Information system security and audit Solution

Please answer the following questions thoroughly, based on the knowledge you gained from the course.

1.       Ethics and the IT Auditor | Jill Mathews, an IT audit senior for a global insurance company, was recently asked to perform an IT audit of the company's new cloud computing and virtualization migration plan.  Her manager asks that she complete the audit within the next four weeks.  She is not familiar with these technologies and is worried about being able to meet the requirements of the audit.  What ethical considerations and professional standards should Jill take into account?  How would you approach this situation?

[Type your answer here]

Limit your answer to approximately 300 words

2.       The IT Audit Planning Memorandum | A well-thought-out audit planning memorandum provides an orderly, structured approach to performing the audit.  Describe the key components of an audit planning memorandum and explain why each component is important.

[Type your answer here]

Limit your answer to approximately 600 words

Develop the following from reading the case:

·        Risk Assessment

·        Brief the board of directors on the audit universe and the risk profile, and on how they can start managing it.

Introduction
The ABC Corporation (ABC) is a Federal Business Unit of MAIN COMPANY Insurance that acts as a Federal Government subcontractor.  Headquartered in Chicago, Illinois, ABC administers the second largest plan in the Federal Government.  The MAIN COMPANY is committed to providing comprehensive health benefits and freedom of choice to over 1 million federal employees.

ABC employs approximately 1,050 people across offices in Chicago, Illinois; Rockville, Maryland; Jacksonville, Florida; San Antonio, Texas; and Mesa, Arizona.  ABC decentralized its operations in 1995, distributing support to the Jacksonville, San Antonio, and Mesa regional offices, and established a data center in Jacksonville in 1997.

To ensure ongoing customer service from its distributed operating offices, ABC decided to implement a business recovery program that includes documented business recovery plans.  When the plans are fully implemented, ABC will be in a position to continue operating when a disruption occurs.  Without plans and accommodations for contingencies, ABC may not be able to fully recover from a significant disruption, since critical information needed for its business may not be available.  The areas ABC wants the plans to cover are listed below:

·         LAN servers and midrange systems to house critical applications

·         PCs for employees to access third party and LAN applications

·         Connectivity to the mainframe for critical applications and transfer protocols to/from Chicago MAIN COMPANY Home Office

·         Mail sorters and other mail handling equipment

·         Work space for key employees

·         Voice communications

·         Data transmission

·         Vital records

·         Various office automation mechanisms and supplies (printers, copiers, fax machines, etc.)

To better understand the impact of a business disruption to ABC and how this would affect its constituents, ABC engaged the XYZ Consulting Company (XYZ) to conduct a Business Impact Analysis (BIA).  The BIA focuses on ABC’s computer systems and work area recovery, and addresses two major objectives:

·         Determine operational impacts to ABC that would result from a worst case scenario business disruption – the complete loss of a regional office or of the Jacksonville Technology Center.

·         Assist ABC in the development of a recovery strategy that will satisfy ABC's Recovery Time Objectives (RTOs), the length of time from disaster declaration to restored information system functionality.

Objectives
This study obtained business and system information to assess the impact on ABC's operations of the sudden and unplanned loss of the Rockville headquarters, a regional office (Mesa, San Antonio, or Jacksonville), or the Jacksonville Technology Center.  The study is essential to developing an effective business continuity strategy for ABC, since it provides the background information required to justify further plan development.  A recovery/continuity strategy will ensure that critical company functions and supporting systems are restored within acceptable time frames after a disruption.  The study was designed to answer the following questions:

Scope
ABC’s Request for Proposal (RFP) identified the following “critical” business functions that were the focus of our study, although a review of other business functions was necessary because they were integral components of the ABC business process flow:

·         Customer Service

·         Mail and Print Services

·         Underwriting/Pricing

·         Claims

·         Eligibility and Enrollment

·         Utilization Management

·         Payroll and Human Resources Processing

·         Facilities

·         Purchasing

·         Accounts Payable

·         Financial Reporting

·         Cash Management

·         Treasury Services

As a result of our discussions, we conducted 32 interviews, gathering information from employees representing both business and technical/operations support functions.  Four major steps were performed in this study:

·         Assessed the impact on ABC’s employees and customers if claims administration capabilities are lost or severely interrupted.

·         Recommended target RTOs, which represent the amount of time a company function can operate without computer or business function support while recovery efforts are underway.

·         Summarized the hardware and work areas required to support critical company operations during recovery.

·         Recommended appropriate recovery strategies that supply required resources within acceptable time frames to support critical operations in an economical manner.

Computer Systems/Locations Included
The following computer systems were included in the project scope:

·         Mainframe

·         LAN servers and midrange systems

·         Electronic Data Interchange (EDI) systems

·         Selected applications provided by third parties that were determined to be “critical” to the aforementioned business functions. (MetraHealth, DRG Pricing, Multi-Plan, FACETS, PHCS, etc.)

·         Scanning systems and OCR

·         CAS, CRW, and all supporting systems

·         Mail preparation systems

·         Mainframe interface protocols (file transfer, application access, and other communications)

The following locations were included in the project scope:

·         Rockville Headquarters (15400 Calhoun Drive)

·         Jacksonville Regional Office

·         Jacksonville Technology Center

·         San Antonio Regional Office

·         Mesa, Arizona Regional Office

·         Chicago MAIN COMPANY Group Operations Home Office and Data Center (MAIN COMPANY Plaza)

Note:  XYZ Consulting Company visited all of the above sites except for San Antonio and Mesa.  It was assumed that the business functions performed at Jacksonville were similar to both San Antonio and Mesa and that our recommendations would be valid and apply to all three offices.

Assumptions
The following assumptions were made in the execution of the project:

·         Data on the network, database, and application mid-range servers is backed up, even though some systems do not have an off-site tape rotation in place.

·         The primary business disruption scenario XYZ Consulting Company used occurs at one of ABC's regional offices, the Jacksonville Technology Center, or the Rockville HQ.  Because of the distance between the regional offices, it is assumed that multiple regional offices will not be affected simultaneously by a single disruption.  Using this realistic scenario as the model allows the recovery plan recommendation to include the use of other ABC offices as recovery sites.

·         ABC's need to restore computer systems and other supporting processes is the basis for selecting an appropriate continuity strategy, since ABC's primary business processes are critically dependent on technology and technology-related entities.

Organization
Interviewees/Survey Participants
All of the following employees completed project surveys; those with asterisks next to their names were interviewed by XYZ Consulting Company:

Employee (* = interviewed) | Department | Location
Janet L.* | Planning and Reporting | Rockville
Dave R.* | Technology Center | Jacksonville
Carolyn R.* | Customer Service | Jacksonville
Bill S.* | Customer Service | Jacksonville
Kevin V.* | Imaging Center | Jacksonville
Greg N.* | Imaging Center | Jacksonville
Margaret L.* | Imaging Center Operations | Jacksonville
Gary F.* | Technology Center | Jacksonville
Ron H.* | Systems Security/Help Desk | Rockville
Harriet G.* | Audit Services | Rockville
Gene R.* | Marketing | Rockville
Mike S.* | Facilities | Rockville
Cyndi J.* | Mail/Retrieval | Rockville
Linda O.* | Human Resources | Rockville
Angie G.* | Accounting/Treasury Services | Rockville
Denise H.* | Purchasing | Rockville
Debbie Y.* | Corporate Training & Development | Rockville
Debbie H.* | Payroll | Rockville
Gloria G.* | Exception Processing; Eligibility/Eligibility Reconciliations | Rockville
Nancy M.* | Accounts Payable | Rockville
Bonnie V.* | Unix | Chicago
Steve P.* | Unix | Chicago
Howie P.* | Unix | Chicago
Mary P.* | EDI | Chicago
June S.* | CAS | Chicago
Ben L.* | CAS | Chicago
Nate P.* | Corp. Recovery/CSC | Chicago
Terry C.* | Capacity Planning | Chicago
John B.* | Print Management | Chicago
Dave G.* | Cash Management | Chicago
Kelly F.* | Underwriting and Reporting | Chicago
Vicki H.* | PCS, G/L Interfaces | Chicago
Project Team Members
Project team members from ABC and XYZ Consulting Company included the following:

·         Jim B., Project Lead, MAIN COMPANY

·         Jim H., Project Manager, MAIN COMPANY

·         Ron H., ABC, Rockville

·         Jack S., Assistant Vice President, ABC, Rockville

·         Mary S., Project Manager, XYZ Consulting Company

·         Henry G., Sr. Consultant, XYZ Consulting Company

·         Michael A., Managing Consultant, XYZ Consulting Company

Methodology/Approach
The XYZ Consulting Company project team completed the following tasks for the BIA:

·         Conducted a project kickoff session with ABC senior managers to discuss the project and the information that would be collected.

·         Distributed interview questionnaires to the ABC departmental key contacts for gathering information.

·         Conducted interviews with key ABC employees to validate the information on the questionnaires and to discuss critical continuity-related issues.

·         Evaluated the recovery capability of ABC’s current environment, outlining issues and risks.

·         Analyzed and documented ABC’s information systems.

·         Mapped systems and applications to ABC’s critical business processes.

·         Analyzed business impacts, resource requirements, existing capabilities, and risks.

·         Recommended Recovery Time Objectives (RTOs) and documented them in Section IV, Impact Analysis.

·         Recommended appropriate recovery strategies capable of meeting ABC's requirements.

II.  Impact Analysis
Introduction
A Recovery Strategy is based on the fact that when "critical" computer and support systems are not available to users, important company processes cannot be performed in a timely and efficient manner.  The length of time from declaring a disaster until computer resources are operational to support the most "critical" business processes is commonly referred to as the Recovery Time Objective (RTO).  "Critical" is defined as anything (process, computer, or resource) required to continue operations (even in a "degraded" mode) should a business area, computer, or company facility be destroyed or inaccessible for a period of time that ABC deems unacceptable.  The result of an interruption is generally a financial and/or operational impact on the affected business function.  When a business function is unable to complete its work, ABC's ability to support enrollees and providers is at risk.

Longer RTO time frames are frustrating to everyone, especially since they have a significant impact on enrollee/provider service.  Recovery time and data integrity requirements were developed by analyzing the impact information supplied by the business managers we interviewed.  Major systems were assigned RTO time frames from four hours to greater than one month.  RTOs were assigned based on analysis of the following criteria:

·         Governmental/regulatory requirements

·         System availability to regional offices (Mesa, San Antonio, Jacksonville, Rockville)

·         Timeliness of providing financial information (the letter of credit, etc.) to the government and ABC corporate, while meeting reporting deadlines to regulatory agencies

·         Timeliness of customer claims resolution

·         Existence and effectiveness of alternate processing procedures.

In addition to RTOs, we also examined Recovery Point Objectives (RPOs), which express, as a span of time, the amount of data that departments are willing to lose if a disruption occurs.  The information in this section shows that the RPO for most of the departments we interviewed is 1 day.  This means that they would like the previous day's backup restored on the system if a disruption occurs.  In this situation, data entered between the time the backup was taken and the point of the disruption is lost and would need to be re-entered into the system to bring it current.  This assumes that data is backed up daily and that tapes are sent to an off-site storage vendor every day; as noted under Assumptions, that is not yet true for every mid-range system, and for those systems a 1-day RPO cannot be guaranteed in a site-loss scenario.

The above-noted information was gathered by surveying and interviewing resources identified by ABC’s project team.
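Worked example (added here; not part of the BIA report): the RPO reasoning above assumes daily backups that are shipped off site every day, while the Assumptions section notes that some mid-range servers have no off-site tape rotation. The Python below checks a system inventory against a requested RPO, treating a site-loss scenario as destroying any backup copy that never left the site. The inventory, system names, intervals and flags are constructed for illustration and are not from the report.

```python
"""Check whether each system's backup arrangement can meet its requested RPO.

Added example, not part of the BIA report.  System names, backup intervals
and off-site flags are constructed; the report only states that some
mid-range servers lack an off-site tape rotation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupConfig:
    system: str
    backup_interval_hours: int   # how often a backup is taken
    offsite: bool                # whether a copy is rotated off site
    rpo_hours: int               # the RPO the business unit asked for


def achievable_rpo_hours(cfg: BackupConfig, site_loss: bool) -> float:
    """Worst-case data loss window for one system, in hours.

    With periodic backups the worst case is one full interval (the
    disruption lands just before the next backup runs).  If the scenario
    destroys the site and no copy is off site, every on-site backup is lost
    as well, so the achievable RPO is unbounded.
    """
    if site_loss and not cfg.offsite:
        return float("inf")
    return float(cfg.backup_interval_hours)


def rpo_gaps(configs, site_loss=True):
    """Return (system, achievable_hours, requested_hours) for each system
    whose achievable RPO is worse than the one requested."""
    gaps = []
    for cfg in configs:
        achievable = achievable_rpo_hours(cfg, site_loss)
        if achievable > cfg.rpo_hours:
            gaps.append((cfg.system, achievable, cfg.rpo_hours))
    return gaps


# Constructed inventory (assumption, not from the report).
INVENTORY = [
    BackupConfig("claims-db",      backup_interval_hours=24, offsite=True,  rpo_hours=24),
    BackupConfig("imaging-server", backup_interval_hours=24, offsite=False, rpo_hours=24),
    BackupConfig("edi-gateway",    backup_interval_hours=48, offsite=True,  rpo_hours=24),
    BackupConfig("cust-svc-lan",   backup_interval_hours=8,  offsite=True,  rpo_hours=24),
]

if __name__ == "__main__":
    for system, achievable, requested in rpo_gaps(INVENTORY):
        print(f"{system}: achievable RPO {achievable}h exceeds requested {requested}h")
```

Run against a site-loss scenario, the check flags the server with no off-site copy (unbounded loss) and the system backed up only every 48 hours; if the scenario is a system failure with the site intact, only the 48-hour system is flagged. The point for the audit is that a stated RPO is only a wish until the backup schedule and the off-site rotation both support it.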

Financial Impacts
We gathered financial data by survey and interviews.  We asked employees to estimate losses by category at eight points in time, ranging from four hours to one month.  Dollar losses were expressed in 14 loss ranges extending from zero to $50+ million.  These are ABC's estimates, developed by line managers and reviewed by CH.  The financial categories and their descriptions are listed below:

FINANCIAL IMPACT CATEGORY | DESCRIPTION
Revenue Loss | Dollar impact of revenue lost through the inability to take and process new customer orders, the need to direct customers to other insurance providers, and lost opportunities to sell/provide insurance.
Asset Loss | Dollar impact on ABC's assets that would result from a business disruption, such as work in progress, systems development, proprietary systems, etc.
Regulatory/Legal | Dollar impact from contractual agreements; suits brought by members, providers, or the U.S. Office of Personnel Management; sanctions, fines, and penalties for failure to properly provide services or fulfill obligations; not fulfilling service level agreements; etc.
Human Resources | Dollar impact that would result from idle employees' payroll, health, or profit-sharing benefits which, if not provided, may result in employee hardship, loss of employee support, penalties, strikes, etc.
Control | Dollar impact that would result from the use of alternate manual procedures; the lack of information related to cash management and investment management; the inability to manage risk; or the inability to determine quantities within inventory.
Additional Expense | Dollar impact of any additional expenses incurred in the start-up and continuation of business or company operations: the need to purchase supplies; expenses incurred in the start-up and operation of a manual system; "stop gap" equipment and staff; and overtime to recover backlogged transactions.
Total financial losses for the entire company are shown in the table below.  NOTE: THE TABLE DOES NOT CONTAIN FINANCIAL LOSSES FOR THE DIVISION AND DEPARTMENTS THAT ARE INCLUDED IN THE CASE STUDY.  AS A RESULT, DO NOT USE ANY OF THE FINANCIAL LOSS FIGURES BELOW TO JUSTIFY ANY OF YOUR STRATEGIES IN THE CASE STUDY.

Financial Impacts of a Disruption to ABC

Type of Loss        | 4 Hours  | 8 Hours  | 1 Day    | 2 Days   | 3 Days     | 1 Week     | 2 Weeks    | 1 Month
Revenue Loss        | $0       | $0       | $0       | $0       | $0         | $200,000   | $450,000   | $812,500
Asset Loss          | $75,000  | $75,000  | $75,000  | $75,000  | $75,000    | $75,000    | $75,000    | $77,500
Regulatory/Legal    | $0       | $0       | $0       | $0       | $0         | $208,000   | $510,000   | $925,000
Human Resources     | $207,500 | $210,000 | $220,000 | $220,000 | $1,320,000 | $1,355,000 | $1,385,000 | $1,450,000
Control             | $0       | $0       | $0       | $0       | $2,500     | $202,500   | $452,500   | $802,500
Additional Expenses | $7,500   | $17,500  | $17,500  | $23,500  | $27,000    | $79,000    | $153,000   | $373,500
Total               | $290,000 | $302,500 | $312,500 | $318,500 | $1,424,500 | $2,119,500 | $3,025,500 | $4,441,000
In addition to the detailed loss information shown above, the report presents the same data in chart format (the chart is not reproduced in this copy).

The table shows that financial losses are minimal during the first two days of a business disruption.  They jump at the three-day point (driven mainly by the Human Resources category) and continue to increase the longer the disruption lasts.
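Worked example (added here; not from the report): an auditor reviewing this table would recompute the totals rather than accept them, and would use the shape of the loss curve to argue an RTO. The Python below embeds the company-wide figures from the table above, verifies the reported totals, finds the interval boundary where the loss rate per hour rises most steeply, and returns the first interval at which the total exceeds a chosen threshold. The threshold value and the tampered copy used in the usage section are assumptions for illustration; as the instructor's note says, these totals exclude the case-study division and must not be used to justify case-study strategies.

```python
"""Recompute the BIA financial-impact table and locate the loss step-ups.

Added example, not part of the report.  The figures are the company-wide
totals from the table above; the threshold used below is an assumption.
"""

INTERVALS = ["4 Hours", "8 Hours", "1 Day", "2 Days", "3 Days", "1 Week", "2 Weeks", "1 Month"]
INTERVAL_HOURS = [4, 8, 24, 48, 72, 168, 336, 720]

LOSSES = {
    "Revenue Loss":        [0, 0, 0, 0, 0, 200_000, 450_000, 812_500],
    "Asset Loss":          [75_000] * 7 + [77_500],
    "Regulatory/Legal":    [0, 0, 0, 0, 0, 208_000, 510_000, 925_000],
    "Human Resources":     [207_500, 210_000, 220_000, 220_000, 1_320_000, 1_355_000, 1_385_000, 1_450_000],
    "Control":             [0, 0, 0, 0, 2_500, 202_500, 452_500, 802_500],
    "Additional Expenses": [7_500, 17_500, 17_500, 23_500, 27_000, 79_000, 153_000, 373_500],
}
REPORTED_TOTALS = [290_000, 302_500, 312_500, 318_500, 1_424_500, 2_119_500, 3_025_500, 4_441_000]


def column_totals(losses):
    """Sum each interval column across all loss categories."""
    width = len(next(iter(losses.values())))
    return [sum(row[i] for row in losses.values()) for i in range(width)]


def total_mismatches(losses, reported):
    """Names of the intervals where the recomputed total differs from the reported one."""
    return [INTERVALS[i] for i, (calc, rep) in enumerate(zip(column_totals(losses), reported)) if calc != rep]


def steepest_step(losses):
    """Interval boundary with the highest loss increase per elapsed hour.

    Returns (from_interval, to_interval, increase_in_dollars).  The RTO
    argument is that recovery should complete before this boundary.
    """
    totals = column_totals(losses)
    best = None
    for i in range(1, len(totals)):
        increase = totals[i] - totals[i - 1]
        rate = increase / (INTERVAL_HOURS[i] - INTERVAL_HOURS[i - 1])
        if best is None or rate > best[0]:
            best = (rate, (INTERVALS[i - 1], INTERVALS[i], increase))
    return best[1]


def first_interval_exceeding(losses, threshold):
    """Earliest interval whose total loss exceeds the threshold, or None."""
    for name, total in zip(INTERVALS, column_totals(losses)):
        if total > threshold:
            return name
    return None


if __name__ == "__main__":
    print("mismatches:", total_mismatches(LOSSES, REPORTED_TOTALS))
    print("steepest step:", steepest_step(LOSSES))
    # Threshold is an assumption chosen for illustration.
    print("first interval over $1M:", first_interval_exceeding(LOSSES, 1_000_000))
```

The reported totals reconcile, the steepest hourly loss rate is between the 2-day and 3-day columns (an increase of $1,106,000 in 24 hours, almost all of it Human Resources), and a $1M threshold is first crossed at 3 days. Altering a single cell in a copy of the table, as the test below does, is caught by `total_mismatches`, which is the kind of check an auditor applies before relying on a consultant's figures.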

Impacts of an Outage for “Critical” Departments
This section summarizes the findings associated with the loss of key business functions and support systems for ABC; it provides a detailed summary of the departments where XYZ interviewed key contacts or from whom we received questionnaires.  This information is also detailed in Appendix 1, Department RTOs.

The analysis of each department's criticality was based on the information in Appendix 1.  The third column of the chart in Appendix 1, titled "Department RTOs", indicates the RTOs requested by the listed departments.  The RTO is the amount of time from disaster declaration to the moment when the required information system resources are operational.

As is normally the case in projects of this nature, ABC departments often listed unrealistic, financially impracticable, and unattainable RTOs.  Departments will occasionally lose perspective and fail to view their contribution to the organization in the proper context.  Objective evaluation of a department – the relative importance of its business processes, interconnectivity/ interdependencies with other areas of the organization, and the formation of an acceptable RTO is imperative to the success of a business impact analysis.

To objectively determine RTOs, the team analyzed several components.  First, we studied the effect of a sustained loss of the department on the future operations of ABC.  For example, the following may have significant effects on the company:

·         Delayed revenue should the letter of credit not reach the appropriate government contacts.

·         Significant impact on customer service during a prolonged loss of communications and/or claims resolution abilities.

·         A profound impact on ABC’s competitive edge resulting from a loss of underwriting capabilities if a disaster prevents calculation of proposal pricing information during the May-August time period.

The team also analyzed the relative functionality of a given department to determine the criticality of its business processes.  Consequently, the departments that demonstrated the most profound impacts on ABC were those that affected revenue and customer service.

With this in mind, the team evaluated the criticality of a department's functionality not only by the RTOs requested by the department representatives, but also by the relative importance assigned to the department based on business continuity standards and professional expertise.  Our analysis showed that, given the nature of ABC's revenue source and the stability of its constituency, customer service/support-related functions are the most critical.  ABC derives its revenue from a letter of credit submitted to the Office of Personnel Management (OPM) based upon cleared claim checks.  Sustaining efficient operations and maintaining a high level of customer service are the two primary business objectives, as customer (the Mail Handlers' Union) satisfaction results in ABC contract renewal, which in turn drives revenue.  The most critical functions are therefore those directly affecting ABC operations and customer relationships (communications and the timely/accurate payment of claims), such as:

·         Customer Relations

·         Claim Payment Activities

·         Customer Phone Contact

·         Operations/Administrative Services

These departments and their ancillary-service providers were rated highest and assigned lower RTOs.  Other departments were assigned RTOs based upon:

·         How their services impact the customer base

·         How their functionality affects core operations

·         Regulatory restrictions (financial reporting, government regulations, etc.)

·         Revenue lost, penalties, etc.

The departments assigned still higher RTOs do not directly affect operations or customer service.  Such departments include:

·         Accounts Payable

·         Eligibility Reconciliations

·         Exception Processing