SSAE 16 and AT Section 101
- Dortha Brooks
A Changed Approach to Assurance

Since 1992, Statement on Auditing Standards (SAS) 70 has been the source of guidance for service organizations, user entity external auditors, and service auditors. SAS 70 was recently divided and replaced by two new standards. The first standard, SAS "Audit Considerations Relating to an Entity Using a Service Organization", was developed for user entity external auditors. The Accounting Standards Board (ASB) has finalized this new auditing standard, but it does not go into effect until December 15, …; early implementation of this standard is not permitted. The second standard is Statement on Standards for Attestation Engagements (SSAE) 16, "Reporting on Controls at a Service Organization" (AT section 801), which was developed for the service auditor. SSAE 16 went into effect on June 15, ….

SAS 70 was changed because external auditors rely on auditing standards to report on the audit of financial statements, whereas SSAE 16 provides guidance to the service auditor for reporting on the service organization's description of the system (including controls and control objectives) as it relates to financial reporting. The major changes between SAS 70 and SSAE 16 include the following:
- A written assertion by service organization management regarding the design and operating effectiveness of the description of the system (including controls and control objectives);
- The exclusion of evidence from prior periods on the satisfactory operation of controls as a basis for reducing testing in the current period;
- The identification of work performed by the service organization's internal auditors and of the service auditor's procedures with respect to that work; and
- In a type 2 engagement, the service auditor's opinion on the design and operating effectiveness of the description of the system (including controls and control objectives) for a period rather than as of a specified date.
The period referenced is the same period in which the description is reviewed (AICPA, 2011).

SSAE 16 Guidance Expanded Again

In the past, a SAS 70 review was often inappropriately used to report on controls related to compliance, systems, and processes that were clearly unrelated to the user entity's internal controls relevant to financial reporting. Because of this confusion and lack of clarity in scope, the nature of an SSAE 16 review has been redefined, and the AICPA has issued further guidance on providing assurance on user entity controls that are unrelated to financial reporting. Reporting on user entity controls relevant to financial reporting will continue to be performed under SSAE 16 guidance. However, reporting on user entity controls that are unrelated to financial reporting must now be performed under SSAE "Attest Engagements", AT section 101. This standard allows a service auditor to report on subject matter other than financial statements. Attestation standards were developed to provide guidance on the growing number of services that CPAs have been asked to report on. The subject matter reported on in these services may include:
- Historical or prospective performance or condition (for example, historical or prospective financial information, performance measurements, and backlog data);
- Physical characteristics (for example, narrative descriptions, square footage of facilities);
- Historical events (for example, the price of a market basket of goods on a certain date);
- Analyses (for example, break-even analyses);
- Systems and processes (for example, internal control);
- Compliance with laws, regulations, and contracts; and
- The effectiveness of controls over privacy (AICPA, 2009).

Three New Reporting Options: SOC 1, SOC 2, and SOC 3

Service Organization Control (SOC) 1 Report

An engagement conducted under SSAE 16 will now result in a Service Organization Control (SOC) 1 report. A SOC 1 engagement focuses on reporting on user entity controls relevant to financial reporting. Type I and Type II reports remain the same: a type I report assesses the fairness of the description and the suitability of the design of controls to achieve control objectives, while a type II report includes an assessment of the design of controls and also an opinion on the operating effectiveness of controls, together with the tests of controls and their associated results.
Both types of assessments require an assertion by management, as defined in SSAE 16, and both types of reports must be restricted to service organization clients, existing user entities, and user auditors.

One of the most significant changes between SOC 1 and SOC 2 engagements pertains to the difference in scope and boundaries of the system of internal controls. In a SOC 1 engagement, the controls that achieve control objectives for financial statement assertions remain the same and include the following:
- Classes of transactions in the user entity's operations that are significant to the user entity's financial statements;
- Automated and manual procedures by which accounts/transactions are initiated, authorized, recorded, processed, and reported in the financial statements;
- The capture of other events and conditions that are significant to the financial statements; and
- The financial reporting process used to prepare the financial statements, including significant accounting estimates and disclosures (AICPA, 2011).

However, the scope of the general computer controls defined in the description and assessed by the service auditor must be re-evaluated to ensure that the information security, change management, and computer operations control objectives relate only to internal controls relevant to financial reporting and are not commingled with overall objectives related to the security, availability, processing integrity, confidentiality, or privacy of the system, since those fall within the scope of a SOC 2 engagement. Changes in scope can be readily determined by refocusing only on the general control objectives and associated controls related to the financial reporting application and the control environment that supports it.
SOC 2 Report

An engagement that provides assurance on controls at a service organization other than those relevant to user entities' internal controls over financial reporting is now performed under AT section 101 and is specifically called a SOC 2 engagement. A SOC 2 engagement assesses controls over one or more principles relevant to security, availability, processing integrity, confidentiality, or privacy. Assurance is provided on all of the system components of the principle being assessed, using the criteria in the AICPA's Trust Services Principles, Criteria, and Illustrations.

Like a SOC 1 report, there are two types of SOC 2 reports, Type I and Type II. A type I report includes the following:
- Management's description of the service organization's system;
- A written assertion by management that the description of the system of controls:
  - Has been designed and implemented as of a specified date; and
  - Was suitably designed to meet the applicable trust services criteria as of a specified date;
- A service auditor's report that expresses an opinion (AICPA, 2011).

A type II report is similar to a type I report except that it must also include an opinion on the operating effectiveness of controls, as well as the tests performed and their associated results. In addition, when the description of controls addresses the privacy principle, management must include a statement that it complied with the commitments in its statement of privacy practices throughout the period. Specific tests and results related to this compliance must also be included. In both type I and type II engagements, management's written assertion should be attached to the description of the service organization's system. When the report addresses the privacy principle, the statement of privacy practices should also be attached to the description. Both type I and type II SOC 2 reports should be restricted to management of the service organization and other specified parties.

As noted previously in this paper, one of the most significant changes between a SOC 1 and a SOC 2 engagement pertains to the difference in scope and boundaries of the system of internal controls. A SOC 2 engagement assesses controls over one or more principles relevant to security, availability, processing integrity, confidentiality, or privacy of all the system components related to each principle.
A SOC 1 engagement, by contrast, assesses controls related to financial transaction initiation, authorization, recording, processing, and reporting, together with the general computer controls that support the financial reporting system. These boundaries need to be understood. For purposes of illustration, the AICPA provides the following example for a SOC 2 engagement:

In a SOC 2 engagement that addresses the privacy principle, the system boundaries cover, at a minimum, all the system components as they relate to the personal information lifecycle, which consists of the collection, use, retention, disclosure, and disposal or anonymization of personal information, within well-defined processes and informal ad hoc procedures, such as e-mailing personal information to an actuary for retirement benefit calculations. The system boundaries would also include instances in which the personal information is combined with other information (for example, in a database or system), a process that would not otherwise cause the other information to be included in the scope of the engagement. That notwithstanding, the scope of a privacy engagement may be restricted to a business unit or geographical location, as long as the personal information is not commingled with information from, or shared with, other business units or geographical locations (AICPA, 2011).
From a SOC 2 perspective, the description of the system may include one or more information system resources that support the principles of security, availability, processing integrity, confidentiality, or privacy, and can include:
- Infrastructure: the physical and hardware components of a system (facilities, equipment, and networks);
- Software: the programs and operating software of a system (systems, applications, and utilities);
- People: the personnel involved in the operation and use of a system (developers, operators, users, and managers);
- Procedures: the automated and manual procedures involved in the operation of a system; and
- Data: the information used and supported by a system (transaction streams, files, databases, and tables) (AICPA, 2011).

Finally, the guidance for performing a SOC 2 engagement also clarifies the meaning of the term "security" and the difference between privacy and security. The term security can be interpreted more narrowly in a SOC 1 engagement than in a SOC 2 engagement. In a SOC 1 engagement, security refers more to the protection of information from unauthorized access or disclosure. In a SOC 2 engagement that addresses the privacy or confidentiality principle, however, security relates more to the authorization, protection, and integrity of transactions throughout the system. As for the difference between privacy and security, privacy is understood to encompass a broader set of activities beyond security that contribute to the effectiveness of a privacy program (AICPA, 2011).

SOC 3 Report

A SOC 3 engagement is similar to a SOC 2 engagement; however, a SOC 3 report contains only a limited description of the system, a written assertion from management, and an opinion. A SOC 3 report is designed to meet the needs of users who do not require the detail provided in a SOC 2 report. It is the AICPA's position that SOC 3 reports address a market need, since both current and prospective customers may use them. As in a SOC 2 engagement, the criteria used for evaluating the design and operating effectiveness of controls in a SOC 3 engagement are the Trust Services Principles, Criteria, and Illustrations. A service organization that undergoes a SOC 3 engagement may also display the SysTrust for Service Organizations seal on its website. SOC 3 reports are considered general use reports and can be distributed to the public, including customers, regulators, business partners, suppliers, and management. An assertion by service organization management is required; however, a report may still be issued without one, in which case the form of the report will vary and its use should be restricted.

Confusion All Over Again!

Due to increasing internal control breakdowns and the fraud and theft of confidential and private information, regulation related to internal controls continues to increase. With the benefits of outsourcing comes the transfer of risk. User entity management needs to be confident that their service organization's system has been updated for the new requirements. Management needs to determine whether:
- Risk is sufficiently addressed. Does the service organization's control environment include a risk assessment process, information and communication systems, and control and monitoring activities?
  The control environment is critical, since it can have a pervasive impact on whether controls as a whole were suitably designed and operating effectively;
- They need to develop and/or implement new complementary controls because of changes in the service organization's description of its system;
- There is a change to the mix or percentage of operations handled by subservice organizations working with the service provider, and whether the service organization's description adequately addresses this through the inclusive or carve-out method. Often, relationships with subservice providers are not fully understood and can be unintentionally minimized in the service organization's report.

Management must also develop more detailed assertions for SOC 1, 2, and 3 engagements. This assertion must fully address the design and operating effectiveness of the description of the system (including controls and control objectives) against the new criteria.

Numerous issues related to the service organization's description of the system have also arisen with the implementation of the new standards. Service organization management needs to ensure that:
- The scope of the description of the system is appropriate and complies with applicable regulatory requirements. General computer controls will differ between SOC 1 and SOC 2 engagements;
- Control objectives and associated controls address the new requirements and criteria defined in the standards. The scope of a SOC 2 engagement addresses controls that are unrelated to financial reporting and includes those that support the security, availability, processing integrity, confidentiality, or privacy principles;
- The AICPA's Trust Services Principles and Criteria have been properly integrated into the description of the system. These criteria are necessary for a service auditor to perform a SOC 2 or SOC 3 engagement; and
- Risk assessment and management activities are updated and/or expanded as necessary.
The AICPA has recently issued an Alert and two study guides on the changing dynamics of providing assurance services related to controls at service organizations. This guidance will help both user and service organization management become aware of the increased requirements and of the differences in the definition and scope of SOC 1, SOC 2, and SOC 3 engagements.
References

AICPA. (2011). Service Organizations: New Reporting Options Alert, Strengthening Engagement Integrity, Safeguarding Reporting. New York, NY: AICPA.
AICPA. (2011). Service Organizations: Applying SSAE No. 16, Reporting on Controls at a Service Organization (SOC 1). New York, NY: AICPA.
AICPA. (2011). Reporting on Controls at a Service Organization (SOC 2). New York, NY: AICPA.
Sherinsky, J. M. (2010). Replacing SAS 70: New Standards for Engagements Involving Outsourcing. Journal of Accountancy. Retrieved from …
Klein, M. (2011). SAS 70, SSAE 16, SOC and Data Center Standards. OTBlog. Retrieved from …
More informationUnderstanding changes to the Trust Services Principles for SOC 2 reporting
Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Understanding changes to the Trust Services Principles for SOC 2 reporting
More informationAsset Manager Guide to SAS 70. Issue Date: October 7, 2007. Asset
Asset Manager Guide to SAS 70 Issue Date: October 7, 2007 Asset Management Group A s s e t M a n a g e r G u i d e SAS 70 Table of Contents Executive Summary...3 Overview and Current Landscape...3 Service
More informationChapter 04. Board of Public Accountancy.
Chapter 04. Board of Public Accountancy. (Words in boldface and underlined indicate language being added; words [CAPITALIZED AND BRACKETED] indicate language being deleted. Complete new sections are not
More information13.19 ETHICS REPORTING POLICY AND PROCEDURE
13.13 SOFTWARE AND COMPUTER USAGE Temple University has adopted an extensive software policy and an extensive computer usage policy that govern the usage of software, hardware, computer related equipment
More informationCopyright 2015, American Institute of Certified Public Accountants, Inc. All Rights Re... STATEMENT ON STANDARDS FOR CONSULTING SERVICES
Page 1 of 7 Consulting Services CS Section STATEMENT ON STANDARDS FOR CONSULTING SERVICES Statements on Standards for Consulting Services are issued by the AICPA Management Consulting Services Executive
More informationGAO. Government Auditing Standards. 2011 Revision. By the Comptroller General of the United States. United States Government Accountability Office
GAO United States Government Accountability Office By the Comptroller General of the United States December 2011 Government Auditing Standards 2011 Revision GAO-12-331G GAO United States Government Accountability
More informationRE: PCAOB Rulemaking Docket Matter No. 004 Statement Regarding the Establishment of Auditing and Other Professional Standards
May 12, 2003 Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, N.W. Washington, D.C. 20006-2803 RE: PCAOB Rulemaking Docket Matter No. 004 Statement Regarding the Establishment
More informationOFFICE OF AUDITS & ADVISORY SERVICES SUNGARD TREASURY MANAGEMENT SYSTEM CONTRACT COMPLIANCE FINAL AUDIT REPORT
County of San Diego Auditor and Controller OFFICE OF AUDITS & ADVISORY SERVICES SUNGARD TREASURY MANAGEMENT SYSTEM CONTRACT COMPLIANCE FINAL AUDIT REPORT Chief of Audits: Juan R. Perez Senior Audit Manager:
More informationG24 - SAS 70 Practices and Developments Todd Bishop
G24 - SAS 70 Practices and Developments Todd Bishop SAS No. 70 Practices & Developments Todd Bishop Senior Manager, PricewaterhouseCoopers LLP Agenda SAS 70 Background Information and Overview Common SAS
More informationService Organizations: Auditing Interpretations of Section 324
Service Organizations 1835 AU Section 9324 Service Organizations: Auditing Interpretations of Section 324 1. Describing Tests of Operating Effectiveness and the Results of Such Tests.01 Question Paragraph.44f
More informationINTERNATIONAL STANDARD ON ASSURANCE ENGAGEMENTS (ISAE) 3402 ASSURANCE REPORTS ON CONTROLS AT A SERVICE ORGANIZATION
INTERNATIONAL STANDARD ON ASSURANCE ENGAGEMENTS (ISAE) 3402 ASSURANCE REPORTS ON CONTROLS AT A SERVICE ORGANIZATION (Effective for service auditors assurance reports covering periods ending on or after
More informationSRI LANKA AUDITING PRACTICE STATEMENT 1013 ELECTRONIC COMMERCE EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS
SRI LANKA AUDITING PRACTICE STATEMENT 1013 ELECTRONIC COMMERCE EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS (This Statement is effective for all the audits commencing on or after 01 April 2010) CONTENTS
More informationINTERNATIONAL AUDITING PRACTICE STATEMENT 1013 ELECTRONIC COMMERCE EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS
INTERNATIONAL PRACTICE STATEMENT 1013 ELECTRONIC COMMERCE EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS (This Statement is effective) CONTENTS Paragraph Introduction... 1 5 Skills and Knowledge... 6 7 Knowledge
More informationThe silver lining: Getting value and mitigating risk in cloud computing
The silver lining: Getting value and mitigating risk in cloud computing Frequently asked questions The cloud is here to stay. And given its decreased costs and increased business agility, organizations
More informationRole is Broader and More Strategic
Internal Control Transformation IC s Role is Broader and More Strategic CACUBO Winter Workshop - 2013 Introduction Cindy Berg Director McGladrey LLP 201 N Harrison Street Davenport, Iowa 52801 cindy.berg@mcgladrey.com
More informationCOSO s 2013 Internal Control Framework in Depth: Implementing the Enhanced Guidance for Internal Control over External Financial Reporting
in Depth: Implementing the Enhanced Guidance for Internal Control over External Financial Reporting Table of Contents EXECUTIVE SUMMARY... 3 BACKGROUND... 3 SIGNIFICANT CHANGES AFFECTING INTERNAL CONTROL
More informationINTERNATIONAL STANDARD ON ASSURANCE ENGAGEMENTS 3000 ASSURANCE ENGAGEMENTS OTHER THAN AUDITS OR REVIEWS OF HISTORICAL FINANCIAL INFORMATION CONTENTS
INTERNATIONAL STANDARD ON ASSURANCE ENGAGEMENTS 3000 ASSURANCE ENGAGEMENTS OTHER THAN AUDITS OR REVIEWS OF HISTORICAL FINANCIAL INFORMATION (Effective for assurance reports dated on or after January 1,
More informationSECURITY AND REGULATORY COMPLIANCE OVERVIEW
Powering Cloud IT SECURITY AND REGULATORY COMPLIANCE OVERVIEW BetterCloud for Office 365 Executive Summary BetterCloud provides critical insights, automated management, and intelligent data security for
More informationGAO. Government Auditing Standards. 2003 Revision. By the Comptroller General of the United States. United States General Accounting Office.
GAO United States General Accounting Office By the Comptroller General of the United States June 2003 Government Auditing Standards 2003 Revision GAO-03-673G GAO United States General Accounting Office
More informationEPCS Third party audits the CPA perspective. 13 September 2012
EPCS Third party audits the CPA perspective 13 September 2012 Agenda Introduction History Report review Audit process Moving forward Introduction 1311.300 Application provider requirements Third-party
More informationPRACTICE NOTE 1013 ELECTRONIC COMMERCE - EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS
PRACTICE NOTE 1013 ELECTRONIC COMMERCE - EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS (Issued December 2003; revised September 2004 (name change)) PN 1013 (September 04) PN 1013 (December 03) Contents Paragraphs
More informationAudit, Review, Compilation, and Preparation of Financial Statements
Audit, Review, Compilation, and Preparation of Financial Statements DISCLAIMER: This publication has not been approved, disapproved or otherwise acted upon by any senior technical committees of, and does
More informationGenerally Accepted Recordkeeping Principles
Generally Accepted Recordkeeping Principles Information Governance Maturity Model Information is one of the most vital strategic assets any organization possesses. Organizations depend on information to
More informationMelissa M. Wolf, CPA (570) 820.0186 Melissa.Wolf@ParenteBeard.com. Employee Benefit Plan Auditing and Regulatory Update 2012
Melissa M. Wolf, CPA (570) 820.0186 Melissa.Wolf@ParenteBeard.com Employee Benefit Plan Auditing and Regulatory Update 2012 Agenda ASU 2010-06 SOC1 (Formerly SAS 70), SOC2 and SOC3 Department of Labor
More informationInformation Security: Business Assurance Guidelines
Information Security: Business Assurance Guidelines The DTI drives our ambition of prosperity for all by working to create the best environment for business success in the UK. We help people and companies
More informationSystem Description of the Date Center System Relevant to Security and Availability (SOC 3) November 1, 2011 through April 30, 2012
System Description of the Date Center System Relevant to Security and Availability (SOC 3) November 1, 2011 through April 30, 2012 Moss Adams LLP 9665 Granite Ridge Drive, Suite 600 San Diego, CA 92123
More informationUnderstanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
Understanding the Entity and Its Environment 267 AU-C Section 315 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement Source: SAS No. 122; SAS No. 128. Effective
More informationNational Examination Risk Alert
National Examination Risk Alert By the Office of Compliance Inspections and Examinations 1 In this Alert: Topic: Observations related to the use of social media by registered investment advisers. Key Takeaways:
More informationCFPB Readiness Series: Compliant Vendor Management Overview
CFPB Readiness Series: Compliant Vendor Management Overview Legal Disclaimer This information is not intended to be legal advice and may not be used as legal advice. Legal advice must be tailored to the
More informationLast updated: 30 May 2016. Credit Suisse Privacy Policy
Last updated: 30 May 2016 Credit Suisse Please read this privacy policy (the ) as it describes how we intend to collect, use, store, share, and safeguard your information. By accessing, visiting or using
More informationSTATE OF NORTH CAROLINA
STATE OF NORTH CAROLINA PERFORMANCE AUDIT OFFICE OF INFORMATION TECHNOLOGY SERVICES STATE TERM CONTRACT FOR MICROCOMPUTERS AND PERIPHERALS JULY 2013 OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA STATE
More informationEffective Monitoring of Outsourced Plan Recordkeeping and Reporting Functions
Effective Monitoring of Outsourced Plan Recordkeeping and Reporting Functions Plan Advisory The AICPA EBPAQC is a firm-based, volunteer membership center created with the goal of promoting quality employee
More informationHow mature is the internal control framework at your service organisation? ISAE 3402 and SSAE 16: Reinforcing confidence through demonstration of
How mature is the internal control framework at your service organisation? ISAE 3402 and SSAE 16: Reinforcing confidence through demonstration of effective controls ISAE 3402 and SSAE 16 defined Overview
More informationLarry Laine, Deputy Land Commissioner and Chief Clerk. Annual Report on the Internal Audit Quality Assurance and Improvement Program
DATE: TO: FROM: SUBJECT: Larry Laine, Deputy Land Commissioner and Chief Clerk Tracey Hall, Deputy Commissioner of Internal Audit Annual Report on the Internal Audit The following report is presented in
More informationReporting on Control Procedures at Outsourcing Entities
Auditing Guidance Statement AGS 1042 (July 2002) Reporting on Control Procedures at Outsourcing Entities Prepared by the Auditing & Assurance Standards Board of the Australian Accounting Research Foundation
More informationPRACTICE GUIDE. Formulating and Expressing Internal Audit Opinions
PRACTICE GUIDE Formulating and Expressing Internal Audit Opinions 2 of 23 Table of Contents 1. Executive Summary... 1 2. Introduction... 2 3. Planning the Expression of an Opinion... 3 3.1 Expressing an
More informationUnderstanding ISO 27018 and Preparing for the Modern Era of Cloud Security
Understanding ISO 27018 and Preparing for the Modern Era of Cloud Security Presented by Microsoft and Foley Hoag LLP s Privacy and Data Security Practice Group May 14, 2015 Proposal or event name (optional)
More informationCOMMENTARY Scope & Purpose Definitions I. Education. II. Transparency III. Consumer Control
CONTENTS: SUMMARY SELF REGULATORY PRINCIPLES FOR ONLINE BEHAVIORAL ADVERTISING Introduction Definitions I. Education II. Transparency III. Consumer Control IV. Data Security V. Material Changes to Existing
More informationCertified Identity and Access Manager (CIAM) Overview & Curriculum
Identity and access management (IAM) is the most important discipline of the information security field. It is the foundation of any information security program and one of the information security management
More information