3 rd Party Vendor Risk Management
- Susan Taylor
- 8 years ago
3rd Party Vendor Risk Management
Session 402, Tuesday, June 9, 2015 (11am to 12pm)
Session Objectives
- The need for enhanced reporting on vendor risk management
- Current outsourcing environment
- Key risks faced by vendors and customers from outsourcing arrangements
- Why the current approach to achieving assurance over vendor operations is no longer sufficient
- Practical approach to a vendor risk management program
- A better solution on controls assurance
- What are the components of an SSAE 16 (SOC 1) or SOC 2 assurance report?
- What's next: determining what's the right fit for your company
Current Outsourcing Environment
Today's service-based economy has put third party vendors front and center.
- Advantages of outsourcing: reduce costs and increase business agility. By using vendors' data hosting, cloud, and business-process services, companies can redirect in-house resources back to the business and focus on core competencies.
- Employing third party vendors opens a company up to additional risks, ranging from data errors to supply chain disruptions.
- 4th party vendor risks: the vendor's own supplier relationships, which are invisible to the end client and create additional risk exposures.
Current Outsourcing Environment (cont.)
- Vendors are experiencing more stringent oversight from customers
- Increasing requests for on-site audits and other assessments
- Increased time required to oversee outsourced arrangements
- Regulators are casting a watchful eye on vendors and their customers, driving the need for a more effective and efficient way of providing assurance over vendor operations
Key risks faced by vendors and customers from outsourcing arrangements
- Strategic risks
- Social, ethical and environmental risks
- Continuity risks
- Financial risks
- Operational risks
Vendor Risk Management Lifecycle
In choosing to outsource components of their business to a third party service provider, risk needs to be considered throughout the process:
- Planning: identifying business requirements
- Selection: RFP process, due diligence during evaluation
- Contract: clarity, SLAs, right to audit, problem resolution
- Monitoring: relationship owner, metrics for SLAs, review of performance
- Termination: contingency plans, transition, loss of data
Planning
A good plan prior to beginning the RFP and vendor selection process will help to mitigate many third party risks.
- Risk identification: who is impacted? What will have to change (people, process, technology)?
- Cost-benefit analysis: goes beyond the savings of outsourcing vs. insourcing; it needs to include the costs to control the risks (direct and indirect)
- Process to select, assess, and monitor the vendor
- Appropriate approval based on the activity being outsourced
Selection
Due diligence during the vendor selection process is critical to managing third party risks.
- Evaluate company stability: financial condition; business experience and reputation; qualifications and backgrounds of company principals
- Evaluate the solution: information systems and processes; information security; resilience (disaster recovery, business continuity, insurance); risk management; standards and certifications; independent assessments of controls (SOC reports)
The Contract
Everything in the vendor relationship comes back to the contract. Companies need to make sure all of the appropriate provisions are in their agreements.
- Legal processes and requirements: contract approval and legal entity descriptions; intellectual property ownership; complete and explicit terms for contract termination
- Scope: clear delineation of responsibilities; detailed description of services to be provided; out-of-scope services; contract term and renewal dates
The Contract (cont.)
- Service level agreements: how to measure adherence to SLAs (metrics); include both qualitative and quantitative metrics; evaluate the SLAs to ensure they reflect your business requirements
- Payments: defined payment schedule; how variable costs are calculated and supported; chargebacks due to service issues
- Problem resolution: process and responsibilities need to be clearly defined; tie the process (and response) to performance evaluation
The Contract (cont.)
- Performance reporting: content, distribution, and frequency; penalties for nonperformance, rewards for performance
- Security: clearly defined information and security access requirements; nondisclosure and confidentiality agreements
- Right-to-audit: not only the right to audit, but also the ability to monitor performance and require remediation when issues are identified; accessibility to perform audit procedures; access to the vendor's audit reports while reserving the right to conduct your own audits
Monitoring
Outsourcing is not a turn-key solution; it requires ongoing monitoring to ensure risks are mitigated for the duration of the vendor relationship.
- Assignment of responsibility: who is managing the relationship?
- Ongoing performance measurement against SLAs, using both vendor-reported and independent measures (where possible)
- Escalation and communication when issues are identified
- Formal review process: not only operational, but should include a refresh of the due diligence steps
Termination
Things change, and sometimes a company will need to transition vendors or bring activities in-house.
- Create a detailed termination / transition plan with enough time and resources allocated.
- Address data retention and destruction and other technology-related issues.
- Decide how joint intellectual property developed during the course of the arrangement will be handled.
- Consider the reputation risk to the company if the termination happens as a result of the vendor's inability to meet expectations.
Why the current approach to achieving assurance over vendor operations is no longer sufficient
- Many vendors are receiving multiple and varied questionnaires from a significant number of customers, which may result in an inconsistent level of quality in their responses.
- Vendors are finding themselves investing additional time and resources to meet the demand.
- Some vendors have tried using SOC (Service Organization Controls) 1 or 2 reports to respond to questionnaires.
- On-site assessments performed by customers are also deficient because they are performed at a specific point in time and fail to provide an overall view of a vendor's operations or environment.
- Vendors are seeking a way to take control of this challenging situation.
A Better Solution on Controls Assurance
The SOC audit report is built upon the AICPA's SOC reporting principles. It allows an independent, standardized assessment to be performed over vendor operations and can replace much of the time-consuming and costly vendor questionnaire process. The report format makes it easy for both vendors and their customers to digest. The report provides the necessary level of assurance and can help restore a customer's confidence in vendor processes, which in turn increases customer satisfaction and preserves valuable vendor/customer relationships.
A Better Solution on Controls Assurance (cont.)
Benefits to vendors include:
- Reduced time and money spent on resources dedicated to the vendor questionnaire process
- More time to proactively address risks and deliver value to customers
- A decrease in the number of on-site audits
- Enhanced vendor marketability, as the report can be used to differentiate a vendor from its peers
- A greater understanding of expectations and what vendors are being measured against, regardless of the customer
Benefits to customers include:
- A greater level of assurance over vendors' operations (positive assurance)
- Savings associated with the reduction in the need to perform on-site visits
- Savings associated with not having to create questionnaires, or having to evaluate inconsistent reports with varying criteria from vendors
Determining whether a SOC report is the right fit for your company
For vendors:
- How many customers ask you to complete their vendor risk annual questionnaires?
- How much time, effort, and cost is put into answering vendor risk annual questionnaires?
- Do your customers obtain the required comfort from the questionnaire responses and/or from other control reports provided (such as SOC 1 and 2 reports), or are there gaps in coverage?
- Do you have on-site audits performed by customers, impacting your resource time and availability?
- How much internal time do you spend on managing vendor risk management processes relating to satisfying your customer inquiries/questionnaires and/or on-site audits?
For customers:
- Are you receiving adequate comfort over the management of key risks from your vendors?
- Are you obtaining sufficient comfort from completed vendor questionnaires?
- How much time, effort, and cost are you spending on developing vendor questionnaires and following up on remediation activity?
- Are on-site audits costing you unnecessary time and effort, and only providing comfort to you at a point in time?
Planning and Scoping Considerations
- Identify the existing services, systems and/or processes that you are interested in having audited.
- Does your organization process transactions on behalf of its customers (SOC 1)?
- Which principles are most likely to be of interest and concern to your customers (SOC 2/SOC 3)?
- Who will be the users of the report?
- Assess what, if any, specific audit reports are required by your customer contracts, and whether contracts have right-to-audit clauses.
- Do your organization's services, systems and/or processes impact the financial reporting controls of its clients? If so, how, and which financial statement accounts?
- Is there a need to include any products or services provided by outsourcing or co-sourcing partners in the scope of the audit?
- Determine the type of report to be provided and the period covered.
SOC Report Overview and Comparison

SOC 1 (SSAE 16): internal control over financial reporting
- Focus: controls relevant to financial reporting. Most applicable when the service provider performs financial transaction processing or supports transaction processing systems.
- Report users: detailed report for the user organization's accounting/finance office and user auditors.
- Service organizations: service providers touching financial data, such as payroll providers, trust companies, healthcare claims processors, payment processors and third party administrators.
- Customer need: financial statement audits; concern over the entry, processing and reporting controls in place for financial processing.
- When appropriate: annually, and if the transactions are material to the customer's financial statements.

SOC 2: operational controls
- Focus: concerns regarding security, availability, processing integrity, confidentiality or privacy. Applicable to a variety of systems.
- Report users: detailed report for management, regulators, auditors and others.
- Service organizations: heavily geared toward technology companies, such as data centers, managed service providers, cloud collaboration, Software as a Service (SaaS) entities and statement printers.
- Customer need: ERM, internal audit programs, oversight and due diligence; concern over the security, integrity and confidentiality of data handled.
- When appropriate: annually, or when the services provided are changed.

SOC 3: operational controls
- Focus: the same principles as SOC 2 (security, availability, processing integrity, confidentiality or privacy).
- Report users: web site seal and easy-to-read report for the general public, or any users with a need for confidence in the service organization's controls.
- Service organizations: service organizations that want to display something on their websites for marketing purposes, where detail is not needed.
- Customer need: as for SOC 2 (oversight and due diligence), where the detailed test results are not needed.
- When appropriate: when the service organization feels it provides them with an advantage.
Executing the Engagement
The service auditor can assist in any or all of the phases. Typically, the progression is as follows:
- Phase 1 (Readiness): an assessment is done to determine readiness, including key customer identification. A health check on the vendor's control environment is also done during this phase.
- Phase 2 (Remediation): management performs activities to rectify the control weaknesses identified in phase 1.
- Phase 3 (SOC 2+ Assessment): the service auditor performs a SOC 2 assessment and expresses an opinion on the vendor's control environment.
Value Proposition of SSAE 16 / SOC Reporting
- Provides a competitive advantage and differentiator to prospective clients by demonstrating confidence in the establishment of control objectives and effective control activities.
- Builds trust and transparency with your user organizations (i.e., customers). You want your clients to say: "You're good stewards of effective governance over key risks that impact my business."
- Without a current auditor's report, an organization may have to entertain multiple audit requests from its customers and their respective auditors.
- Very often this process results in the identification of opportunities for improvement in many operational areas.
Value Proposition Specific to SOC 2 and SOC 3 Reports
- Provides communication of the service organization's control environment to a broader group of customers and stakeholders than is allowed for a SOC 1 report.
- Allows the service organization to benchmark its internal controls against published principles and criteria from a recognized standards organization.
- Provides customers with a high level of comfort as to the security, privacy and confidentiality of their data and the availability and processing integrity of the services provided under their SLAs.
- A logo from the AICPA can be added to the service organization's website to communicate to visitors that the service organization has undergone a SOC 2 audit of whether its internal controls are properly designed, implemented and operating effectively.
SOC Considerations for Your Vendor Management Program
- Ask for the right report (SOC 1 vs. SOC 2, and Type 1 vs. Type 2: a Type 1 report covers control design at a point in time, a Type 2 report also tests operating effectiveness over a period).
- Review the scope and review period; confirm that the services you actually consume are in scope and that the period covers the window you are relying on.
- Review the Independent Service Auditor's Report (aka "The Opinion"), including any qualification of the opinion.
- Read the Description of the System, noting any subservice organizations carved out of the report (your 4th parties).
- Review Section 4: control objectives / principles and criteria, controls, and test procedures, including any exceptions noted in testing.
- Evaluate the complementary user entity controls against the controls within your environment; the auditor's opinion assumes that you operate them.
- Be skeptical: do not rely only on the SOC report.
Three Lines of Defense
A three lines of defense model drives the governance structure and gives clarity of roles and responsibilities. Senior management and the Board of Directors / Audit Committee oversee all three lines.
- 1st line of defense: administration controls and internal control measures (the business functions that own the risk)
- 2nd line of defense: financial control, security, risk management, quality, legal, compliance
- 3rd line of defense: assurance and validation by internal audit
- External auditor / regulator: assurance from outside the organization
Thank You!
Jerry Ravi, Partner, EisnerAmper LLP, 111 Wood Avenue South, Iselin, NJ, (732)
Derek Danilson, Senior Manager, Smart Devine, 1600 Market Street, 32nd Floor, Philadelphia, PA
Please complete the session evaluation form on the conference app.
County of San Diego Auditor and Controller OFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT Chief of Audits: Juan R. Perez Audit Manager: Lynne Prizzia, CISA, CRISC Senior Auditor:
More informationB o a r d of Governors of the Federal Reserve System. Supplemental Policy Statement on the. Internal Audit Function and Its Outsourcing
B o a r d of Governors of the Federal Reserve System Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing January 23, 2013 P U R P O S E This policy statement is being issued
More informationCustomer-Facing Information Security Policy
Customer-Facing Information Security Policy Global Security Office (GSO) Version 2.6 Last Updated: 03/23/2015 Symantec Corporation Table of Contents Compliance Framework... 1 High-Level Information Security
More informationSATURDAY, FEBRUARY 28, 2015 CLE 10 (Ethics) 9:30 a.m. 10:30 a.m. Moving to the Cloud - Identifying & Managing Legal, Ethical and Compliance Risks
SATURDAY, FEBRUARY 28, 2015 CLE 10 (Ethics) 9:30 a.m. 10:30 a.m. Moving to the Cloud - Identifying & Managing Legal, Ethical and Compliance Risks Moving to the Cloud - Identifying & Managing Legal, Ethical
More informationCompetency Requirements for Executive Director Candidates
Competency Requirements for Executive Director Candidates There are nine (9) domains of competency for association executives, based on research conducted by the American Society for Association Executives
More informationMorgan Stanley. Policy for the Management of Third Party Residential Mortgage Servicing Providers
Morgan Stanley Policy for the Management of Third Party Residential Mortgage Servicing Providers Title Policy for the Management of Third Party Residential Mortgage Servicing Providers Effective Date Owner
More informationEND TO END DATA CENTRE SOLUTIONS COMPANY PROFILE
END TO END DATA CENTRE SOLUTIONS COMPANY PROFILE About M 2 TD M2 TD is a wholly black Owned IT Consulting Business. M 2 TD is a provider of data center consulting and managed services. In a rapidly changing
More informationIT Governance. What is it and how to audit it. 21 April 2009
What is it and how to audit it 21 April 2009 Agenda Can you define What are the key objectives of How should be structured Roles and responsibilities Key challenges and barriers Auditing Scope Test procedures
More informationAPPLICATION OF THE KING III REPORT ON CORPORATE GOVERNANCE PRINCIPLES
APPLICATION OF THE KING III REPORT ON CORPORATE GOVERNANCE PRINCIPLES Ethical Leadership and Corporate Citizenship The board should provide effective leadership based on ethical foundation. that the company
More informationDomain 1 The Process of Auditing Information Systems
Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge
More informationHelping Midsize Businesses Grow Through HR Technology
Helping Midsize Businesses Grow Through HR Technology As a business grows, the goal of streamlining operations is increasingly important. By maximizing efficiencies across the board, employee by employee,
More informationInformation Security Management System for Microsoft s Cloud Infrastructure
Information Security Management System for Microsoft s Cloud Infrastructure Online Services Security and Compliance Executive summary Contents Executive summary 1 Information Security Management System
More informationPRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES
PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES TECHNICAL COMMITTEE OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS FEBRUARY 2005 Preamble The IOSCO Technical Committee
More informationAPES GN 30 Outsourced Services
APES GN 30 Outsourced Services Prepared and issued by Accounting Professional & Ethical Standards Board Limited ISSUED: March 2013 Copyright 2013 Accounting Professional & Ethical Standards Board Limited
More informationCloud Vendor Evaluation
Cloud Vendor Evaluation Checklist Life Sciences in the Cloud Cloud Vendor Evaluation Checklist What to evaluate when choosing a cloud vendor in Life Sciences Cloud computing is radically changing business
More informationLaw Firm Outsourcing. Bradley S. Christmas Akin Gump Strauss Hauer & Feld LLP and Brad L. Peterson Mayer, Brown, Rowe & Maw
Law Firm Outsourcing Bradley S. Christmas Akin Gump Strauss Hauer & Feld LLP and Brad L. Peterson Mayer, Brown, Rowe & Maw August 24, 2006 0 Today s Agenda Outsourcing Overview Advantages and disadvantages
More informationService Measurement Index Framework Version 2.1
Service Measurement Index Framework Version 2.1 July 2014 CSMIC Carnegie Mellon University Silicon Valley Moffett Field, CA USA Introducing the Service Measurement Index (SMI) The Service Measurement Index
More informationVENDOR MANAGEMENT. General Overview
VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor
More informationIT audit updates. Current hot topics and key considerations. IT risk assessment leading practices
IT audit updates Current hot topics and key considerations Contents IT risk assessment leading practices IT risks to consider in your audit plan IT SOX considerations and risks COSO 2013 and IT considerations
More informationSABPP IT GOVERNANCE COMMITTEE TERMS OF REFERENCE
SABPP IT GOVERNANCE COMMITTEE TERMS OF REFERENCE PREAMBLE The purpose of the IT Governance Committee is to ensure that IT is effectively governed at SABPP in accordance with the King III Code of Governance
More informationBCM and DRP - RFP Template
BCM and DRP - The Supreme Council of Information & Communication Technology ictqatar PUBLICATION DATE Document Reference This document should be used as an example of the contents of an RFP for business
More informationContract and Vendor Management Guide
Contents 1. Guidelines for managing contracts and vendors... 2 1.1. Purpose and scope... 2 1.2. Introduction... 2 2. Contract and Vendor Management 2.1. Levels of management/segmentation... 3 2.2. Supplier
More informationWorking with Vendors Finding the right partners and nurturing the relationship. by John Casey
The Expert Series is a collection of articles, papers and writings by PM Solutions associates and other industry experts that provides insight into the practice and value of project management. Working
More informationPrudential Practice Guide
Prudential Practice Guide SPG 220 Risk Management July 2013 www.apra.gov.au Australian Prudential Regulation Authority Disclaimer and copyright This prudential practice guide is not legal advice and users
More informatione-colt Services Recruitment Process Outsourcing (RPO)
e-colt Services Recruitment Process Outsourcing (RPO) Introduction Recruitment Process Outsourcing (RPO) offers executives a potential competitive advantage in the marketplace as it provides organizations
More informationCORL Dodging Breaches from Dodgy Vendors
CORL Dodging Breaches from Dodgy Vendors Tackling Vendor Security Risk Management in Healthcare Introductions Cliff Baker 20 Years of Healthcare Security experience PricewaterhouseCoopers, HITRUST, Meditology
More informationAuxilion Service Desk as a Service. Service Desk as a Service. Date January 2015. www.auxilion.com Commercial in Confidence Auxilion 2015 Page 1
Title Service Desk as a Service Date January 2015 www.auxilion.com Commercial in Confidence Auxilion 2015 Page 1 1. Disclaimer All information contained in this document is provided in confidence to the
More informationOPERATIONAL RISK RISK ASSESSMENT
OPERATIONAL RISK RISK ASSESSMENT 1 OVERVIEW Inherent Risk Risk Management Composite or Net Residual Risk Trend 2 INHERENT RISK Definition Sources Identification Quantification 3 Definition OPERATIONAL
More informationRisky Business. Is Your Cybersecurity in Cruise Control? ISACA Austin Chapter Meeting May 5, 2015
Risky Business Is Your Cybersecurity in Cruise Control? ISACA Austin Chapter Meeting May 5, 2015 What We ll Cover About Me Background The threat Risks to your organization What your organization can/should
More informationPart A OVERVIEW...1. 1. Introduction...1. 2. Applicability...2. 3. Legal Provision...2. Part B SOUND DATA MANAGEMENT AND MIS PRACTICES...
Part A OVERVIEW...1 1. Introduction...1 2. Applicability...2 3. Legal Provision...2 Part B SOUND DATA MANAGEMENT AND MIS PRACTICES...3 4. Guiding Principles...3 Part C IMPLEMENTATION...13 5. Implementation
More informationAny business relationship between a bank and another entity, by contract or otherwise
An Overview for Bank Directors Managing the Third Party Relationship Patrick Neuman Boardman & Clark LLP Madison, Wisconsin Any business relationship between a bank and another entity, by contract or otherwise
More informationHealth information privacy and security. Norton Rose Fulbright US LLP October 6, 2015
Health information privacy and security Norton Rose Fulbright US LLP October 6, 2015 Speaker Mark Faccenda Mark Faccenda is a Partner in the Washington, D.C. office. As part of Norton Rose Fulbright's
More informationRemittance Processing Disaster Recovery Are You Prepared? Michael Lindsey SVP 3 Point Alliance Jon Gage Product Manager Cloud Processing Creditron
Remittance Processing Disaster Recovery Are You Prepared? Michael Lindsey SVP 3 Point Alliance Jon Gage Product Manager Cloud Processing Creditron AGENDA Risk Analysis Best Practices our Top Ten list A
More informationHow To Be A Successful Compliance Officer
: A Pragmatic Approach to SOC2 and PCI compliance The Cadence Group is a professional services firm specializing in financial and IT compliance and risk management services. Our value proposition includes:
More information