential Mitigation: Locked shred bins, desks, or office areas Employee education Potential Mitigation: Restrict shared drives; lock critical spreadsheets Perform regular user access reviews to systems PII: AUDIT CONSIDERATIONS

20 Possible Risks and Mitigation Techniques
Risk: Communication methodology is not secure Risk: Unnecessary PII is collected and maintained Risk: Retention periods are not established/adhered to Potential Mitigation: Utilize encryption Restrict ability to communicate in non-secured methods Potential Mitigation: Periodically re-evaluate the need and purpose of sensitive PII Potential Mitigation: Develop retention schedules for all critical documentation Establish automated destruction of electronic documentation PII: AUDIT CONSIDERATIONS

21 Examples of Government PII Breaches
Why is this Important? Examples of Government PII Breaches US Postal Service (2017 through 2018) PII Breached: Name, addresses, account information Cost/Impact: 60 million users Georgia Secretary of State (2015) PII Breached: Names, SSN, DOB, driver’s license numbers Cost/Impact: All registered voters; approx. costs $395,000 for auditor, $1.2 million for credit monitoring Texas State Comptroller’s Office (2011) PII Breached: Names, addresses, SSN, DOB, driver’s license numbers Cost/Impact: 13.5 million residents; cost approximately $1.9 million not including lawsuits PII: AUDIT CONSIDERATIONS

22 Questions and Discussion

23 Contact information Matthew Simons, CPA, CIA, CGAP Principal  Ryan Kohan, CPA  Manager PII: AUDIT CONSIDERATIONS

Download ppt "PERSONALLY IDENTIFIABLE INFORMATION: AUDIT CONSIDERATIONS"

Similar presentations

University Data Classification Table* Level 5Level 4 Information that would cause severe harm to individuals or the University if disclosed. Level 5 information.

University Data Classification Table* Level 5Level 4 Information that would cause severe harm to individuals or the University if disclosed. Level 5 information.
Red Flags Rule BAS Forum August 18, 2010. What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.

Red Flags Rule BAS Forum August 18, What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.
Red Flag Rules: What they are? & What you need to do

Red Flag Rules: What they are? & What you need to do
Identification and Disposition of Official University Records University of Texas at Arlington Records Management.

Identification and Disposition of Official University Records University of Texas at Arlington Records Management.
Overview of the Privacy Act

Overview of the Privacy Act
Office of Health, Safety and Security

Office of Health, Safety and Security
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
HIPAA Regulations What do you need to know?.

HIPAA Regulations What do you need to know?.
Helping you protect your customers against fraud Division of Finance and Corporate Securities.

Helping you protect your customers against fraud Division of Finance and Corporate Securities.
Data Ownership Responsibilities & Procedures

Data Ownership Responsibilities & Procedures
Data Classification & Privacy Inventory Workshop

Data Classification & Privacy Inventory Workshop
Security Controls – What Works

Security Controls – What Works
Developing a Records & Information Retention & Disposition Program:

Developing a Records & Information Retention & Disposition Program:
1 Record Management Medical Center Administrative Group Fall Symposium November 15, 2000 University Audit.

1 Record Management Medical Center Administrative Group Fall Symposium November 15, 2000 University Audit.
Obtaining, Storing and Using Confidential Data October 2, 2014 Georgia Department of Audits and Accounts.

Obtaining, Storing and Using Confidential Data October 2, 2014 Georgia Department of Audits and Accounts.
Protecting Sensitive Information PA Turnpike Commission.

Protecting Sensitive Information PA Turnpike Commission.
Teresa Macklin Information Security Officer 27 May, 2009 Campus-wide Information Security Activities.

Teresa Macklin Information Security Officer 27 May, 2009 Campus-wide Information Security Activities.
Electronic Records Management: What Management Needs to Know May 2009.

Electronic Records Management: What Management Needs to Know May 2009.
HIPAA PRIVACY AND SECURITY AWARENESS.

HIPAA PRIVACY AND SECURITY AWARENESS.

Similar presentations

Ads by Google