Page 1

Ashutosh Pednekar,FCA, CISA, ISA (ICA), LLB (Gen), B.Com.

Partner, M P Chitale & Co.

November 6, 2007

IRDA – ICAI Round Table Meeting on Insurance Industry

IS Audit & IT systems in Insurance Industry

Page 2

© Ashutosh Pednekar, M.P.Chitale & Co.

Acknowledgements

Material published by Information Systems Audit & Control Association (ISACA) – the leading association of professionals in Information Systems (IS) Audit, Control, Security & Governance

Thoughts of

Mr. Samir Shah, CFO, HDFC General Insurance Co. Ltd. &

Ms. Anagha Thatte, Partner, M P Chitale & Co.

Page 3

Disclaimers

No representation or warranties are made by the ISACA with regard to this presentation by Ashutosh Pednekar. ISACA has no responsibility for its contents.

These are my personal views and cannot be construed to be the views of M/s. M. P. Chitale & Co., Chartered Accountants, or IRDA or ICAI.

These views do not and shall not be considered as professional advice.

This presentation should not be reproduced in part or in whole, in any manner or form, without my written permission.

Page 4

IT systems in Insurance Industry

Need to cater to two broad segments:
  Policy Management: Premium / Commission / Claims / Opex
  Fund (Investment) Management

Needs of the industry:
  Flexibility & scalability to handle the complexities of existing & new products and of various delivery channels
  Regulatory compliances and their reporting
  Integration capabilities between multiple systems
  Robustness: a labour-intensive industry with wide geographical spread
  Availability

Page 5

Growing Complexities & Pressures are Increasing Risks...

Increased Operational Risk, arising from:
  Market Convention
  Regulatory Demands
  Increased Transaction Volumes
  Complex Instruments and Strategies
  Increasing HR Complexities
  Reliance on Technology & Information Systems

Page 6

Business Process & Information Assets

These two are inextricably linked.

Each Business Process leads to:
  Creation of Information at every stage
  Storing it
  Updating it on a real-time basis
  Using it
  Protecting it from misuse – intentional or otherwise

Page 7

Enterprise-wide Information Assets = Data and information embedded/stored in Computers and in People, covering:
  Data, Information and IT Resource Management
  Knowledge Management (Digitizing Knowledge)

Page 8

IS Risk Management

Objective: Minimizing the likelihood (frequency) and intensity (business impact) of loss of:
  Confidentiality (C)
  Integrity (I)
  Availability (A)
of information

…. the CIA Principle

Page 9

CIA - Vulnerabilities & Exposures

Confidentiality, Integrity and Availability of Information are exposed to:
  Manipulating processes
  Competitors
  Hackers
  Systems Bugs
  Acts of God
  Users / Human errors

Page 10

IS Audit Initial Steps

Assess the reliance placed by the Management on the system efficacy & the reliance placed by them on IT systems to:
  take managerial decisions
  take operating level decisions
  conduct operations

Get a feel of the IS Risk as perceived by the Top Management

Page 11

IS Risk Mitigation : Building Blocks
  Business Process Reengineering
  Management, Planning & Organization of IS
  Business Application Systems & Controls
  Systems Development Life Cycle
  Disaster Recovery & Business Continuity
  Protection of Information Assets
  Technical Infrastructure & Operational Practices

Page 12

IS Audit Areas

Compliance with IS Security Policy & Procedures
  Includes an assessment of the understanding of the policy & procedure requirements across the organization

Hardware
  Monitoring
  Sizing
  Upgradations

Page 13

IS Audit Areas…

Software – core as well as end-user applications
  Licensing
  Version Control
  Upgradations
  Patch implementation

Page 14

IS Audit Areas…

Logical Controls
  Access on a need-to-do basis (least privilege)
  Controls have to be for data as well as for programs
  Authorization protocols
  Conflict of interest, if any, to be identified (segregation of duties)

Physical Controls

Network management
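The need-to-do and conflict-of-interest points above, as an added Python example that is not part of the original presentation: an access-review script of the kind an IS auditor would run over a user-master extract. It derives each user's effective permissions from their roles, flags conflicting-duty pairs that a single person should not hold, and lists permissions that were granted but never exercised during the review period. The roles, permissions, conflict matrix, user assignments and activity-log lines are all constructed for illustration and do not describe any real system.

```python
"""Access-review helpers for the logical-controls audit area: effective
permissions, need-to-do (least privilege) and conflict-of-interest
(segregation of duties) checks.

Added example; every role, permission, duty pair, user and log line below
is constructed and hypothetical.
"""
import re
from collections import defaultdict

# Constructed role -> permission mapping for a hypothetical policy/claims system.
ROLE_PERMISSIONS = {
    "claims_clerk": {"claim.create", "claim.edit"},
    "claims_approver": {"claim.approve"},
    "payments": {"payment.release"},
    "accounts": {"ledger.reconcile"},
    "developer": {"program.edit", "program.deploy"},
    "dba": {"data.direct_update"},
}

# Constructed conflict-of-interest matrix: one person must not hold both.
CONFLICTING_DUTIES = [
    ("claim.create", "claim.approve"),        # register and approve a claim
    ("claim.approve", "payment.release"),     # approve and pay out
    ("payment.release", "ledger.reconcile"),  # pay and reconcile own payments
    ("program.edit", "program.deploy"),       # change a program and move it live
    ("program.deploy", "data.direct_update"), # control over programs and over data
]

# Constructed user -> roles assignments, as pulled from the user master.
ASSIGNMENTS = {
    "asha": ["claims_clerk"],
    "ravi": ["claims_clerk", "claims_approver"],  # toxic combination across roles
    "meera": ["payments", "accounts"],            # toxic combination across roles
    "dev01": ["developer"],                       # toxic combination within one role
    "priya": ["dba"],
}

# Constructed activity log for the review period (one action per line).
USAGE_LOG = """\
2007-10-02 09:12 user=asha action=claim.create
2007-10-02 09:40 user=asha action=claim.create
2007-10-03 11:05 user=ravi action=claim.create
2007-10-03 11:06 user=ravi action=claim.approve
2007-10-04 15:20 user=meera action=payment.release
2007-10-05 10:00 user=dev01 action=program.edit
"""

_LOG_RE = re.compile(r"user=(\S+) action=(\S+)")


def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions granted through every assigned role."""
    perms = set()
    for role in roles:
        # An unknown role raises KeyError: an orphaned assignment is itself a finding.
        perms |= role_permissions[role]
    return perms


def sod_conflicts(perms, matrix=CONFLICTING_DUTIES):
    """Conflicting-duty pairs that are both present in one person's permissions."""
    return [(a, b) for a, b in matrix if a in perms and b in perms]


def parse_usage(log_text):
    """Map each user to the set of actions actually exercised in the period."""
    used = defaultdict(set)
    for line in log_text.splitlines():
        m = _LOG_RE.search(line)
        if m:
            used[m.group(1)].add(m.group(2))
    return used


def review_user(user, roles, used_actions):
    """One access-review record: conflicts held and permissions never used."""
    perms = effective_permissions(roles)
    return {
        "user": user,
        "conflicts": sod_conflicts(perms),
        # Need-to-do basis: granted but never exercised -> candidate for removal.
        "dormant": sorted(perms - used_actions.get(user, set())),
    }


def review_all(assignments=ASSIGNMENTS, log_text=USAGE_LOG):
    """Review every user in the extract against the constructed log."""
    used = parse_usage(log_text)
    return {u: review_user(u, roles, used) for u, roles in assignments.items()}


if __name__ == "__main__":
    for record in review_all().values():
        print(record)
```

The two checks answer different audit questions: the conflict list shows where the authorization protocol lets one person both initiate and approve (or both change and release a program), while the dormant list shows where access exceeds what the job actually required in the period. A real review would replace the constructed dictionaries with exports from the application's role tables and audit trail, and would treat a dormant permission as a question for the business owner rather than an automatic revocation.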

Page 15

IS Audit Areas…

Operations Management
  Within data center
  At Ops level
  At corporate level
  At branches & outlets
  With field staff

Controls over outsourced agencies have to be equally stringent, if not more so:
  Focus on vulnerabilities at the agency level
  Adequacy of SLAs
  BCP / DRP

Page 16

IS Audit Methodology – COBIT® Technique

Business Requirements for IT
  that are satisfied by the Summary of IT Goals,
  which is achieved by Control over the IT Processes,
  by focusing on Key Controls,
  which is measured by Key Metrics.

Page 17

IS Audit value adds

Vetting the IS Policy & Procedures for their adequacy

Functionality Reviews

Pre Implementation Reviews

Post Implementation Reviews

Source Code Audit

Ethical Hacking / Penetration Testing

Page 18

Thank you

[email protected]