The end of SAS70 what next for Performance Assurance?

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "The end of SAS70 what next for Performance Assurance?"

Transcription

1 Enhancing Trust and Transparency The end of SAS70 what next for Performance Assurance? A perspective on transitioning from SAS 70 to ISAE 3402 pwc Enhancing Trust and Transparency 1

2 Contents What you need to know 2 Detailed assessment of key changes to the standard 3 Key action Items 7 Contacts 8 PricewaterhouseCoopers

3 The SAS70 standard is obsolete from 15th June 2011 The changes are subtle but our overall view is that organisations need to act now, to help minimise the impact on themselves and their customers. Enhancing Trust and Transparency 1

4 What you need to know Organisations that provide services to their customers are often subject to independent assessments of the processes executed on behalf of their customers. Statement on Auditing Standards (SAS) No. 70 has long been the most widespread and recognised standard globally for performing these assessments. It gave the service organisation a mechanism for providing an independent assurance report (and therefore comfort) to their customers. The requirements and guidance for auditors reporting under SAS 70 will be superseded for reporting periods ending on or after the 15th June 2011 by SSAE 16. However, given both SAS 70 and SSAE 16 are US based standards, and many countries did not have their own standard for performing such assessments, an international standard, ISAE 3402, was issued in December This new standard will provide a reporting option for service organisations that need a global attestation standard to deliver consistent reporting worldwide, or will form the basis for updating regional standards (such as AAF 01/06). Like SSAE 16, the new standard is effective for reports with periods ending on or after June 15, 2011 and will permit early adoption. The focus of this document is on the necessary changes to move from SAS 70 to ISAE It includes comments on the impact of those updates on service organisations and service auditors. Key similarities and differences between ISAE 3402 and SAS 70 Similarities Scope is focused on controls that are likely to be relevant to user entities internal control over financial reporting Type 1 and Type 2 reports may be issued by the service auditor. Reports may include (inclusive method) or exclude (carve-out method) services provided by subservice organisations Service organisation s description of controls under SAS 70 generally will provide a basis for the system description under ISAE 3402 Service auditor s report is restricted to use by the service organisations management, customers of the service organisation and the customers auditors Differences Management is required to provide a written assertion with respect to the service organisations responsibilities for systems and controls Subservice organisations are required to provide a similar assertion when they are included in the scope of the report In a Type 2 report, the service auditor opines on the suitability of the design of controls related to the control objectives throughout the entire period The service auditor is required to disclose any reliance on the work of Internal Audit (or other independent management testing functions) within the report Overall assessment of key changes to the standard The new standard is not designed to change how an engagement to report on controls is performed. Rather, it has been prepared to meet the demand for an internationally recognised standard and to fit into the current framework for assurance standards. The new standard does include some new requirements and changes to previous requirements of SAS 70. For each of the key changes discussed herein, we have provided an assessment of the difference from SAS 70 and the level of effort it will require of the service organisation to implement the change. Acronym Buster Statement on Standards for Attestation Engagements 16 (SSAE 16) is the US standard issued by the American Institute of Certified Public Accountants. The International Standard on Assurance Engagements 3402 (ISAE 3402) is issued by the International Auditing and Assurance Standards Board (IAASB). 2 PricewaterhouseCoopers

5 Detailed assessment of key changes to the standard Management assertion Difference from SAS 70 Different Level of effort to implement Medium Under the new standard, the service organisation has to acknowledge its responsibilities through a written assertion, which will state that the controls are fairly presented, suitably designed and operating effectively to achieve the specified control objectives. Management s assertion will be included in, or attached to, management s description of the system and documented within the report. Management s assertion should be based on suitable criteria. Management should select the criteria to be used to make their assertion and should state them within the assertion. A service auditor is precluded from issuing a report if management does not provide a written assertion. The standard provides outline guidance in this area, which should make this requirement straight-forward to implement. Management should have a reasonable basis for its assertion, which may be achieved through on-going monitoring activities that provide evidence of the design and operating effectiveness of controls. But there is no specific requirement for management testing as with Sarbanes Oxley. Management s representation letter signed at the completion of a SAS 70 engagement today covers the same ground as the required items within management s assertion. Therefore, provision of the assertion is not expected to incur costs at the service organisation. However, service organisations may wish to consider who will be responsible for making the assertion. Enhancing Trust and Transparency 3

6 Description of the system Difference from SAS 70 Similar Level of effort to implement Medium In addition to a written assertion, management is responsible for preparing its description of the service organisation s system ( the system ). The system is defined as the policies and procedures designed, implemented, and documented by management to provide customers with the services covered by the service auditor s report. Management s description should identify at a minimum, the following criteria (as applicable): Services covered, including as appropriate the classes of transactions processed; The procedures by which services are provided and details of the relevant records and supporting information; Period covered by the report; Relevant control objectives and related controls; Complementary user controls; Controls performed by the subservice organisation (inclusive reports); The process used to prepare reports provided to customers; Changes to the system during the period covered by the report; and Other aspects of the service organisation s control environment, risk assessment process, information and communication systems, and monitoring of controls, as defined by the Committee of Sponsoring Organisations (COSO) internal control framework that could be relevant to user entities. In many cases, a majority of the elements to be included in management s description of the system as required under ISAE 3402 have been included in existing SAS 70 reports. In such cases, there should not be a significant additional work effort required of the service organisation. 4 PricewaterhouseCoopers

7 Identification of risks to achieving control objectives Difference from SAS 70 Similar Level of effort to implement Low Similar to guidance under SAS 70, management s description of the system should specify control objectives and related controls. Management are expected to consider the risks that threaten the achievement of the control objectives, whether the controls do enough to mitigate those risks and whether the controls are consistently applied. ISAE 3402 allows for management to have a formal or informal process for identifying the relevant risks and does not require that management explicitly include such risks within the report. However, our perspective on leading practice is that management conduct and formally document their consideration of the relevant risks. As many companies have already performed this risk assessment as part of the creation of the control objectives and control activities for their historical SAS 70 efforts, identifying the relevant risks factors should not create significant additional work Subservice organisations Difference from SAS 70 Different Level of effort to implement Medium Consistent with SAS 70, ISAE 3402 allows the service organisation to describe the use of subservice organisations through either an inclusive or carve-out method of presentation. When using the inclusive method, management s description of the system should include a description of, and clearly distinguish, the services provided by the subservice organisation. Additionally, the subservice organisation is subject to the same requirements as the service organisation and should provide the following: A description of the related control objectives and controls at the subservice organisation; A written assertion, to be included in, or attached to, management s description of the service organisation s system; and A letter of representation. The requirement that the subservice organisation provide a written assertion, when employing the inclusive method, may present the greatest challenge, which management should proactively coordinate well in advance of a service auditor engagement. The representation letter signed at the completion of a SAS 70 engagement today, covers the same ground as the required items within the assertion. Enhancing Trust and Transparency 5

8 Using work of internal audit Difference from SAS 70 Moderate Level of effort to implement Medium The service auditor may use the work of internal audit or other independent controlrelated functions that has been performed independent of the service auditor s work to support their testing. However, there are often challenges in finding sufficient alignment of the scope and timing of work performed by internal audit or other independent control-related functions with that of the service auditor. If the service auditor is able to overcome such challenges and is able to use this work in performing their tests of controls, additional disclosure is required within the report to provide transparency on the use of internal audit. Such disclosure is not required when individual members of an internal audit or another control-related function are used in the more common direct assistance capacity (i.e. under the direction of the service auditor). 6 PricewaterhouseCoopers

9 Key Action Items The following are key action items for the service organisation to consider when implementing the new ISAE 3402 standard: Service auditor initiate discussions with service auditors to increase your understanding of the new standard and gain insight from the service auditor s perspective; Timing of adoption the standard is effective for reports with periods ending on or after June 15, For example, a twelve-month report period beginning July 1, 2010 would be issued under ISAE 3402; Management s assertion identify the risks that threaten achievement of control objectives, evaluate current control monitoring processes to determine if enhancements are necessary to support management s written assertion. Determine which members of management will be responsible for providing the assertion; System description re-visit existing descriptions of controls within current SAS 70 reports as a foundation for developing management s description of the service organisation s system, including control objectives, risks, and related controls; Subservice organisations if subservice organisations are to be included in management s description of the service organisation s system, determine whether to use the inclusive or carve-out method. If using the inclusive method, initiate discussions with the subservice organisation regarding their requirements under the new standard; and Communication plan establish a plan for communication of the new standard and for education of customer service teams, contract teams, sales teams, and customers. Re-visit and assess the impact on customer contracts, as necessary. Enhancing Trust and Transparency 7

10 Contacts Neil Hewitt Partner Tel: +44 (0) Richard Porter Partner Tel: +44 (0) Ian Armfield Partner Tel: +44 (0) Mark Garland Director Tel: +44 (0) David Woerndl Senior Manager Tel: +44 (0) PricewaterhouseCoopers

11

12 pwc.com This document has been prepared for the intended recipients only. To the extent permitted by law, PricewaterhouseCoopers LLP does not accept or assume any liability, responsibility or duty of care for any use of or reliance on this document by anyone, other than (i) the intended recipient to the extent agreed in the relevant contract for the matter to which this document relates (if any), or (ii) as expressly agreed by PricewaterhouseCoopers LLP at its sole discretion in writing in advance PricewaterhouseCoopers LLP. All rights reserved. PricewaterhouseCoopers refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom) or, as the context requires, other member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.

At a glance. A provision to require a written assertion from company management is the most notable difference between the two standards.

At a glance. A provision to require a written assertion from company management is the most notable difference between the two standards. At a glance While there are some differences, SAS 70 and SSAE 16 are substantially the same. SAS 70 is an audit standard while SSAE 16 is an attest standard. Out with the old SAS 70 and in with the new

More information

Feeley & Driscoll, P.C. Certified Public Accountants / Business Consultants www.fdcpa.com. Visit us on the web: www.fdcpa.com Or Call: 888-875-9770

Feeley & Driscoll, P.C. Certified Public Accountants / Business Consultants www.fdcpa.com. Visit us on the web: www.fdcpa.com Or Call: 888-875-9770 Feeley & Driscoll, P.C. Certified Public Accountants / Business Consultants www.fdcpa.com SAS 70 Background 2 SAS No. 70 Reports on the Processing of Transactions by Service Organizations Independent examination

More information

Here comes SSAE 16 SAS 70 EVOLUTION: How will the new standard affect my business? How do I prepare to meet the new requirements?

Here comes SSAE 16 SAS 70 EVOLUTION: How will the new standard affect my business? How do I prepare to meet the new requirements? SAS 70 EVOLUTION: Here comes SSAE 16 PLANNING FOR THE NEW SERVICE ORGANIZATION REPORTING STANDARDS The prevalence of SAS 70 audits has grown dramatically since the standards issuance in April of 1992.

More information

The Changing SAS 70 Landscape Dan Hirstein Director Rebecca Goodpasture Senior Manager Deloitte & Touche LLP January 13, 2011

The Changing SAS 70 Landscape Dan Hirstein Director Rebecca Goodpasture Senior Manager Deloitte & Touche LLP January 13, 2011 The Changing SAS 70 Landscape Dan Hirstein Director Rebecca Goodpasture Senior Manager Deloitte & Touche LLP January 13, 2011 Table of Contents A Short History of SAS 70 Overview of SSAE 16 and ISAE 3402

More information

G24: Audits of Controls at a Service Organization: New Standards SSAE 16 and ISAE 3402 Duff Donnelly and Jeffrey Spivack, Grant Thornton LLP

G24: Audits of Controls at a Service Organization: New Standards SSAE 16 and ISAE 3402 Duff Donnelly and Jeffrey Spivack, Grant Thornton LLP G24: Audits of Controls at a Service Organization: New Standards SSAE 16 and ISAE 3402 Duff Donnelly and Jeffrey Spivack, Grant Thornton LLP Audits of controls at a service organization Roadmap to the

More information

G24 - SAS 70 Practices and Developments Todd Bishop

G24 - SAS 70 Practices and Developments Todd Bishop G24 - SAS 70 Practices and Developments Todd Bishop SAS No. 70 Practices & Developments Todd Bishop Senior Manager, PricewaterhouseCoopers LLP Agenda SAS 70 Background Information and Overview Common SAS

More information

Goodbye, SAS 70! Hello, SSAE 16!

Goodbye, SAS 70! Hello, SSAE 16! Goodbye, SAS 70! Hello, SSAE 16! A Session to Provide Insight on the New Standard and What Service Providers and End-Users Need to Know January 3, 2012 Agenda Introduction Background on what was SAS 70

More information

ISAE 3402 and SSAE 16 (replacing SAS 70) Reinforcing confidence through demonstration of effective controls

ISAE 3402 and SSAE 16 (replacing SAS 70) Reinforcing confidence through demonstration of effective controls ISAE 3402 and SSAE 16 (replacing SAS 70) Reinforcing confidence through demonstration of effective controls ISAE 3402 and SSAE 16 defined Overview of service organisation control reports Service organisation

More information

Reporting on Controls at a Service Organization

Reporting on Controls at a Service Organization Reporting on Controls at a Service Organization 1529 AT Section 801 Reporting on Controls at a Service Organization (Supersedes the guidance for service auditors in Statement on Auditing Standards No.

More information

Farewell to SAS 70. What you need to know about the New Standard for Service Organization Reporting

Farewell to SAS 70. What you need to know about the New Standard for Service Organization Reporting Farewell to SAS 70 What you need to know about the New Standard for Service Organization Reporting ADVISORY rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International Cooperative

More information

End of the SAS 70 Era

End of the SAS 70 Era End of the SAS 70 Era For years businesses that outsource have relied on SAS 70 reports on the internal controls of third party providers. The standard for those reports is changing. New Standards Replacing

More information

Aberdeen City Council IT Governance

Aberdeen City Council IT Governance Aberdeen City Council IT Governance Internal Audit Report 2013/2014 for Aberdeen City Council May 2014 Internal Audit KPIs Target Dates Actual Dates Red/Amber/Green Commentary where applicable Terms or

More information

MHM S PERSPECTIVE: CHANGES COMING TO SAS 70.KNOW THE FACTS

MHM S PERSPECTIVE: CHANGES COMING TO SAS 70.KNOW THE FACTS Mayer Hoffman McCann P.C. An Independent CPA Firm MHM S AUDITING PERSPECTIVE: STANDARD NO. 5 Since its issuance in 1992, the American Institute of Certified Public Accountants (AICPA) Statement on Auditing

More information

BASIS FOR CONCLUSIONS Canadian Standard on Assurance Engagements (CSAE) 3416, Reporting on Controls at a Service Organization

BASIS FOR CONCLUSIONS Canadian Standard on Assurance Engagements (CSAE) 3416, Reporting on Controls at a Service Organization August 2010 BASIS FOR CONCLUSIONS Canadian Standard on Assurance Engagements (CSAE) 3416, Reporting on Controls at a Service Organization This Basis for Conclusions has been prepared by staff of the Auditing

More information

Shared Service System Audits: What User Management and Auditors Need to Know

Shared Service System Audits: What User Management and Auditors Need to Know Shared Service System Audits: What User Management and Auditors Need to Know JFMIP May 2014 Presented by: Robert Dacey GAO Session Objectives Properly using SSAE 16 service organization audit reports Revisions

More information

Aberdeen City Council

Aberdeen City Council Aberdeen City Council Internal Audit Report Final Contract management arrangements within Social Care & Wellbeing 2013/2014 for Aberdeen City Council January 2014 Internal Audit KPI Targets Target Dates

More information

Aberdeen City Council IT Asset Management

Aberdeen City Council IT Asset Management Aberdeen City Council IT Asset Management Internal Audit Report 2014/2015 for Aberdeen City Council January 2015 Terms or reference agreed 4 weeks prior to fieldwork Target Dates per agreed Actual Dates

More information

Reports on Service Organizations Where we ve been?

Reports on Service Organizations Where we ve been? Reports on Service Organizations Where we ve been? What s changing? How does this impact Internal Audit? Eric Wright Shareholder Frank Dezort Senior Manager Schneider Downs & Co., Inc. May 2, 2011 Overview

More information

FAQs New Service Organization Standards and Implementation Guidance

FAQs New Service Organization Standards and Implementation Guidance FAQs New Service Organization Standards and Implementation Guidance During the past two years several significant changes have occurred in audit and attest standards for reporting on controls at service

More information

SSAE 16 & SAS 70 A Primer on Changes to Service Organization Audit Standards

SSAE 16 & SAS 70 A Primer on Changes to Service Organization Audit Standards A Member of OneBeacon Insurance Group SSAE 16 & SAS 70 A Primer on Changes to Service Organization Audit Standards Author: Jack Fletcher, Risk Control Technology Specialist Published: November 2014 Executive

More information

SSAE 16 and ISAE 3402: Preparing for New Service Company Control Standards Mastering Requirements Governing Your Next Controls Report

SSAE 16 and ISAE 3402: Preparing for New Service Company Control Standards Mastering Requirements Governing Your Next Controls Report Presenting a live 110 minute teleconference with interactive Q&A SSAE 16 and ISAE 3402: Preparing for New Service Company Control Standards Mastering Requirements Governing Your Next Controls Report WEDNESDAY,

More information

Aberdeen City Council IT Security (Network and perimeter)

Aberdeen City Council IT Security (Network and perimeter) Aberdeen City Council IT Security (Network and perimeter) Internal Audit Report 2014/2015 for Aberdeen City Council August 2014 Internal Audit KPIs Target Dates Actual Dates Red/Amber/Green Commentary

More information

Business Continuity Business Impact Analysis arrangements

Business Continuity Business Impact Analysis arrangements Aberdeen City Council Internal Audit Report 2012/2013 for Aberdeen City Council May 2013 Business Continuity Business Impact Analysis arrangements Final Report Contents Section Page 1. Executive Summary

More information

Service Organization Control Reports

Service Organization Control Reports SAS 70 ENDS EXIT TO SSAE 16 Service Organization Control Reports What Did We Learn from Year One? Agenda Definitions Service Organization Reports What are they? Year One Experiences SSAE 16 Year One Experiences

More information

Service Organization Control (SOC) Reports

Service Organization Control (SOC) Reports Service Organization Control (SOC) Reports Transitioning from SAS 70 to SSAE 16 Deloitte & Touche LLP Agenda Overview SAS 70/SSAE 16 Historical Perspective The New Framework Under SSAE 16 (SOC 1) Impact

More information

Service Organizations: Auditing Interpretations of Section 324

Service Organizations: Auditing Interpretations of Section 324 Service Organizations 1835 AU Section 9324 Service Organizations: Auditing Interpretations of Section 324 1. Describing Tests of Operating Effectiveness and the Results of Such Tests.01 Question Paragraph.44f

More information

OUTSOURCING AND SERVICE AUDITOR S REPORTS

OUTSOURCING AND SERVICE AUDITOR S REPORTS OUTSOURCING AND SERVICE AUDITOR S REPORTS FREEDOM TO DO BUSINESS Outsourcing and service Auditor s Reports 3 OUTSOURCING AND SERVICE AUDITOR S REPORTS SERVICE AUDITOR S REPORTS ARE GROWING IN IMPORTANCE,

More information

Aberdeen City Council IT Disaster Recovery

Aberdeen City Council IT Disaster Recovery Aberdeen City Council IT Disaster Recovery Internal Audit Report 2014/2015 for Aberdeen City Council January 2015 Terms or reference agreed 4 weeks prior to fieldwork Target Dates per agreed Actual Dates

More information

Monitoring Outside Service Providers, Part III: SAS 70 Updates

Monitoring Outside Service Providers, Part III: SAS 70 Updates Monitoring Outside Service Providers, Part III: SAS 70 Updates Richard F. Fischer, CPA Louis Plung & Company, LLP richard.fischer@louisplung.com 412-281-8771 CHANGES TO SAS 70 SERVICE ORGANIZATIONS: Statement

More information

INTERNATIONAL STANDARD ON ASSURANCE ENGAGEMENTS (ISAE) 3402 ASSURANCE REPORTS ON CONTROLS AT A SERVICE ORGANIZATION

INTERNATIONAL STANDARD ON ASSURANCE ENGAGEMENTS (ISAE) 3402 ASSURANCE REPORTS ON CONTROLS AT A SERVICE ORGANIZATION INTERNATIONAL STANDARD ON ASSURANCE ENGAGEMENTS (ISAE) 3402 ASSURANCE REPORTS ON CONTROLS AT A SERVICE ORGANIZATION (Effective for service auditors assurance reports covering periods ending on or after

More information

Frequently asked questions: SOC 2 and 3

Frequently asked questions: SOC 2 and 3 1. Is the licensing requirement for a SOC 2 or 3 different than for a SOC 1? SOC reports are attestation reports issued in accordance with AICPA standards. Therefore, licensing requirements are the same

More information

SSAE 16 SOC 1 Type 2

SSAE 16 SOC 1 Type 2 SSAE 16 SOC 1 Type 2 Independent Service Auditor s Report on Management s Description of a Service Organization s System and the Suitability of the Design and Operating Effectiveness of Controls September

More information

Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com

Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations kpmg.com b Section or Brochure name Effectively using SOC 1, SOC 2, and SOC 3 reports for increased

More information

Understanding SOC Reports for Effective Vendor Management. Jason T. Clinton January 26, 2016

Understanding SOC Reports for Effective Vendor Management. Jason T. Clinton January 26, 2016 Understanding SOC Reports for Effective Vendor Management Jason T. Clinton January 26, 2016 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2012 Wolf & Company, P.C. Before we

More information

Managing contractors involved in high impact activities

Managing contractors involved in high impact activities www.pwc.co.uk November 2011 Managing contractors involved in high impact activities A study of practices adopted by major organisations across six different sectors Contents 1. Introduction 2 2. Executive

More information

Our Impacts: accurate base factor data supporting Audit Ready Output

Our Impacts: accurate base factor data supporting Audit Ready Output Our Impacts: accurate base factor data supporting Audit Ready Output Report on third party sourced base factors used within the Our Impacts platform as at 31 January 2014 and the design of internal controls

More information

Asset Manager Guide to SAS 70. Issue Date: October 7, 2007. Asset

Asset Manager Guide to SAS 70. Issue Date: October 7, 2007. Asset Asset Manager Guide to SAS 70 Issue Date: October 7, 2007 Asset Management Group A s s e t M a n a g e r G u i d e SAS 70 Table of Contents Executive Summary...3 Overview and Current Landscape...3 Service

More information

The 21 st Century Version of SAS 70..SSAE 16

The 21 st Century Version of SAS 70..SSAE 16 presents Mastering SAS 70 Audit Reports for Service Organizations Evaluating Internal Controls Issues With Type I and Type II Reports A Live 110-Minute Teleconference/Webinar with Interactive Q&A Today's

More information

Information for Management of a Service Organization

Information for Management of a Service Organization Information for Management of a Service Organization Copyright 2011 American Institute of Certified Public Accountants, Inc. New York, NY 10036-8775 All rights reserved. For information about the procedure

More information

RECKENEN FOCUS ON SAS 70 & SSAE 16

RECKENEN FOCUS ON SAS 70 & SSAE 16 RECKENEN FOCUS ON SAS 70 & SSAE 16 Hassan Sultan, CPA Managing Director 3001 Park Center Drive Suite 1000 Alexandria, VA 22302 Phone (703) 249 4509 Email hsultan@reckenen.com SAS 70 & SSAE 16 Overview

More information

SECTION I INDEPENDENT SERVICE AUDITOR S REPORT

SECTION I INDEPENDENT SERVICE AUDITOR S REPORT SOC2 Security Report on Controls Supporting DriveSavers Services Independent Service Auditor s Report on Design of Controls Placed in Operation and Tests of Operational Effectiveness Relevant to Security

More information

Navigating the transition to CSAE 3416

Navigating the transition to CSAE 3416 www.pwc.com/ca/controls Navigating the transition to CSAE 3416 FAQs on the new Canadian Standard on Assurance Engagements In response to changes in third-party assurance standards in both the US and internationally,

More information

The Importance of IT Controls to Sarbanes-Oxley Compliance

The Importance of IT Controls to Sarbanes-Oxley Compliance Hosted by Deloitte, PricewaterhouseCoopers and ISACA/ITGI The Importance of IT Controls to Sarbanes-Oxley Compliance 15 December 2003 1 Presenters Chris Fox, CA Sr. Manager, Internal Audit Services PricewaterhouseCoopers

More information

Consultation Response

Consultation Response Consultation Response PROPOSED AUDITING STANDARD AN AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING PERFORMED IN CONJUNCTION WITH AN AUDIT OF FINANCIAL STATEMENTS PCAOB Rulemaking Docket Matter No.

More information

3.B METHODOLOGY SERVICE PROVIDER

3.B METHODOLOGY SERVICE PROVIDER 3.B METHODOLOGY SERVICE PROVIDER Approximately four years ago, the American Institute of Certified Public Accountants (AICPA) issued Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting

More information

Invitation to Comment document: Improving the Auditor's report

Invitation to Comment document: Improving the Auditor's report Stockholm 9th October 2012 Mr. James Gunn Technical Director International Auditing and Assurance Standards Board 545 Fifth Avenue, 14th Floor New York, New York 10017, USA Invitation to Comment document:

More information

Third party assurance services

Third party assurance services TECHNOLOGY RISK SERVICES Third party assurance services Delivering assurance over your service providers The current third party service provider environment Corporate UK has been transformed in recent

More information

Entitlements Management System (EMS) Technology Update Project Health Check Review

Entitlements Management System (EMS) Technology Update Project Health Check Review Entitlements Management System (EMS) Technology Update Project Health Check Review February 2010 Final This report and PricewaterhouseCoopers deliverables are intended solely for the Department of Finance

More information

UK Corporate Governance Code: Raising the bar on risk management Why this is not business as usual and what you need to do to comply

UK Corporate Governance Code: Raising the bar on risk management Why this is not business as usual and what you need to do to comply www.pwc.co.uk/riskassurance UK Corporate Governance Code: Raising the bar on risk management Why this is not business as usual and what you need to do to comply September 2014 The FRC s amendments to the

More information

Aberdeen City Council. Fleet Management Final Report

Aberdeen City Council. Fleet Management Final Report Aberdeen City Council Fleet Management Final Report Internal Audit Report 2013/2014 for Aberdeen City Council February 2014 Internal Audit KPI Targets Target Dates Actual Dates Red/Amber/ Green Commentary

More information

Auditing Standard 5- Effective and Efficient SOX Compliance

Auditing Standard 5- Effective and Efficient SOX Compliance Auditing Standard 5- Effective and Efficient SOX Compliance September 6, 2007 Presented to: The Dallas Chapter of the Institute of Internal Auditors These slides are incomplete without the benefit of the

More information

) ) ) ) ) ) ) ) ) ) ) )

) ) ) ) ) ) ) ) ) ) ) ) 1666 K Street, NW Washington, D.C. 20006 Telephone: (202) 207-9100 Facsimile: (202)862-8430 PROPOSED AUDITING STANDARD RELATED TO CONFIRMATION AND RELATED AMENDMENTS TO PCAOB STANDARDS ) ) ) ) ) ) ) )

More information

Guide to Understanding SAS 70 Reports

Guide to Understanding SAS 70 Reports Guide to Understanding SAS 70 Reports Authors: Norm Parkerson, Business Advisory Services Executive Director and Brett Williams, Business Advisory Services Partner In today s global economy, service organizations

More information

Reg AB Is Here to Stay:

Reg AB Is Here to Stay: PwC Reg AB Is Here to Stay: What does this mean for servicers? By LaWanda Morris Tom Knox PwC Reg AB Is Here to Stay: What does this mean for servicers? By LaWanda Morris/Tom Knox Background The Securities

More information

TIS Section 9520, SSAE No. 16, Reporting on Controls at a Service Organization

TIS Section 9520, SSAE No. 16, Reporting on Controls at a Service Organization November 2011 AICPA Technical Practice Aids TIS Section 9520, SSAE No. 16, Reporting on Controls at a Service Organization.01 New Standards for Service Auditors and User Auditors Inquiry Did the issuance

More information

Auditing Derivative Instruments, Hedging Activities, and Investments in Securities 1

Auditing Derivative Instruments, Hedging Activities, and Investments in Securities 1 Auditing Derivative Instruments 1915 AU Section 332 Auditing Derivative Instruments, Hedging Activities, and Investments in Securities 1 (Supersedes SAS No. 81.) Source: SAS No. 92. See section 9332 for

More information

Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard

Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard Information Systems Audit and Controls Association Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard February 4, 2014 Tom Haberman, Principal, Deloitte & Touche LLP Reema Singh,

More information

A Flexible and Comprehensive Approach to a Cloud Compliance Program

A Flexible and Comprehensive Approach to a Cloud Compliance Program A Flexible and Comprehensive Approach to a Cloud Compliance Program Stuart Aston Microsoft UK Session ID: SPO-201 Session Classification: General Interest Compliance in the cloud Transparency Responsibility

More information

How mature is the internal control framework at your service organisation? ISAE 3402 and SSAE 16: Reinforcing confidence through demonstration of

How mature is the internal control framework at your service organisation? ISAE 3402 and SSAE 16: Reinforcing confidence through demonstration of How mature is the internal control framework at your service organisation? ISAE 3402 and SSAE 16: Reinforcing confidence through demonstration of effective controls ISAE 3402 and SSAE 16 defined Overview

More information

Introducing Agile Projects Colin Evans February 2016

Introducing Agile Projects Colin Evans February 2016 www.pwc.co.uk Introducing Agile Projects Colin Evans February 2016 Agenda What is an agile project? Why has agile become popular? A crash course in agile. Some of the issues with agile? Discussion Some

More information

Understanding Vendor Risk And Analyzing the SSAE No. 16

Understanding Vendor Risk And Analyzing the SSAE No. 16 Understanding Vendor Risk And Analyzing the SSAE No. 16 Accelerate your Credit Union s Performance June 19, 2014 AUSTIN, TEXAS www.cuaccelerator.com Agenda Vendor Management Key Outsourcing Risk Areas

More information

Alternative Investment Fund Managers Directive. What does this mean for your business?

Alternative Investment Fund Managers Directive. What does this mean for your business? Alternative Investment Fund Managers Directive What does this mean for your business? Background to the Alternative Investment Fund Managers Directive (AIFMD) The Alternative Investment Fund Managers (AIFM)

More information

Cyber security Building confidence in your digital future

Cyber security Building confidence in your digital future www.pwc.co.uk/cyber Cyber security Building confidence in your digital future We provide a range of integrated cyber security services, helping you protect what matters Building confidence in your digital

More information

BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM RECITALS

BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM RECITALS BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM This Business Associate Addendum ( Addendum ), effective, 20 ( Effective Date ), is entered into by and between University of Southern California, ( University

More information

Protecting your brand in the cloud Transparency and trust through enhanced reporting

Protecting your brand in the cloud Transparency and trust through enhanced reporting Protecting your brand in the cloud Transparency and trust through enhanced reporting Third-party Assurance November 2011 At a glance Cloud computing has unprecedented potential to deliver greater business

More information

West Middlesex University Hospital NHS Trust

West Middlesex University Hospital NHS Trust www.pwc.co.uk July 2014 Government and Public Sector West Middlesex University Hospital NHS Trust Annual Audit Letter 2013/14 Audit PricewaterhouseCoopers LLP 7 More London Riverside London SE1 2RT The

More information

STANDING ADVISORY GROUP MEETING

STANDING ADVISORY GROUP MEETING 1666 K Street, NW Washington, D.C. 20006 Telephone: (202) 207-9100 Facsimile: (202)862-8430 www.pcaobus.org STANDING ADVISORY GROUP MEETING AUDIT CONFIRMATIONS APRIL 2, 2009 Introduction Confirmations

More information

Internal Audit Testing and Sampling Techniques. Chartered Institute of Internal Auditors May 2014

Internal Audit Testing and Sampling Techniques. Chartered Institute of Internal Auditors May 2014 Internal Audit Testing and Sampling Techniques Chartered Institute of Internal Auditors May 2014 Controls Testing Slide 1 Testing Priorities Risk B1 Risk A1 Risk B2 Risk A2 Risk C2 Risk C1 Controls testing

More information

THE ROLE OF AN SOC 1 REPORT (formerly SAS 70) IN FREIGHT PAYMENT

THE ROLE OF AN SOC 1 REPORT (formerly SAS 70) IN FREIGHT PAYMENT THE ROLE OF AN SOC 1 REPORT (formerly SAS 70) IN FREIGHT PAYMENT White Paper www.a3freightpayment.com THE ROLE OF AN SOC 1 REPORT (formerly SAS 70) IN FREIGHT PAYMENT Introduction An essential element

More information

Structured finance. - accounting developments: Special purposes entities Consolidation and Disclosure

Structured finance. - accounting developments: Special purposes entities Consolidation and Disclosure www.pwc.com/securitisation Structured finance - accounting developments: elop Special purposes entities Consolidation and Disclosure Sp pecial purp pose entit ies new standards on consolidation and disclosure

More information

Citation for published version (APA): Berthing, H. H. (2014). Vision for IT Audit 2020. Abstract from Nordic ISACA Conference 2014, Oslo, Norway.

Citation for published version (APA): Berthing, H. H. (2014). Vision for IT Audit 2020. Abstract from Nordic ISACA Conference 2014, Oslo, Norway. Aalborg Universitet Vision for IT Audit 2020 Berthing, Hans Henrik Aabenhus Publication date: 2014 Document Version Early version, also known as pre-print Link to publication from Aalborg University Citation

More information

SSAE 16 for Transportation & Logistics Companies. Chris Kradjan Kim Koch

SSAE 16 for Transportation & Logistics Companies. Chris Kradjan Kim Koch SSAE 16 for Transportation & Logistics Companies Chris Kradjan Kim Koch 1 The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind,

More information

Inquiry of a Client s Lawyer Concerning Litigation, Claims, and Assessments 1

Inquiry of a Client s Lawyer Concerning Litigation, Claims, and Assessments 1 Inquiry of a Client s Lawyer 1985 AU Section 337 Inquiry of a Client s Lawyer Concerning Litigation, Claims, and Assessments 1 Source: SAS No. 12. See section 9337 for interpretations of this section.

More information

GAO. Government Auditing Standards. 2011 Revision. By the Comptroller General of the United States. United States Government Accountability Office

GAO. Government Auditing Standards. 2011 Revision. By the Comptroller General of the United States. United States Government Accountability Office GAO United States Government Accountability Office By the Comptroller General of the United States December 2011 Government Auditing Standards 2011 Revision GAO-12-331G GAO United States Government Accountability

More information

Managing risk in construction projects how to achieve a successful outcome*

Managing risk in construction projects how to achieve a successful outcome* how to achieve a successful outcome* Project risk and controls Slaying the dragon Scott Jardine *connectedthinking PwC Contents Background to the dragon Project risk management Project controls Background

More information

Our comments concerning internal control and other significant matters are presented as follows:

Our comments concerning internal control and other significant matters are presented as follows: MANAGEMENT LETTER Board of Directors Indianapolis, Indiana In planning and performing our audit of the consolidated financial statements of TCM International Institute, Inc. and European Evangelistic Society

More information

Role is Broader and More Strategic

Role is Broader and More Strategic Internal Control Transformation IC s Role is Broader and More Strategic CACUBO Winter Workshop - 2013 Introduction Cindy Berg Director McGladrey LLP 201 N Harrison Street Davenport, Iowa 52801 cindy.berg@mcgladrey.com

More information

Navigating the Regulatory Maze. AIFMD Impact on Service Providers

Navigating the Regulatory Maze. AIFMD Impact on Service Providers www.pwc.com Navigating the Regulatory Maze Navigating the Regulatory Maze AIFMD Impact on Service Providers January 2011 AIFMD Impact on Service Providers The Alternative Investment Fund Managers Directive

More information

Information Commissioner's Office

Information Commissioner's Office Information Commissioner's Office Internal Audit 2013-14: Follow up Last updated 4 July 2014 Distribution For action Senior Corporate Governance Manager Timetable Fieldwork completed 21 May 2014 Draft

More information

IAASB. EMERGING PRACTICE ISSUES REGARDING t h e USE o f EXTERNAL CONFIRMATIONS STAFF AUDIT PRACTICE ALERT NOVEMBER 2009.

IAASB. EMERGING PRACTICE ISSUES REGARDING t h e USE o f EXTERNAL CONFIRMATIONS STAFF AUDIT PRACTICE ALERT NOVEMBER 2009. IAASB NOVEMBER 2009 STAFF AUDIT PRACTICE ALERT International Auditing and Assurance Standards Board The IAASB is an independent standard-setting board of the International Federation of Accountants. EMERGING

More information

REPORTING ACCOUNTANTS WORK ON FINANCIAL REPORTING PROCEDURES. Financing Change initiative

REPORTING ACCOUNTANTS WORK ON FINANCIAL REPORTING PROCEDURES. Financing Change initiative REPORTING ACCOUNTANTS WORK ON FINANCIAL REPORTING PROCEDURES consultation PAPER Financing Change initiative inspiring CONFIdENCE icaew.com/financingchange ICAEW operates under a Royal Charter, working

More information

Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Frequently Asked Questions

Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Frequently Asked Questions Guide to the Sarbanes-Oxley Act: IT Risks and Controls Frequently Asked Questions Table of Contents Page No. Introduction.......................................................................1 Overall

More information

Innovation Working Group

Innovation Working Group Innovation Working Group Chuck Landes, IAASB Deputy Chair and Working Group Chair IAASB Meeting September 2015 Agenda Item 8-B Page 1 Purpose of the Session Inform the IAASB on new developments that may

More information

Audit and Permitted Non-Audit Services Pre-Approval Policy (Pertaining to the Company s Independent Auditor)

Audit and Permitted Non-Audit Services Pre-Approval Policy (Pertaining to the Company s Independent Auditor) Audit and Permitted Non-Audit Services Pre-Approval Policy (Pertaining to the Company s Independent Auditor) Statement of Principles Pursuant to the Sarbanes-Oxley Act of 2002 (the Act ) and in accordance

More information

WELCOME TO SECURE360 2013

WELCOME TO SECURE360 2013 WELCOME TO SECURE360 2013 Don t forget to pick up your Certificate of Attendance at the end of each day. Please complete the Session Survey front and back, and leave it on your seat. Are you tweeting?

More information

INTERNATIONAL STANDARD ON AUDITING 580 MANAGEMENT REPRESENTATIONS CONTENTS

INTERNATIONAL STANDARD ON AUDITING 580 MANAGEMENT REPRESENTATIONS CONTENTS INTERNATIONAL STANDARD ON 580 MANAGEMENT REPRESENTATIONS (Effective for audits of financial statements for periods beginning on or after December 15, 2004) CONTENTS Paragraph Introduction... 1-2 Acknowledgment

More information

Practical guide to corporate governance

Practical guide to corporate governance www.pwc.co.uk Practical guide to corporate governance Governance reporting Moving it forward April 2013 Draft Contents 1 What s the issue? 1 How to address the issue 1 Conclusion 3 Appendices 4 Appendix

More information

19/10/2012. How do you monitor. (...And why should you?) CAS Annual Meeting - Henry Jupe

19/10/2012. How do you monitor. (...And why should you?) CAS Annual Meeting - Henry Jupe www.pwc.com How do you monitor data quality? (...And why should you?) CAS Annual Meeting - November 2012 Henry Jupe Antitrust notice The Casualty Actuarial Society is committed to adhering strictly to

More information

SERVICE ORGANIZATION CONTROL REPORTS SM. Formerly SAS 70 Reports

SERVICE ORGANIZATION CONTROL REPORTS SM. Formerly SAS 70 Reports SERVICE ORGANIZATION CONTROL REPORTS SM Formerly SAS 70 Reports SAS No. 70, Service Organizations Standard for reporting on a service organization s controls affecting user entities financial statements

More information

CHAPTER 5 PROFESSIONAL AUDITING STANDARDS AND THE AUDIT OPINION FORMULATION PROCESS

CHAPTER 5 PROFESSIONAL AUDITING STANDARDS AND THE AUDIT OPINION FORMULATION PROCESS A U D I T I N G A RISK-BASED APPROACH TO CONDUCTING A QUALITY AUDIT 9 th Edition Karla M. Johnstone Audrey A. Gramling Larry E. Rittenberg CHAPTER 5 PROFESSIONAL AUDITING STANDARDS AND THE AUDIT OPINION

More information

South Northamptonshire Council Contract Assurance: Leisure Contract

South Northamptonshire Council Contract Assurance: Leisure Contract South Northamptonshire Council Contract Assurance: Leisure Contract FINAL Internal Audit Report 2012/2013 January 2013 Contents 1. Executive summary 4 2. Background and scope 5 3. Detailed current year

More information

The Upside of Risk: Enterprise Risk Management and Public Real Estate Companies

The Upside of Risk: Enterprise Risk Management and Public Real Estate Companies The Upside of Risk: Enterprise Risk Management and Public Real Estate Companies James Barkley, Simon Property Group, Inc. and David E. Weiss, DDR Corp. Introduction: As lawyers, particularly real estate

More information

FRAMEWORK FOR THE PREPARATION OF ACCOUNTS. Best Practice Guidance

FRAMEWORK FOR THE PREPARATION OF ACCOUNTS. Best Practice Guidance FRAMEWORK FOR THE PREPARATION OF ACCOUNTS Best Practice Guidance Revised Edition April 2010 PUBLISHED IN APRIL 2010 THE INSTITUTE OF CHARTERED ACCOUNTANTS OF SCOTLAND This document is published by the

More information

INSTITUTE OF CERTIFIED PUBLIC ACCOUNTANTS OF RWANDA (ICPAR)

INSTITUTE OF CERTIFIED PUBLIC ACCOUNTANTS OF RWANDA (ICPAR) From: To: Subject: INSTITUTE OF CERTIFIED PUBLIC ACCOUNTANTS OF RWANDA INSTITUTE OF CERTIFIED PUBLIC ACCOUNTANTS OF RWANDA (ICPAR) PO Box 3213 Kigali Tel. +250784103930; Email: icparwanda@gmail.com ICPAR

More information

SARBANES-OXLEY SECTION 404

SARBANES-OXLEY SECTION 404 SARBANES-OXLEY SECTION 404 A TOOLKIT FOR MANAGEMENT AND AUDITORS VOLUME 2 Public Company Accounting Oversight Board The Public Company Accounting Oversight Board (PCAOB) was established by Congress under

More information

BUSINESS VALUATION Detailed Valuation Report Introduction

BUSINESS VALUATION Detailed Valuation Report Introduction BUSINESS VALUATION Detailed Valuation Report The detailed report shall provide sufficient information to permit intended users to understand the data, reasoning, and analyses underlying the Valuator s

More information

Oxford City Council Managing Capital Projects

Oxford City Council Managing Capital Projects www.pwc.co.uk Internal Audit Report 2014/2015 August 2015 Oxford City Council Managing Capital Projects Table of Contents 1. Executive Summary... 3 2. Background and scope... 5 3. Detailed findings...

More information

UK Stewardship Code. Response by Generation Investment Management LLP. London / 31 March, 2015. Generation Investment Management Page 1

UK Stewardship Code. Response by Generation Investment Management LLP. London / 31 March, 2015. Generation Investment Management Page 1 UK Stewardship Code Response by LLP London / 31 March, 2015 Page 1 This document, available on our website, outlines our response to the UK Stewardship Code and the ways in which we discharge our stewardship

More information

Independent auditors report to the members of Aviva plc

Independent auditors report to the members of Aviva plc 112 Aviva plc Annual report and accounts 2014 Independent auditors report to the members of Aviva plc Report on the financial statements Our opinion In our opinion, Aviva plc s Consolidated financial statements

More information

Reporting on Control Procedures at Outsourcing Entities

Reporting on Control Procedures at Outsourcing Entities Auditing Guidance Statement AGS 1042 (July 2002) Reporting on Control Procedures at Outsourcing Entities Prepared by the Auditing & Assurance Standards Board of the Australian Accounting Research Foundation

More information