
Out with the old SAS 70 and in with the new SSAE 16
Although not a significant change, companies must prepare to meet new levels of trust and transparency

At a glance
While there are some differences, SAS 70 and SSAE 16 are substantially the same. SAS 70 is an audit standard, while SSAE 16 is an attest standard.
A provision requiring a written assertion from company management is the most notable difference between the two standards.
The new standard affects reports with periods ending on or after June 15, 2011. Early adoption is permitted.

Introduction
The biggest challenge for most service organizations is determining which controls report can best meet the needs of their stakeholders. The change from SAS 70 to SSAE 16 is not expected to be difficult, because the differences between the two standards are minimal. However, management should use the time ahead to assess which SSAE 16 report is right for the organization and whether the report's focus is still on internal control over financial reporting. The change to SSAE 16 occurs for reports with periods ending on or after June 15, 2011.

Change ushers in a new attestation standard for service organizations and their customers
When an organization provides a service for a customer and that service affects the customer's financial reporting, it is likely that an audit of the service organization will be completed on behalf of the customer. Until now, Statement on Auditing Standards (SAS) No. 70 was the governing standard for performing those audits. The SAS 70 report served as an independent assessment, for customers and their auditors, of internal control over financial reporting at the service organization. The new standard, Statement on Standards for Attestation Engagements No. 16 (SSAE 16), and its global counterpart, International Standard on Assurance Engagements No. 3402 (ISAE 3402), provide an option for service organizations that need to deliver consistent global reporting. Service organizations should use the SSAE 16 standard if they are reporting on internal control over financial reporting and plan to issue their report within the United States.(1) Although the differences between SAS 70 and SSAE 16 are minimal, companies should be aware of the new requirements and the changes from the previous SAS 70 requirements.

(1) While similar, the focus of this paper is on SSAE 16, not the international standard.

The management assertion requirement
Under SSAE 16, the service organization is required to provide a written assertion. A written assertion is management's opportunity to inform customers of, among other things, the services provided, the types of transactions, and the processes covered within the report. It also represents management's explicit responsibility for the content of the report description, including the controls and control objectives. In providing a written assertion, management communicates to the customer that the controls in the report are fairly presented, suitably designed, and operating effectively to achieve the specified control objectives. This requirement essentially mirrors management's implicit responsibilities in a SAS 70 engagement today. Management's assertion will accompany the SSAE 16 report and be available for customers and their auditors to read.

The following points from the standard can be used by management when developing its assertion:
- Management's assertion should be based on suitable criteria for assessing and describing a service organization's system and the design and operating effectiveness of its controls. Management is also responsible for establishing and stating the criteria used in the report.
- For criteria to be deemed suitable, they need to address whether the description is fairly presented, defines the services covered in the report, summarizes the types of transactions processed, and covers the elements of the Committee of Sponsoring Organizations (COSO) internal control framework, among others. Criteria may also need to be further tailored to meet specific elements established by law, regulation, user groups, or a professional body. The paragraphs of SSAE 16 on management's description of its system provide detail on the elements that most often will be included as part of that description and, in turn, the criteria for evaluation.

Bottom line: for those organizations reporting under the SAS 70 standard, management's effort to provide its assertion may be minimal.

A service auditor is allowed to issue a report only if management provides the written assertion. Management should have a reasonable basis for its assertion. This basis may be achieved through the ongoing monitoring activities used to assess the business, which provide evidence of the design and operating effectiveness of controls. These monitoring activities can come from a variety of sources, such as operational monitoring, internal audits, and compliance activities. The written assertion typically would be placed on company letterhead, but a signature is not required. Many of the items required for SSAE 16 exist in a similar form today in the management representation letter signed at the completion of a SAS 70 engagement. Examples from a management representation letter that are also present in the assertion include the following:
- Management's responsibility for the fair presentation of the description of the organization's controls, and for establishing and maintaining appropriate controls related to the processing of transactions for user organizations.
- Management's belief that controls are suitably designed to achieve the control objectives specified in the description of the system.
An example assertion is available in the SSAE 16 standard.

Description of the system
In addition to a written assertion, management must prepare or update its description of the service organization's system. The system is defined as the policies and procedures designed, implemented, and documented by management to provide customers with the services covered by the service auditor's report. Management's description should identify (as applicable):
- Services covered by the report
- The classes of transactions processed
- Control objectives and related controls
- Controls performed by the subservice organization (inclusive reports)
- The process used to prepare reports and other information provided to customers
- Changes to the system during the period covered by the report
- Other aspects of the service organization's control environment, risk assessment process, information and communication systems, and monitoring of controls, as defined by the COSO internal control framework, that could be relevant to user entities
- Complementary user entity controls, where applicable
For a user entity, the description is also the place to confirm that the services and subservice organizations it relies on are within the report's scope, and which complementary user entity controls it is expected to operate itself.
Bottom line: many of the required elements for an SSAE 16 system description may already be included, at the appropriate degree of detail, in existing SAS 70 reports.

Identification of risks to achieving control objectives
Similar to guidance under SAS 70, management's description of the system should specify control objectives and related controls. SSAE 16 allows management to employ a formal or informal process to identify the relevant risks. Compliance with this requirement should be straightforward, because many companies have already performed this risk assessment as part of creating and annually updating the control objectives and control activities for their historical SAS 70 efforts. Some organizations also have formal risk assessment processes in place for Sarbanes-Oxley compliance, or internal audit efforts that already encompass the content to be covered in the SSAE 16 report. It is advisable that management document the relevant risk assessment processes and conduct at least an annual evaluation of risks related to the system, retaining evidence to demonstrate management's process of risk identification.
Bottom line: for organizations reporting under the SAS 70 standard, management processes for risk identification are likely to exist already.

Subservice organizations
Consistent with the prior standard, SSAE 16 allows the service organization to describe its use of subservice organizations through either an inclusive or a carve-out presentation method. Service organization management plays an important role in determining how the subservice providers fit into its control environment and should consider the effect subservice providers have on its assertion. Management should consider questions such as:
- Where are the controls over processing performed?
- Who exercises key controls over the services provided?
- Are the activities performed at the subservice organization relevant to a user entity's internal control over financial reporting?
Like the SAS 70 process, management's description of its system should clearly distinguish the services provided by the subservice organization. The inclusive method typically gives a more detailed picture of the system and processing components behind the services provided, because it encompasses the controls and control objectives performed by the subservicer.

Additionally, when using the inclusive method, the subservice organization is subject to the same requirements as the service organization and should provide the following:
- A written assertion, to be included in, or attached to, management's description of the service organization's system
- A letter of representation prior to the completion of the engagement
The requirement that the subservice organization provide a written assertion under the inclusive method may present the greatest change, and one that service organization management should coordinate proactively, well in advance of a service auditor engagement.

Using the work of internal audit
Under SSAE 16, there is an expanded definition of internal audit that includes members of compliance or risk departments who perform duties similar to those of internal audit. Service auditors may use the work of internal audit or other independent control-related functions, performed independently of the service auditor's work, to support their testing. However, there are often challenges in finding sufficient alignment between the scope and timing of work performed by internal audit or other independent control-related functions and that of the service auditor. For example, if internal audit reviews only one quarter of the year for a particular area while the SSAE 16 engagement covers a 12-month period, reliance on the internal audit testing alone would not give the practitioner comfort that the control was operating for the entire SSAE 16 period. If service auditors are able to address these challenges and rely upon this work in performing their tests of controls, additional disclosure is required within the report. Such disclosure is not required when internal audit or another control-related function is used in the more common direct assistance capacity (that is, under the direction and supervision of the service auditor).

Call to action
The following are action items for the service organization to consider when implementing the new SSAE 16 standard:
- Service auditor: Initiate discussions with your service auditor to increase your understanding of the new standard, gain the auditor's perspective on your business, and confirm that SSAE 16 is the right reporting option for your business needs.
- Communication plan: Establish a plan to communicate information about the new standard to customer service teams, program offices, contract teams, sales teams, and customers. Revisit and assess the impact on customer contracts, as necessary.
- Timing of adoption: The standard is effective for reports with periods ending on or after June 15, 2011. For example, a 12-month report period beginning July 1, 2010, would be issued under SSAE 16.
- Subservice organizations: If subservice organizations are to be included in management's description of the service organization's system, determine whether to use the inclusive or the carve-out method. If using the inclusive method, initiate discussions with the subservice organization regarding its requirements under the new standard.
- Management's written assertion / risk assessment: In developing the written assertion, evaluate the risks that threaten the achievement of the control objectives relative to the services provided, and the control activities that mitigate these risks, to determine whether enhancements are needed to cover the scope of SSAE 16.
- System description: Revisit existing descriptions of controls within current SAS 70 reports as a foundation for developing management's description of the service organization's system, including the services provided, classes of transactions, business processes, control objectives, and related controls. Consider formalizing a process to capture updates as they occur during the year.

The following table summarizes the primary changes and practical tips management can use to prepare for the new reporting options.

Change: Choosing the right report
Practical tips: Determine who is requesting the report and how they plan to use it. Gain an understanding of the requester's overall objective. Is the report request coming from a regulator, or from a prospective customer wanting information on privacy protection?

Change: Management's written assertion
Practical tips: Inventory what monitoring is taking place within the organization (risk management, internal audit, compliance, others) and map it to the current SAS 70 controls. Familiarize yourself with the content of the management assertion; your service auditor can provide an example management assertion.

Change: Risk assessment
Practical tips: Evaluate the current risk assessment processes used in the business. Examine the current risk assessment and control objectives and determine whether they cover existing risks to the system. Document the risk assessment process. Conduct a risk assessment evaluation on an annual or more frequent basis and retain the evidence.

Change: System description
Practical tips: Review the current description of controls and determine whether it adequately covers the processing flow of transactions. Establish a method to capture changes that occur to the environment during the year.

Note 1: SSAE 16, Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, was finalized by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in January 2010. SSAE 16 effectively replaces SAS 70 as the authoritative guidance for reporting on internal control over financial reporting at service organizations. SSAE 16 was formally issued in April 2010 with an effective date of June 15, 2011. You can order a copy of SSAE 16 from the AICPA's online store.

Acknowledgements
Authors: George Galindo, Angela Shifflette

For a deeper discussion about how the change from SAS 70 to SSAE 16 may affect your business, please contact:
Steve Del Vecchio, Risk Assurance Partner
Joseph Griffin, Risk Assurance Partner
Chris Thompson, Risk Assurance Partner
Angela Shifflette, Risk Assurance Director

PwC. All rights reserved. PwC and PwC US refer to PricewaterhouseCoopers LLP, a Delaware limited liability partnership, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity. This document is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.


Guide to Understanding SAS 70 Reports

Guide to Understanding SAS 70 Reports Guide to Understanding SAS 70 Reports Authors: Norm Parkerson, Business Advisory Services Executive Director and Brett Williams, Business Advisory Services Partner In today s global economy, service organizations

More information

Metrics by design A practical approach to measuring internal audit performance

Metrics by design A practical approach to measuring internal audit performance Metrics by design A practical approach to measuring internal audit performance September 2014 At a glance Expectations of Internal Audit are rising. Regulatory pressure is increasing. Budgets are tightening.

More information

GAO. Government Auditing Standards. 2011 Revision. By the Comptroller General of the United States. United States Government Accountability Office

GAO. Government Auditing Standards. 2011 Revision. By the Comptroller General of the United States. United States Government Accountability Office GAO United States Government Accountability Office By the Comptroller General of the United States December 2011 Government Auditing Standards 2011 Revision GAO-12-331G GAO United States Government Accountability

More information

Auditing Derivative Instruments, Hedging Activities, and Investments in Securities 1

Auditing Derivative Instruments, Hedging Activities, and Investments in Securities 1 Auditing Derivative Instruments 1915 AU Section 332 Auditing Derivative Instruments, Hedging Activities, and Investments in Securities 1 (Supersedes SAS No. 81.) Source: SAS No. 92. See section 9332 for

More information

Navigating the transition to CSAE 3416

Navigating the transition to CSAE 3416 www.pwc.com/ca/controls Navigating the transition to CSAE 3416 FAQs on the new Canadian Standard on Assurance Engagements In response to changes in third-party assurance standards in both the US and internationally,

More information

Our comments concerning internal control and other significant matters are presented as follows:

Our comments concerning internal control and other significant matters are presented as follows: MANAGEMENT LETTER Board of Directors Indianapolis, Indiana In planning and performing our audit of the consolidated financial statements of TCM International Institute, Inc. and European Evangelistic Society

More information

Financial Forecasts and Projections

Financial Forecasts and Projections Financial Forecasts and Projections 1345 AT Section 301 Financial Forecasts and Projections Source: SSAE No. 10; SSAE No. 11; SSAE No. 17. Effective when the date of the practitioner s report is on or

More information

INTERNATIONAL STANDARD ON AUDITING 200 OBJECTIVE AND GENERAL PRINCIPLES GOVERNING AN AUDIT OF FINANCIAL STATEMENTS CONTENTS

INTERNATIONAL STANDARD ON AUDITING 200 OBJECTIVE AND GENERAL PRINCIPLES GOVERNING AN AUDIT OF FINANCIAL STATEMENTS CONTENTS INTERNATIONAL STANDARD ON AUDITING 200 OBJECTIVE AND GENERAL PRINCIPLES GOVERNING (Effective for audits of financial statements for periods beginning on or after December 15, 2005. The Appendix contains

More information

TIS Section 9520, SSAE No. 16, Reporting on Controls at a Service Organization

TIS Section 9520, SSAE No. 16, Reporting on Controls at a Service Organization November 2011 AICPA Technical Practice Aids TIS Section 9520, SSAE No. 16, Reporting on Controls at a Service Organization.01 New Standards for Service Auditors and User Auditors Inquiry Did the issuance

More information

Management s Discussion and Analysis

Management s Discussion and Analysis Management s Discussion and Analysis 1473 AT Section 701 Management s Discussion and Analysis Source: SSAE No. 10. Effective when management s discussion and analysis is for a period ending on or after

More information

About the Presenter. Presentation Objectives. SaaS / Cloud Computing Risk Management AICPA Attest Alternatives

About the Presenter. Presentation Objectives. SaaS / Cloud Computing Risk Management AICPA Attest Alternatives SaaS / Cloud Computing Risk Management AICPA Attest Alternatives Presenter: Dan Schroeder, CPA/CITP Habif, Arogeti, & Wynne, LLP Georgia Society of CPAs Annual Convention June 16, 2010 About the Presenter

More information

Aberdeen City Council IT Security (Network and perimeter)

Aberdeen City Council IT Security (Network and perimeter) Aberdeen City Council IT Security (Network and perimeter) Internal Audit Report 2014/2015 for Aberdeen City Council August 2014 Internal Audit KPIs Target Dates Actual Dates Red/Amber/Green Commentary

More information

Healthcare Internal Audit: In a Time of Transition

Healthcare Internal Audit: In a Time of Transition The 2015 State of the Internal Audit Profession Study Healthcare Internal Audit: In a Time of Transition The healthcare industry in the United States is facing many challenges with the enactment of legislation

More information

The evolution of model risk management January 2016

The evolution of model risk management January 2016 www.pwc.com/us/insurance The evolution of model risk management January 2016 2 top issues The evolution of model risk management One of the fastest growing concerns on insurers enterprise risk agenda is

More information

Agreed-Upon Procedures Engagements

Agreed-Upon Procedures Engagements Agreed-Upon Procedures Engagements 1323 AT Section 201 Agreed-Upon Procedures Engagements Source: SSAE No. 10; SSAE No. 11. Effective when the subject matter or assertion is as of or for a period ending

More information

INTERNATIONAL STANDARD ON AUDITING 620 USING THE WORK OF AN AUDITOR S EXPERT CONTENTS

INTERNATIONAL STANDARD ON AUDITING 620 USING THE WORK OF AN AUDITOR S EXPERT CONTENTS INTERNATIONAL STANDARD ON AUDITING 620 USING THE WORK OF AN AUDITOR S EXPERT (Effective for audits of financial statements for periods beginning on or after December 15, 2009) CONTENTS Paragraph Introduction

More information

Dataline A look at current financial reporting issues

Dataline A look at current financial reporting issues Dataline A look at current financial reporting issues No. 2013-22 November 21, 2013 What s inside? Overview... 1 The main details... 2 Quantifying errors... 2 Evaluating whether the financial statements

More information

Getting to strong Leading Practices for value-enhancing internal audit By Richard Reynolds and Abhinav Aggarwal - PricewaterhouseCoopers LLP

Getting to strong Leading Practices for value-enhancing internal audit By Richard Reynolds and Abhinav Aggarwal - PricewaterhouseCoopers LLP Getting to strong Leading Practices for value-enhancing internal audit By Richard Reynolds and Abhinav Aggarwal - PricewaterhouseCoopers LLP Today's unpredictable business climate and challenging regulatory

More information

Navigating the Standards for Information Technology Controls

Navigating the Standards for Information Technology Controls Navigating the Standards for Information Technology Controls By Joseph B. O Donnell and Yigal Rechtman JULY 2005 - Pervasive use of computers, along with recent legislation such as the Sarbanes- Oxley

More information

INTERNATIONAL STANDARD ON AUDITING 580 MANAGEMENT REPRESENTATIONS CONTENTS

INTERNATIONAL STANDARD ON AUDITING 580 MANAGEMENT REPRESENTATIONS CONTENTS INTERNATIONAL STANDARD ON 580 MANAGEMENT REPRESENTATIONS (Effective for audits of financial statements for periods beginning on or after December 15, 2004) CONTENTS Paragraph Introduction... 1-2 Acknowledgment

More information

IAASB Main Agenda (June 2010) Agenda Item. April 28, 2009

IAASB Main Agenda (June 2010) Agenda Item. April 28, 2009 Agenda Item 8-B Statement of Position 09-1 April 28, 2009 Performing Agreed-Upon Procedures Engagements That Address the Completeness, Accuracy, or Consistency of XBRL-Tagged Data Issued Under the Authority

More information

Applying Integrated Risk Management Scenarios for Improving Enterprise Governance

Applying Integrated Risk Management Scenarios for Improving Enterprise Governance Applying Integrated Risk Management Scenarios for Improving Enterprise Governance János Ivanyos Trusted Business Partners Ltd, Budapest, Hungary, ivanyos@trusted.hu Abstract: The term of scenario is used

More information

GAO. Government Auditing Standards: Implementation Tool

GAO. Government Auditing Standards: Implementation Tool United States Government Accountability Office GAO By the Comptroller General of the United States December 2007 Government Auditing Standards: Implementation Tool Professional Requirements Tool for Use

More information

Please provide the full name of the applicant whose experience you are verifying.

Please provide the full name of the applicant whose experience you are verifying. CPA Certificate Experience Verification Connecticut Department of Consumer Protection Form SBA 12 -Instructions (Rev. 06/16) GENERAL INSTRUCTIONS This form is provided as a means for disclosure and verification

More information

COSO 2013: WHAT HAS CHANGED & STEPS TO TAKE TO ENSURE COMPLIANCE

COSO 2013: WHAT HAS CHANGED & STEPS TO TAKE TO ENSURE COMPLIANCE COSO 2013: WHAT HAS CHANGED & STEPS TO TAKE TO ENSURE COMPLIANCE COMMITTEE OF SPONSORING ORGANIZATIONS (COSO) 2013 The Committee of Sponsoring Organizations (COSO) Internal Controls Integrated Framework,

More information

FS Regulatory Brief SEC Proposes Amendments to Broker- Dealer Financial Reporting Rule

FS Regulatory Brief SEC Proposes Amendments to Broker- Dealer Financial Reporting Rule SEC Proposes Amendments to Broker- Dealer Financial Reporting Rule Amendments call for brokerdealers assertion of compliance with the Financial Responsibility Rules, new reviews by independent auditors,

More information

Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Frequently Asked Questions

Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Frequently Asked Questions Guide to the Sarbanes-Oxley Act: IT Risks and Controls Frequently Asked Questions Table of Contents Page No. Introduction.......................................................................1 Overall

More information

The Upside of Risk: Enterprise Risk Management and Public Real Estate Companies

The Upside of Risk: Enterprise Risk Management and Public Real Estate Companies The Upside of Risk: Enterprise Risk Management and Public Real Estate Companies James Barkley, Simon Property Group, Inc. and David E. Weiss, DDR Corp. Introduction: As lawyers, particularly real estate

More information

This article will provide background on the Sarbanes-Oxley Act of 2002, prior to discussing the implications for business continuity practitioners.

This article will provide background on the Sarbanes-Oxley Act of 2002, prior to discussing the implications for business continuity practitioners. Auditing the Business Continuity Process Dr. Eric Schmidt, Principal, Transitional Data Services, Inc. Business continuity audits are rapidly becoming one of the most urgent issues throughout the international

More information

RECKENEN FOCUS ON SAS 70 & SSAE 16

RECKENEN FOCUS ON SAS 70 & SSAE 16 RECKENEN FOCUS ON SAS 70 & SSAE 16 Hassan Sultan, CPA Managing Director 3001 Park Center Drive Suite 1000 Alexandria, VA 22302 Phone (703) 249 4509 Email hsultan@reckenen.com SAS 70 & SSAE 16 Overview

More information

FS Regulatory Brief. SEC Staff Provides Guidance on the Use of Social Media by Advisers. Introduction

FS Regulatory Brief. SEC Staff Provides Guidance on the Use of Social Media by Advisers. Introduction SEC Staff Provides Guidance on the Use of Social Media by Advisers Introduction Reflecting the fact that many registered investment advisers and their personnel use social media in various forms to communicate

More information

Aberdeen City Council IT Asset Management

Aberdeen City Council IT Asset Management Aberdeen City Council IT Asset Management Internal Audit Report 2014/2015 for Aberdeen City Council January 2015 Terms or reference agreed 4 weeks prior to fieldwork Target Dates per agreed Actual Dates

More information

April 2013. Managing cloud migration Contract restructuring and retained IT

April 2013. Managing cloud migration Contract restructuring and retained IT April 2013 Managing cloud migration Contract restructuring and retained IT Abstract We continually see companies restructure their IT outsourcing contracts with traditional IT providers as part of their

More information

Citation for published version (APA): Berthing, H. H. (2014). Vision for IT Audit 2020. Abstract from Nordic ISACA Conference 2014, Oslo, Norway.

Citation for published version (APA): Berthing, H. H. (2014). Vision for IT Audit 2020. Abstract from Nordic ISACA Conference 2014, Oslo, Norway. Aalborg Universitet Vision for IT Audit 2020 Berthing, Hans Henrik Aabenhus Publication date: 2014 Document Version Early version, also known as pre-print Link to publication from Aalborg University Citation

More information

Internal controls readiness: why you need to act today*

Internal controls readiness: why you need to act today* Internal controls readiness: why you need to act today* Internal controls readiness: why you need to act today I. Introduction Auditing has become more of a regulated industry after the enactment of the

More information

University Audit and Compliance. Internal Controls Enterprise-Wide Risk Assessment

University Audit and Compliance. Internal Controls Enterprise-Wide Risk Assessment Internal Controls Enterprise-Wide Risk Assessment Balancing Risk and Controls In order to achieve goals and objectives, management needs to effectively balance risks and controls. Control procedures need

More information

Do you know your privacy risks? How new technologies, changing business models, and emerging regulations are changing the data-protection landscape

Do you know your privacy risks? How new technologies, changing business models, and emerging regulations are changing the data-protection landscape January 2013 Do you know your privacy risks? How new technologies, changing business models, and emerging regulations are changing the data-protection landscape At a glance Threats to data security both

More information

The Importance of IT Controls to Sarbanes-Oxley Compliance

The Importance of IT Controls to Sarbanes-Oxley Compliance Hosted by Deloitte, PricewaterhouseCoopers and ISACA/ITGI The Importance of IT Controls to Sarbanes-Oxley Compliance 15 December 2003 1 Presenters Chris Fox, CA Sr. Manager, Internal Audit Services PricewaterhouseCoopers

More information

Cloud Computing An Auditor s Perspective

Cloud Computing An Auditor s Perspective Cloud Computing An Auditor s Perspective Sailesh Gadia, CPA, CISA, CIPP sgadia@kpmg.com December 9, 2010 Discussion Agenda Introduction to cloud computing Types of cloud services Benefits, challenges,

More information

Fraud Prevention and Deterrence

Fraud Prevention and Deterrence Fraud Prevention and Deterrence Fraud Risk Assessment 2016 Association of Certified Fraud Examiners, Inc. What Is Fraud Risk? The vulnerability that an organization faces from individuals capable of combining

More information

IT Insights. Managing Third Party Technology Risk

IT Insights. Managing Third Party Technology Risk IT Insights Managing Third Party Technology Risk According to a recent study by the Institute of Internal Auditors, more than 65 percent of organizations rely heavily on third parties, yet most allocate

More information

SEC ISSUES FINAL RULES FOR NEW CEO/CFO CERTIFICATION UNDER SECTION 302 OF THE SARBANES-OXLEY ACT

SEC ISSUES FINAL RULES FOR NEW CEO/CFO CERTIFICATION UNDER SECTION 302 OF THE SARBANES-OXLEY ACT CLIENT MEMORANDUM SEC ISSUES FINAL RULES FOR NEW CEO/CFO CERTIFICATION UNDER SECTION 302 OF THE SARBANES-OXLEY ACT As noted in our previous client memoranda, the Sarbanes-Oxley Act of 2002 (the Act ) calls

More information

Impact of New Internal Control Frameworks

Impact of New Internal Control Frameworks Impact of New Internal Control Frameworks Webcast: Tuesday, February 25, 2014 CPE Credit: 1 0 With You Today Bob Jacobson Principal, Risk Advisory Services Consulting Leader West Region Bob.Jacobson@mcgladrey.com

More information

www.pwc.com SAP Training Are your people adequately trained to maximize your

www.pwc.com SAP Training Are your people adequately trained to maximize your www.pwc.com SAP Training Are your people adequately trained to maximize your return from SAP? Understand the challenges your organization has with SAP Background Organizations are investing significant

More information

IAIS Insurance Core Principle 16

IAIS Insurance Core Principle 16 www.pwc.com Chicago Actuarial Association ORSA Readiness June 19, 2014 IAIS Insurance Core Principle 16 The supervisory regime establishes enterprise risk management requirements for solvency purposes

More information

TECH INSIGHTS TRUST AND TRANSPARENCY IN A CLOUDY WORLD. IT advisory services

TECH INSIGHTS TRUST AND TRANSPARENCY IN A CLOUDY WORLD. IT advisory services TECH INSIGHTS IT advisory services TRUST AND TRANSPARENCY IN A CLOUDY WORLD Service Organization Controls (SOC) Reporting for Financial and Data Security In a world of cloud computing and business process

More information

A Closer Look Financial Services Regulation

A Closer Look Financial Services Regulation A Closer Look Financial Services Regulation To view our other A Closer Look pieces, please visit www.pwcregulatory.com \ Model risk mitigation and cost reduction through effective documentation June 2013

More information

Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Understanding SOC 3

Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Understanding SOC 3 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Understanding SOC 3 Agenda 1) A brief perspective on where SOC 3 originated

More information

Vendor Management Best Practices

Vendor Management Best Practices 23 rd Annual and One Day Seminar Vendor Management Best Practices Catherine Bruder CPA, CITP, CISA, CISM, CTGA Michigan Texas Florida Insight. Oversight. Foresight. SM Doeren Mayhew Bruder 1 $100 billion

More information

Internal Control over Financial Reporting Guidance for Smaller Public Companies

Internal Control over Financial Reporting Guidance for Smaller Public Companies Internal Control over Financial Reporting Guidance for Smaller Public Companies Frequently Asked Questions Internal Control over Financial Reporting Guidance for Smaller Public Companies Frequently Asked

More information

Lifting the fog* Accounting for uncertainty in income taxes

Lifting the fog* Accounting for uncertainty in income taxes Lifting the fog* Accounting for uncertainty in income taxes Contents Introduction 01 Identifying uncertain tax positions 02 Recognizing uncertain tax positions 03 Measuring the tax benefit 04 Disclosures

More information

Audit and Permitted Non-Audit Services Pre-Approval Policy (Pertaining to the Company s Independent Auditor)

Audit and Permitted Non-Audit Services Pre-Approval Policy (Pertaining to the Company s Independent Auditor) Audit and Permitted Non-Audit Services Pre-Approval Policy (Pertaining to the Company s Independent Auditor) Statement of Principles Pursuant to the Sarbanes-Oxley Act of 2002 (the Act ) and in accordance

More information