Ashutosh Pednekar,FCA, CISA, ISA (ICA), LLB (Gen), B.Com.
Partner, M P Chitale & Co.
November 6, 2007
IRDA – ICAI Round Table Meeting on Insurance Industry
IS Audit & IT systems in Insurance Industry
© Ashutosh Pednekar, M.P.Chitale & Co.
Acknowledgements
Material published by Information Systems Audit & Control Association (ISACA) – the leading association of professionals in Information Systems (IS) Audit, Control, Security & Governance
Thoughts of
Mr.Samir Shah, CFO, HDFC General Insurance Co. Ltd. &
Ms.Anagha Thatte, Partner, M P Chitale & Co.
Disclaimers
No representation or warranties are made by the ISACA with regard to this presentation by Ashutosh Pednekar. ISACA has no responsibility for its contents.
These are my personal views and can not be construed to be the views of M/s. M. P. Chitale & Co., Chartered Accountants or IRDA or ICAI.
These views do not and shall not be considered as professional advice.
This presentation should not be reproduced in part or in whole, in any manner or form, without my written permission.
IT systems in Insurance Industry
Need to cater to two broad segments
    Policy Management: Premium / Commission / Claims / Opex
    Fund (Investment) Management
Needs of the industry
    Flexibility & scalability to handle complexities of
        existing & new products
        various delivery channels
    Regulatory compliances and their reporting
    Integration capabilities between multiple systems
    Robustness: a labour intensive industry with wide geographical spread
    Availability
Growing Complexities & Pressures are Increasing Risks...
    Increased Operational Risk
    Market Convention
    Regulatory Demands
    Increased Transaction Volumes
    Complex Instruments and Strategies
    Increasing HR Complexities
    Reliance on Technology & Information Systems
Business Process & Information Assets
These two are inextricably linked.
Each Business Process leads to
    Creation of Information at every stage
    Storing it
    Updating on real-time basis
    Using it
    Protecting from misuse – intentional or otherwise
Enterprise-wide Information Assets
= Data and information embedded/stored in
    People
    Computers
Data, Information and IT Resource Management
Knowledge Management (Digitizing Knowledge)
IS Risk Management
Objective: Minimizing likelihood (frequency) and intensity (business impact) of loss of
    Confidentiality (C)
    Integrity (I)
    Availability (A)
of information.
.... the CIA Principle
CIA - Vulnerabilities & Exposures
Information: Confidentiality, Integrity, Availability
Exposures:
    Competitors
    Hackers
    Users / Human errors
    Manipulating processes
    Systems bugs
    Acts of God
IS Audit Initial Steps
Assess reliance placed by the Management on the system efficacy & the reliance placed by them on IT systems to
    take managerial decisions
    take operating level decisions
    conduct operations
Get a feel of the IS Risk as perceived by the Top Management
IS Risk Mitigation : Building Blocks
    Business Process Reengineering
    Management, Planning & Organization of IS
    Business Application Systems & Controls
    Systems Development Life Cycle
    Disaster Recovery & Business Continuity
    Protection of Information Assets
    Technical Infrastructure & Operational Practices
IS Audit Areas
Compliance with IS Security Policy & Procedures
    Includes an assessment of the understanding of the policy & procedure requirements across the organization
Hardware
    Monitoring
    Sizing
    Upgradations
IS Audit Areas…
Software – core as well as end-user applications
    Licensing
    Version Control
    Upgradations
    Patch implementation
IS Audit Areas…
Logical Controls
    Need-to-do basis
    Controls have to be for data as well as programs
    Authorization protocols
    Conflict of interest, if any, to be identified
Physical Controls
Network management
IS Audit Areas…
Operations Management
    Within data center
    At Ops level
    At corporate level
    At branches & outlets
    With field staff
Controls over outsourced agencies have to be equally stringent, if not more
    Focus on vulnerabilities at the agency level
    Adequacy of SLAs
BCP / DRP
IS Audit Methodology
COBIT® Technique: Control over the IT Processes that satisfies the Business Requirements for IT (Summary of IT Goals) is achieved by focusing on Key Controls and is measured by Key Metrics.
IS Audit value adds
Vetting the IS Policy & Procedures for their adequacy
Functionality Reviews
Pre Implementation Reviews
Post Implementation Reviews
Source Code Audit
Ethical Hacking / Penetration Testing