Post on 05-Jun-2019

215 views

Category:

Documents


0 download

TRANSCRIPT

The Imperative of Risk Based Audit Planning

Joe Ryan | System Reform Group - HSE

ICT Audit???? For What??

Health and Social Care ICT Landscape in Ireland

HSE has 70,000 staff

35,000 Desktops, Laptops and Tablets

000's of mobile phones and smart phones

50,000+ users of ICT Systems

Circa 70 server sites

300,000 Support Calls Annually

At the time – 9 Separate Networks

1,700 Separate Applications!!!!!!

IT Audit in the Health Service

2008

Well Established Finance and Operational Audit units in place with strong methodologies

Prior to 2008 there was no ICT Audit unit in the Health Service

Highly regulated environment – HIQA, PHECC, C&AG, DPER/CMOD/OGCIO

Challenge

Establish ICT Audit unit

Decide on a standard to audit against - COBIT

Develop an audit plan

Get approval from the Audit Committee

Get on with it

Just yourself and 200 man days of external help!

Developing the Audit Plan

Temptation to start with financial and HR systems

Why? Because they are BIG and carry obvious financial risk

STOP! But is that the biggest risk to the organisation?

What is the Risk Landscape / Universe?

Confidentiality – Probably the most sensitive data held by any organisation

Integrity – Lives are at risk & large amounts of public money at risk

Availability – Lives can depend on high availability systems

Developing the Audit Plan

Decision was made to adopt the National Institute of Standards and Technology methodology

1. System Characterization – Boundaries, Functions, Criticality and Sensitivity

2. Threat Identification – Hacking, Physical Environment, Crashes, Nature, Virus etc.

3. Vulnerability Identification – Untested BCP or DR, Access Weaknesses, External reliance etc.

4. Control Analysis – Was not in scope although a summary analysis informed a rating against the Control Maturity Model

Developing the Audit Plan

5. Likelihood Determination – Threat source motivation & capability, nature of the vulnerability

6. Impact Analysis – Factors = Purpose, Criticality, Sensitivity

7. Risk Determination – Adapted NIST approach to include HSE wide risk determination process ISO31000:2009

Developing the Audit Plan – Determining the Control Maturity

Stage 0 – Non-existent: At this level, there is a complete lack of any recognizable control process or the existence of any related procedures. The organization has not even acknowledged that there is an issue to be addressed; therefore, no communication about the issue is generated.

Stage 1 – Initial: There is some evidence that the organization recognizes that controls and related procedures are important and need to be addressed. However, controls and related policies and procedures are not in place and documented. An event and disclosure process does not exist. Employees are not aware of their responsibility for control activities. The operating effectiveness of control activities is not evaluated on a regular basis. Control deficiencies are not identified.

Stage 2 – Repeatable but Intuitive: Controls and related policies and procedures are in place but not always fully documented. An event and disclosure process is in place but not documented. Employees may not be aware of their responsibility for control activities. The operating effectiveness of control activities is not adequately evaluated on a regular basis and the process is not documented. Control deficiencies may be identified but are not remedied in a timely manner.

Stage 3 – Defined Process: Controls and related policies and procedures are in place and adequately documented. An event and disclosure process is in place and adequately documented. Employees are aware of their responsibility for control activities. The operating effectiveness of control activities is evaluated on a periodic basis (e.g., quarterly); however, the process is not fully documented. Control deficiencies are identified and remedied in a timely manner.

Stage 4 – Managed and Measurable: Controls and related policies and procedures are in place and adequately documented, and employees are aware of their responsibility for control activities. An event and disclosure process is in place and is adequately documented and monitored, but it is not always re-evaluated to reflect major process or organizational changes. The operating effectiveness of control activities is evaluated on a periodic basis (e.g., weekly), and the process is adequately documented. There is limited, primarily tactical, use of technology to document processes, control objectives and activities.

Stage 5 – Optimised: Stage 5 meets all of the characteristics of stage 4. An enterprise wide control and risk management program exists such that controls and procedures are well documented and continuously reevaluated to reflect major process or organizational changes. A self-assessment process is used to evaluate the design and effectiveness of controls. Technology is leveraged to its fullest extent to document processes, control objectives and activities; identify gaps; and evaluate the effectiveness of controls.

Developing the Audit Plan - Identify the Focus Areas

A review of the ICT Audit Universe identified 11 areas of focus in the risk assessment

1) Governance

2) Strategy & Planning

3) Organisation & Resources

4) Programme & Project Management

5) Procurement

6) 3rd Party Management

7) Data Protection / Information Governance

8) Security

9) BCP / DR

10) Network Management

11) Applications

Developing the Audit Plan – Categorise / Summarise / Prioritise / Test

List all risks against each focus area

Rate the risks according to the risk methodology

Prioritise ALL risks in all categories by degree of Likelihood x Impact

Summarise the overall risk status for each focus area

Review this list with:

Financial/Operational/Clinical Auditors – validation based on their observations

Senior ICT Management – Beware you will be their auditor – Bum Steers!

Audit Committee Chair – Make sure you test the water before diving in!

Developing the Audit Plan – Implementation

Now the task of balancing risk against the audit resource available

QUESTION – Start at the top of the entire list of high rated risks or start at the top of the overall “focus area” risks?

For HSE this trade-off was on the basis of available audit resource

DECISION – Start with the highest priority focus areas in a Pareto analysis form, where 80% of audits came from the highest prioritised focus areas and 20% from high rated individual risk systems / infrastructures / projects contained in lower rated overall focus areas
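The prioritisation and Pareto split described above (rate each risk by Likelihood x Impact, summarise each focus area, then give 80% of the audit slots to the top focus areas and 20% to high rated individual risks elsewhere), worked through as an added example. This is not the HSE's tooling; the risk register, the 15-point "high rated" cut-off and the use of the mean rating as a focus area's overall status are assumptions made here.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass(frozen=True)
class Risk:
    name: str          # a risk listed against a focus area (constructed values below)
    focus_area: str    # one of the 11 focus areas from the ICT Audit Universe
    likelihood: int    # 1 (rare) .. 5 (almost certain)
    impact: int        # 1 (negligible) .. 5 (lives / large public money at risk)

    @property
    def rating(self) -> int:
        """Likelihood x Impact, the ordering used to prioritise ALL risks."""
        return self.likelihood * self.impact

# Constructed sample risk register: illustrative names and scores, not HSE data.
RISKS = [
    Risk("Untested DR plan for PAS", "BCP / DR", 4, 5),
    Risk("No DR test schedule", "BCP / DR", 3, 4),
    Risk("Unpatched servers", "Security", 5, 4),
    Risk("Shared admin accounts", "Security", 4, 4),
    Risk("No signed-off ICT strategy", "Governance", 3, 3),
    Risk("No project gate reviews", "Governance", 2, 3),
    Risk("Unsupported legacy lab system", "Applications", 3, 5),
    Risk("Spreadsheet rostering", "Applications", 2, 2),
    Risk("Lapsed supplier contract", "Procurement", 2, 3),
]

def summarise_focus_areas(risks):
    """Overall risk status per focus area. Assumption: mean rating of its risks."""
    by_area = {}
    for r in risks:
        by_area.setdefault(r.focus_area, []).append(r.rating)
    return {area: mean(ratings) for area, ratings in by_area.items()}

def plan_audits(risks, audit_slots, focus_share=0.8, high_rating=15):
    """Pareto split of the audit resource: focus_share of the slots go to the highest
    rated focus areas (their risks in rating order); the remainder go to high rated
    individual risks in lower rated focus areas. high_rating is an assumed cut-off."""
    area_status = summarise_focus_areas(risks)
    ranked_areas = sorted(area_status, key=area_status.get, reverse=True)
    focus_slots = round(audit_slots * focus_share)
    picked, top_areas = [], set()
    for area in ranked_areas:              # the 80%: top focus areas first
        if len(picked) >= focus_slots:
            break
        top_areas.add(area)
        area_risks = sorted((r for r in risks if r.focus_area == area),
                            key=lambda r: r.rating, reverse=True)
        picked.extend(area_risks[:focus_slots - len(picked)])
    others = sorted((r for r in risks       # the 20%: high rated risks elsewhere
                     if r.focus_area not in top_areas and r.rating >= high_rating),
                    key=lambda r: r.rating, reverse=True)
    picked.extend(others[:audit_slots - len(picked)])
    return picked

if __name__ == "__main__":
    for r in plan_audits(RISKS, audit_slots=5):
        print(f"{r.rating:2d}  {r.focus_area:<12} {r.name}")
```

With five audit slots the sample register yields four audits from Security and BCP / DR and one from the lower rated Applications area, whose legacy lab system still clears the high rating cut-off.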

What has been the experience?

Like all change it was difficult at the start

What is COBIT and why am I being audited against that standard when I haven't adopted that standard to my service?

Why are you auditing my hospital / office / system?

Risk – This system has been running for years without a problem – What risk??

It’s easy for you auditors, you don’t have to deal with the demands of the business every day!

Started to use ICT Audit in an Intervention Model manner

Policy/procedure development, early stage project review etc.

What has been the experience?

Needed to adjust to meet organisational needs of the HSE as it changed and developed

IT Audit has directly contributed to the development of more robust ICT Security and Information Governance policies and procedures

Compliance is increasing and repeated findings are decreasing

Major Programmes are being implemented successfully e.g. NIMIS

The Governance of ICT in the HSE is now clearly understood and the organisation now has a CIO at the top table with a major project underway to develop an operating model for ICT

The HSE is close to finalising an ICT Strategy focused on delivering the Government’s eHealth Strategy

Where to from here?

Implementing the National eHealth Strategy will see exponential growth in the use of ICT in Health

While the overall number of systems will reduce through rationalisation and consolidation of systems, the application of ICT will increase

Electronic Health Records

Personal Health Records

Telehealth

Self Management Apps

Health & Wellbeing Apps

Connected Health Devices

Where to from here? How will ICT Audit respond?

The Audit Landscape / Universe will be huge

More clinical systems raises the risk impact factor

Patient to Clinician interaction will increase the number of interfaces raising the likelihood factor

Health Service investing in ICT Audit – Trebling the internal staff

Legacy systems with associated weaknesses will slowly disappear

ICT Audit will need to assist in “building in” compliance into the architecture

Thank You

P.S.!!!!

HSE Recruiting the Head of ICT Audit right now!!

www.hse.ie