Source: cis.gsu.edu
Information Security Regulation,
Audit and Disclosure
Richard Baskerville
The Health Insurance Portability and
Accountability Act of 1996 (HIPAA) Privacy and Security Rules
• Covered entities
– Health Care Providers
– Health Plans
– Health Care Clearinghouses
• Protected health information (PHI) is all individually
identifiable health information.
• A covered entity must maintain reasonable and
appropriate administrative, technical, and physical
safeguards to prevent intentional or unintentional
use or disclosure of protected health information in
violation of the Privacy Rule and to limit its
incidental use and disclosure pursuant to otherwise
permitted or required use or disclosure.
Gramm-Leach-Bliley Act (1999)
• Mainly allowed commercial banks, investment banks, securities firms, and insurance companies to merge
• Governs the collection and disclosure of customers’ personal financial information by financial institutions
• Requires
– Providing each consumer with a privacy notice
– A policy to protect the information from foreseeable threats in security and data integrity
– A written information security plan
– Designating an employee as safeguards manager
– Conducting thorough risk analyses on each privacy-relevant department
– Developing, monitoring, and testing a program to secure privacy information
– Changing the safeguards in keeping with changes in information collection, storage, and use
Public Company Audit Reforms
• Significant changes to securities
laws or practices
• The wake of corporate financial
scandals
• Examples
– European Union Council 8th
Directive (Expansion)
– Corporate Law Economic Reform
Program (CLERP 9) (Australia)
– Sarbanes-Oxley Act of 2002 (US)
Restore Investor Confidence in Capital Markets
EU 8th Directive
• Establishes a new audit regulatory committee composed of member states and chaired by a representative of the European Commission (EC). The committee will assist the EC in establishing the implementation measures of the directive
• Auditors or audit firms must:
– Be approved and registered in any member state.
– Meet continuous education requirements.
– Be subject to robust professional ethics.
– Be independent from the audited company.
– Adhere to the International Standards on Auditing.
– Meet quality assurance standards.
– Be governed by the member state system of investigation and sanctions.
– Be subject to public oversight.
– Follow relationship procedures with an audited entity.
– Disclose an internal governance statement.
– Cooperate with the mandated audit committee in financial reporting.
• Revised 2014 (Effective 2016)
– Mandatory audits of public interest entities
– Requires Public Interest Oversight Board (PIOB)
Australian CLERP 9
• Ethical purpose similar to Sarbox & EU 8, but softer
• Based on disclosure rather than criminalization
• Regulates auditor independence, periodic reporting, and corporate disclosure and certification of financial reports
• Two systems are similar enough to permit parallel compliance
– SarbOx compliance increases overhead
– Some issues in attorney-client confidentiality
• Executives are not required to certify the maintenance of internal controls to the public
– Required to certify to the directors of the company that the financial statements comply with accounting standards and represent the true and fair view of the current financial position of the company
US: Sarbanes-Oxley Act of 2002 (107 H.R. 3763) (Sarbox or SOX)
Senator Paul Sarbanes and Representative Michael Oxley being congratulated on the 30 July 2002 signing of their act after approval by the House 423-3 and by the Senate 99-0.
Title I (Sections 101-109): Public Company Accounting Oversight Board
• Deals with the establishment of the PCAOB, which registers and reviews public accounting firms under the oversight of the SEC, with responsibility for investigations and disciplinary actions for breaches of accounting standards.
Title II (Sections 201-209): Auditor Independence
• Deals with conflicts of interest in the business relationships of audit firms and steps to unveil such conflicts, like rotating firms and audit partners, reporting to the audit committee, etc.
• Section 201: Services Outside the Scope of Practice of Auditors; Prohibited Activities.
– This section prohibits an audit firm from providing “non-audit services” to a company it is auditing, e.g.,
• Bookkeeping
• Financial information systems design and implementation
• Management functions or human resources
Title III (Sections 301-308): Corporate Responsibility
• Deals with company audit committees and the conduct of officers and directors.
Title IV (Sections 401-409): Enhanced Financial Disclosures
• Deals with company responsibilities for periodic financial reports, assessment of internal controls, code of ethics, and other aspects of disclosures.
• Section 404: Management Assessment of Internal Controls.
• Requires an “internal control report”
– Establish and maintain an adequate internal control structure and procedures for financial reporting
– Assess their effectiveness
Title V (Section 501): Analyst Conflicts of Interest
• Deals with conflict of interest rules for exchanges and associations.
Title VI (Sections 601-604): Commission Resources and Authority
• Deals with budget and authority.
Title VII (Sections 701-705): Studies and Reports
• Deals with government reports.
Title VIII (Sections 801-807): Corporate and Criminal Fraud Accountability
• Deals with faked or destroyed documents, retention of records, and criminal penalties.
Title IX (Sections 901-906): White Collar Crime Penalty Enhancements
• Increases some criminal penalties, criminalizes record tampering and fraudulent financial statements, etc.
Title X (Section 1001): Corporate Tax Returns
• Sense of the Senate that the CEO should sign the corporate federal income tax return
Title XI (Sections 1101-1107): Corporate Fraud and Accountability
• Deals with record tampering, impeding officials, and SEC authority to freeze payments and to bar securities fraudsters from serving as company officers.
PCAOB Auditing Standard 5 (now AS 2201)
• Direction for the audit of management's assessment of the effectiveness of internal control over financial reporting, performed as part of (integrated with) the financial statement audit.
• Auditors must understand how IT affects the flow of transactions; identifying risks and controls within IT is part of the top-down approach. The audit tests controls and assesses the risk of a material weakness in internal control over financial reporting.
PCAOB Auditing Standard 12 (now AS 2110)
• IT risks to a company's internal control over financial reporting (Appendix B, Consideration of Manual and Automated Systems and Controls):
– Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both;
– Unauthorized access to data that might result in destruction of data or improper changes to data;
– The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties, thereby breaking down segregation of duties;
– Unauthorized changes to data in master files;
– Unauthorized changes to systems or programs;
– Failure to make necessary changes to systems or programs;
– Inappropriate manual intervention; and
– Potential loss of data or inability to access data as required
Statement on Standards for Attestation Engagements (SSAE) No. 16
American Institute of Certified Public Accountants (AICPA); replaced SAS 70 (and has itself since been superseded by SSAE 18)
• Service organization control (SOC 1) reports
• An auditor opinion/report on a service organization
– The description of its system fairly presents its design and implementation
– The controls related to the described objectives are suitably designed
– (Type 2 reports only) The auditor's tests of the operating effectiveness of controls
• Driven by Sarbox Section 404
Generally Accepted Privacy Principles (GAPP) (AICPA)
1. Management. The entity defines, documents, communicates, and assigns accountability for its privacy
policies and procedures.
2. Notice. The entity provides notice about its privacy policies and procedures and identifies the purposes
for which personal information is collected, used, retained, and disclosed.
3. Choice and consent. The entity describes the choices available to the individual and obtains implicit or
explicit consent with respect to the collection, use, and disclosure of personal information.
4. Collection. The entity collects personal information only for the purposes identified in the notice.
5. Use, retention, and disposal. The entity limits the use of personal information to the purposes
identified in the notice and for which the individual has provided implicit or explicit consent. The entity
retains personal information for only as long as necessary to fulfill the stated purposes or as required by
law or regulations and thereafter appropriately disposes of such information.
6. Access. The entity provides individuals with access to their personal information for review and update.
7. Disclosure to third parties. The entity discloses personal information to third parties only for the
purposes identified in the notice and with the implicit or explicit consent of the individual.
8. Security for privacy. The entity protects personal information against unauthorized access (both
physical and logical).
9. Quality. The entity maintains accurate, complete, and relevant personal information for the purposes
identified in the notice.
10. Monitoring and enforcement. The entity monitors compliance with its privacy policies and procedures
and has procedures to address privacy-related complaints and disputes.
CIO Involvement (PwC Guidance)