Internal Audit and the Virtual World of E-Services

Association of Credit Union Internal Auditors

ACUIA 2012

E-Services

Electronic funds transfer
Automated teller machines
Internet-accessible services
Lending
Financial portals
Account openings / closings
Electronic bill pay
And on and on and ...
Mobile banking
Expanding wireless services
And on and on and ...

Developing an E-Strategy


Back to the Basics

E-Services and Areas of Risk Management

Credit risk
Interest rate (market) risk
Liquidity risk
Transaction (fraud) risk
Compliance (regulatory) risk
Strategic risk (decisions)
Reputation risk (impact of actions)

Internal Audit’s Responsibility

Identify the key risk management principles that assist the credit union in expanding its existing risk management policies and processes to cover e-services activities
Promote safe and sound delivery of such services
These principles are not fundamentally different from those applied to services delivered through other distribution channels

E-Strategy Decision Making

Continuing technological innovation and competition driving a wider array of products and services and delivery mechanisms
Creates a “risk / reward” environment for credit unions
Unprecedented speed of change
Global nature of open electronic networks
Integration of e-services applications with legacy computer systems
Increasing dependence on third-party deliverers

Board and Management Oversight

The credit union’s board of directors and executive management share responsibility for developing the credit union’s business strategy and establishing effective management oversight of risk, including the risk presented by e-services.
Review and approval of the credit union’s security control process
Infrastructure - protection from both internal (primary role of internal audit) and external threats
Reliance on outsourced relationships and dependencies

Reputation Risk Management

E-services must be delivered on a consistent and timely basis
High member expectations for availability and high transaction demand
Incident response mechanisms
Business continuity and contingency planning
Communication strategies

Internal Audit E-Services Challenges

Speed of change (relative factor)
Shrinking implementation / testing times
IA needs to be involved (heavily) to ensure that adequate strategic assessment, risk analysis and security reviews are conducted PRIOR TO implementation of new applications
Transactional services (and third-party web sites) are now typically integrated as much as possible with legacy computer systems
Reduces opportunities for human error and fraud
Increases dependence on systems design, architecture, system interoperability and operational scalability

Internal Audit E-Services Challenges

Increases credit union’s dependence on IT
Least understood operational area by those providing internal oversight
Again, third party arrangements with some vendors who may be unregulated
Creation of new business models
Global accessibility (truly “global”)

Internal Audit Considerations: E-Services Board and Management Oversight

Effective management oversight
Establishment of a comprehensive security control process
Comprehensive due diligence and management oversight for outsourcing relationships and other third-party dependencies

Internal Audit Considerations: E-Services Security / Transaction Risk Controls

Authentication of e-services member-users
Non-repudiation and accountability for e-services transactions
Appropriate measures to ensure segregation of duties
Proper authorization controls within e-services systems, databases and applications
Data integrity of e-services transactions, records and information
Establishment of clear audit trails for e-services transactions
Confidentiality of information

Internal Audit Considerations: E-Services Compliance / Strategic / Reputation Risk Factors

Appropriate disclosures
Privacy of member information
Capacity, business continuity and contingency planning to ensure availability of e-services systems
Incident response planning

Internal Audit Considerations: Board and Management Oversight

Board of directors and senior management should establish effective management oversight over the risks associated with e-services activities, including the establishment of specific accountability, policies and controls to manage these risks.
Major elements of the delivery channels (internet, wireless and related technologies) are outside of the credit union’s direct control
Internet facilitates delivery of services across multiple national jurisdictions, including those not served through physical locations
Complexity of issues can be (far) outside the traditional experience of the Board and Management

Internal Audit Considerations: Board and Management Oversight

Oversight factors the internal auditor should consider:
Ensure Board/Management have established the credit union’s risk appetite in relation to e-services
Ensure that key delegations and reporting mechanisms are established for those incidents that impact safety and soundness or reputation
Ensure Board/Management have addressed any unique risk factors associated with ensuring security, integrity and availability of e-services
Also, ensure that third-parties take similar measures
Ensure that appropriate due diligence and risk analyses are performed before e-services are developed and implemented

Internal Audit Considerations: Board and Management Oversight

Board of directors and senior management should review and approve the key aspects of the credit union’s security control process:
Infrastructure (including internal audit)
Both internal and external threats
Authorization privileges
Logical and physical access controls
Appropriate boundaries and restrictions on both internal and external user activity
Policies and procedures
Assignment of explicit responsibility for oversight
Sufficient physical controls to protect access to the computing environment
Sufficient logical controls to prevent access to applications and databases
Regular review and testing of security measures and controls

Internal Audit Considerations: Board and Management Oversight

Board of directors and senior management should establish a comprehensive and ongoing due diligence and oversight process for managing the credit union’s outsourcing relationships and other third-party dependencies supporting e-services
Historically, outsourcing was often limited to a single service provider for a given functionality – HOWEVER – outsourcing relationships have increased in complexity as a direct result of advances in technology and the emergence of e-services

Internal Audit Considerations: Board and Management Oversight

Oversight factors the internal auditor should consider:
Ensure that the credit union fully understands the risks associated with entering into an outsourcing or partnership arrangement for e-services systems or applications
Ensure due diligence review of the competency and financial viability of any third-party service provider is conducted PRIOR TO entering into any contracts for e-services
Ensure the contractual accountability of all parties to the outsourcing or partnership relationship is clearly defined
Ensure all outsourced e-services systems and operations are subject to risk management, security and privacy policies that meet the credit union’s standards
Ensure internal and/or external audits are conducted of outsourced operations (same level as if the operations were in-house)
Ensure contingency plans exist for outsourced e-services activities

Internal Audit Considerations: Security / Transaction Risk Controls

Authentication
Non-repudiation
Data and transaction integrity
Segregation of duties
Authorization controls
Maintenance of audit trails
Confidentiality

Internal Audit Considerations: Security / Transaction Risk Controls

Credit union should take appropriate measures to authenticate the identity and authorization of members with whom it conducts business electronically
Obviously, member verification during account or e-service origination is important in reducing the risk of identity theft, fraudulent account applications, and money laundering

Internal Audit Considerations: Security / Transaction Risk Controls

Oversight factors the internal auditor should consider:
Ensure that authentication databases providing access to e-services member accounts or sensitive systems are adequately protected and any tampering is detectable and documented
Ensure that any addition, deletion or change of an individual, agent or system to an authentication database is duly authorized by an authenticated source
Ensure that appropriate measures are in place to control the e-services system connection such that unknown third parties cannot displace known members
Ensure that authenticated e-services sessions remain secure throughout the full duration of the session

Internal Audit Considerations: Security / Transaction Risk Controls

Credit union should use transaction authentication methods that promote non-repudiation and establish accountability for e-services transactions
Non-repudiation involves creating proof of the origin or delivery of electronic information to protect the sender against false denial by the recipient that the data has been received, or to protect the recipient against false denial by the sender that the data has been sent.

Internal Audit Considerations: Security / Transaction Risk Controls

Oversight factors the internal auditor should consider:
Ensure that e-services systems are designed to reduce the likelihood that authorized users will initiate unintended transactions and that members fully understand the risks associated with any transactions they initiate
Ensure that all parties to the transaction are positively authenticated and that control is maintained over the authenticated channel
Ensure that financial transaction data are protected from alteration and any alteration is detectable

Internal Audit Considerations: Security / Transaction Risk Controls

Credit union should ensure that appropriate measures are in place to promote adequate segregation of duties within e-services systems, databases and applications
Obviously, a basic internal control measure designed to reduce the risk of fraud in operational processes and systems and to ensure that transactions and credit union assets are properly authorized, recorded and safeguarded
No one person should be in a position to commit a theft and cover that theft, or create an error and cover that error
E-services may necessitate modifying the ways in which segregation of duties is established and maintained
Access to poorly secured databases can be more easily gained through internal and external networks – ensure adequate audit trails

Internal Audit Considerations: Security / Transaction Risk Controls

Oversight factors the internal auditor should consider:
Ensure that transaction processes and systems are designed to ensure that no single employee/outsourced service provider could enter, authorize and complete a transaction
Ensure that segregation is maintained between those initiating static data (including web-page content) and those responsible for verifying its integrity
Ensure that e-services systems are tested to ensure segregation of duties cannot be bypassed
Ensure that segregation is maintained between those developing and those administering e-services systems
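The two slides above describe the maker-checker control in words. The Python below is an added example, not from the ACUIA presentation, showing how an e-services transaction workflow can enforce that no single principal enters, authorizes and completes the same transaction, and how an auditor's test can confirm the control cannot be bypassed. The principal names, transaction ids and amounts are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


class SegregationViolation(Exception):
    """Raised when a step would let one principal hold two of the three duties."""


@dataclass
class Transaction:
    """One e-services transaction moving through enter -> authorize -> complete."""
    tx_id: str
    amount: float
    entered_by: str                      # the maker: whoever keyed the transaction
    authorized_by: Optional[str] = None  # the checker: must differ from the maker
    completed_by: Optional[str] = None   # the releaser: must differ from both
    # Every attempt, allowed or refused, is kept so an auditor can review it later.
    history: List[Tuple[str, str, str]] = field(default_factory=list)

    def _record(self, step: str, principal: str, outcome: str) -> None:
        self.history.append((step, principal, outcome))

    def authorize(self, principal: str) -> None:
        if principal == self.entered_by:
            self._record("authorize", principal, "refused: same principal entered it")
            raise SegregationViolation(f"{principal} entered {self.tx_id} and cannot authorize it")
        if self.authorized_by is not None:
            self._record("authorize", principal, "refused: already authorized")
            raise SegregationViolation(f"{self.tx_id} is already authorized")
        self.authorized_by = principal
        self._record("authorize", principal, "ok")

    def complete(self, principal: str) -> None:
        if self.authorized_by is None:
            self._record("complete", principal, "refused: not yet authorized")
            raise SegregationViolation(f"{self.tx_id} has not been authorized")
        if principal in (self.entered_by, self.authorized_by):
            self._record("complete", principal, "refused: principal already holds a duty")
            raise SegregationViolation(f"{principal} already holds a duty on {self.tx_id}")
        self.completed_by = principal
        self._record("complete", principal, "ok")


def run_sod_test_cases() -> Dict[str, bool]:
    """Exercise the control the way slide 27 asks: test that it cannot be bypassed.
    Returns scenario name -> True when the control behaved as required."""
    results: Dict[str, bool] = {}

    # Happy path: three distinct principals, each holding exactly one duty.
    tx = Transaction("TX-1001", 2500.00, entered_by="teller_a")
    tx.authorize("supervisor_b")
    tx.complete("ops_c")
    results["three_distinct_principals"] = tx.completed_by == "ops_c"

    # Bypass attempt 1: the enterer tries to authorize their own entry.
    tx = Transaction("TX-1002", 900.00, entered_by="teller_a")
    try:
        tx.authorize("teller_a")
        results["self_authorization_blocked"] = False
    except SegregationViolation:
        results["self_authorization_blocked"] = tx.authorized_by is None

    # Bypass attempt 2: the authorizer also tries to complete.
    tx = Transaction("TX-1003", 12000.00, entered_by="teller_a")
    tx.authorize("supervisor_b")
    try:
        tx.complete("supervisor_b")
        results["authorizer_completion_blocked"] = False
    except SegregationViolation:
        results["authorizer_completion_blocked"] = tx.completed_by is None

    # Bypass attempt 3: completing a transaction nobody authorized (entered by an
    # outsourced service account, which the slide says is subject to the same rule).
    tx = Transaction("TX-1004", 50.00, entered_by="vendor_svc")
    try:
        tx.complete("ops_c")
        results["completion_without_authorization_blocked"] = False
    except SegregationViolation:
        results["completion_without_authorization_blocked"] = tx.completed_by is None

    return results


if __name__ == "__main__":
    for name, ok in run_sod_test_cases().items():
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
```

The refused attempts stay in each transaction's `history`, which is the evidence an auditor would sample to show the control operated, not just that it exists.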

Internal Audit Considerations: Security / Transaction Risk Controls

Credit union should ensure that proper authorization controls and access privileges are in place for e-services systems, databases and applications
In e-services systems, authorizations and access rights can be established in either a centralized or distributed manner and are generally stored in databases
Protection of those databases from tampering or corruption is essential

Internal Audit Considerations: Security / Transaction Risk Controls

Oversight factors the internal auditor should consider:
Ensure that specific authorization and access privileges are assigned to all individuals, third-parties or systems which conduct e-services activities
Ensure that all e-services systems are constructed to ensure that they interact only with valid authorization databases
Ensure that no individual or system has the authority to change his or her own authority or access privileges in an e-services authorization database
Ensure that any authorization database that has been tampered with is not used until replaced with a validated database
Ensure that controls are in place to prevent changes to authorization levels during e-services transaction sessions, and that any attempts to alter authorization are logged and brought to the attention of management
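An added example (not from the presentation) putting the controls of the two slides above into working Python: the privilege table is kept under an HMAC seal so a copy edited without the key fails validation on load and is refused, changes are accepted only from an authenticated administrator, no principal (administrators included) may alter their own privileges, and every refused attempt is logged for management review. The sealing key, principal names and privilege names are constructed for the example; a real deployment keeps the key in an HSM or secrets manager.

```python
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed key for the example only; never keep a sealing key in source.
SEAL_KEY = b"example-seal-key-not-for-production"


def seal(privileges: Dict[str, List[str]]) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the whole privilege table."""
    canonical = json.dumps(privileges, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SEAL_KEY, canonical, hashlib.sha256).hexdigest()


class AuthorizationDB:
    """Privilege table plus the controls slide 29 asks the auditor to look for."""

    def __init__(self, privileges: Dict[str, List[str]], seal_value: str):
        self.privileges = privileges
        self.seal_value = seal_value
        self.change_log: List[Tuple[str, str, str]] = []  # (actor, target, outcome)
        # Validate once on load; a table whose seal does not match is never used.
        self.validated = hmac.compare_digest(seal(privileges), seal_value)

    def lookup(self, principal: str) -> List[str]:
        if not self.validated:
            raise RuntimeError("authorization database failed integrity check; "
                               "do not use until replaced with a validated copy")
        return sorted(self.privileges.get(principal, []))

    def set_privileges(self, actor: str, target: str, new_privs: List[str],
                       actor_authenticated: bool) -> None:
        """Change a principal's privileges; every refusal is logged for management."""
        if not self.validated:
            self.change_log.append((actor, target, "refused: database not validated"))
            raise RuntimeError("authorization database not validated")
        if not actor_authenticated:
            self.change_log.append((actor, target, "refused: actor not authenticated"))
            raise PermissionError("changes must come from an authenticated source")
        if actor == target:
            # Nobody, administrators included, may alter their own privileges.
            self.change_log.append((actor, target, "refused: self-modification"))
            raise PermissionError(f"{actor} may not change their own privileges")
        if "admin" not in self.privileges.get(actor, []):
            self.change_log.append((actor, target, "refused: actor lacks admin"))
            raise PermissionError(f"{actor} is not authorized to change privileges")
        self.privileges[target] = sorted(new_privs)
        self.seal_value = seal(self.privileges)  # re-seal after every authorized change
        self.change_log.append((actor, target, "ok"))


# Constructed privilege table for the example.
SAMPLE_PRIVILEGES = {
    "admin_a": ["admin", "view_accounts"],
    "teller_b": ["post_deposit", "view_accounts"],
    "batch_svc": ["post_interest"],
}


def run_authz_scenarios() -> Dict[str, bool]:
    """Walk through the slide's four controls; each value is True when the control held."""
    results: Dict[str, bool] = {}
    privs = copy.deepcopy(SAMPLE_PRIVILEGES)
    db = AuthorizationDB(privs, seal(privs))
    results["validated_on_load"] = db.validated

    # An authenticated administrator changes someone else's privileges: allowed.
    db.set_privileges("admin_a", "teller_b", ["post_deposit", "post_withdrawal", "view_accounts"], True)
    results["admin_change_applied"] = db.lookup("teller_b") == ["post_deposit", "post_withdrawal", "view_accounts"]

    # A teller tries to grant themselves admin: refused and logged.
    try:
        db.set_privileges("teller_b", "teller_b", ["admin"], True)
        results["self_elevation_blocked"] = False
    except PermissionError:
        results["self_elevation_blocked"] = "admin" not in db.lookup("teller_b")

    # Even the administrator may not change their own privileges.
    try:
        db.set_privileges("admin_a", "admin_a", ["admin", "post_deposit", "view_accounts"], True)
        results["admin_self_change_blocked"] = False
    except PermissionError:
        results["admin_self_change_blocked"] = True

    # A copy edited without the sealing key (batch_svc given admin) is refused on use.
    tampered = copy.deepcopy(SAMPLE_PRIVILEGES)
    tampered["batch_svc"].append("admin")
    bad_db = AuthorizationDB(tampered, seal(SAMPLE_PRIVILEGES))
    try:
        bad_db.lookup("batch_svc")
        results["tampered_db_rejected"] = False
    except RuntimeError:
        results["tampered_db_rejected"] = not bad_db.validated

    results["refusals_logged"] = sum(1 for _, _, o in db.change_log if o.startswith("refused")) == 2
    return results
```

The seal covers the whole table rather than individual rows, so adding, removing or reordering principals is caught as well as editing a privilege list; the cost is that every authorized change re-seals the table, which is cheap for a table of this size.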

Internal Audit Considerations: Security / Transaction Risk Controls

Credit union should ensure that appropriate measures are in place to protect the data integrity of e-services transactions, records and information
Data integrity refers to the assurance that information that is in-transit or in storage is not altered without authorization
Failure to maintain data integrity, obviously, exposes the credit union to substantial reputation risk

Internal Audit Considerations: Security / Transaction Risk Controls

Oversight factors the internal auditor should consider:
Ensure that e-services transactions are conducted in a manner that makes them highly resistant to tampering throughout the entire process
Ensure that e-services records are stored, accessed and modified in a manner that makes them highly resistant to tampering
Ensure that e-services transactions and record-keeping processes are designed in such a manner as to make it virtually impossible to circumvent detection of unauthorized changes
Ensure that adequate change control policies are in place to protect against any e-services system changes that may erroneously or unintentionally compromise controls or data reliability
Ensure that any tampering with e-services transactions or records can be detected by transaction processing, monitoring and record keeping functions

Internal Audit Considerations: Security / Transaction Risk Controls

Credit union should ensure that clear audit trails exist for all e-services transactions
Much, if not all, of the credit union’s records and evidence supporting e-services transactions are in an electronic format, potentially weakening the credit union’s internal control environment if it is unable to maintain clear audit trails

Internal Audit Considerations: Security / Transaction Risk Controls

Oversight factors the internal auditor should consider:
Ensure audit trails exist for:
The opening, modification or closing of a member’s account
Any transaction with financial consequences
Any authorization granted to a member to exceed a previously established limit
Any granting, modification or revocation of systems access rights or privileges

Internal Audit Considerations: Security / Transaction Risk Controls

Credit union should take appropriate measures to preserve the confidentiality of key e-services information
Measures taken to preserve confidentiality should be commensurate with the sensitivity of the information being transmitted and/or stored in databases
Obviously, the advent of e-services presents an additional security challenge because it increases the exposure that information transmitted over public networks or stored in databases may be accessible by unauthorized or inappropriate parties

Internal Audit Considerations: Security / Transaction Risk Controls

Oversight factors the internal auditor should consider:
Ensure that all confidential credit union data and records are only accessible by duly authorized and authenticated individuals or systems
Ensure that all confidential credit union data are maintained in a secure manner and protected from unauthorized viewing or modification during transmission over public, private or internal networks
Ensure that the credit union’s standards and controls for data use and protection are met when third parties have access to the data through outsourcing relationships
Ensure that all access to restricted data is logged and appropriate efforts are made to ensure that access logs are resistant to tampering
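The audit-trail events listed on slide 33, the tamper-detection requirement of slide 31, and the tamper-resistant access logs of the slide above can all be served by one mechanism: a hash-chained, append-only log. The Python below is an added example, not part of the presentation; its event names, timestamps and member/account identifiers are constructed. Each entry commits to the hash of the entry before it, so altering or deleting any record is detected on verification, and comparing the latest hash against a copy recorded out of band catches truncation of the tail as well.

```python
import hashlib
import json
from typing import Any, Dict, List, Optional, Tuple

# Event kinds the presentation says an audit trail must cover (slides 33 and 35).
REQUIRED_EVENTS = {
    "account_opened", "account_modified", "account_closed",  # member account lifecycle
    "financial_transaction",                                 # anything with financial consequences
    "limit_override",                                        # authorization to exceed an established limit
    "access_granted", "access_modified", "access_revoked",   # system access rights and privileges
    "restricted_data_access",                                # access to restricted data (slide 35)
}
GENESIS = "0" * 64  # prev-hash of the very first entry


def _digest(body: Dict[str, Any]) -> str:
    """SHA-256 over a canonical JSON encoding, so field order cannot change the hash."""
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


class AuditTrail:
    """Append-only log in which every entry commits to the hash of the one before it."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, Any]] = []

    def append(self, ts: str, event: str, actor: str, subject: str, detail: Dict[str, Any]) -> str:
        if event not in REQUIRED_EVENTS:
            raise ValueError(f"unknown audit event kind: {event}")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "ts": ts, "event": event,
                "actor": actor, "subject": subject, "detail": detail, "prev": prev}
        body["hash"] = _digest(body)  # hash is computed over everything except itself
        self.entries.append(body)
        return body["hash"]

    def head(self) -> str:
        """Hash of the latest entry; record it out of band (e.g. write-once media)
        so that removing entries from the end of the log is also detectable."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Tuple[bool, int]:
        """Return (ok, index): index is the first bad entry, or -1 if the chain is intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or entry["prev"] != prev or _digest(body) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)  # entries were removed from the tail
        return True, -1


def build_sample_trail() -> AuditTrail:
    """Constructed sample events, one of each kind the slides call for."""
    t = AuditTrail()
    t.append("2012-06-01T09:00:00Z", "account_opened", "teller_a", "member:10442", {"product": "share_draft"})
    t.append("2012-06-01T09:05:00Z", "access_granted", "admin_a", "user:teller_b", {"role": "teller"})
    t.append("2012-06-01T10:12:00Z", "financial_transaction", "member:10442", "acct:884120",
             {"type": "bill_pay", "amount": 125.40})
    t.append("2012-06-01T10:30:00Z", "limit_override", "supervisor_b", "member:10442",
             {"limit": "daily_ach", "new_limit": 5000})
    t.append("2012-06-01T11:00:00Z", "restricted_data_access", "teller_b", "member:10442",
             {"fields": ["ssn", "dob"]})
    return t


def run_tamper_checks() -> Dict[str, Tuple[bool, int]]:
    """Show what each kind of tampering looks like to verify()."""
    results: Dict[str, Tuple[bool, int]] = {}
    t = build_sample_trail()
    recorded_head = t.head()  # what the auditor keeps out of band
    results["intact"] = t.verify(recorded_head)

    # Alter the amount of the bill-pay entry: that entry's own hash no longer matches.
    t.entries[2]["detail"]["amount"] = 9999.00
    results["altered_entry"] = t.verify(recorded_head)

    # Delete an entry from the middle: sequence numbers and prev links break there.
    t = build_sample_trail()
    del t.entries[1]
    results["deleted_entry"] = t.verify(recorded_head)

    # Truncate the tail: the chain itself stays consistent, only the recorded head catches it.
    t = build_sample_trail()
    t.entries.pop()
    results["truncated_tail_without_head"] = t.verify()
    results["truncated_tail_with_head"] = t.verify(recorded_head)
    return results
```

The chain makes modification and deletion evident but does not by itself prevent them; the control the auditor should look for is the combination of the chain, a head hash recorded somewhere the log's writers cannot reach, and a verification run on a schedule.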

Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors

Credit union should ensure that adequate information is provided on its website to allow potential members to make an informed conclusion about the identity and regulatory status of the credit union prior to entering into e-services transactions

Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors

Oversight factors the internal auditor should consider:
Ensure that the website contains such information as the following:
Name of the credit union and location of its head office
Identity of the primary credit union supervisory authorities
How members can contact the credit union regarding service problems, complaints, misuse of accounts, etc.
How members can access and use applicable consumer complaint sources
Other information required by regulators

Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors

Credit union should take appropriate measures to ensure adherence to member privacy requirements applicable to the jurisdictions to which the credit union is providing e-services
Key responsibility of the credit union
Huge exposure to legal and reputation risk

Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors

Oversight factors the internal auditor should consider:
Ensure that the credit union’s privacy policies and standards take account of and comply with all privacy regulations and laws applicable to the jurisdictions to which it is providing e-services
Ensure that members are made aware of the credit union’s privacy policies and relevant privacy issues concerning use of e-services
Ensure that member data are not used for purposes beyond those for which they are specifically allowed or that members have authorized
Ensure that the credit union’s standards for member data use are met when third parties have access to member data

Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors

Credit union should have effective capacity, business continuity and contingency planning processes to help ensure the availability of e-services systems
To protect the credit union, e-services must be delivered on a consistent and timely basis in accordance with member expectations

Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors

Oversight factors the internal auditor should consider:
Ensure that current e-services system capacity and future scalability are analyzed in light of the overall market dynamics for e-commerce and the projected rate of member acceptance of e-services
Ensure that e-services transaction processing capacity estimates are established, stress tested and periodically reviewed
Ensure that appropriate business continuity and contingency plans for critical e-services processing and delivery systems are in place and tested regularly

Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors

Sound business continuity practices for e-services:
All e-services and applications, including those provided by third-party service providers, should be identified and assessed for criticality.
A risk assessment for each critical e-service and application, including the potential implications of any business disruption on the credit union's credit, liquidity, operational and reputation risk, should be conducted.
Performance criteria for each critical e-service and application should be established, and service levels should be monitored against such criteria.

Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors

Sound business continuity practices for e-services:
Appropriate measures should be taken to ensure that e-services systems can handle high and low transaction volume and that systems performance and capacity are consistent with the credit union’s expectations for future growth in e-services.
Consideration should be given to developing processing alternatives for managing demand when e-services systems appear to be reaching defined capacity checkpoints.

Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors

Sound business continuity practices for e-services:
E-services business continuity plans should be formulated to address any reliance on third-party service providers and any other external dependencies required to achieve recovery.
E-services contingency plans should set out a process for restoring or replacing e-services processing capabilities and reconstructing supporting transaction information, and include measures to be taken to resume availability of critical e-services systems and applications in the event of a business disruption.

Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors

Credit union should develop appropriate incident response plans to manage, contain and minimize problems arising from unexpected events, including internal and external attacks, that may hamper the provision of e-services systems
Include communication strategies

Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors

Oversight factors the internal auditor should consider:
Ensure that incident response plans address recovery of e-services systems and services under various scenarios, businesses and geographic locations.
Scenario analysis should include consideration of the likelihood of the risk occurring and its impact on the credit union.
E-services systems that are outsourced to third-party service providers should be an integral part of these plans
Ensure that mechanisms are in place to identify an incident or crisis as soon as it occurs, assess its materiality, and control the reputation risk associated with any disruption in service

Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors

Oversight factors the internal auditor should consider:
Ensure that the credit union has a communication strategy to adequately address external market and media concerns that may arise in the event of security breaches, online attacks and/or failures of e-services systems
Ensure that a clear process is in place for alerting the appropriate regulatory authorities in the event that material security breaches or disruptive incidents occur.
Ensure that incident response teams have been appointed with the authority to act in an emergency and are sufficiently trained in analyzing incident detection/response systems and interpreting the significance of related output.

Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors

Oversight factors the internal auditor should consider:
Ensure that a clear chain of command has been established, encompassing both internal as well as outsourced operations, to ensure that prompt action is taken appropriate for the significance of the incident.
In addition, escalation and internal communication procedures should be developed and include notification of the Board where appropriate.

Internal Audit Considerations: Compliance / Strategic / Reputation Risk Factors

Oversight factors the internal auditor should consider:
Ensure that a process is in place to ensure all relevant external parties, including credit union members, counterparties and the media, are informed in a timely and appropriate manner of material e-services disruptions and business resumption developments.
Ensure that a process is in place for collecting and preserving forensic evidence to facilitate appropriate post-mortem reviews of any e-services incidents as well as to assist in the prosecution of attackers.

Questions?

Any questions?