SSAE 16 for Transportation & Logistics Companies. Chris Kradjan Kim Koch

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "SSAE 16 for Transportation & Logistics Companies. Chris Kradjan Kim Koch"

Transcription

1 SSAE 16 for Transportation & Logistics Companies Chris Kradjan Kim Koch 1

2 The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind, including, without limitation, legal, accounting, or investment advice. This information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although this information may have been prepared by professionals, it should not be used as a substitute for professional services. If legal, accounting, investment, or other professional advice is required, the services of a professional should be sought. 2

3 TODAY S PRESENTERS Chris Kradjan, CPA, CITP, CRISC National SSAE 16 and IT Audit Practice Leader Partner, Moss Adams (206) / (415) Kim Koch, CPA Senior Manager, Moss Adams (509)

4 SESSION DESCRIPTION Old SAS 70 compliance requirements are yesterday s news. The latest SSAE 16 requirements include: o SOC 1, SOC 2, and SOC 3 o Other reporting options What are the benefits of having a SSAE 16? How does a SSAE 16 help you get new business? What are the current reporting requirements? What reports do you need when? This session will bring attendees up-to-speed. And include tips for what companies can do to prepare. 4

5 INTRODUCTION Businesses outsource to service organizations This can impact the businesses operations, financial statements, internal controls, and systems SOC audits: o Are an independent examination of the internal controls of the service organization o Consider the (1) design and (2) operating effectiveness of the relevant internal controls o Serve as regular due diligence of performance 5

6 OUTSOURCING ARRANGEMENTS Traditional Services Transportation and Logistics Finance Payroll Third Party Administrators Document Management Specialized Services New Services Cloud Providers Software as a Service (SaaS) Infrastructure as a Service (IaaS) Platform as a Service (PaaS) 6

7 VENDOR MANAGEMENT Financial and performance history Security and availability safeguards Reliable processing integrity Confidential and private records Staff knowledge and expertise Regulatory and operational compliance Compliance with service level agreements Regular due diligence and monitoring 7

8 TRANSPORTATION & LOGISTICS COMPANIES Revenue management Web-based shipping systems Inventory management Rate management Delivery management Customer service Scheduling Compliance 8

9 BENEFITS Differentiator from peers Builds trust with user organization Can limit multiple audit requests Offers opportunities for improvement 9

10 SOC REPORTING 10

11 OVERVIEW Historical with SAS 70 SAS 70 Reporting New with SSAE 16 SOC 1 Internal Controls Over Financial Reporting SOC 2 Trust Services Principles (Detailed Reporting) SOC 3 Trust Services Principles (SysTrust/WebTrust) 11

12 SOC COMPARISON SOC 2 1. Auditors report 2. Management assertion 3. Detail system description 4. Management controls 5. Auditor tests of controls SOC 1 and results of those tests criteria 1. Auditors report 2. Management assertion 3. Detail system description 4. Management controls 5. Auditor tests of controls and results of those tests control objectives Source: AICPA SOC 3 1. Auditors report 2. Management assertion 3. Detail system description 4. Management controls 5. Auditor tests of controls and results of those tests 12

13 SOC 1 13

14 SOC 1 Effectively known as SSAE 16 (AT 801) was SAS 70 Focus is on internal controls over financial reporting Independent examination of controls Auditor-to-auditor communication Concept of Type 1 and Type 2 reports Structure of the report Testing methods Carve-out and inclusive methods Restricted use distribution of report o Management of the service organization o Customers of service organization o Financial Statement auditors of customers 14

15 SOC 2 15

16 SOC 2 AUDITS Well suited for IT and cloud providers o SaaS / IaaS / PaaS o Application service provider o Data centers o Virtualized environments Address principles and criteria related to: o Security o Availability o Processing Integrity o Confidentiality o Privacy 16

17 SOC 2 The engagement is used to emphasize system reliability Concept of Type 1 and Type 2 reports Report presentation similar to SOC 1 audit Based on a prescribed Trust Services Principles and Criteria Principles o Security o Availability o Processing Integrity o Confidentiality o Privacy Expected to have limited carve outs and complementary user entity controls Restricted use, but intended for a broader range of users, including existing users, prospective users, and regulators 17

18 SYSTEM BOUNDARY COMPONENTS Infrastructure The physical structures, IT and other hardware (facilities, computers, equipment, mobile devices and telecommunications networks) Software The application programs and IT system software that supports application programs (operating systems, middleware, and utilities) People The personnel involved in the governance, operation and use of a system (developers, operators, entity users, vendor personnel, and managers) Procedures The automated and manual procedures Data Transaction streams, files, databases, and tables and output used or processed by a system 18

19 TRUST SERVICES PRINCIPLES Trust Services Principles updated in February 2014 Effective for periods ending on or after December 15, 2014 Early adoption is permitted Organized now into Common Criteria o Organization and management o Communications o Risk management and design and implementation of controls o Monitoring of controls o Logical and physical access controls o System operations o Change management 19

20 Security Availability Confidentiality Processing Integrity Privacy IT security policy Security awareness and communication Logical access Physical access Environmental controls Security monitoring User authentication Incident management Asset classification / mgt. Systems development and maintenance Personnel security Configuration mgt. Change management Monitoring / compliance Availability policy Backup and restoration Incident Management Disaster recovery Business continuity management Security Change Management Monitoring / compliance Confidentiality policy Confidentiality of inputs Confidentiality of data processing Confidentiality of outputs Information disclosures (including third parties) Confidentiality of Information in systems development Incident Management Security Change Management System processing integrity policies Completeness, accuracy, timeliness, and authorization of inputs, system processing, and outputs Information tracing from source to disposition Incident Management Security Change Management Availability Monitoring Privacy Policies PII Classification Risk Assessment Incident & Breach management Provision of notice Choice and consent Collection Use and retention Disposal Access Disclosure to third parties Security for privacy Quality Monitoring and enforcement Monitoring / compliance 20

21 SOC 3 21

22 SOC 3 22

23 SOC 3 Delivered in the form of a seal displayed on websites Registered certification by the AICPA and CICA Only one type of report no type 1 or type 2 Reports may be as of a specified date or for a specified period General use report Service organizations that have undergone a SOC 2 engagement and received a SOC 2 report may meet the requirements for a SOC 3 report if: o SOC 2 report is an unqualified Type 2 report o Report covers at least 2 month period o No carve outs from its system description o Significant complementary user entity controls are involved o Service auditor is licensed by AICPA/CICA to use a SOC 3 seal 23 23

24 OTHER REPORTING 24

25 INTERNATIONAL REPORTING ISAE 3402 SSAE 16 (SOC 1/2/3) United States CICA 5970 Canada AAF 01/06 United Kingdom HKCPA HK/China AUS 810 Australia Others 25 25

26 CLOUD SECURITY ALLIANCE Cloud Control Matrix Compliance Data Governance Facility Security Human Resources Information Security Legal Operations Management Risk Management Release Management Resiliency Security Architecture 26

27 COMBINED AUDITS 27

28 GUIDANCE 28

29 GETTING STARTED Determine if there is sufficient demand for the SOC audit Assign SOC lead and commit control owners Understand the process, time and effort involved Select a service auditor Define scope of controls, type of audit, and timing Confirm whether to issue a SOC 1/2/3 and Type 1 or 2 report Determine impact related to subservice organizations Self-assess readiness of controls and remediate gaps Document the system description and controls Plan, prepare for, and participate in the SOC audit 29

30 CONSIDERATIONS Scope confirmation SOC 1 readiness assessment Remediation efforts Report updates SOC audit Follow-up audits, if necessary 30

31 TIPS FOR DEFINING CONTROLS Leverage existing sources: o Customer contracts o RFP responses o Due diligence questionnaires o Compliance forms o QC/internal audit o Competitor reports Start with a solid outline, and then expand and formalize Review wording and presentation with your service auditor Isolate control activities from the control descriptions Ensure management has a reasonable basis to assert the controls and monitor that they are operating effectively 31

32 BRANDING 32

33 QUESTIONS Chris Kradjan, CPA, CITP, CRISC National SSAE 16 and IT Audit Practice Leader Partner, Moss Adams (206) / (415) Kim Koch, CPA Senior Manager, Moss Adams (509)

34 The material appearing in this presentation is for informational purposes only and is not legal or accounting advice. Communication of this information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although these materials may have been prepared by professionals, they should not be used as a substitute for professional services. If legal, accounting, or other professional advice is required, the services of a professional should be sought. 34

Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com

Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations kpmg.com b Section or Brochure name Effectively using SOC 1, SOC 2, and SOC 3 reports for increased

More information

Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard

Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard Information Systems Audit and Controls Association Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard February 4, 2014 Tom Haberman, Principal, Deloitte & Touche LLP Reema Singh,

More information

Understanding SOC Reports for Effective Vendor Management. Jason T. Clinton January 26, 2016

Understanding SOC Reports for Effective Vendor Management. Jason T. Clinton January 26, 2016 Understanding SOC Reports for Effective Vendor Management Jason T. Clinton January 26, 2016 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2012 Wolf & Company, P.C. Before we

More information

Information for Management of a Service Organization

Information for Management of a Service Organization Information for Management of a Service Organization Copyright 2011 American Institute of Certified Public Accountants, Inc. New York, NY 10036-8775 All rights reserved. For information about the procedure

More information

Reports on Service Organizations Where we ve been?

Reports on Service Organizations Where we ve been? Reports on Service Organizations Where we ve been? What s changing? How does this impact Internal Audit? Eric Wright Shareholder Frank Dezort Senior Manager Schneider Downs & Co., Inc. May 2, 2011 Overview

More information

Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Understanding SOC 3

Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Understanding SOC 3 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Understanding SOC 3 Agenda 1) A brief perspective on where SOC 3 originated

More information

Service Organization Control Reports

Service Organization Control Reports SAS 70 ENDS EXIT TO SSAE 16 Service Organization Control Reports What Did We Learn from Year One? Agenda Definitions Service Organization Reports What are they? Year One Experiences SSAE 16 Year One Experiences

More information

SOC on Amazon Web Services (AWS) What You Need To Know Understanding the regulatory roadmap for SOC on AWS

SOC on Amazon Web Services (AWS) What You Need To Know Understanding the regulatory roadmap for SOC on AWS SOC on Amazon Web Services (AWS) What You Need To Know Understanding the regulatory roadmap for SOC on AWS Jeff Cook November 2015 Summary Service Organization Control (SOC) reports (formerly SAS 70 or

More information

WELCOME TO SECURE360 2013

WELCOME TO SECURE360 2013 WELCOME TO SECURE360 2013 Don t forget to pick up your Certificate of Attendance at the end of each day. Please complete the Session Survey front and back, and leave it on your seat. Are you tweeting?

More information

SECURITY AND EXTERNAL SERVICE PROVIDERS

SECURITY AND EXTERNAL SERVICE PROVIDERS SECURITY AND EXTERNAL SERVICE PROVIDERS How to ensure regulatory compliance and manage risks with Service Organization Control (SOC) Reports Jorge Rey, CISA, CISM, CGEIT Director, Information Security

More information

Cloud Computing: Compliance and Client Expectations

Cloud Computing: Compliance and Client Expectations Cloud Computing: Compliance and Client Expectations February 15, 2012 MOSS ADAMS LLP 1 TODAY S PRESENTERS Moderator Kevin Villanueva, CPA, CISA, CISM, CITP, CRISC Sr. Manager, Infrastructure and Security

More information

Orchestrating the New Paradigm Cloud Assurance

Orchestrating the New Paradigm Cloud Assurance Orchestrating the New Paradigm Cloud Assurance Amsterdam 17 January 2012 John Hermans - Partner Current business challenges versus traditional IT Organizations are challenged with: Traditional IT seems

More information

SAS No. 70, Service Organizations

SAS No. 70, Service Organizations SAS No. 70, Service Organizations A standard for reporting on a service organization s controls affecting user entities' financial statements. Only for use by service organization management, existing

More information

Cloud Security and Managing Use Risks

Cloud Security and Managing Use Risks Carl F. Allen, CISM, CRISC, MBA Director, Information Systems Security Intermountain Healthcare Regulatory Compliance External Audit Legal and ediscovery Information Security Architecture Models Access

More information

SERVICE ORGANIZATION CONTROL REPORTS SM. Formerly SAS 70 Reports

SERVICE ORGANIZATION CONTROL REPORTS SM. Formerly SAS 70 Reports SERVICE ORGANIZATION CONTROL REPORTS SM Formerly SAS 70 Reports SAS No. 70, Service Organizations Standard for reporting on a service organization s controls affecting user entities financial statements

More information

Asset Manager Guide to SAS 70. Issue Date: October 7, 2007. Asset

Asset Manager Guide to SAS 70. Issue Date: October 7, 2007. Asset Asset Manager Guide to SAS 70 Issue Date: October 7, 2007 Asset Management Group A s s e t M a n a g e r G u i d e SAS 70 Table of Contents Executive Summary...3 Overview and Current Landscape...3 Service

More information

Understanding changes to the Trust Services Principles for SOC 2 reporting

Understanding changes to the Trust Services Principles for SOC 2 reporting Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Understanding changes to the Trust Services Principles for SOC 2 reporting

More information

Service Organization Control (SOC) Reports

Service Organization Control (SOC) Reports Service Organization Control (SOC) Reports Transitioning from SAS 70 to SSAE 16 Deloitte & Touche LLP Agenda Overview SAS 70/SSAE 16 Historical Perspective The New Framework Under SSAE 16 (SOC 1) Impact

More information

SOC Readiness Assessments. SOC Report - Type 1. SOC Report - Type 2. Building Trust and Confidence in Third-Party Relationships

SOC Readiness Assessments. SOC Report - Type 1. SOC Report - Type 2. Building Trust and Confidence in Third-Party Relationships Building Trust and Confidence in Third-Party Relationships Today s businesses rely heavily on outsourcing certain business tasks or functions to service organizations, even those that are core to their

More information

3 rd Party Vendor Risk Management

3 rd Party Vendor Risk Management 3 rd Party Vendor Risk Management Session 402 Tuesday, June 9, 2015 (11 to 12pm) Session Objectives The need for enhanced reporting on vendor risk management Current outsourcing environment Key risks faced

More information

Goodbye, SAS 70! Hello, SSAE 16!

Goodbye, SAS 70! Hello, SSAE 16! Goodbye, SAS 70! Hello, SSAE 16! A Session to Provide Insight on the New Standard and What Service Providers and End-Users Need to Know January 3, 2012 Agenda Introduction Background on what was SAS 70

More information

The Changing SAS 70 Landscape Dan Hirstein Director Rebecca Goodpasture Senior Manager Deloitte & Touche LLP January 13, 2011

The Changing SAS 70 Landscape Dan Hirstein Director Rebecca Goodpasture Senior Manager Deloitte & Touche LLP January 13, 2011 The Changing SAS 70 Landscape Dan Hirstein Director Rebecca Goodpasture Senior Manager Deloitte & Touche LLP January 13, 2011 Table of Contents A Short History of SAS 70 Overview of SSAE 16 and ISAE 3402

More information

About the Presenter. Presentation Objectives. SaaS / Cloud Computing Risk Management AICPA Attest Alternatives

About the Presenter. Presentation Objectives. SaaS / Cloud Computing Risk Management AICPA Attest Alternatives SaaS / Cloud Computing Risk Management AICPA Attest Alternatives Presenter: Dan Schroeder, CPA/CITP Habif, Arogeti, & Wynne, LLP Georgia Society of CPAs Annual Convention June 16, 2010 About the Presenter

More information

Service Organization Control (SOC) reports What are they?

Service Organization Control (SOC) reports What are they? Service Organization Control (SOC) reports What are they? Jeff Cook, CPA, CITP, CIPT, CISA June 2015 Introduction Service Organization Control (SOC) reports are on the rise in the IT assurance and compliance

More information

Vendor Management Best Practices

Vendor Management Best Practices 23 rd Annual and One Day Seminar Vendor Management Best Practices Catherine Bruder CPA, CITP, CISA, CISM, CTGA Michigan Texas Florida Insight. Oversight. Foresight. SM Doeren Mayhew Bruder 1 $100 billion

More information

Cloud IT, Privacy, and Security. June 13, 2013

Cloud IT, Privacy, and Security. June 13, 2013 Cloud IT, Privacy, and Security June 13, 2013 Chris Kradjan, CPA, CITP, CRISC Chris Kradjan is the National Leader for IT Consulting and the SSAE 16 Practice of Moss Adams. With more than 16 years of experience,

More information

The silver lining: Getting value and mitigating risk in cloud computing

The silver lining: Getting value and mitigating risk in cloud computing The silver lining: Getting value and mitigating risk in cloud computing Frequently asked questions The cloud is here to stay. And given its decreased costs and increased business agility, organizations

More information

MHM S PERSPECTIVE: CHANGES COMING TO SAS 70.KNOW THE FACTS

MHM S PERSPECTIVE: CHANGES COMING TO SAS 70.KNOW THE FACTS Mayer Hoffman McCann P.C. An Independent CPA Firm MHM S AUDITING PERSPECTIVE: STANDARD NO. 5 Since its issuance in 1992, the American Institute of Certified Public Accountants (AICPA) Statement on Auditing

More information

FAQs New Service Organization Standards and Implementation Guidance

FAQs New Service Organization Standards and Implementation Guidance FAQs New Service Organization Standards and Implementation Guidance During the past two years several significant changes have occurred in audit and attest standards for reporting on controls at service

More information

Ayla Networks, Inc. SOC 3 SysTrust 2015

Ayla Networks, Inc. SOC 3 SysTrust 2015 Ayla Networks, Inc. SOC 3 SysTrust 2015 SOC 3 SYSTRUST FOR SERVICE ORGANIZATIONS REPORT July 1, 2015 To December 31, 2015 Table of Contents SECTION 1 INDEPENDENT SERVICE AUDITOR S REPORT... 2 SECTION 2

More information

Frequently asked questions: SOC 2 and 3

Frequently asked questions: SOC 2 and 3 1. Is the licensing requirement for a SOC 2 or 3 different than for a SOC 1? SOC reports are attestation reports issued in accordance with AICPA standards. Therefore, licensing requirements are the same

More information

G24 - SAS 70 Practices and Developments Todd Bishop

G24 - SAS 70 Practices and Developments Todd Bishop G24 - SAS 70 Practices and Developments Todd Bishop SAS No. 70 Practices & Developments Todd Bishop Senior Manager, PricewaterhouseCoopers LLP Agenda SAS 70 Background Information and Overview Common SAS

More information

Feeley & Driscoll, P.C. Certified Public Accountants / Business Consultants www.fdcpa.com. Visit us on the web: www.fdcpa.com Or Call: 888-875-9770

Feeley & Driscoll, P.C. Certified Public Accountants / Business Consultants www.fdcpa.com. Visit us on the web: www.fdcpa.com Or Call: 888-875-9770 Feeley & Driscoll, P.C. Certified Public Accountants / Business Consultants www.fdcpa.com SAS 70 Background 2 SAS No. 70 Reports on the Processing of Transactions by Service Organizations Independent examination

More information

Service Organization Controls. Managing Risks by Obtaining a Service Auditor s Report

Service Organization Controls. Managing Risks by Obtaining a Service Auditor s Report Service Organization Controls Managing Risks by Obtaining a Service Auditor s Report Contributing Authors Audrey Katcher, CPA, CITP, Partner at RubinBrown, LLP Janis Parthun, CPA, CITP, Sr. Technical Manager

More information

CONTROLLING CLOUDS: BEYOND SAFETY

CONTROLLING CLOUDS: BEYOND SAFETY CONTROLLING CLOUDS: BEYOND SAFETY GORDON HAFF (@ghaff) CLOUD EVANGELIST 22 OCTOBER 2013 ABOUT ME Red Hat Cloud Evangelist Twitter: @ghaff Google+: Gordon Haff Email: ghaff@redhat.com Blog: http://bitmason.blogspot.com

More information

3.B METHODOLOGY SERVICE PROVIDER

3.B METHODOLOGY SERVICE PROVIDER 3.B METHODOLOGY SERVICE PROVIDER Approximately four years ago, the American Institute of Certified Public Accountants (AICPA) issued Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting

More information

www.pwc.com Third Party Risk Management 12 April 2012

www.pwc.com Third Party Risk Management 12 April 2012 www.pwc.com Third Party Risk Management 12 April 2012 Agenda 1. Introductions 2. Drivers of Increased Focus on Third Parties 3. Governance 4. Third Party Risks and Scope 5. Third Party Risk Profiling 6.

More information

Understanding Vendor Risk And Analyzing the SSAE No. 16

Understanding Vendor Risk And Analyzing the SSAE No. 16 Understanding Vendor Risk And Analyzing the SSAE No. 16 Accelerate your Credit Union s Performance June 19, 2014 AUSTIN, TEXAS www.cuaccelerator.com Agenda Vendor Management Key Outsourcing Risk Areas

More information

SECTION I INDEPENDENT SERVICE AUDITOR S REPORT

SECTION I INDEPENDENT SERVICE AUDITOR S REPORT SOC2 Security Report on Controls Supporting DriveSavers Services Independent Service Auditor s Report on Design of Controls Placed in Operation and Tests of Operational Effectiveness Relevant to Security

More information

Assessing the Audit Impact of Cloud Computing. kpmg.com

Assessing the Audit Impact of Cloud Computing. kpmg.com Assessing the Audit Impact of Cloud Computing kpmg.com 1 Assessing the Audit Impact of Cloud Computing Cloud Computing Cloud computing is becoming an important IT strategy for entities that need varying

More information

HOW SECURE IS YOUR PAYMENT CARD DATA?

HOW SECURE IS YOUR PAYMENT CARD DATA? HOW SECURE IS YOUR PAYMENT CARD DATA? October 27, 2011 MOSS ADAMS LLP 1 TODAY S PRESENTERS Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director PCI Practice Leader Kevin Villanueva,, CISSP,

More information

At a glance. A provision to require a written assertion from company management is the most notable difference between the two standards.

At a glance. A provision to require a written assertion from company management is the most notable difference between the two standards. At a glance While there are some differences, SAS 70 and SSAE 16 are substantially the same. SAS 70 is an audit standard while SSAE 16 is an attest standard. Out with the old SAS 70 and in with the new

More information

Documentation of Use of a Type 2 Service Auditor s Report In an Audit of an Employee Benefit Plan s Financial Statements

Documentation of Use of a Type 2 Service Auditor s Report In an Audit of an Employee Benefit Plan s Financial Statements Documentation of Use of a Type 2 Service Auditor s Report In an Audit of an Employee Benefit Plan s Financial Statements PLAN NAME: PLAN YEAR END: CLIENT NUMBER: SCOPE OF PLAN AUDIT: LIMITED FULL Note:

More information

Domain 1 The Process of Auditing Information Systems

Domain 1 The Process of Auditing Information Systems Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge

More information

HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS

HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS August 23, 2011 MOSS ADAMS LLP 1 TODAY S PRESENTERS Presenters Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director, IT Security

More information

Service Organizations and the Internal Audit function. 2015 conference Institute of Internal Auditors in Israel

Service Organizations and the Internal Audit function. 2015 conference Institute of Internal Auditors in Israel Service Organizations and the Internal Audit function 2015 conference Institute of Internal Auditors in Israel Proprietary This work product/document is intended solely for the information and use of the

More information

CLOUD COMPUTING for Construction Accounting BY BRIAN J. THOMAS

CLOUD COMPUTING for Construction Accounting BY BRIAN J. THOMAS CLOUD COMPUTING for Construction Accounting BY BRIAN J. THOMAS Copyright 2012 by the Construction Financial Management Association. All rights reserved. This article first appeared in CFMA Building Profits.

More information

Cloud Security Panel: Real World GRC Experiences. ISACA Atlanta s 2013 Annual Geek Week

Cloud Security Panel: Real World GRC Experiences. ISACA Atlanta s 2013 Annual Geek Week Cloud Security Panel: Real World GRC Experiences ISACA Atlanta s 2013 Annual Geek Week Agenda Introductions Recap: Overview of Cloud Computing and Why Auditors Should Care Reference Materials Panel/Questions

More information

Pharma CloudAdoption. and Qualification Trends

Pharma CloudAdoption. and Qualification Trends Pharma CloudAdoption and Qualification Trends OurCloudExperience Numerous implementations of EDMS systems with external hosting for smaller life science clients Development of qualification strategy for

More information

TECH INSIGHTS TRUST AND TRANSPARENCY IN A CLOUDY WORLD. IT advisory services

TECH INSIGHTS TRUST AND TRANSPARENCY IN A CLOUDY WORLD. IT advisory services TECH INSIGHTS IT advisory services TRUST AND TRANSPARENCY IN A CLOUDY WORLD Service Organization Controls (SOC) Reporting for Financial and Data Security In a world of cloud computing and business process

More information

Cloud Computing An Auditor s Perspective

Cloud Computing An Auditor s Perspective Cloud Computing An Auditor s Perspective Sailesh Gadia, CPA, CISA, CIPP sgadia@kpmg.com December 9, 2010 Discussion Agenda Introduction to cloud computing Types of cloud services Benefits, challenges,

More information

Security from a customer s perspective. Halogen s approach to security

Security from a customer s perspective. Halogen s approach to security September 18, 2015 Security from a customer s perspective Using a cloud-based talent management program can deliver tremendous benefits to your organization, including aligning your workforce, improving

More information

SECURING HEALTH INFORMATION IN THE CLOUD. Feisal Nanji, Executive Director, Techumen feisal@techumen.com

SECURING HEALTH INFORMATION IN THE CLOUD. Feisal Nanji, Executive Director, Techumen feisal@techumen.com SECURING HEALTH INFORMATION IN THE CLOUD Feisal Nanji, Executive Director, Techumen feisal@techumen.com Conflict of Interest Disclosure Feisal Nanji, MPP, CISSP Has no real or apparent conflicts of interest

More information

Security Issues in Cloud Computing

Security Issues in Cloud Computing Security Issues in Computing CSCI 454/554 Computing w Definition based on NIST: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources

More information

GETTING THE MOST FROM THE CLOUD. A White Paper presented by

GETTING THE MOST FROM THE CLOUD. A White Paper presented by GETTING THE MOST FROM THE CLOUD A White Paper presented by Why Move to the Cloud? CLOUD COMPUTING the latest evolution of IT services delivery is a scenario under which common business applications are

More information

How Secure is Your Payment Card Data?

How Secure is Your Payment Card Data? How Secure is Your Payment Card Data? Complying with PCI DSS SLIDE 1 PRESENTERS Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director, IT Security Practice PCI Practice Leader Francis has

More information

Protecting your brand in the cloud Transparency and trust through enhanced reporting

Protecting your brand in the cloud Transparency and trust through enhanced reporting Protecting your brand in the cloud Transparency and trust through enhanced reporting Third-party Assurance November 2011 At a glance Cloud computing has unprecedented potential to deliver greater business

More information

Microsoft s Compliance Framework for Online Services

Microsoft s Compliance Framework for Online Services Microsoft s Compliance Framework for Online Services Online Services Security and Compliance Executive summary Contents Executive summary 1 The changing landscape for online services compliance 4 How Microsoft

More information

Farewell to SAS 70. What you need to know about the New Standard for Service Organization Reporting

Farewell to SAS 70. What you need to know about the New Standard for Service Organization Reporting Farewell to SAS 70 What you need to know about the New Standard for Service Organization Reporting ADVISORY rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International Cooperative

More information

Securing The Cloud With Confidence. Opinion Piece

Securing The Cloud With Confidence. Opinion Piece Securing The Cloud With Confidence Opinion Piece 1 Securing the cloud with confidence Contents Introduction 03 Don t outsource what you don t understand 03 Steps towards control 04 Due diligence 04 F-discovery

More information

SSAE 16 & SAS 70 A Primer on Changes to Service Organization Audit Standards

SSAE 16 & SAS 70 A Primer on Changes to Service Organization Audit Standards A Member of OneBeacon Insurance Group SSAE 16 & SAS 70 A Primer on Changes to Service Organization Audit Standards Author: Jack Fletcher, Risk Control Technology Specialist Published: November 2014 Executive

More information

SSAE 16 and ISAE 3402: Preparing for New Service Company Control Standards Mastering Requirements Governing Your Next Controls Report

SSAE 16 and ISAE 3402: Preparing for New Service Company Control Standards Mastering Requirements Governing Your Next Controls Report Presenting a live 110 minute teleconference with interactive Q&A SSAE 16 and ISAE 3402: Preparing for New Service Company Control Standards Mastering Requirements Governing Your Next Controls Report WEDNESDAY,

More information

Here comes SSAE 16 SAS 70 EVOLUTION: How will the new standard affect my business? How do I prepare to meet the new requirements?

Here comes SSAE 16 SAS 70 EVOLUTION: How will the new standard affect my business? How do I prepare to meet the new requirements? SAS 70 EVOLUTION: Here comes SSAE 16 PLANNING FOR THE NEW SERVICE ORGANIZATION REPORTING STANDARDS The prevalence of SAS 70 audits has grown dramatically since the standards issuance in April of 1992.

More information

360 of Vendor Management

360 of Vendor Management 360 of Vendor Management Jay Brietz, CPA and CIA Shareholder Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC Disclaimer This material was used by Elliott Davis Decosimo during an oral presentation;

More information

Keeping up with the World of Cloud Computing: What Should Internal Audit be Thinking About?

Keeping up with the World of Cloud Computing: What Should Internal Audit be Thinking About? Keeping up with the World of Cloud Computing: What Should Internal Audit be Thinking About? IIA San Francisco Chapter October 11, 2011 Agenda Introductions Cloud computing overview Risks and audit strategies

More information

SSAE 16 Everything You Wanted To Know But Are Afraid To Ask. Kurt Hagerman CISA, CISSP, QSA Managing Director, Coalfire December 8, 2011

SSAE 16 Everything You Wanted To Know But Are Afraid To Ask. Kurt Hagerman CISA, CISSP, QSA Managing Director, Coalfire December 8, 2011 SSAE 16 Everything You Wanted To Know But Are Afraid To Ask Kurt Hagerman CISA, CISSP, QSA Managing Director, Coalfire December 8, 2011 1 Agenda SAS 70 Misunderstood and Overused o Why the change? SSAE

More information

SRA International Managed Information Systems Internal Audit Report

SRA International Managed Information Systems Internal Audit Report SRA International Managed Information Systems Internal Audit Report Report #2014-03 June 18, 2014 Table of Contents Executive Summary... 3 Background Information... 4 Background... 4 Audit Objectives...

More information

Virginia Government Finance Officers Association Spring Conference May 28, 2014. Cloud Security 101

Virginia Government Finance Officers Association Spring Conference May 28, 2014. Cloud Security 101 Virginia Government Finance Officers Association Spring Conference May 28, 2014 Cloud Security 101 Presenters: John Montoro, RealTime Accounting Solutions Ted Brown, Network Alliance Presenters John Montoro

More information

Qualification Guideline

Qualification Guideline Qualification Guideline June 2013 Disclaimer: This document is meant as a reference to Life Science companies in regards to the Microsoft O365 platform. Montrium does not warrant that the use of the recommendations

More information

Webtrends Inc. Service Organization Controls (SOC) 3 SM Report on the SaaS Solutions Services System Relevant to Security

Webtrends Inc. Service Organization Controls (SOC) 3 SM Report on the SaaS Solutions Services System Relevant to Security Webtrends Inc. Service Organization Controls (SOC) 3 SM Report on the SaaS Solutions Services System Relevant to Security For the Period January 1, 2015 through June 30, 2015 SOC 3 SM SOC 3 is a service

More information

SOC 3 for Security and Availability

SOC 3 for Security and Availability SOC 3 for Security and Availability Independent Practioner s Trust Services Report For the Period October 1, 2013 through September 30, 2014 Independent SOC 3 Report for the Security and Availability Trust

More information

Cloud Computing; What is it, How long has it been here, and Where is it going?

Cloud Computing; What is it, How long has it been here, and Where is it going? Cloud Computing; What is it, How long has it been here, and Where is it going? David Losacco, CPA, CIA, CISA Principal January 10, 2013 Agenda The Cloud WHAT IS THE CLOUD? How long has it been here? Where

More information

Validating Enterprise Systems: A Practical Guide

Validating Enterprise Systems: A Practical Guide Table of Contents Validating Enterprise Systems: A Practical Guide Foreword 1 Introduction The Need for Guidance on Compliant Enterprise Systems What is an Enterprise System The Need to Validate Enterprise

More information

A Flexible and Comprehensive Approach to a Cloud Compliance Program

A Flexible and Comprehensive Approach to a Cloud Compliance Program A Flexible and Comprehensive Approach to a Cloud Compliance Program Stuart Aston Microsoft UK Session ID: SPO-201 Session Classification: General Interest Compliance in the cloud Transparency Responsibility

More information

Privacy Risk Assessments

Privacy Risk Assessments Privacy Risk Assessments Michael Hulet Principal November 8, 2012 Agenda Privacy Review Definition Trends Privacy Program Considerations Privacy Risk Assessment Risk Assessment Tools Generally Accepted

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

Compliance in the Cloud: A Pragmatic Approach to SOC2 and PCI compliance

Compliance in the Cloud: A Pragmatic Approach to SOC2 and PCI compliance : A Pragmatic Approach to SOC2 and PCI compliance The Cadence Group is a professional services firm specializing in financial and IT compliance and risk management services. Our value proposition includes:

More information

2014 HIMSS Analytics Cloud Survey

2014 HIMSS Analytics Cloud Survey 2014 HIMSS Analytics Cloud Survey June 2014 2 Introduction Cloud services have been touted as a viable approach to reduce operating expenses for healthcare organizations. Yet, engage in any conversation

More information

CLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM

CLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM CLOUD STORAGE SECURITY INTRODUCTION Gordon Arnold, IBM SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA. Member companies and individual members may use this material

More information

The Next Generation of Security Leaders

The Next Generation of Security Leaders The Next Generation of Security Leaders In an increasingly complex cyber world, there is a growing need for information security leaders who possess the breadth and depth of expertise necessary to establish

More information

Cloud Security considerations for business adoption. Ricci IEONG CSA-HK&M Chapter

Cloud Security considerations for business adoption. Ricci IEONG CSA-HK&M Chapter Cloud Security considerations for business adoption Ricci IEONG CSA-HK&M Chapter What is Cloud Computing? Slide 2 What is Cloud Computing? My Cloud @ Internet Pogoplug What is Cloud Computing? Compute

More information

The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II).

The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II). Page 1 of 7 The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II). Domain I provides a solid foundation for the governance of

More information

Anypoint Platform Cloud Security and Compliance. Whitepaper

Anypoint Platform Cloud Security and Compliance. Whitepaper Anypoint Platform Cloud Security and Compliance Whitepaper 1 Overview Security is a top concern when evaluating cloud services, whether it be physical, network, infrastructure, platform or data security.

More information

Understanding ISO 27018 and Preparing for the Modern Era of Cloud Security

Understanding ISO 27018 and Preparing for the Modern Era of Cloud Security Understanding ISO 27018 and Preparing for the Modern Era of Cloud Security Presented by Microsoft and Foley Hoag LLP s Privacy and Data Security Practice Group May 14, 2015 Proposal or event name (optional)

More information

The Elephant in the Room: What s the Buzz Around Cloud Computing?

The Elephant in the Room: What s the Buzz Around Cloud Computing? The Elephant in the Room: What s the Buzz Around Cloud Computing? Warren W. Stippich, Jr. Partner and National Governance, Risk and Compliance Solution Leader Business Advisory Services Grant Thornton

More information

Weighing in on the Benefits of a SAS 70 Audit for Third Party Data Centers

Weighing in on the Benefits of a SAS 70 Audit for Third Party Data Centers Weighing in on the Benefits of a SAS 70 Audit for Third Party Data Centers With increasing oversight and growing demands for industry regulations, third party assurance has never been under a keener eye

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

9/14/2015. Before we begin. Learning Objectives. Kevin Secrest IT Audit Manager, University of Pennsylvania

9/14/2015. Before we begin. Learning Objectives. Kevin Secrest IT Audit Manager, University of Pennsylvania Evaluating and Managing Third Party IT Service Providers Are You Really Getting The Assurance You Need To Mitigate Information Security and Privacy Risks? Kevin Secrest IT Audit Manager, University of

More information

System Description of the Date Center System Relevant to Security and Availability (SOC 3) November 1, 2011 through April 30, 2012

System Description of the Date Center System Relevant to Security and Availability (SOC 3) November 1, 2011 through April 30, 2012 System Description of the Date Center System Relevant to Security and Availability (SOC 3) November 1, 2011 through April 30, 2012 Moss Adams LLP 9665 Granite Ridge Drive, Suite 600 San Diego, CA 92123

More information

Daren Kinser Auditor, UCSD Jennifer McDonald Auditor, UCSD

Daren Kinser Auditor, UCSD Jennifer McDonald Auditor, UCSD Daren Kinser Auditor, UCSD Jennifer McDonald Auditor, UCSD Agenda Cloud Computing Technical Overview Cloud Related Applications Identified Risks Assessment Criteria Cloud Computing What Is It? National

More information

End of the SAS 70 Era

End of the SAS 70 Era End of the SAS 70 Era For years businesses that outsource have relied on SAS 70 reports on the internal controls of third party providers. The standard for those reports is changing. New Standards Replacing

More information

HIPAA in the Cloud. How to Effectively Collaborate with Cloud Providers

HIPAA in the Cloud. How to Effectively Collaborate with Cloud Providers How to Effectively Collaborate with Cloud Providers Speaker Bio Chad Kissinger Chad Kissinger Founder OnRamp Chad Kissinger is the Founder of OnRamp, an industry leading high security and hybrid hosting

More information

6 Cloud computing overview

6 Cloud computing overview 6 Cloud computing overview 6.1 General ISO/IEC 17788:2014 (E) Cloud Computing Overview Page 1 of 6 Cloud computing is a paradigm for enabling network access to a scalable and elastic pool of shareable

More information

Cloud Services Overview

Cloud Services Overview Cloud Services Overview John Hankins Global Offering Executive Ricoh Production Print Solutions May 23, 2012 Cloud Services Agenda Definitions Types of Clouds The Role of Virtualization Cloud Architecture

More information

STORAGE SECURITY TUTORIAL With a focus on Cloud Storage. Gordon Arnold, IBM

STORAGE SECURITY TUTORIAL With a focus on Cloud Storage. Gordon Arnold, IBM STORAGE SECURITY TUTORIAL With a focus on Cloud Storage Gordon Arnold, IBM SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA. Member companies and individual members

More information

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.

More information

AHLA. JJ. Keeping Your Cloud Services Provider from Raining on Your Parade. Jean Hess Manager HORNE LLP Ridgeland, MS

AHLA. JJ. Keeping Your Cloud Services Provider from Raining on Your Parade. Jean Hess Manager HORNE LLP Ridgeland, MS AHLA JJ. Keeping Your Cloud Services Provider from Raining on Your Parade Jean Hess Manager HORNE LLP Ridgeland, MS Melissa Markey Hall Render Killian Heath & Lyman PC Troy, MI Physicians and Hospitals

More information

GAIN CLARITY CRITICAL ISSUES. Your Data in the Cloud : Benefits & Risks GAIN CONTROL. berrydunn.com

GAIN CLARITY CRITICAL ISSUES. Your Data in the Cloud : Benefits & Risks GAIN CONTROL. berrydunn.com GAIN CLARITY CRITICAL ISSUES Your Data in the Cloud : Benefits & Risks berrydunn.com AGENDA Defining Cloud Services Benefits and Risks Core Requirements Myths about Clouds Is Your Data in the Cloud Secure?

More information

Cloud Risk Management: How to Consolidate your CSP and Corporate Risk Profile

Cloud Risk Management: How to Consolidate your CSP and Corporate Risk Profile Cloud Risk Management: How to Consolidate your CSP and Corporate Risk Profile Jerry Wertelecky, CPA, Fellow HKIoD & Managing Director INTRODUCTION Jerry Wertelecky Country of Birth: United States Current

More information