3rd Party Vendor Risk Management


3rd Party Vendor Risk Management. Session 402, Tuesday, June 9, 2015 (11 to 12pm)

Session Objectives
- The need for enhanced reporting on vendor risk management
- Current outsourcing environment
- Key risks faced by vendors and customers from outsourcing arrangements
- Why the current approach to achieving assurance over vendor operations is no longer sufficient
- Practical approach to a Vendor Risk Management Program
- A better solution on controls assurance
- What are the components of the SSAE16 / SOC 2 assurance report?
- What's next: determining what's the right fit for your company

Current Outsourcing Environment
Today's service-based economy has put third party vendors front and center.
Advantages of outsourcing:
- Reduce costs and increase business agility.
- By using vendors' data hosting, cloud, and business-process services, companies can redirect in-house resources back to the business and focus on core competencies.
Employing third party vendors also opens a company up to additional risks, from data errors to supply chain disruptions.
4th Party Vendor Risks: the vendor's own supplier relationships, which are invisible to the end client and therefore create additional, unmanaged risk exposures.

Current Outsourcing Environment (cont.)
- Vendors are experiencing more stringent oversight from customers.
- Increasing requests for on-site audits and other assessments.
- Increased time required to oversee outsourced arrangements.
Regulators are casting a watchful eye on vendors and their customers, driving the need for a more effective and efficient way of providing assurance over vendor operations.

Key risks faced by vendors and customers from outsourcing arrangements:
- Strategic Risks
- Social, Ethical & Environmental Risks
- Continuity Risks
- Financial Risks
- Operational Risks

Vendor Risk Management Lifecycle

When a company chooses to outsource components of its business to a third party service provider, risk needs to be considered at every stage of the lifecycle:
- Planning: identifying business requirements
- Selection: RFP process, due diligence during evaluation
- Contract: clarity, SLAs, right to audit, problem resolution
- Monitoring: relationship owner, metrics for SLAs, review of performance
- Termination: contingency plans, transition, loss of data

Planning
A good plan prior to beginning the RFP and vendor selection process will help to mitigate many third party risks.
- Risk identification: Who is impacted? What will have to change (people, process, technology)?
- Cost-benefit analysis: goes beyond the savings of outsourcing vs. insourcing; it must include the direct and indirect costs of controlling the risks.
- A defined process to select, assess, and monitor the vendor.
- Appropriate approval based on the activity being outsourced.

Selection
Due diligence during the vendor selection process is critical to managing third party risks.
Evaluate company stability:
- Financial condition
- Business experience and reputation
- Qualifications and backgrounds of company principals
Evaluate the solution:
- Information systems and processes
- Information security
- Resilience (disaster recovery, business continuity, insurance)
- Risk management
- Standards and certifications
- Independent assessments of controls, such as SOC reports

The Contract
Everything in the vendor relationship comes back to the contract. Companies need to make sure all of the appropriate provisions are in their agreements.
Legal processes and requirements:
- Contract approval and legal entity descriptions
- Intellectual property ownership
- Complete and explicit terms for contract termination
Scope:
- Clear delineation of responsibilities
- Detailed description of services to be provided
- Out-of-scope services
- Contract term and renewal dates

The Contract (cont.)
Service Level Agreements:
- How to measure adherence to SLAs (metrics); include both qualitative and quantitative metrics
- Evaluate the SLAs to ensure they reflect your business requirements
Payments:
- Defined payment schedule
- How variable costs are calculated and supported
- Chargebacks due to service issues
Problem Resolution:
- Process and responsibilities need to be clearly defined
- Tie the process (and response) to performance evaluation

The Contract (cont.)
Performance Reporting:
- Content, distribution, and frequency
- Penalties for nonperformance; rewards for performance
Security:
- Clearly defined information security and access requirements
- Nondisclosure and confidentiality agreements
Right-to-Audit:
- Not only the right to audit, but also the ability to monitor performance and require remediation when issues are identified
- Access needed to perform audit procedures
- Access to the vendor's own audit reports, while reserving the customer's right to conduct its own audits

Monitoring
Outsourcing is not a turn-key solution; it requires ongoing monitoring to ensure risks are mitigated for the duration of the vendor relationship.
- Assignment of responsibility: who is managing the relationship?
- Ongoing performance measurement against SLAs, using both vendor-reported and independent measures (where possible)
- Escalation and communication when issues are identified
- Formal review process: not only operational, but also a refresh of the due diligence steps

Termination
Things change, and sometimes a company will need to transition vendors or bring activities in-house.
- Create a detailed termination / transition plan with enough time and resources allocated.
- Address data retention and destruction and other technology-related issues.
- Handle joint intellectual property developed during the course of the arrangement.
- Consider the reputation risk to the company if the termination happens as a result of the vendor's inability to meet expectations.

Why the current approach to achieving assurance over vendor operations is no longer sufficient:
- Many vendors receive multiple and varied questionnaires from a significant number of customers, which can result in an inconsistent level of quality in their responses.
- Vendors are investing additional time and resources to meet the demand.
- Some vendors have tried using SOC (Service Organization Controls) 1 or 2 reports to respond to questionnaires.
- On-site assessments performed by customers are also deficient because they are performed at a specific point in time and fail to provide an overall view of a vendor's operations or environment.
- Vendors are seeking a way to take control of this challenging situation.

A Better Solution on Controls Assurance
The SOC audit report is built upon the AICPA's SOC reporting principles. It allows an independent, standardized assessment to be performed over vendor operations and can replace much of the time-consuming and costly vendor questionnaire process. The report format makes it easy for both vendors and their customers to digest. The report provides the necessary level of assurance and can help restore a customer's confidence in vendor processes, which in turn increases customer satisfaction and preserves valuable vendor/customer relationships.

A Better Solution on Controls Assurance (cont.)
Benefits to vendors include:
- Reduced time and money spent on resources dedicated to the vendor questionnaire process.
- More time to proactively address risks and deliver value to customers.
- A decrease in the number of on-site audits.
- Enhanced vendor marketability, as the report can be used to differentiate a vendor from its peers.
- A greater understanding of expectations and of what vendors are being measured against, regardless of the customer.
Benefits to customers include:
- A greater level of assurance over vendors' operations (positive assurance).
- Savings associated with the reduction in the need to perform on-site visits.
- Savings associated with not having to create questionnaires, or having to evaluate inconsistent reports with varying criteria from vendors.

Determining whether a SOC report is the right fit for your company:
For vendors:
- How many customers ask you to complete vendor risk annual questionnaires?
- How much time, effort, and cost is put into answering vendor risk annual questionnaires?
- Do your customers obtain the required comfort from the questionnaire responses and/or from other control reports provided (such as SOC 1 and 2 reports), or are there gaps in coverage?
- Do you have on-site audits performed by customers, impacting your resource time and availability?
- How much internal time do you spend on managing vendor risk management processes relating to satisfying your customer inquiries/questionnaires and/or on-site audits?
For customers:
- Are you receiving adequate comfort over the management of key risks from your vendors?
- Are you obtaining sufficient comfort from completed vendor questionnaires?
- How much time, effort, and cost are you spending on developing vendor questionnaires and following up on remediation activity?
- Are on-site audits costing you unnecessary time and effort, and only providing comfort to you at a point in time?

Planning and Scoping Considerations
- Identify the existing services, systems and/or processes that you are interested in having audited.
- Does your organization process transactions on behalf of its customers (SOC 1)?
- Which principles are most likely to be of interest and concern to your customers (SOC 2 / SOC 3)?
- Who will be the users of the report?
- Assess what, if any, specific audit reports are required by your customer contracts, and whether contracts have right-to-audit clauses.
- Do your organization's services, systems and/or processes impact the financial reporting controls of its clients? If so, how, and which financial statement accounts?
- Is there a need to include any products or services provided by outsourcing or co-sourcing partners in the scope of the audit?
- Determine the type of report to be provided and the period covered.

SOC Report Overview and Comparison

SSAE16 SOC 1 (internal control over financial reporting)
- Focus: Controls relevant to financial reporting. Most applicable when the service provider performs financial transaction processing or supports transaction processing systems.
- Report users: Detailed report for the user organization's accounting/finance office and user auditors.

SOC 2 (operational controls)
- Focus: Concerns regarding security, availability, processing integrity, confidentiality or privacy. Applicable to a variety of systems.
- Report users: Detailed report for management, regulators, auditors, and others.

SOC 3 (operational controls)
- Focus: The same principles as SOC 2.
- Report users: Web site seal and easy-to-read report for the general public or any users with a need for confidence in the service organization's controls.

Overview and Comparison of SOC Reporting Options (cont.)

SSAE16 SOC 1 (internal control over financial reporting)
- Service organizations: Service providers touching financial data, such as payroll providers, trust companies, healthcare claims processors, payment processors, and third party administrators.
- Customer need: Financial statement audits. Concern over the entry, processing and reporting controls in place for financial processing.

SOC 2 (operational controls)
- Service organizations: Heavily geared toward technology companies: data centers, managed service providers, cloud collaboration, Software as a Service (SaaS) entities, statement printers.
- Customer need: ERM, internal audit programs, oversight and due diligence. Concern over the security, integrity and confidentiality of data handled.

SOC 3 (operational controls)
- Service organizations: Service organizations that want to display something on their websites for marketing purposes, where detail is not needed.
- Customer need: As for SOC 2, but at a summary level.

Overview and Comparison of SOC Reporting Options (cont.)

When appropriate:
- SSAE16 SOC 1: Annually, and if the transactions are material to the customer's financial statements.
- SOC 2: Annually, or when the services provided are changed.
- SOC 3: When the service organization feels it provides them with an advantage.

Executing the Engagement
The service auditor can assist in any or all of the phases; typically, the progression is as follows:
- Phase 1 (Readiness): An assessment is done to determine readiness, including identification of key customers. A health check on the vendor's control environment is also done during this phase.
- Phase 2 (Remediation): Management performs activities to rectify the control weaknesses identified in Phase 1.
- Phase 3 (SOC 2+ Assessment): The service auditor performs a SOC 2 assessment and expresses an opinion on the vendor's control environment.

Value Proposition of SSAE16 / SOC Reporting
- Provides a competitive advantage and differentiator to prospective clients by demonstrating confidence in the establishment of control objectives and effective control activities.
- Builds trust and transparency with your user organizations (i.e., customers). You want your clients to say: "You're good stewards of effective governance over the key risks that impact my business."
- Without a current auditor's report, an organization may have to entertain multiple audit requests from its customers and their respective auditors.
- Very often the process results in the identification of opportunities for improvement in many operational areas.

Value Proposition Specific to SOC 2 and SOC 3 Reports
- Communicates the service organization's control environment to a broader group of customers and stakeholders than is allowed for a SOC 1 report.
- Allows the service organization to benchmark its internal controls against published principles and criteria from a recognized standards organization.
- Provides customers with a high level of comfort as to the security, privacy and confidentiality of their data, and the availability and processing integrity of the services provided under their SLAs.
- A logo from the AICPA can be added to the service organization's website to communicate to visitors that the service organization has undergone a SOC 2 audit of whether its internal controls are properly designed, implemented and operating effectively.

SOC Considerations for Your Vendor Management Program
- Ask for the right report.
- Review the scope and the review period.
- Review the Independent Service Auditor's Report (aka "The Opinion").
- Read the Description of the System.
- Review Section 4: Control Objectives / Principles & Criteria, Controls, and Test Procedures.
- Evaluate the complementary user entity controls against the controls within your environment.
- Be skeptical: do not rely only on the SOC report.

Three Lines of Defense
The Three Lines of Defense model drives the governance structure and gives clarity of roles and responsibilities. Oversight sits with the Board of Directors / Audit Committee and Senior Management, with the External Auditor / Regulator outside the organization.
- 1st Line of Defense: Administration controls, internal control measures
- 2nd Line of Defense: Financial control, security, risk management, quality, legal, compliance
- 3rd Line of Defense: Assurance and validation by Internal Audit

Thank You!
Jerry Ravi, Partner, Eisner Amper LLP, 111 Wood Avenue South, Iselin, NJ (732)
Derek Danilson, Senior Manager, Smart Devine, 1600 Market Street, 32nd Floor, Philadelphia, PA


APPLICATION OF KING III CORPORATE GOVERNANCE PRINCIPLES 2014

APPLICATION OF KING III CORPORATE GOVERNANCE PRINCIPLES 2014 WOOLWORTHS HOLDINGS LIMITED CORPORATE GOVERNANCE PRINCIPLES 2014 CORPORATE GOVERNANCE PRINCIPLES 2014 CORPORATE GOVERNANCE PRINCIPLES 2014 This table is a useful reference to each of the King III principles

More information

Cloud Computing An Auditor s Perspective

Cloud Computing An Auditor s Perspective Cloud Computing An Auditor s Perspective Sailesh Gadia, CPA, CISA, CIPP sgadia@kpmg.com December 9, 2010 Discussion Agenda Introduction to cloud computing Types of cloud services Benefits, challenges,

More information

Guidance Note: Corporate Governance - Board of Directors. March 2015. Ce document est aussi disponible en français.

Guidance Note: Corporate Governance - Board of Directors. March 2015. Ce document est aussi disponible en français. Guidance Note: Corporate Governance - Board of Directors March 2015 Ce document est aussi disponible en français. Applicability The Guidance Note: Corporate Governance - Board of Directors (the Guidance

More information

SECURITY RISK MANAGEMENT

SECURITY RISK MANAGEMENT SECURITY RISK MANAGEMENT ISACA Atlanta Chapter, Geek Week August 20, 2013 Scott Ritchie, Manager, HA&W Information Assurance Services Scott Ritchie CISSP, CISA, PCI QSA, ISO 27001 Auditor Manager, HA&W

More information

ASAE s Job Task Analysis Strategic Level Competencies

ASAE s Job Task Analysis Strategic Level Competencies ASAE s Job Task Analysis Strategic Level Competencies During 2013, ASAE funded an extensive, psychometrically valid study to document the competencies essential to the practice of association management

More information

Vendor Risk Management in the New Regulatory Environment. kpmg.com

Vendor Risk Management in the New Regulatory Environment. kpmg.com Vendor Risk Management in the New Regulatory Environment kpmg.com Vendor Risk Management in the New Regulatory Environment 2 Vendor Risk Management in the New Regulatory Environment Background Regulators

More information

3 rd -party Security Risk Assessment

3 rd -party Security Risk Assessment 3 rd -party Security Risk Assessment Understanding Supplier Chain Risks. Presented by: Nasser Fattah CISSP, CISM, CISA, CGEIT Email: nasser.fattah@gmail.com Linkedin: www.linkedin.com/in/nasserfattah April

More information

February 2015. Audit committee performance evaluation

February 2015. Audit committee performance evaluation February 2015 Audit committee performance evaluation Audit committee performance evaluation The following questionnaire is based on emerging and leading practices to assist in the self-assessment of an

More information

SOC Readiness Assessments. SOC Report - Type 1. SOC Report - Type 2. Building Trust and Confidence in Third-Party Relationships

SOC Readiness Assessments. SOC Report - Type 1. SOC Report - Type 2. Building Trust and Confidence in Third-Party Relationships Building Trust and Confidence in Third-Party Relationships Today s businesses rely heavily on outsourcing certain business tasks or functions to service organizations, even those that are core to their

More information

Third-Party Risk Management for Life Sciences Companies

Third-Party Risk Management for Life Sciences Companies April 2016 Third-Party Risk Management for Life Sciences Companies Five Leading Practices for Data Protection By Mindy Herman, PMP, and Michael Lucas, CISSP Audit Tax Advisory Risk Performance Crowe Horwath

More information

Cloud Assurance: Ensuring Security and Compliance for your IT Environment

Cloud Assurance: Ensuring Security and Compliance for your IT Environment Cloud Assurance: Ensuring Security and Compliance for your IT Environment A large global enterprise has to deal with all sorts of potential threats: advanced persistent threats (APTs), phishing, malware

More information

The Elephant in the Room: What s the Buzz Around Cloud Computing?

The Elephant in the Room: What s the Buzz Around Cloud Computing? The Elephant in the Room: What s the Buzz Around Cloud Computing? Warren W. Stippich, Jr. Partner and National Governance, Risk and Compliance Solution Leader Business Advisory Services Grant Thornton

More information

Past vs. Present: Third Party Risk

Past vs. Present: Third Party Risk Past vs. Present: Third Party Risk Kevin O Sullivan and Hicham Chahine 3 rd Party Risk, Crowe Horwath LLP April 30th, 2015 Agenda Drivers pushing Third Party Risk Past vs. Present Events and Trends Vendor

More information

Growing Vendor Management

Growing Vendor Management V E N D O R M A N A G E M E N T P R O F I L E S E R I E S A Wh it e Pap e r by Ve n d or I NS I G HT an d C MPG, L L C Growing Vendor Management as a Sustainable Business Process with Automated Vendor

More information

OFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT

OFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT County of San Diego Auditor and Controller OFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT Chief of Audits: Juan R. Perez Audit Manager: Lynne Prizzia, CISA, CRISC Senior Auditor:

More information

B o a r d of Governors of the Federal Reserve System. Supplemental Policy Statement on the. Internal Audit Function and Its Outsourcing

B o a r d of Governors of the Federal Reserve System. Supplemental Policy Statement on the. Internal Audit Function and Its Outsourcing B o a r d of Governors of the Federal Reserve System Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing January 23, 2013 P U R P O S E This policy statement is being issued

More information

Customer-Facing Information Security Policy

Customer-Facing Information Security Policy Customer-Facing Information Security Policy Global Security Office (GSO) Version 2.6 Last Updated: 03/23/2015 Symantec Corporation Table of Contents Compliance Framework... 1 High-Level Information Security

More information

SATURDAY, FEBRUARY 28, 2015 CLE 10 (Ethics) 9:30 a.m. 10:30 a.m. Moving to the Cloud - Identifying & Managing Legal, Ethical and Compliance Risks

SATURDAY, FEBRUARY 28, 2015 CLE 10 (Ethics) 9:30 a.m. 10:30 a.m. Moving to the Cloud - Identifying & Managing Legal, Ethical and Compliance Risks SATURDAY, FEBRUARY 28, 2015 CLE 10 (Ethics) 9:30 a.m. 10:30 a.m. Moving to the Cloud - Identifying & Managing Legal, Ethical and Compliance Risks Moving to the Cloud - Identifying & Managing Legal, Ethical

More information

Competency Requirements for Executive Director Candidates

Competency Requirements for Executive Director Candidates Competency Requirements for Executive Director Candidates There are nine (9) domains of competency for association executives, based on research conducted by the American Society for Association Executives

More information

Morgan Stanley. Policy for the Management of Third Party Residential Mortgage Servicing Providers

Morgan Stanley. Policy for the Management of Third Party Residential Mortgage Servicing Providers Morgan Stanley Policy for the Management of Third Party Residential Mortgage Servicing Providers Title Policy for the Management of Third Party Residential Mortgage Servicing Providers Effective Date Owner

More information

END TO END DATA CENTRE SOLUTIONS COMPANY PROFILE

END TO END DATA CENTRE SOLUTIONS COMPANY PROFILE END TO END DATA CENTRE SOLUTIONS COMPANY PROFILE About M 2 TD M2 TD is a wholly black Owned IT Consulting Business. M 2 TD is a provider of data center consulting and managed services. In a rapidly changing

More information

IT Governance. What is it and how to audit it. 21 April 2009

IT Governance. What is it and how to audit it. 21 April 2009 What is it and how to audit it 21 April 2009 Agenda Can you define What are the key objectives of How should be structured Roles and responsibilities Key challenges and barriers Auditing Scope Test procedures

More information

APPLICATION OF THE KING III REPORT ON CORPORATE GOVERNANCE PRINCIPLES

APPLICATION OF THE KING III REPORT ON CORPORATE GOVERNANCE PRINCIPLES APPLICATION OF THE KING III REPORT ON CORPORATE GOVERNANCE PRINCIPLES Ethical Leadership and Corporate Citizenship The board should provide effective leadership based on ethical foundation. that the company

More information

Domain 1 The Process of Auditing Information Systems

Domain 1 The Process of Auditing Information Systems Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge

More information

Helping Midsize Businesses Grow Through HR Technology

Helping Midsize Businesses Grow Through HR Technology Helping Midsize Businesses Grow Through HR Technology As a business grows, the goal of streamlining operations is increasingly important. By maximizing efficiencies across the board, employee by employee,

More information

Information Security Management System for Microsoft s Cloud Infrastructure

Information Security Management System for Microsoft s Cloud Infrastructure Information Security Management System for Microsoft s Cloud Infrastructure Online Services Security and Compliance Executive summary Contents Executive summary 1 Information Security Management System

More information

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES TECHNICAL COMMITTEE OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS FEBRUARY 2005 Preamble The IOSCO Technical Committee

More information

APES GN 30 Outsourced Services

APES GN 30 Outsourced Services APES GN 30 Outsourced Services Prepared and issued by Accounting Professional & Ethical Standards Board Limited ISSUED: March 2013 Copyright 2013 Accounting Professional & Ethical Standards Board Limited

More information

Cloud Vendor Evaluation

Cloud Vendor Evaluation Cloud Vendor Evaluation Checklist Life Sciences in the Cloud Cloud Vendor Evaluation Checklist What to evaluate when choosing a cloud vendor in Life Sciences Cloud computing is radically changing business

More information

Law Firm Outsourcing. Bradley S. Christmas Akin Gump Strauss Hauer & Feld LLP and Brad L. Peterson Mayer, Brown, Rowe & Maw

Law Firm Outsourcing. Bradley S. Christmas Akin Gump Strauss Hauer & Feld LLP and Brad L. Peterson Mayer, Brown, Rowe & Maw Law Firm Outsourcing Bradley S. Christmas Akin Gump Strauss Hauer & Feld LLP and Brad L. Peterson Mayer, Brown, Rowe & Maw August 24, 2006 0 Today s Agenda Outsourcing Overview Advantages and disadvantages

More information

Service Measurement Index Framework Version 2.1

Service Measurement Index Framework Version 2.1 Service Measurement Index Framework Version 2.1 July 2014 CSMIC Carnegie Mellon University Silicon Valley Moffett Field, CA USA Introducing the Service Measurement Index (SMI) The Service Measurement Index

More information

VENDOR MANAGEMENT. General Overview

VENDOR MANAGEMENT. General Overview VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor

More information

IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices

IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices IT audit updates Current hot topics and key considerations Contents IT risk assessment leading practices IT risks to consider in your audit plan IT SOX considerations and risks COSO 2013 and IT considerations

More information

SABPP IT GOVERNANCE COMMITTEE TERMS OF REFERENCE

SABPP IT GOVERNANCE COMMITTEE TERMS OF REFERENCE SABPP IT GOVERNANCE COMMITTEE TERMS OF REFERENCE PREAMBLE The purpose of the IT Governance Committee is to ensure that IT is effectively governed at SABPP in accordance with the King III Code of Governance

More information

BCM and DRP - RFP Template

BCM and DRP - RFP Template BCM and DRP - The Supreme Council of Information & Communication Technology ictqatar PUBLICATION DATE Document Reference This document should be used as an example of the contents of an RFP for business

More information

Contract and Vendor Management Guide

Contract and Vendor Management Guide Contents 1. Guidelines for managing contracts and vendors... 2 1.1. Purpose and scope... 2 1.2. Introduction... 2 2. Contract and Vendor Management 2.1. Levels of management/segmentation... 3 2.2. Supplier

More information

Working with Vendors Finding the right partners and nurturing the relationship. by John Casey

Working with Vendors Finding the right partners and nurturing the relationship. by John Casey The Expert Series is a collection of articles, papers and writings by PM Solutions associates and other industry experts that provides insight into the practice and value of project management. Working

More information

Prudential Practice Guide

Prudential Practice Guide Prudential Practice Guide SPG 220 Risk Management July 2013 www.apra.gov.au Australian Prudential Regulation Authority Disclaimer and copyright This prudential practice guide is not legal advice and users

More information

e-colt Services Recruitment Process Outsourcing (RPO)

e-colt Services Recruitment Process Outsourcing (RPO) e-colt Services Recruitment Process Outsourcing (RPO) Introduction Recruitment Process Outsourcing (RPO) offers executives a potential competitive advantage in the marketplace as it provides organizations

More information

CORL Dodging Breaches from Dodgy Vendors

CORL Dodging Breaches from Dodgy Vendors CORL Dodging Breaches from Dodgy Vendors Tackling Vendor Security Risk Management in Healthcare Introductions Cliff Baker 20 Years of Healthcare Security experience PricewaterhouseCoopers, HITRUST, Meditology

More information

Auxilion Service Desk as a Service. Service Desk as a Service. Date January 2015. www.auxilion.com Commercial in Confidence Auxilion 2015 Page 1

Auxilion Service Desk as a Service. Service Desk as a Service. Date January 2015. www.auxilion.com Commercial in Confidence Auxilion 2015 Page 1 Title Service Desk as a Service Date January 2015 www.auxilion.com Commercial in Confidence Auxilion 2015 Page 1 1. Disclaimer All information contained in this document is provided in confidence to the

More information

OPERATIONAL RISK RISK ASSESSMENT

OPERATIONAL RISK RISK ASSESSMENT OPERATIONAL RISK RISK ASSESSMENT 1 OVERVIEW Inherent Risk Risk Management Composite or Net Residual Risk Trend 2 INHERENT RISK Definition Sources Identification Quantification 3 Definition OPERATIONAL

More information

Risky Business. Is Your Cybersecurity in Cruise Control? ISACA Austin Chapter Meeting May 5, 2015

Risky Business. Is Your Cybersecurity in Cruise Control? ISACA Austin Chapter Meeting May 5, 2015 Risky Business Is Your Cybersecurity in Cruise Control? ISACA Austin Chapter Meeting May 5, 2015 What We ll Cover About Me Background The threat Risks to your organization What your organization can/should

More information

Part A OVERVIEW...1. 1. Introduction...1. 2. Applicability...2. 3. Legal Provision...2. Part B SOUND DATA MANAGEMENT AND MIS PRACTICES...

Part A OVERVIEW...1. 1. Introduction...1. 2. Applicability...2. 3. Legal Provision...2. Part B SOUND DATA MANAGEMENT AND MIS PRACTICES... Part A OVERVIEW...1 1. Introduction...1 2. Applicability...2 3. Legal Provision...2 Part B SOUND DATA MANAGEMENT AND MIS PRACTICES...3 4. Guiding Principles...3 Part C IMPLEMENTATION...13 5. Implementation

More information

Any business relationship between a bank and another entity, by contract or otherwise

Any business relationship between a bank and another entity, by contract or otherwise An Overview for Bank Directors Managing the Third Party Relationship Patrick Neuman Boardman & Clark LLP Madison, Wisconsin Any business relationship between a bank and another entity, by contract or otherwise

More information

Health information privacy and security. Norton Rose Fulbright US LLP October 6, 2015

Health information privacy and security. Norton Rose Fulbright US LLP October 6, 2015 Health information privacy and security Norton Rose Fulbright US LLP October 6, 2015 Speaker Mark Faccenda Mark Faccenda is a Partner in the Washington, D.C. office. As part of Norton Rose Fulbright's

More information

Remittance Processing Disaster Recovery Are You Prepared? Michael Lindsey SVP 3 Point Alliance Jon Gage Product Manager Cloud Processing Creditron

Remittance Processing Disaster Recovery Are You Prepared? Michael Lindsey SVP 3 Point Alliance Jon Gage Product Manager Cloud Processing Creditron Remittance Processing Disaster Recovery Are You Prepared? Michael Lindsey SVP 3 Point Alliance Jon Gage Product Manager Cloud Processing Creditron AGENDA Risk Analysis Best Practices our Top Ten list A

More information

How To Be A Successful Compliance Officer

How To Be A Successful Compliance Officer : A Pragmatic Approach to SOC2 and PCI compliance The Cadence Group is a professional services firm specializing in financial and IT compliance and risk management services. Our value proposition includes:

More information