Strengthening Vendor Risk Management Program
Slide 1: Strengthening Vendor Risk Management Program
ACUIA Region 5 Fall Meeting, Portsmouth, N.H., October 2017
Slide 2: PKF O'Connor Davies Risk Advisory Services
- Governance & Regulations
- Cyber-Security Risk Management & IT Strategy
- COSO 2013 Implementation
- Co-sourced or Outsourced Internal Audit
- Data Governance and Data Analytics
- Enterprise Risk Management and Internal Control Reviews (Operations and IT)
- IIA Quality Assessment Reviews / Internal Audit Transformation
- Business and IT Policy Development
- Attest Engagements and Agreed-Upon Procedures
- HIPAA and PCI-DSS Gap Analysis
- IT Governance and Best Practices Review
- DMZ or Network Architecture Review / Firewall, Router and Switch Hardening Review
- DRP / BCP Assessment
- IT Security Vulnerability Assessments and Penetration Testing (Network and Web Application)
- Malware Analysis
- Wireless Network Assessment
- Privacy Assessments
- General Source Code Review (Java, .NET, PHP, Python, C, C++, Objective-C)
- Social Engineering (includes phishing)
- Business Continuity Assessments
- Project Management
- Service Organization Control (SOC 1) Reporting (SSAE 16, superseded by SSAE 18 for reports dated on or after May 1, 2017, and ISAE 3402): Readiness Reviews and Attestations
- SOC 2 and SOC 3 Readiness Reviews and Attestations (Trust Services Principles)
- IT Strategy (including IT and Business Strategic Alignment)
- Third Party Risk, Social Media and Cloud Risk Assessment
Slide 3: Learning Objectives
- Why you need a vendor risk management program
- The steps of a vendor risk management program
- The intended uses of Service Organization Control (SOC) reports and what to look for when reviewing one
Slide 4: Vendor Risk Management
A process for assessing and managing the risk associated with third party relationships. A third party relationship is any business arrangement between a financial institution and another entity, by contract or otherwise. The relationship includes activities that involve outsourced products and services, use of independent consultants, networking arrangements, merchant payment processing services, joint ventures, and other business arrangements where the financial institution has an ongoing relationship or may have responsibility for the associated records.
Slide 5: Intertwining Risks
Third party risk touches every other risk category:
- Operational
- Technology
- Compliance
- Business Continuity
- Reputational
- Financial
- Strategic
Slide 6: Cloud Responsibility (diagram not captured in the transcription)
Source:
Slide 7: Discussion with a Cloud Hosting Provider
- The client needs to communicate the organization's regulatory requirements to the provider
- Assign responsibilities to internal IT staff who have the technical knowledge
- Robust access management
- Do not rely solely on the service provider's policies and procedures
- Managing the data remains the organization's responsibility

Slide 8: Discussion with a Cloud Hosting Provider (cont.)
- Clients should discuss network design with the provider
- Inquire whether standard or custom APIs are used, to avoid vendor lock-in
- Inquire whether contract terms can be modified based on current and future needs
- Be responsive when a collaborative effort is needed to address an incident
- Review and address the SLA before going live
Slide 9: Who Should Be Involved in a Vendor Risk Management Program
- Procurement & Accounts Payable
- Information Technology
- Legal and Regulatory Compliance
- Risk Management
- Internal Audit (advisory role)
Slide 10: Continuous Vendor Risk Management
Lifecycle stages, with Governance spanning all of them:
- Due Diligence / Planning
- Risk Management
- Contract Management
- Monitoring
- Termination
Ongoing activities:
- Manage & remediate vendor risk
- Evaluate vendor risk
- Report on vendor risk
- Identify & manage evidence
- Provide a risk rating for each vendor
- Create a schedule for review
- Identify triggers that would escalate the review
Slide 11: Governance
- Define the goals and appoint a champion
- Define the organization structure & assign responsibilities
- Develop a vendor management policy, taking a risk-based approach
- Vendor due diligence and monitoring process
- Escalation process
- Provide training
Slide 12: Elements of a Vendor Risk Management Policy
- Should outline staff responsibilities and authorities for vendor relationships and program oversight
- Should distinguish what is required for critical relationships versus non-critical relationships
- Should stipulate which employee(s) are authorized to sign contracts
- Should outline the expectations and limitations of the vendor relationship
Slide 13: Initial Risk Assessment / Planning
- Ensure that the vendor relationship is consistent with the strategy and overall business needs
- Determine the short and long term goals, which should be measurable
- Create the criticality levels
- Assess the vendor against the risk criteria
- Appoint a person to be responsible for the relationship
- Review all documentation (e.g. financials) and vendor responses
- Identify controls (i.e. reports, insurance, etc.)
- Establish an exit strategy / contingency plans
Slide 14: Risk Management
- Determine risk factors
- Conduct the risk assessment
- Establish risk levels
- Collect data
- Address results with management
- Develop remediation steps and communicate them back to the vendor
Slide 15: Risk Factors in Evaluating Vendors
- New service to the credit union
- Material impact on revenue or expenses
- Impact on reputation
- Significant operational functions
- Sensitivity of the data
- Compliance and regulatory risk
- Impact on members
Slide 16: Contract Management
- Get key stakeholders and Legal involved (drafting, reviewing)
- Keep abreast of regulatory requirements and industry standards
- Maintain your position on key contract requirements and language
- Establish KPIs and SLAs
- Have a process in place to modify and approve changes to contracts
Slide 17: Vendor Monitoring
- Track incidents and complaints
- Manage the vendor inventory
- Evaluate vendor onboarding and off-boarding
- Evaluate vendor value
- Have a process in place for the vendor to notify you of incidents (security breach, insolvency)
Slide 18: Monitoring Third Parties with a SOC Report
Service Organization Control 1 (SOC 1)
- Use: restricted use report (Type I or Type II)
- Purpose: reports on controls at the service organization that are relevant to user entities' financial statement audits
Service Organization Control 2 (SOC 2)
- Use: generally a restricted use report (Type I or Type II)
- Purpose: reports on controls related to compliance or operations
- Criteria: Trust Services Principles & Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy)
Service Organization Control 3 (SOC 3)
- Use: general use report (with a public seal)
- Purpose: reports on controls related to compliance or operations
- Criteria: Trust Services Principles & Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy)
A Type I report covers the design of controls at a point in time; a Type II report also tests their operating effectiveness over a period, so Type II is the one to rely on for ongoing monitoring. A SOC 3 is a summary for general distribution and omits the description of tests and results, so it cannot replace a SOC 2 when evaluating a critical vendor.
Slide 19: Monitoring Third Parties with a SOC Report (cont.)
- Is this the right report for the service you rely on?
- Are our location and service covered?
- Is it the correct period? Look for a gap between the end of the examination period and your review date, and ask for a bridge letter if one exists.
- What is the Independent Auditor's Report opinion?
- Did they use any subservice providers? If a subservice organization is carved out, its controls are not covered by this report and you need that provider's own report.
- Does the department have the appropriate internal controls to address the User Considerations section (the complementary user entity controls the report assumes you operate)?
- Did they cover all the control objectives?
- Were the test steps sufficient?
- Evaluate the deviations.
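The slide 15 risk factors and the slide 19 review questions can be turned into a repeatable check: tier the vendor first, then hold its SOC report to the requirements of that tier. The following is an added example, not code from the slides or from PKF O'Connor Davies. The 0 to 3 scoring scale, the tier cut-offs, the per-tier report and bridge-letter rules, and the names criticality, SocReport, VendorEngagement and review_soc_report are assumptions made for this example; the sample vendor and report are constructed.

```python
"""Vendor criticality tiering plus a SOC report gap check (slides 15 and 19).
Added example, not from the original slides: the 0-3 factor scale, the tier
cut-offs, the per-tier rules and every field name are assumptions."""
from dataclasses import dataclass, field
from datetime import date

# Slide 15 risk factors, each scored 0 (none) to 3 (high).
RISK_FACTORS = ("new_service", "material_financial_impact", "reputation_impact", "significant_operations",
                "data_sensitivity", "compliance_regulatory", "member_impact")
# Per tier: minimum acceptable (report kind, type) (None: any) and days past the period end before a bridge letter.
TIER_RULES = {"critical": {"report": ("SOC 2", 2), "bridge_days": 90},
              "moderate": {"report": ("SOC 2", 1), "bridge_days": 180},
              "low":      {"report": None,         "bridge_days": 365}}

def criticality(scores: dict) -> str:
    """Top-scored data sensitivity or operations impact, or a high total, is critical."""
    total = sum(scores.get(k, 0) for k in RISK_FACTORS)
    if 3 in (scores.get("data_sensitivity", 0), scores.get("significant_operations", 0)) or total >= 12:
        return "critical"
    return "moderate" if total >= 6 else "low"

@dataclass
class SocReport:
    kind: str                # "SOC 1", "SOC 2" or "SOC 3"
    report_type: int         # 1 = design at a point in time; 2 = operated over a period
    period_end: str          # ISO date the period (or point in time) ended
    opinion: str             # "unqualified", or qualified / adverse / disclaimer
    services: set
    locations: set
    control_objectives: set  # objectives or criteria actually tested
    carved_out_subservice_orgs: set = field(default_factory=set)
    cuecs: tuple = ()        # complementary user entity controls expected of us
    exceptions: tuple = ()   # deviations noted in the test results

@dataclass
class VendorEngagement:
    tier: str
    services: set
    locations: set
    required_objectives: set
    subservice_reports_obtained: set = field(default_factory=set)
    cuecs_mapped: set = field(default_factory=set)  # CUECs with an internal control owner

def review_soc_report(rep: SocReport, vendor: VendorEngagement, today: str) -> list:
    """Walk the slide-19 checklist; return (severity, finding) pairs."""
    rules, f = TIER_RULES[vendor.tier], []
    # Is this the right report?
    if rep.kind == "SOC 1":
        f.append(("high", "SOC 1 covers controls relevant to financial reporting; "
                          "obtain a SOC 2 for security and availability assurance"))
    elif rep.kind == "SOC 3" and rules["report"]:
        f.append(("high", "SOC 3 is a general-use summary with no test detail; request the SOC 2"))
    elif rules["report"] and rep.report_type < rules["report"][1]:
        f.append(("high", f"{vendor.tier} vendor needs a Type {rules['report'][1]} report; "
                          f"Type {rep.report_type} shows design only, not operating effectiveness"))
    # Is our location and service covered?
    for label, missing in (("services", vendor.services - rep.services),
                           ("locations", vendor.locations - rep.locations)):
        if missing:
            f.append(("high", f"{label} not in scope: {sorted(missing)}"))
    # Is it the correct period?
    age = (date.fromisoformat(today) - date.fromisoformat(rep.period_end)).days
    if age > 365:
        f.append(("high", f"period ended {age} days ago; obtain the current report"))
    elif age > rules["bridge_days"]:
        f.append(("medium", f"period ended {age} days ago; obtain a bridge letter"))
    # What is the independent auditor's opinion?
    if rep.opinion != "unqualified":
        f.append(("high", f"auditor's opinion is {rep.opinion}; escalate to management"))
    # Did they use subservice providers? A carve-out needs its own report.
    for org in sorted(rep.carved_out_subservice_orgs - vendor.subservice_reports_obtained):
        f.append(("medium", f"subservice organization {org} is carved out; obtain its report"))
    # Do we have internal controls for the user-consideration (CUEC) section?
    f.extend(("medium", f"CUEC has no internal control owner: {c}")
             for c in rep.cuecs if c not in vendor.cuecs_mapped)
    # Did they cover all the control objectives we rely on?
    if gap := vendor.required_objectives - rep.control_objectives:
        f.append(("medium", f"control objectives not tested: {sorted(gap)}"))
    f.extend(("medium", f"evaluate deviation: {e}") for e in rep.exceptions)  # evaluate the deviations
    return f

# Constructed sample data, not a real vendor or report.
SAMPLE_SCORES = {"new_service": 1, "material_financial_impact": 2, "reputation_impact": 2,
                 "significant_operations": 2, "data_sensitivity": 3,
                 "compliance_regulatory": 2, "member_impact": 2}
SAMPLE_VENDOR = VendorEngagement(
    tier=criticality(SAMPLE_SCORES), services={"online banking"},
    locations={"Portsmouth, NH", "Manchester, NH"},
    required_objectives={"CC6 logical access", "A1 availability", "C1 confidentiality"})
SAMPLE_REPORT = SocReport(
    kind="SOC 2", report_type=1, period_end="2017-03-31", opinion="unqualified",
    services={"core processing", "online banking"}, locations={"Portsmouth, NH"},
    control_objectives={"CC6 logical access", "A1 availability"},
    carved_out_subservice_orgs={"ExampleCloud Hosting"},
    cuecs=("user entity administers its own user accounts and access reviews",),
    exceptions=("2 of 25 sampled terminated users kept access beyond 7 days",))

def sample_review(today: str = "2017-10-01") -> list:
    return review_soc_report(SAMPLE_REPORT, SAMPLE_VENDOR, today)
```

Calling sample_review() returns seven findings for the constructed critical vendor: two rated high (a Type I report where the tier needs Type II, and a location missing from scope) and five rated medium (a bridge letter needed for the gap since the period end, a carved-out subservice organization with no report on file, an unmapped CUEC, an untested control objective, and one deviation to evaluate). The thresholds belong in the vendor management policy rather than in code; the point of the structure is that "is this the right report?" has a different answer for a critical vendor than for a low-risk one.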
Slide 20: Contact Info
Mark Bednarz, MS, CPA, CISA, CFE
Partner, Head of Risk Advisory, PKF O'Connor Davies, LLP
P:
E: mbednarz@pkfod.com