Leveraging eDiscovery Technology for Internal Audit

Post on 05-Jan-2022

2016 Houston IIA 7th Annual Conference

April 11, 2016

kpmg.com

© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS 540226

Agenda

1. Survey said…

2. Leveraging eDiscovery technology to audit risk

a. IP threat assessment

b. PII management

c. Incident response

3. Questions?

Seeking Value Through Internal Audit

2016 KPMG/Forbes Survey

KPMG/Forbes Survey Internal Audit through the lens of the stakeholder

What makes Internal Audit worthwhile?

What does Internal Audit need in order to be successful?

KPMG/Forbes Survey Internal Audit insights

KPMG/Forbes Survey Internal Audit effectiveness

KPMG/Forbes Survey Internal Audit utilization

KPMG/Forbes Survey Internal Audit skill requirements

The Top 5 skills needed for IA professionals

Source: The future of Internal Audit through the lens of stakeholder needs, KPMG International, 2016

KPMG/Forbes Survey Enterprise use of data and analytics

KPMG/Forbes Survey Internal Audit through the lens of the stakeholder

• IP Threat Assessment

• PII Management

• Incident Response

IP Threat Assessment

IP Threat Assessment Protecting enterprise value

Identify at-risk data sources

• Unstructured data (e.g., email, network shares, SharePoint, individual assets)

• Legacy systems

• Data migrations (e.g., Office 365)

Index and search

• In-place or collect to search

• Conceptual analysis to identify target data

Evaluate results

• Sampling and statistical analysis

• Leverage predictive coding to accelerate review

Disposition data

• Defensible deletion

• Segregate and archive

• Move to secure repository

IP Threat Assessment Protecting enterprise value

Identify IP Threats

• Review IP protection policies

• Interview business to identify types of IP

• Interview IT to understand data sources containing IP

Select IP Audit Target

• High risk repositories

• High value IP

Catalog IP Management Characteristics

• Review data storage and backup protocols

• Determine user access controls

• Understand data movement inside and out

Assess Against Controls

• Retention and backup

• Access rights management

• Security and encryption in transit

PII Management

PII Management Protecting individual privacy

Identify at-risk data sources

• Unstructured data (e.g., email, network shares, SharePoint, individual assets)

• Legacy systems

• Data migrations (e.g., Office 365)

Index and search

• In-place or collect to search

• Mask-based searching (e.g., XXX-XX-XXXX)

Evaluate results

• Sampling and statistical analysis

• Leverage predictive coding to accelerate review

Disposition data

• Defensible deletion

• Segregate and archive

• Move to secure repository
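The mask-based search and sampling steps on this slide can be illustrated with a short added example (not part of the original deck). The function names and sample documents are constructed for illustration, and the Wilson interval is one common choice for the "statistical analysis" step, assumed here rather than taken from the slides.

```python
import math
import random
import re

# Constructed sample corpus: two real-looking SSN strings, one part number
# that fits the mask (a false positive), and values that must not match.
DOCS = {
    "hr/onboarding.txt": "New hire SSN 123-45-6789 on file; backup contact 987-65-4321.",
    "eng/parts.csv": "part 555-12-3456, order ref 1000-12-34567",
    "sales/notes.txt": "Call 713-555-0100 about renewal.",
}

def mask_to_regex(mask):
    """Compile a search mask: each 'X' matches one digit, other characters are literal."""
    body = "".join(r"\d" if ch == "X" else re.escape(ch) for ch in mask)
    # Digit lookarounds stop the mask from matching inside a longer digit run.
    return re.compile(r"(?<!\d)" + body + r"(?!\d)")

def search(docs, mask):
    """Return (doc_id, matched_text) for every mask hit across the documents."""
    rx = mask_to_regex(mask)
    return [(doc_id, m.group()) for doc_id, text in docs.items() for m in rx.finditer(text)]

def draw_sample(hits, n, seed=0):
    """Pick a reproducible random sample of hits for manual review."""
    return random.Random(seed).sample(hits, min(n, len(hits)))

def wilson_interval(confirmed, reviewed, z=1.96):
    """95% Wilson interval for the share of mask hits that are true PII."""
    if reviewed == 0:
        raise ValueError("no reviewed hits to estimate from")
    p = confirmed / reviewed
    denom = 1 + z * z / reviewed
    centre = (p + z * z / (2 * reviewed)) / denom
    half = z * math.sqrt(p * (1 - p) / reviewed + z * z / (4 * reviewed ** 2)) / denom
    return centre - half, centre + half

if __name__ == "__main__":
    hits = search(DOCS, "XXX-XX-XXXX")
    for doc_id, text in hits:
        # Report only the location and a redacted tail, never the full value.
        print(doc_id, "***-**-" + text[-4:])
    # Suppose reviewers confirm 8 of 10 sampled hits as genuine PII.
    print(wilson_interval(8, 10))
```

The part-number hit shows why the slide pairs mask searching with sampled review: a mask finds candidates by shape only, and the interval tells the auditor how much of the hit population is likely to be real PII before dispositioning it.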

PII Management Protecting individual privacy

Identify PII Risks

• Review PII protection policies

• Interview business to identify types of PII

• Interview IT to understand data sources containing PII

Select PII Audit Target

• High risk repositories

• High value IP

Catalog PII Management Characteristics

• Review data storage and backup protocols

• Determine user access controls

• Understand data movement inside and out

Assess Against Controls

• Retention and backup

• Access rights management

• Security and encryption in transit

Incident Response

Incident Response Protecting enterprise reputation and resources

Incident Response Scenarios

Data breach

Natural and man-made disasters

Large-scale litigation

Regulatory investigation

Incident Response Protecting enterprise reputation and resources

Compliant

• Managed by legal department

• Reflects leading practices

• Demonstrates good faith

Defensible

• Documented procedures

• Consistent implementation

• Documented execution

Reasonable

• Reflects litigation profile

• Balances cost and burden

• Good faith rather than perfection

Questions?

Priya Keshav, Managing Director

Dennis Kiker, Director

www.kpmg.com

KPMG Forensic is a service of KPMG International.
