Leveraging ediscovery Technology for Internal Audit 2016 Houston IIA 7th Annual Conference

Transcription

1 Leveraging ediscovery Technology for Internal Audit 2016 Houston IIA 7th Annual Conference April 11, 2016 kpmg.com

2 Agenda 1. Survey said 2. Leveraging ediscovery technology to audit risk a. IP threat assessment b. PII management c. Incident response 3. Questions? 1

3 Seeking Value Through Internal Audit 2016 KPMG/Forbes Survey

4 KPMG/Forbes Survey Internal Audit through the lens of the stakeholder What makes Internal Audit worthwhile? What does Internal Audit need in order to be successful? 3

5 KPMG/Forbes Survey Internal Audit insights 4

6 KPMG/Forbes Survey Internal Audit effectiveness 5

7 KPMG/Forbes Survey Internal Audit utilization 6

8 KPMG/Forbes Survey Internal Audit skill requirements The Top 5 skills needed for IA professionals Source: The future of Internal Audit through the lens of stakeholder needs, KPMG International,

9 KPMG/Forbes Survey Enterprise use of data and analytics 8

10 KPMG/Forbes Survey Internal Audit through the lens of the stakeholder IP Threat Assessment PII Management Incident Response 9

11 IP Threat Assessment

12 IP Threat Assessment Protecting enterprise value Identify at-risk data sources Unstructured data (e.g., , network shares, SharePoint, individual assets) Legacy systems Data migrations (e.g., Office 365) Index and search In-place or collect to search Conceptual analysis to identify target data Evaluate results Sampling and statistical analysis Leverage predictive coding to accelerate review Disposition data Defensible deletion Segregate and archive Move to secure repository 11

13 IP Threat Assessment Protecting enterprise value 12

14 IP Threat Assessment Protecting enterprise value 13

15 IP Threat Assessment Protecting enterprise value 14

16 IP Threat Assessment Protecting enterprise value 15

17 IP Threat Assessment Protecting enterprise value 16

18 IP Threat Assessment Protecting enterprise value Identify IP Threats Select IP Audit Target Catalog IP Management Characteristics Assess Against Controls Review IP protection policies Interview business to identify types of IP Interview IT to understand data sources containing IP High risk repositories High value IP Review data storage and backup protocols Determine user access controls Understand data movement inside and out Retention and backup Access rights management Security and encryption in transit 17

19 PII Management

20 PII Management Protecting individual privacy Identify at-risk data sources Unstructured data (e.g., , network shares, SharePoint, individual assets) Legacy systems Data migrations (e.g., Office 365) Index and search In-place or collect to search Mask-based searching (e.g., XXX-XX-XXXX) Evaluate results Sampling and statistical analysis Leverage predictive coding to accelerate review Disposition data Defensible deletion Segregate and archive Move to secure repository 19

21 PII Management Protecting individual privacy 20

22 PII Management Protecting individual privacy 21

23 PII Management Protecting individual privacy 22

24 PII Management Protecting individual privacy Identify PII Risks Select PII Audit Target Catalog PII Management Characteristics Assess Against Controls Review PII protection policies Interview business to identify types of PII Interview IT to understand data sources containing PII High risk repositories High value IP Review data storage and backup protocols Determine user access controls Understand data movement inside and out Retention and backup Access rights management Security and encryption in transit 23

25 Incident Response

26 Incident Response Protecting enterprise reputation and resources Incident Response Scenarios Data breach Natural and man-made disasters Large-scale litigation Regulatory investigation 25

27 Incident Response Protecting enterprise reputation and resources 26

28 Incident Response Protecting enterprise reputation and resources Compliant Managed by legal department Reflects leading practices Demonstrates good faith Defensible Documented procedures Consistent implementation Documented execution Reasonable Reflects litigation profile Balances cost and burden Good faith rather than perfection 27

29 Incident Response Protecting enterprise reputation and resources 28

30 Questions? Priya Keshav, Managing Director Dennis Kiker, Director

31 KPMG Forensic is service of KPMG International. This proposal is in all respects subject to the negotiation, agreement, and signing of a specific engagement letter or contract. This proposal is made by KPMG AG, a Swiss corporation and subsidiary of KPMG Holding AG/SA, which is a subsidiary of KPMG Europe LLP and a member of the KPMG network of independent firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss legal entity. KPMG Europe LLP and KPMG International provide no client services. No KPMG Europe LLP subsidiary or other member firm has any authority to obligate or bind KPMG Europe LLP, KPMG International or any other member firm vis-à-vis third parties, nor does KPMG Europe LLP or KPMG International have any such authority to obligate or bind any subsidiary or member firm KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. NDPPS The KPMG name and logo are registered trademarks or trademarks of KPMG International.