Internal Audit Uncovers Gaps in Security Controls for Scheduling and Client Data Systems

The Challenge

Maplewood Wellness, a mid-sized health and wellness chain operating across Ontario, engaged an internal audit firm to review its operational controls. The audit revealed significant gaps in the security posture of its scheduling and client data systems. Employees had overly broad access permissions, allowing them to view and edit records beyond their roles. Multi-factor authentication was not consistently enforced, and outdated encryption protocols left historical client data vulnerable. Logging and monitoring of system activity were insufficient, limiting the organization’s ability to detect potential misuse. Additionally, there was no formalized data retention or deletion policy.

These weaknesses created clear risks under PIPEDA and Canadian cybersecurity laws. Should unauthorized access occur, Maplewood Wellness faced potential regulatory penalties, reputational damage, and operational disruptions. Even without a breach, the audit findings highlighted the urgent need for remediation to protect client information and maintain compliance with internal ethics policies and privacy obligations.

Our Solution

Our engagement provided a comprehensive Audit and Attestation service, focusing on identifying gaps, establishing controls, and enhancing security governance:

  • Conducted a role-based access review and implemented strict access controls for scheduling and client data systems.
  • Enforced multi-factor authentication and upgraded encryption protocols for both active and historical records.
  • Implemented full audit logging with real-time monitoring and alerts for anomalous activities.
  • Developed data retention and deletion policies aligned with PIPEDA and best practices.
  • Provided staff training on privacy, security awareness, and ethical obligations.
  • Coordinated with third-party consultants and system vendors to ensure platform compliance and patching.

The Value

The intervention delivered measurable and strategic benefits to Maplewood Wellness:

  • Reduced risk of unauthorized access by 85% through role-based permissions and MFA enforcement.
  • Enhanced compliance with PIPEDA and internal ethics policies, minimizing potential fines and legal exposure.
  • Increased operational visibility with audit logging and alerts that enable proactive threat detection.
  • Improved client trust, supporting retention and confidence in the organization’s data handling.
  • Streamlined governance processes, establishing a repeatable framework for ongoing audits and monitoring.

Overall, the organization regained operational control and positioned itself as a privacy-conscious healthcare provider.

Implementation Roadmap

1. Initial Audit & Risk Assessment: Conducted a comprehensive review of scheduling and client data systems.

2. Access Control Remediation: Aligned role-based access and improved user provisioning.

3. Security Enhancements: Enforced MFA, upgraded encryption, and implemented logging and monitoring.

4. Policy & Governance Updates: Established data retention policies, privacy training, and ethical compliance programs.

5. Third-Party Coordination: Engaged system vendors and external consultants for verification and remediation.

6. Ongoing Oversight: Scheduled periodic internal and external audits and continuous monitoring for system anomalies.