Information Security Regulation, The Health ... - cis.gsu.edu

Information Security Regulation, Audit and Disclosure

Richard Baskerville

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules

• Covered entities

– Health Care Providers

– Health Plans

– Health Care Clearinghouses

• Protected health information (PHI) is individually identifiable health information held or transmitted by a covered entity, in any form (paper, electronic or oral).

• A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule, and to limit its incidental use and disclosure pursuant to an otherwise permitted or required use or disclosure.

Gramm-Leach-Bliley Act (1999)

• Mainly allowed commercial banks, investment banks, securities firms, and insurance companies to merge

• Governs the collection and disclosure of customers’ personal financial information by financial institutions

• Requires

– Providing each consumer with a privacy notice

– A policy to protect the information from foreseeable threats to security and data integrity

– A written information security plan

– Designating an employee as safeguards manager

– Conducting thorough risk analyses on each privacy-relevant department

– Developing, monitoring, and testing a program to secure privacy information

– Changing the safeguards in keeping with changes in information collection, storage, and use

Public Company Audit Reforms

• Significant changes to securities laws or practices

• Enacted in the wake of corporate financial scandals

• Examples

– European Union Council 8th Directive (expansion)

– Corporate Law Economic Reform Program (CLERP 9) (Australia)

– Sarbanes-Oxley Act of 2002 (US)

• Common goal: restore investor confidence in capital markets

EU 8th Directive

• Establishes a new audit regulatory committee composed of member states and chaired by a representative of the European Commission (EC). The committee assists the EC in establishing the implementation measures of the directive.

• Auditors or audit firms must:

– Be approved and registered in a member state.

– Meet continuing education requirements.

– Be subject to robust professional ethics.

– Be independent from the audited company.

– Adhere to the International Standards on Auditing.

– Meet quality assurance standards.

– Be governed by the member state's system of investigation and sanctions.

– Be subject to public oversight.

– Follow relationship procedures with an audited entity.

– Disclose an internal governance statement.

– Cooperate with the mandated audit committee in financial reporting.

• Revised 2014 (Effective 2016)

– Mandatory audits of public interest entities

– Requires Public Interest Oversight Board (PIOB)

Australian CLERP 9

• Ethical purpose similar to SarbOx and the EU 8th Directive, but softer

• Based on disclosure rather than criminalization

• Regulates auditor independence, periodic reporting, and corporate disclosure and certification of financial reports

• Two systems are similar enough to permit parallel compliance

– SarbOx compliance increases overhead

– Some issues in attorney-client confidentiality

• Executives are not required to certify the maintenance of internal controls to the public

– Required to certify to the directors of the company that the financial statements comply with accounting standards and represent the true and fair view of the current financial position of the company

US: Sarbanes-Oxley Act of 2002 (107th Congress, H.R. 3763; “Sarbox” or “SOX”)

[Photo] Senator Paul Sarbanes and Representative Michael Oxley being congratulated on the 30 July 2002 signing of their act after approval by the House 423-3 and by the Senate 99-0.

Public Company Accounting Oversight Board: Title I (Sections 101-109)

• Deals with the establishment of the PCAOB, which registers and reviews public accounting firms under the oversight of the SEC, with responsibility for investigations and disciplinary actions for breaches of accounting standards.

Auditor Independence: Title II (Sections 201-209)

• Deals with conflicts of interest in the business relationships of audit firms and steps to unveil such conflicts, like rotating firms and audit partners, reporting to the audit committee, etc.

• Section 201: Services Outside the Scope of Practice of Auditors; Prohibited Activities.

– This section prohibits an audit firm from providing “non-audit services” to a company while auditing it, e.g.,

• Bookkeeping

• Financial information systems design and implementation

• Management functions or human resources

Corporate Responsibility: Title III (Sections 301-308)

• Deals with company audit committees and the conduct of officers and directors.

Enhanced Financial Disclosures: Title IV (Sections 401-409)

• Deals with company responsibilities for periodic financial reports, assessment of internal controls, code of ethics, and other aspects of disclosures.

• Section 404: Management Assessment of Internal Controls.

• Requires an “internal control report”

– Establish and maintain adequate internal control structure and procedures

– Assess their effectiveness

Analyst Conflicts of Interest: Title V (Section 501)

• Deals with conflict of interest rules for exchanges and associations.

Commission Resources and Authority: Title VI (Sections 601-604)

• Deals with SEC budget and authority.

Studies and Reports: Title VII (Sections 701-705)

• Deals with government reports.

Corporate and Criminal Fraud Accountability: Title VIII (Sections 801-807)

• Deals with faked or destroyed documents, retention of records, and criminal penalties.

White Collar Crime Penalty Enhancements: Title IX (Sections 901-906)

• Increases some criminal penalties, criminalizes record tampering and fraudulent financial statements, etc.

Corporate Tax Returns: Title X (Section 1001)

• CEO must sign tax returns (stated as the sense of the Senate)

Corporate Fraud and Accountability: Title XI (Sections 1101-1107)

• Deals with record tampering, impeding officials, and SEC authority to freeze payments and bar securities fraudsters from serving as company officers.

PCAOB Auditing Standard No. 5 (reorganized as AS 2201 in 2016)

• Direction for the audit of management's assessment of the effectiveness of internal control over financial reporting, integrated with the financial statement audit.

• Auditors learn how IT affects transaction flow. The identification of risks and controls within IT is part of a top-down audit. Audits test controls and assess the risk of a material weakness in disclosures.

PCAOB Auditing Standard No. 12 (reorganized as AS 2110 in 2016)

• IT risks to a company's internal control over financial reporting:

– Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both;

– Unauthorized access to data that might result in destruction of data or improper changes to data;

– The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties, thereby breaking down segregation of duties;

– Unauthorized changes to data in master files;

– Unauthorized changes to systems or programs;

– Failure to make necessary changes to systems or programs;

– Inappropriate manual intervention; and

– Potential loss of data or inability to access data as required.

Appendix B: Consideration of Manual and Automated Systems and Controls
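The AS 5 slide says the auditor tests controls top-down, and the AS 12 list says which IT risks those controls must address. The script below, an added example that is not part of the slides or of any PCAOB material, shows what four of those risks look like as automated control tests: segregation-of-duties conflicts, IT staff holding business-transaction privileges, master-file and program changes without an approved change ticket, and manual overrides. The access matrix, user names, entitlement codes, change-log entries and ticket IDs are all constructed for the example; the SoD rule set is a hypothetical one that management and the auditor would agree on for a real engagement.

```python
"""
Automated tests for four IT risks to internal control over financial reporting
(ICFR) listed in PCAOB AS 12 Appendix B: segregation-of-duties breakdowns,
IT personnel with privileges beyond their role, unauthorized changes to master
files and programs, and inappropriate manual intervention.

All data is constructed for this example; user names, entitlement codes and
change-ticket IDs are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed access matrix exported from an ERP: user -> granted entitlements.
ENTITLEMENTS: Dict[str, Set[str]] = {
    "alice": {"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"},            # business SoD conflict
    "bob":   {"DEV_COMMIT", "PROD_DEPLOY"},                          # IT SoD conflict
    "carol": {"AP_CREATE_VENDOR"},
    "dave":  {"PROD_DEPLOY", "DBA_MASTER_EDIT", "GL_POST_JOURNAL"},  # IT admin who can post journals
    "erin":  {"GL_POST_JOURNAL"},
}

# Hypothetical SoD rule set: entitlement pairs no single user may hold together.
SOD_CONFLICTS: Dict[frozenset, str] = {
    frozenset({"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}): "vendor creation + payment approval",
    frozenset({"DEV_COMMIT", "PROD_DEPLOY"}): "develop + deploy to production",
}

IT_ENTITLEMENTS = {"DEV_COMMIT", "PROD_DEPLOY", "DBA_MASTER_EDIT"}
BUSINESS_ENTITLEMENTS = {"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT", "GL_POST_JOURNAL"}


@dataclass(frozen=True)
class Change:
    ts: str
    user: str
    target: str            # master file or program touched
    kind: str              # "master_data", "program" or "manual_override"
    ticket: Optional[str]  # change ticket cited, if any


# Constructed change log (ERP audit trail plus deployment tooling, merged).
CHANGE_LOG: List[Change] = [
    Change("2024-03-01T09:10Z", "dave",  "vendor_master",     "master_data",     None),
    Change("2024-03-01T10:30Z", "bob",   "payroll_batch.cbl", "program",         "CHG-1042"),
    Change("2024-03-02T08:00Z", "bob",   "payroll_batch.cbl", "program",         None),
    Change("2024-03-02T17:45Z", "erin",  "gl_journal_0302",   "manual_override", None),
    Change("2024-03-03T11:15Z", "carol", "vendor_master",     "master_data",     "CHG-1050"),
]

# Tickets carrying an approval in the (hypothetical) change-management system.
APPROVED_TICKETS: Set[str] = {"CHG-1042", "CHG-1050"}


def sod_conflicts(entitlements: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Users holding a conflicting pair of entitlements (segregation-of-duties breakdown)."""
    findings = []
    for user, rights in sorted(entitlements.items()):
        for pair, label in SOD_CONFLICTS.items():
            if pair <= rights:  # user holds every entitlement in the conflicting pair
                findings.append((user, label))
    return findings


def it_staff_with_business_access(entitlements: Dict[str, Set[str]]) -> List[str]:
    """IT personnel whose privileges also let them enter or approve business transactions."""
    return sorted(user for user, rights in entitlements.items()
                  if rights & IT_ENTITLEMENTS and rights & BUSINESS_ENTITLEMENTS)


def unapproved_changes(log: List[Change], approved: Set[str]) -> List[Change]:
    """Master-file and program changes that cite no approved change ticket."""
    return [c for c in log
            if c.kind in ("master_data", "program") and c.ticket not in approved]


def manual_interventions(log: List[Change]) -> List[Change]:
    """Manual overrides of automated processing; each needs a documented business reason."""
    return [c for c in log if c.kind == "manual_override"]


def run_all() -> Dict[str, list]:
    """Run every test and return findings keyed by the AS 12 risk they address."""
    return {
        "segregation_of_duties": sod_conflicts(ENTITLEMENTS),
        "excess_it_privileges": it_staff_with_business_access(ENTITLEMENTS),
        "unauthorized_changes": unapproved_changes(CHANGE_LOG, APPROVED_TICKETS),
        "manual_intervention": manual_interventions(CHANGE_LOG),
    }


if __name__ == "__main__":
    for risk, findings in run_all().items():
        print(f"{risk}: {len(findings)} finding(s)")
        for finding in findings:
            print("   ", finding)
```

In a real engagement the access matrix and change log come from system exports, the SoD rule set comes from the risk assessment, and each finding is traced back to the control it tests (the Section 404 "internal control report" is built from those traces). The point of scripting the tests is that they can be re-run on every export rather than sampled once a year.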

Statement on Standards for Attestation Engagements (SSAE) No. 16

• Issued by the American Institute of Certified Public Accountants (AICPA); replaced SAS 70 (and was itself superseded by SSAE No. 18 in 2017)

• Service organization control reports

• An auditor opinion/report on a service organization that:

– The description of its system fairly presents its design and implementation

– The controls related to the described objectives are suitably designed

– (Optional) Auditor's tests of the operating effectiveness of controls

• Driven by Sarbox Section 404

Generally Accepted Privacy Principles (GAPP), AICPA/CICA

1. Management. The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.

2. Notice. The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.

3. Choice and consent. The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.

4. Collection. The entity collects personal information only for the purposes identified in the notice.

5. Use, retention, and disposal. The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.

6. Access. The entity provides individuals with access to their personal information for review and update.

7. Disclosure to third parties. The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.

8. Security for privacy. The entity protects personal information against unauthorized access (both physical and logical).

9. Quality. The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.

10. Monitoring and enforcement. The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.

CIO Involvement (PwC Guidance)