The end of SAS70: what next for Performance Assurance?
- Thomasine James
- 8 years ago
Enhancing Trust and Transparency

The end of SAS70: what next for Performance Assurance?

A perspective on transitioning from SAS 70 to ISAE 3402

pwc
Contents

- What you need to know
- Detailed assessment of key changes to the standard
- Key action items
- Contacts

PricewaterhouseCoopers
The SAS70 standard is obsolete from 15th June 2011.

The changes are subtle, but our overall view is that organisations need to act now, to help minimise the impact on themselves and their customers.
What you need to know

Organisations that provide services to their customers are often subject to independent assessments of the processes executed on behalf of their customers. Statement on Auditing Standards (SAS) No. 70 has long been the most widespread and recognised standard globally for performing these assessments. It gave the service organisation a mechanism for providing an independent assurance report (and therefore comfort) to their customers.

The requirements and guidance for auditors reporting under SAS 70 will be superseded for reporting periods ending on or after the 15th June 2011 by SSAE 16. However, given both SAS 70 and SSAE 16 are US based standards, and many countries did not have their own standard for performing such assessments, an international standard, ISAE 3402, was issued in December This new standard will provide a reporting option for service organisations that need a global attestation standard to deliver consistent reporting worldwide, or will form the basis for updating regional standards (such as AAF 01/06). Like SSAE 16, the new standard is effective for reports with periods ending on or after June 15, 2011 and will permit early adoption.

The focus of this document is on the necessary changes to move from SAS 70 to ISAE It includes comments on the impact of those updates on service organisations and service auditors.

Key similarities and differences between ISAE 3402 and SAS 70

Similarities

- Scope is focused on controls that are likely to be relevant to user entities' internal control over financial reporting
- Type 1 and Type 2 reports may be issued by the service auditor
- Reports may include (inclusive method) or exclude (carve-out method) services provided by subservice organisations
- Service organisation's description of controls under SAS 70 generally will provide a basis for the system description under ISAE 3402
- Service auditor's report is restricted to use by the service organisation's management, customers of the service organisation and the customers' auditors

Differences

- Management is required to provide a written assertion with respect to the service organisation's responsibilities for systems and controls
- Subservice organisations are required to provide a similar assertion when they are included in the scope of the report
- In a Type 2 report, the service auditor opines on the suitability of the design of controls related to the control objectives throughout the entire period
- The service auditor is required to disclose any reliance on the work of Internal Audit (or other independent management testing functions) within the report

Overall assessment of key changes to the standard

The new standard is not designed to change how an engagement to report on controls is performed. Rather, it has been prepared to meet the demand for an internationally recognised standard and to fit into the current framework for assurance standards. The new standard does include some new requirements and changes to previous requirements of SAS 70. For each of the key changes discussed herein, we have provided an assessment of the difference from SAS 70 and the level of effort it will require of the service organisation to implement the change.

Acronym Buster

Statement on Standards for Attestation Engagements 16 (SSAE 16) is the US standard issued by the American Institute of Certified Public Accountants. The International Standard on Assurance Engagements 3402 (ISAE 3402) is issued by the International Auditing and Assurance Standards Board (IAASB).
Detailed assessment of key changes to the standard

Management assertion

Difference from SAS 70: Different
Level of effort to implement: Medium

Under the new standard, the service organisation has to acknowledge its responsibilities through a written assertion, which will state that the controls are fairly presented, suitably designed and operating effectively to achieve the specified control objectives. Management's assertion will be included in, or attached to, management's description of the system and documented within the report.

Management's assertion should be based on suitable criteria. Management should select the criteria to be used to make their assertion and should state them within the assertion. A service auditor is precluded from issuing a report if management does not provide a written assertion. The standard provides outline guidance in this area, which should make this requirement straightforward to implement.

Management should have a reasonable basis for its assertion, which may be achieved through on-going monitoring activities that provide evidence of the design and operating effectiveness of controls. But there is no specific requirement for management testing as with Sarbanes-Oxley.

Management's representation letter signed at the completion of a SAS 70 engagement today covers the same ground as the required items within management's assertion. Therefore, provision of the assertion is not expected to incur costs at the service organisation. However, service organisations may wish to consider who will be responsible for making the assertion.
Description of the system

Difference from SAS 70: Similar
Level of effort to implement: Medium

In addition to a written assertion, management is responsible for preparing its description of the service organisation's system ("the system"). The system is defined as the policies and procedures designed, implemented, and documented by management to provide customers with the services covered by the service auditor's report. Management's description should identify, at a minimum, the following criteria (as applicable):

- Services covered, including as appropriate the classes of transactions processed;
- The procedures by which services are provided and details of the relevant records and supporting information;
- Period covered by the report;
- Relevant control objectives and related controls;
- Complementary user controls;
- Controls performed by the subservice organisation (inclusive reports);
- The process used to prepare reports provided to customers;
- Changes to the system during the period covered by the report; and
- Other aspects of the service organisation's control environment, risk assessment process, information and communication systems, and monitoring of controls, as defined by the Committee of Sponsoring Organisations (COSO) internal control framework that could be relevant to user entities.

In many cases, a majority of the elements to be included in management's description of the system as required under ISAE 3402 have been included in existing SAS 70 reports. In such cases, there should not be a significant additional work effort required of the service organisation.
Identification of risks to achieving control objectives

Difference from SAS 70: Similar
Level of effort to implement: Low

Similar to guidance under SAS 70, management's description of the system should specify control objectives and related controls. Management are expected to consider the risks that threaten the achievement of the control objectives, whether the controls do enough to mitigate those risks and whether the controls are consistently applied.

ISAE 3402 allows for management to have a formal or informal process for identifying the relevant risks and does not require that management explicitly include such risks within the report. However, our perspective on leading practice is that management conduct and formally document their consideration of the relevant risks. As many companies have already performed this risk assessment as part of the creation of the control objectives and control activities for their historical SAS 70 efforts, identifying the relevant risk factors should not create significant additional work.

Subservice organisations

Difference from SAS 70: Different
Level of effort to implement: Medium

Consistent with SAS 70, ISAE 3402 allows the service organisation to describe the use of subservice organisations through either an inclusive or carve-out method of presentation. When using the inclusive method, management's description of the system should include a description of, and clearly distinguish, the services provided by the subservice organisation. Additionally, the subservice organisation is subject to the same requirements as the service organisation and should provide the following:

- A description of the related control objectives and controls at the subservice organisation;
- A written assertion, to be included in, or attached to, management's description of the service organisation's system; and
- A letter of representation.
The requirement that the subservice organisation provide a written assertion, when employing the inclusive method, may present the greatest challenge, which management should proactively coordinate well in advance of a service auditor engagement. The representation letter signed at the completion of a SAS 70 engagement today covers the same ground as the required items within the assertion.
Using work of internal audit

Difference from SAS 70: Moderate
Level of effort to implement: Medium

The service auditor may use the work of internal audit or other independent control-related functions that has been performed independent of the service auditor's work to support their testing. However, there are often challenges in finding sufficient alignment of the scope and timing of work performed by internal audit or other independent control-related functions with that of the service auditor.

If the service auditor is able to overcome such challenges and is able to use this work in performing their tests of controls, additional disclosure is required within the report to provide transparency on the use of internal audit. Such disclosure is not required when individual members of an internal audit or another control-related function are used in the more common direct assistance capacity (i.e. under the direction of the service auditor).
Key Action Items

The following are key action items for the service organisation to consider when implementing the new ISAE 3402 standard:

- Service auditor: initiate discussions with service auditors to increase your understanding of the new standard and gain insight from the service auditor's perspective;
- Timing of adoption: the standard is effective for reports with periods ending on or after June 15, For example, a twelve-month report period beginning July 1, 2010 would be issued under ISAE 3402;
- Management's assertion: identify the risks that threaten achievement of control objectives, evaluate current control monitoring processes to determine if enhancements are necessary to support management's written assertion. Determine which members of management will be responsible for providing the assertion;
- System description: re-visit existing descriptions of controls within current SAS 70 reports as a foundation for developing management's description of the service organisation's system, including control objectives, risks, and related controls;
- Subservice organisations: if subservice organisations are to be included in management's description of the service organisation's system, determine whether to use the inclusive or carve-out method. If using the inclusive method, initiate discussions with the subservice organisation regarding their requirements under the new standard; and
- Communication plan: establish a plan for communication of the new standard and for education of customer service teams, contract teams, sales teams, and customers. Re-visit and assess the impact on customer contracts, as necessary.
Contacts

- Neil Hewitt, Partner, Tel: +44 (0)
- Richard Porter, Partner, Tel: +44 (0)
- Ian Armfield, Partner, Tel: +44 (0)
- Mark Garland, Director, Tel: +44 (0)
- David Woerndl, Senior Manager, Tel: +44 (0)
pwc.com

This document has been prepared for the intended recipients only. To the extent permitted by law, PricewaterhouseCoopers LLP does not accept or assume any liability, responsibility or duty of care for any use of or reliance on this document by anyone, other than (i) the intended recipient to the extent agreed in the relevant contract for the matter to which this document relates (if any), or (ii) as expressly agreed by PricewaterhouseCoopers LLP at its sole discretion in writing in advance.

PricewaterhouseCoopers LLP. All rights reserved. PricewaterhouseCoopers refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom) or, as the context requires, other member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.
More informationCitation for published version (APA): Berthing, H. H. (2014). Vision for IT Audit 2020. Abstract from Nordic ISACA Conference 2014, Oslo, Norway.
Aalborg Universitet Vision for IT Audit 2020 Berthing, Hans Henrik Aabenhus Publication date: 2014 Document Version Early version, also known as pre-print Link to publication from Aalborg University Citation
More informationInformation Commissioner's Office
Information Commissioner's Office Internal Audit 2013-14: Follow up Last updated 4 July 2014 Distribution For action Senior Corporate Governance Manager Timetable Fieldwork completed 21 May 2014 Draft
More informationInnovation Working Group
Innovation Working Group Chuck Landes, IAASB Deputy Chair and Working Group Chair IAASB Meeting September 2015 Agenda Item 8-B Page 1 Purpose of the Session Inform the IAASB on new developments that may
More informationWeighing in on the Benefits of a SAS 70 Audit for Third Party Data Centers
Weighing in on the Benefits of a SAS 70 Audit for Third Party Data Centers With increasing oversight and growing demands for industry regulations, third party assurance has never been under a keener eye
More informationBUSINESS VALUATION Detailed Valuation Report Introduction
BUSINESS VALUATION Detailed Valuation Report The detailed report shall provide sufficient information to permit intended users to understand the data, reasoning, and analyses underlying the Valuator s
More informationAlternative Investment Fund Managers Directive. What does this mean for your business?
Alternative Investment Fund Managers Directive What does this mean for your business? Background to the Alternative Investment Fund Managers Directive (AIFMD) The Alternative Investment Fund Managers (AIFM)
More informationWest Middlesex University Hospital NHS Trust
www.pwc.co.uk July 2014 Government and Public Sector West Middlesex University Hospital NHS Trust Annual Audit Letter 2013/14 Audit PricewaterhouseCoopers LLP 7 More London Riverside London SE1 2RT The
More informationInternational Institute of Management
Executive Education Executive Action Learning Seminars Executive Seminars Executive Courses International Institute of Management Executive Education Courses CIO & Sarbanes Oxley Compliance SOX Implementation
More informationDriving performance and value through strategic vendor management
Banking and Capital Markets Driving performance and value through strategic vendor management As companies face increasing pressure to reduce costs and improve productivity and efficiency, many are looking
More informationRole is Broader and More Strategic
Internal Control Transformation IC s Role is Broader and More Strategic CACUBO Winter Workshop - 2013 Introduction Cindy Berg Director McGladrey LLP 201 N Harrison Street Davenport, Iowa 52801 cindy.berg@mcgladrey.com
More informationInquiry of a Client s Lawyer Concerning Litigation, Claims, and Assessments 1
Inquiry of a Client s Lawyer 1985 AU Section 337 Inquiry of a Client s Lawyer Concerning Litigation, Claims, and Assessments 1 Source: SAS No. 12. See section 9337 for interpretations of this section.
More informationOur comments concerning internal control and other significant matters are presented as follows:
MANAGEMENT LETTER Board of Directors Indianapolis, Indiana In planning and performing our audit of the consolidated financial statements of TCM International Institute, Inc. and European Evangelistic Society
More informationInnovation Working Group
Innovation Working Group Chuck Landes, Chair, Innovation Working Group Agenda Item I.1 IAASB-CAG Meeting, September 15-16, 2015 New York, USA Page 1 Purpose of the Session Inform the CAG on new developments
More informationdebt collection software PRIVACY POLICY
debt collection software PRIVACY POLICY debt collection software Our Commitment to Your Privacy Swordfish Software CC ( Swordfish, we or us) is committed to protecting your privacy. We value the trust
More informationSTANDING ADVISORY GROUP MEETING
1666 K Street, NW Washington, D.C. 20006 Telephone: (202) 207-9100 Facsimile: (202)862-8430 www.pcaobus.org STANDING ADVISORY GROUP MEETING AUDIT CONFIRMATIONS APRIL 2, 2009 Introduction Confirmations
More informationRisk & Assurance. Tailored to your needs. Internal audit solutions
Risk & Assurance Tailored to your needs Internal audit solutions Internal audit solutions The need for internal audit has never been as urgent as it is today. Unmanaged risks can literally cause the demise
More informationManaging risk in construction projects how to achieve a successful outcome*
how to achieve a successful outcome* Project risk and controls Slaying the dragon Scott Jardine *connectedthinking PwC Contents Background to the dragon Project risk management Project controls Background
More informationOxford City Council Managing Capital Projects
www.pwc.co.uk Internal Audit Report 2014/2015 August 2015 Oxford City Council Managing Capital Projects Table of Contents 1. Executive Summary... 3 2. Background and scope... 5 3. Detailed findings...
More informationVendor Management Best Practices
23 rd Annual and One Day Seminar Vendor Management Best Practices Catherine Bruder CPA, CITP, CISA, CISM, CTGA Michigan Texas Florida Insight. Oversight. Foresight. SM Doeren Mayhew Bruder 1 $100 billion
More informationNavigating the Regulatory Maze. AIFMD Impact on Service Providers
www.pwc.com Navigating the Regulatory Maze Navigating the Regulatory Maze AIFMD Impact on Service Providers January 2011 AIFMD Impact on Service Providers The Alternative Investment Fund Managers Directive
More informationGuide to the Sarbanes-Oxley Act: IT Risks and Controls. Frequently Asked Questions
Guide to the Sarbanes-Oxley Act: IT Risks and Controls Frequently Asked Questions Table of Contents Page No. Introduction.......................................................................1 Overall
More informationAudit and Permitted Non-Audit Services Pre-Approval Policy (Pertaining to the Company s Independent Auditor)
Audit and Permitted Non-Audit Services Pre-Approval Policy (Pertaining to the Company s Independent Auditor) Statement of Principles Pursuant to the Sarbanes-Oxley Act of 2002 (the Act ) and in accordance
More informationDocumentation of Use of a Type 2 Service Auditor s Report In an Audit of an Employee Benefit Plan s Financial Statements
Documentation of Use of a Type 2 Service Auditor s Report In an Audit of an Employee Benefit Plan s Financial Statements PLAN NAME: PLAN YEAR END: CLIENT NUMBER: SCOPE OF PLAN AUDIT: LIMITED FULL Note:
More informationOffice of the Police and Crime Commissioner for Avon and Somerset and Avon and Somerset Constabulary
Office of the Police and Crime Commissioner for Avon and Somerset and Avon and Somerset Constabulary Internal Audit Report () FINAL Risk Management: Follow Up of Previous Internal Audit Recommendations
More informationSpecial Purpose Reports on the Effectiveness of Control Procedures
Auditing Standard AUS 810 (July 2002) Special Purpose Reports on the Effectiveness of Control Procedures Prepared by the Auditing & Assurance Standards Board of the Australian Accounting Research Foundation
More information1. FPO. Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Second Edition
1. FPO Guide to the Sarbanes-Oxley Act: IT Risks and Controls Second Edition Table of Contents Introduction... 1 Overall IT Risk and Control Approach and Considerations When Complying with Sarbanes-Oxley...
More informationAdding up or adding value?
Get up to speed Building Better Finance Functions Adding up or adding value? Making business partnering work whatwouldyouliketochange.com Contents Adding up or adding value? 3 The strategic value of business
More informationCloud Computing An Auditor s Perspective
Cloud Computing An Auditor s Perspective Sailesh Gadia, CPA, CISA, CIPP sgadia@kpmg.com December 9, 2010 Discussion Agenda Introduction to cloud computing Types of cloud services Benefits, challenges,
More informationWELCOME TO SECURE360 2013
WELCOME TO SECURE360 2013 Don t forget to pick up your Certificate of Attendance at the end of each day. Please complete the Session Survey front and back, and leave it on your seat. Are you tweeting?
More information