Christopher G. Nickell and Charles Denyer

Christopher G. Nickell and Charles Denyer are senior managers with CPA firm DuPont & Morgan LLC. Christopher G. Nickell also serves as a part-time instructor of Accounting at Georgia State University.

BENEFITS LAW JOURNAL 58 VOL. 20, NO. 1, SPRING 2007

Statement on Auditing Standard No. 70 (SAS 70) is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA) in. This article offers an overview of the SAS 70 audit used to report on the processing of transactions by service organizations, which can be done by completing either a SAS 70 Type I or Type II audit. A SAS 70 Type I is known as "reporting on controls placed in operation," while a SAS 70 Type II is known as "reporting on controls placed in operation and tests of operating effectiveness."

SAS 70 COMPLIANCE GROWING

There are a number of reasons why more and more organizations (i.e., service organizations) are being asked to become SAS 70 compliant. Primarily, it stems from the growing surge of legislation, such as the passing of the following recent laws: the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Gramm-Leach-Bliley Act of 1999, and, most notably, the Sarbanes-Oxley Act of 2002, Sections 404 and 302. Collectively, these three rulings advocate protection of privacy, corporate accountability, and establishment of internal controls throughout organizations. Thus, a need was created in many industries for a due diligence process that can aggregate many of the principles found within these three acts and provide companies with a high level of assurance and confidence when using service organizations for outsourcing critical business functions.

Additionally, the overall growth in technology and its permeation into all layers of business has facilitated the growth of SAS 70 audits. IT facilities such as Internet Service Providers (ISPs) and data warehouses, along with insurance and other health-related claims processing companies, have grown exponentially in recent years. Therefore, an audit process to ensure data integrity and all related transactions was needed.

There is also a huge movement within the business culture of our nation, and globally, that data and all related IT transactions must be safe and secure at all times. Because such a heavy reliance is placed on computer systems, organizations are compelled now more than ever to ensure that data and all related processes and procedures are safe and secure, and that IT controls are operating as designed, in an effective manner. As a result, SAS 70 audits are widely becoming known as the de facto due diligence document throughout the country and the world regarding the reporting on an organization's internal controls that have the ability to impact financial reporting.

What Types of Industries and Organizations Have to Become SAS 70 Compliant?

Since the scope of SAS 70 audits has grown tremendously within the last few years, service organizations within almost every conceivable industry can be viewed as potential candidates for this type of audit. Here is just a partial listing of what we and many industry experts consider prime candidates for SAS 70 audits:

- Claims processing centers;
- Trust/benefit plan administrators;
- Data centers and co-locations;
- Application service providers;
- Payroll processors; and
- Internet service providers.

What Are the Advantages of Becoming SAS 70 Certified?

There are numerous advantages both for service organizations becoming SAS 70 certified and for the users of SAS 70 reports.

Benefits to Service Organizations

An unqualified (i.e., clean) opinion from a SAS 70 service auditor's report demonstrates that your organization has effective controls in place. A Type I SAS 70 report would issue an unqualified opinion for a stated point in time (e.g., as of June 1, 2005), while a Type II report would also issue an unqualified opinion over a stated time period (e.g., for the period June 1, 2005, to November 30, 2005). An additional benefit to service organizations is the ability to leverage SAS 70 certification into a market differentiator against existing competitors who are vying for outsourcing contracts from user organizations.

Becoming SAS 70 compliant also greatly decreases business interruption incidents by effectively removing the possibility of sporadic audits throughout the year for the sole purpose of satisfying requirements set forth by user organizations.

Benefits to User Organizations

Ultimately, user organizations are able to gain a greater understanding and assurance of the internal controls in place at service organizations. SAS 70 certification signifies that service organizations have taken proactive steps in developing and implementing numerous controls throughout the identified platform being used to process transactions for user organizations. Furthermore, SAS 70 Type I and Type II reports assist external auditors for user organizations by cutting down on the time and costs of having to inquire on controls at service organizations.

WHY SAS 70 AUDITS ARE UNIQUE

Because of the unique nature of what is allowed to be included in a SAS 70 report, auditors have implemented an exhaustive list of policies, procedures, and related controls that must be examined for this type of engagement. Therefore, what makes this type of audit superior to any other type of internal control review is quite simply the scope of the engagement and the voluminous amount of information included in the final service auditor's report. While IT security consultants focus primarily on general and application controls when conducting their assessments, SAS 70 auditors emphasize these features and many more, such as operational and Human Resource issues, along with physical security guidelines and business continuity plans in the unlikely event of a business interruption disaster. In essence, the greater the scope, the more meaningful and useful the document is. And this is what makes SAS 70 superior to any other internal control review procedure.

Only a certified public accountant (CPA) or accounting firm can sign off and issue a SAS 70 Type I or Type II service auditor's report. While there are many IT professionals who engage in SAS 70 audit work, they are strictly prohibited from issuing a report and therefore should never be looked upon as a primary source for conducting this type of audit. While they may provide needed skill sets at times, they are generally deficient in many traditional accounting and auditing skills and therefore lack the ability to understand various components of a SAS 70 audit. Only a seasoned accountant, with both financial statement auditing and IT skills, should be considered as the primary source for SAS 70 engagements.

What Are the Primary Differences Between a SAS 70 Type I and Type II Engagement?

A Type I report simply is issued for a particular date. For example, an accounting firm would examine a company's controls and report on the processing of transactions and these controls for a specified point in time, such as June 1,

A Type II report is issued after a minimum six-month testing period has been completed. For example, an accounting firm would examine a company's controls from June 1, 2005, to November 30, 2005, and report on the controls placed in operation and tests of operating effectiveness for that same period. Unlike a Type I, which consists of inquiry and observation of controls, a Type II would include testing of controls. Table 1 lists the contents found in a Type I and Type II report.

TABLE 1. CONTENTS OF TYPES I AND II REPORTS

Information                                                         Type I    Type II
SAS 70 Service Auditor's Report                                     Required  Required
Description of Controls                                             Required  Required
Information Provided by the Service Auditor (a detailed listing
  of controls and testing of operating effectiveness)               Optional  Required
Information Provided by the Service Organization                    Optional  Optional
User Organization Control Considerations (controls that user
  organizations have in place)                                      Optional  Optional

ORGANIZATIONAL AREAS TO BE AUDITED

Because of the very specialized nature of SAS 70 audits, your entire organization does not go through this audit. Instead, the identified platform or platforms currently being used to conduct outsourcing activities related to user organizations is what will be audited, along with other areas deemed vital by the auditor. For example, if your service organization is conducting outsourcing activities relating to claims processing, then all processes and transactions relating to that specific platform will be under the scope of a SAS 70 audit. Moreover, a number of operational general controls will also be observed, such as the following:

- What is your organization's corporate tone, known as "tone at the top"?
- Does your organization have effective hiring and termination policies?
- Does your organization have in place policies and manuals concerning workplace professionalism and use of company property?
- What qualitative and quantitative procedures are in place throughout your organization that assist in maintaining effective internal controls?

It must be noted that these controls are inquired upon primarily to gain a better understanding of the overall corporate tone of the organization. The theory is based on the following: good, sound controls in place for general operational areas are just as important as the highly specialized application controls found throughout software applications and the identified platforms. In essence, a SAS 70 audit is looking at a service organization that implements controls throughout various levels of its company, not just the identified platform being targeted by a SAS 70.

INDUSTRY STANDARDS USED DURING SAS 70 AUDITING

SAS 70 auditing procedures utilize a combination of standards derived primarily from institutions having extensive experience in analyzing and developing critical general and application controls. Many of these standards are recognized as globally accepted best practices approaches, and have been adopted by accountants and consultants worldwide.

Control Objectives for Information and Related Technology

First released in 1996 and known as the Control Objectives for Information and Related Technology, COBIT is an internationally accepted standard for Information Technology security and control practices that is now in its third edition. Published by the IT Governance Institute, COBIT is fast becoming one of the key standards used by corporations around the globe who need a well-defined set of policies regarding internal control over information and related IT systems. COBIT is compliant with other standards, such as COSO and ISO 17799, and contains 34 high-level control objectives along with over 300 detailed control objectives.

Essentially, COBIT represents an authoritative, up-to-date control framework, a set of generally accepted control objectives, along with a complementary product that allows the straightforward application of the Framework and Control Objectives, called the Audit Guidelines. COBIT applies to enterprise-wide information systems, such as personal computers, mini-computers, mainframes, and distributed environments. Since the first edition of COBIT was released in 1996, it has been sold and implemented in over 100 countries throughout the world.

Committee of Sponsoring Organizations of the Treadway Commission

The Committee of Sponsoring Organizations of the Treadway Commission, or COSO, originated in 1985 to address questionable and fraudulent activities in financial reporting. Key concepts and principles of COSO are built on a theme advocating good, sound internal control practices within organizations. COSO defines internal control as a process, influenced by all personnel, such as the board of directors, senior management, and staff. Over time, COSO has grown to include additional elements deemed vital for implementing effective internal control procedures. To date, the key concepts for COSO regarding internal control are the following:

- Internal control is a process. It is a means to an end, not an end in itself.
- Internal control is influenced by people. It is not simply policy manuals and forms, but people at every level of an organization.
- Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an organization's management and board.
- Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

The Internal Control - Integrated Framework, along with the Enterprise Risk Management - Integrated Framework, are two frameworks developed by COSO that spell out the critical principles and components of an effective enterprise risk management process, and how all important risks should be identified, assessed, responded to, and controlled. They also provide a common language, so that as executives, directors, and others converse about risk management, they are truly communicating and understand one another.

ISO 17799

First published as a code of practice in the United Kingdom, it was renamed BS 7799 and published in. Initially, there was not much acceptance due to a number of pressing IT issues, such as the coming Y2K compliance. A major overhaul was conducted in 1999, resulting in its being published as an ISO standard in December of. ISO 17799 is a comprehensive set of controls comprising best practices in information security. Its main intention is to serve as a reference point for identifying a range of controls that are needed for situations where information systems are used in industry and commerce. The standard consists of eleven sections, as opposed to just ten in the 2000 standard edition.

FFIEC

Established in 1979, the Federal Financial Institutions Examination Council (FFIEC) prescribes uniform principles and standards for the federal examination of financial institutions. Many well-known governmental bodies, such as the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and the Board of Governors of the Federal Reserve System (FRB), use these standards for reviewing financial organizations. The FFIEC routinely publishes information directly relating to such topics as the Systems Development Life Cycle (SDLC), Business Continuity, and Disaster Recovery, along with guidelines for implementing general and application controls.

DOCUMENTATION OF SAS 70 CERTIFICATION

Upon completion of a SAS 70 audit, a CPA or accounting firm will then issue a SAS 70 Service Auditor's Report. This report will include a voluminous amount of data concerning a service organization, such as the following.

Independent Service Auditor's Report

Also named the Independent Accountant's Report, this signed letter will be presented at the beginning of the Service Auditor's Report, stating the opinion of the service auditor. If the SAS 70 audit conducted was a Type I, the service auditor would sign off with either an unqualified (i.e., clean) opinion or a qualified opinion on the report of controls placed in operation as of a specific point in time. If the audit conducted was a Type II, the service auditor would sign off with either an unqualified or a qualified opinion on the report of controls placed in operation and tests of operating effectiveness. Great attention is given to this document by both the service organization and user organizations.

Elements of Internal Control

Within each service organization are a number of essential internal control components, which are examined during a SAS 70 audit. Each control gives valuable insight into the processes and procedures within these service organizations. Developed by COSO and known as SAS 55/SAS 78, the internal control framework consists of the following:

Control Environment. The control environment sets the tone of an organization and influences the control consciousness of its members. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, and competence of the entity's people; management's philosophy and operating style; and the way management assigns authority and responsibility and organizes and develops its people.

Risk Assessment. Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of operating objectives. Risk assessment is the identification and analysis of risks relevant to the achievement of objectives. This forms a basis for determining how the risks should be managed. Because of ongoing changes in economic, regulatory, and operating conditions, mechanisms are needed to identify and deal with the special risks associated with change.

Control Activities. Control activities are the policies and procedures that help ensure that management directives are carried out and that necessary actions are taken to address risks to achieving the entity's objectives. Control activities operate throughout the organization, at all levels, and in all functions. They include a range of activities as diverse as authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.

Information and Communication. Pertinent information must be identified, captured, and communicated in both a form and a timeframe that enable people to carry out their responsibilities. Information systems produce reports containing operations, financial, and compliance-related information that make it possible to run and control an operation. Such systems deal with both internally generated data and information about external events, activities, and conditions.

Monitoring. Internal control systems need to be monitored. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring includes regular management and supervisory activities, and other actions personnel take in performing their duties. The scope and frequency of separate evaluations depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported to the upper operational hierarchy.

Systems Development Life Cycle and Change Management

A vital piece of a SAS 70 service auditor's report lies within the processes that take place throughout the different cycles. In particular, attention is paid to the controls in the following environments and how an organization institutes and facilitates changes within the SDLC and the company:

- Design cycle;
- Development cycle;
- Testing cycle;
- Production cycle; and
- Maintenance cycle.

General Computer Controls

General controls are seen as the necessary framework that must be in place for the success of application controls. General controls can be found in the following areas:

- Logical security;
- Physical security;
- Environmental security;
- Network security; and
- Computer operations.

Application Controls

The primary function of these controls is to ensure the completeness and accuracy of the records and the validity of the entries made from both manual and programmed processing. Both Type I and Type II SAS 70 service auditor's reports will include a detailed examination of application controls.

Other Material

Depending on the type of SAS 70 audit being conducted, the following additional areas may be included in the service auditor's report:

Information Provided by the Service Auditor. This is reserved for a Type II engagement and details the testing and operating effectiveness of the control objectives and the controls specified by the user organization.

Information Provided by the Service Organization. This material can be included for a Type I and Type II audit. Generally, it may include network topography diagrams or other types of miscellaneous materials, along with a service organization's business continuity and disaster recovery policies and procedures.

Client Control Considerations. This section illustrates the important relationship between the service organization and users of the SAS 70 audit. It stipulates that the company requiring the audit also has an obligation to adhere to sound internal control policies within its own corporation.

CERTIFICATION AND RECERTIFICATION

A service auditor's report is valid for one full calendar year for both a SAS 70 Type I and a Type II audit. For example, if a service organization received a Type I service auditor's report for reporting of controls on July 1, 2004, then it is valid until July 1, For SAS 70 Type II service auditor's reports, if a report was issued that covered the period from June 1, 2004, to November 30, 2004, then the report is valid until November 30, Depending on a service organization's needs and its clients' needs, testing for year two would begin approximately six months before the report expires. This is done to keep the SAS 70 certification valid at all times.

Traditionally, service auditor's reports were used primarily as an auditor-to-auditor document. This is dramatically changing as service organizations are making this document available to potential clients who are inquiring about a service organization's internal controls. With that said, its primary function is still a document used between an auditor of the service organization and the auditor of a user organization, but it is now incorporating a marketing element within it.

If your organization is being asked to become SAS 70 certified, then it is highly likely that continued certification will become a requirement. Why? Because organizations are now just beginning to feel the trickle-down effects of Sarbanes-Oxley and many other regulatory provisions. In addition, user organizations that may not even fall under regulatory requirements are pushing service organizations to have their internal controls certified. Lastly, now more than ever, there is a huge push within the business community to have internal controls and related processes and procedures certified, no matter what the cost and what the industry is. The scope is quite enormous, and will more than likely continue to expand at an exponential rate.
More informationNavigating the Standards for Information Technology Controls
Navigating the Standards for Information Technology Controls By Joseph B. O Donnell and Yigal Rechtman JULY 2005 - Pervasive use of computers, along with recent legislation such as the Sarbanes- Oxley
More informationSecurity Controls What Works. Southside Virginia Community College: Security Awareness
Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction
More informationAsset Manager Guide to SAS 70. Issue Date: October 7, 2007. Asset
Asset Manager Guide to SAS 70 Issue Date: October 7, 2007 Asset Management Group A s s e t M a n a g e r G u i d e SAS 70 Table of Contents Executive Summary...3 Overview and Current Landscape...3 Service
More informationAssessing the Adequacy and Effectiveness of a Fund s Compliance Policies and Procedures. December 2005
Assessing the Adequacy and Effectiveness of a Fund s Compliance Policies and Procedures December 2005 Copyright 2005 Investment Company Institute. All rights reserved. Information may be abridged and therefore
More informationUNDERSTANDING INTERNAL CONTROLS. A Reference Guide for Managing University Business Practices
UNDERSTANDING INTERNAL CONTROLS A Reference Guide for Managing University Business Practices Table of Contents INTRODUCTION...1 OBJECTIVES...1 SCOPE...2 RESPONSIBILITY...2 BALANCING RISK AND CONTROL...3
More informationSarbanes-Oxley: Beyond. Using compliance requirements to boost business performance. An RIS White Paper Sponsored by:
Beyond Sarbanes-Oxley: Using compliance requirements to boost business performance The business regulatory environment in the United States has changed. Public companies have new obligations to report
More informationRECKENEN FOCUS ON SAS 70 & SSAE 16
RECKENEN FOCUS ON SAS 70 & SSAE 16 Hassan Sultan, CPA Managing Director 3001 Park Center Drive Suite 1000 Alexandria, VA 22302 Phone (703) 249 4509 Email hsultan@reckenen.com SAS 70 & SSAE 16 Overview
More informationFINANCIAL SERVICES FLASH REPORT
FINANCIAL SERVICES FLASH REPORT OCC Finalizes Its Heightened Standards for Large Financial Institutions September 15, 2014 Transforming Heightened Expectations to Minimum Standards On September 2, 2014,
More informationEffective Monitoring of Outsourced Plan Recordkeeping and Reporting Functions
PLAN ADVISORY Effective Monitoring of Outsourced Plan Recordkeeping and Reporting Functions PLAN ADVISORY Table of Contents Introduction 3 Selecting and Monitoring Third-Party Service Providers 4 Quality
More informationTransmittal Letter... 1. Objectives and Scope... 2. Approach... 3-7. Financial System... 8. Permitting Application... 9
Internal Audit Committee of Information Technology Risk Assessment Public Report Prepared By: Internal Auditors of Brevard County September 30, 2009 Table of Contents Transmittal Letter... 1 Objectives
More information2014 Financial Services Industry Compliance Benchmark Study
2014 Financial Services Industry Compliance Benchmark Study Presented By: and Executive Summary Beginning in early December 2013, SAI Global Compliance conducted a survey among compliance professionals
More informationTO CREDIT UNIONS DATE:, May 12, 1998
NATIONAL CREDIT UNION ADMINISTRATION NATIONAL CREDIT UNION SHARE INSURANCE FUND LETTER LETTER NO.: 98-CU-10 TO CREDIT UNIONS DATE:, May 12, 1998 TO: SUBJECT: FEDERALLY INSURED CREDIT UNIONS Testing for
More informationM-Aud. Comptroller of the Currency Administrator of National Banks. Internal and External Audits. Comptroller s Handbook. April 2003.
M-Aud Comptroller of the Currency Administrator of National Banks Internal and External Audits Comptroller s Handbook April 2003 M Management Internal and External Audits Table of Contents Introduction...1
More informationReports on Service Organizations Where we ve been?
Reports on Service Organizations Where we ve been? What s changing? How does this impact Internal Audit? Eric Wright Shareholder Frank Dezort Senior Manager Schneider Downs & Co., Inc. May 2, 2011 Overview
More informationService Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard
Information Systems Audit and Controls Association Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard February 4, 2014 Tom Haberman, Principal, Deloitte & Touche LLP Reema Singh,
More informationESET Secure Authentication
ESET Secure Authentication Second factor authentication and compliance Document Version 1.2 6 November, 2013 www.eset.com ESET Secure Authentication - second factor authentication and compliance 2 2 Summary
More informationInternational Institute of Management
Executive Education Executive Action Learning Seminars Executive Seminars Executive Courses International Institute of Management Executive Education Courses CIO & Sarbanes Oxley Compliance SOX Implementation
More informationTrends in Information Technology (IT) Auditing
Trends in Information Technology (IT) Auditing Padma Kumar Audit Officer May 21, 2015 Discussion Topics Common and Emerging IT Risks Trends in IT Auditing IT Audit Frameworks & Standards IT Audit Plan
More informationUnderstanding SAS 70 Reports on Internal Control
Understanding SAS 70 Reports on Internal Control PwC Agenda Internal Control Reporting: A Focus on SAS 70 Trends affecting internal control reporting Discussion points for Mutual Fund Directors with management
More informationAudit of the Test of Design of Entity-Level Controls
Audit of the Test of Design of Entity-Level Controls Canadian Grain Commission Audit & Evaluation Services Final Report March 2012 Canadian Grain Commission 0 Entity Level Controls 2011 Table of Contents
More informationCorporate Performance Management Framework
Version 1.0 Copyright 2004 Answerport, Inc. Table of Contents Table of Contents... 2 Conceptual Overview... 3 Conceptual Overview Diagram... 4 The Foundation... 4 Analytic Presentation Layer... 5 Reports...
More information10-005 Enterprise Risk Management
10-005 Enterprise Risk Management Current update: 09/16/10 Original Issuance: 03/31/08 Purpose This policy provides guidance and direction to State Board of Administration business unit heads for identifying,
More informationAN OVERVIEW OF INFORMATION SECURITY STANDARDS
AN OVERVIEW OF INFORMATION SECURITY STANDARDS February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced
More informationWhite Paper: The Sarbanes-Oxley Act Public Company Accounting Reform and Investment Protection Act
White Paper: The Sarbanes-Oxley Act Public Company Accounting Reform and Investment Protection Act Pulling It All Together: Collaboration Required Executive Overview The Sarbanes-Oxley (SOX) Act was passed
More informationAudit and Permitted Non-Audit Services Pre-Approval Policy (Pertaining to the Company s Independent Auditor)
Audit and Permitted Non-Audit Services Pre-Approval Policy (Pertaining to the Company s Independent Auditor) Statement of Principles Pursuant to the Sarbanes-Oxley Act of 2002 (the Act ) and in accordance
More informationEssential Elements of FFIEC Vendor Due Diligence
Essential Elements of FFIEC Vendor Due Diligence Essential Elements of FFIEC Vendor Due Diligence Overview of the Whitepaper This CBIZ Credit Risk Advisory Group whitepaper was written for lenders, financial
More informationHow To Manage Risk At Atb Financial
Guidelines for Financial Institutions Legislative Compliance Management (LCM) Date: July 2004 Introduction Regulatory risk is the risk of non-compliance with applicable regulatory requirements. For the
More informationWhat Should IS Majors Know About Regulatory Compliance?
What Should IS Majors Know About Regulatory Compliance? Working Paper Series 08-12 August 2008 Craig A. VanLengen Professor of Computer Information Systems/Accounting Northern Arizona University The W.
More informationUNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL
UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL Evaluation and Inspection Services Memorandum May 5, 2009 TO: FROM: SUBJECT: James Manning Acting Chief Operating Officer Federal Student
More informationWorking With Your Auditor
Working With Your Auditor Internal controls are used to ensure that financial statements are accurate and the plan is being operated effectively, efficiently and in compliance with laws and regulations.
More informationCOSO 2013: WHAT HAS CHANGED & STEPS TO TAKE TO ENSURE COMPLIANCE
COSO 2013: WHAT HAS CHANGED & STEPS TO TAKE TO ENSURE COMPLIANCE COMMITTEE OF SPONSORING ORGANIZATIONS (COSO) 2013 The Committee of Sponsoring Organizations (COSO) Internal Controls Integrated Framework,
More informationImplementing an Integrated City-wide Risk Management Framework
AUDITOR GENERAL S REPORT ACTION REQUIRED Implementing an Integrated City-wide Risk Management Framework Date: June 11, 2015 To: From: Wards: Audit Committee Auditor General All Reference Number: SUMMARY
More informationA Sarbanes-Oxley Roadmap to Business Continuity
A Sarbanes-Oxley Roadmap to Business Continuity NEDRIX Conference June 23, 2004 Dr. Eric Schmidt eschmidt@controlsolutions.com Control Solutions International TECHNOLOGY ADVISORY, ASSURANCE & RISK MANAGEMENT
More informationDISASTER RECOVERY PLANNING FOR CITY COMPUTER FACILITIES
APPENDIX 1 DISASTER RECOVERY PLANNING FOR CITY COMPUTER FACILITIES March 2008 Auditor General s Office Jeffrey Griffiths, C.A., C.F.E. Auditor General City of Toronto TABLE OF CONTENTS EXECUTIVE SUMMARY...1
More informationWorking with CPAs As part of your team of professionals that you work with to help you improve your business, a CPA is a valuable resource for you and your business. It is important to know how someone
More informationFAQs New Service Organization Standards and Implementation Guidance
FAQs New Service Organization Standards and Implementation Guidance During the past two years several significant changes have occurred in audit and attest standards for reporting on controls at service
More informationInformation overload: How to make data analytics work for the internal audit function
Information overload: How to make data analytics work for the internal audit function Danny Miller, Scott Higgins and Michael Rose Contents 1 A value proposition for internal audit 2 Leveraging data analytics
More informationTHE COMMONWEALTH OF MASSACHUSETTS. Division of Insurance. The Savings Bank Life Insurance Company of Massachusetts
THE COMMONWEALTH OF MASSACHUSETTS OFFICE OF CONSUMER AFFAIRS AND BUSINESS REGULATION Division of Insurance Report on the Comprehensive Market Conduct Examination of The Savings Bank Life Insurance Company
More informationPayroll Management - 5 Key Questions to Ask
Choosing the Right Solution For most organizations, providing employees with their paychecks on time and error-free is mission-critical. An important contributor to employee satisfaction, payroll is one
More informationInternal Audit Manual
COMPTROLLER OF ACCOUNTS Ministry of Finance Government of the Republic of Trinidad Tobago Internal Audit Manual Prepared by the Financial Management Branch, Treasury Division, Ministry of Finance TABLE
More informationThe Importance of Defining and Documenting Information Security Roles and Responsibilities By Charles Cresson Wood, CISSP, CISA, CISM
The Importance of Defining and Documenting Information Security Roles and Responsibilities By Charles Cresson Wood, CISSP, CISA, CISM Many organization's information security efforts are characterized
More information02 DEPARTMENT OF PROFESSIONAL AND FINANCIAL REGULATION CERTIFIED PUBLIC ACCOUNTANT LICENSE REQUIREMENTS
02-280 Chapter 5 page 1 02 DEPARTMENT OF PROFESSIONAL AND FINANCIAL REGULATION 280 BOARD OF ACCOUNTANCY Chapter 5: CERTIFIED PUBLIC ACCOUNTANT LICENSE REQUIREMENTS SUMMARY: This chapter sets forth: (a)
More informationAt a glance. A provision to require a written assertion from company management is the most notable difference between the two standards.
At a glance While there are some differences, SAS 70 and SSAE 16 are substantially the same. SAS 70 is an audit standard while SSAE 16 is an attest standard. Out with the old SAS 70 and in with the new
More informationCA HalvesThe Cost Of Testing IT Controls For Sarbanes-Oxley Compliance With Unified Processes.
TECHNOLOGY BRIEF: REDUCING COST AND COMPLEXITY WITH GLOBAL GOVERNANCE CONTROLS CA HalvesThe Cost Of Testing IT Controls For Sarbanes-Oxley Compliance With Unified Processes. Table of Contents Executive
More informationSSAE 16 & SAS 70 A Primer on Changes to Service Organization Audit Standards
A Member of OneBeacon Insurance Group SSAE 16 & SAS 70 A Primer on Changes to Service Organization Audit Standards Author: Jack Fletcher, Risk Control Technology Specialist Published: November 2014 Executive
More informationMapping COBIT 5 with IT Governance, Risk and Compliance at Ecopetrol S.A. By Alberto León Lozano, CISA, CGEIT, CIA, CRMA
Volume 3, July 2014 Come join the discussion! Alberto León Lozano will respond to questions in the discussion area of the COBIT 5 Use It Effectively topic beginning 21 July 2014. Mapping COBIT 5 with IT
More informationTHE COMMONWEALTH OF MASSACHUSETTS. Division of Insurance. Arbella Indemnity Insurance Company, Inc.
THE COMMONWEALTH OF MASSACHUSETTS OFFICE OF CONSUMER AFFAIRS AND BUSINESS REGULATION Division of Insurance Report on the Comprehensive Market Conduct Examination of Arbella Indemnity Insurance Company,
More informationINTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS)
INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS) Introduction to the International Standards Internal auditing is conducted in diverse legal and cultural environments;
More informationSAS No. 70, Service Organizations
SAS No. 70, Service Organizations A standard for reporting on a service organization s controls affecting user entities' financial statements. Only for use by service organization management, existing
More informationExperienced professionals may apply for the Certified Risk Management Professional (CRMP) certification under the grandfathering provision.
Application for CRMP Certification (part 1) GRCSI is now offering the Certified Risk Management Professional (CRMP) certification to support and recognize professionals who have skills and experience in
More informationInstructions for Completing the Information Technology Officer s Questionnaire
Instructions for Completing the The (Questionnaire) contains questions covering significant areas of a bank s information technology (IT) function. Your responses to these questions will help determine
More informationAudit of the Policy on Internal Control Implementation
Audit of the Policy on Internal Control Implementation Natural Sciences and Engineering Research Council of Canada Social Sciences and Humanities Research Council of Canada February 18, 2013 1 TABLE OF
More informationManaging data security and privacy risk of third-party vendors
Managing data security and privacy risk of third-party vendors The use of third-party vendors for key business functions is here to stay. Routine sharing of critical information assets, including protected
More informationGuide to Understanding SAS 70 Reports
Guide to Understanding SAS 70 Reports Authors: Norm Parkerson, Business Advisory Services Executive Director and Brett Williams, Business Advisory Services Partner In today s global economy, service organizations
More informationEffectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com
Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations kpmg.com b Section or Brochure name Effectively using SOC 1, SOC 2, and SOC 3 reports for increased
More informationIC Performance Standards
IC Performance Standards Final Version 1 23 April 2009 1 TABLE OF CONTENTS BACKGROUND... 3 OCCUPATIONAL STRUCTURE... 4 PERFORMANCE ELEMENT CONTENT MODELS... 7 Professional and Technician/Administrative
More informationVendor. Management. For sponsorship or to become our partner, contact: marketing@achromicpoint.com
Knowledge Partner Presents 27th May 2015 - Bengaluru 5th June 2015 - New Delhi 24th June 2015 - Mumbai Vendor Risk Management For sponsorship or to become our partner, contact: marketing@achromicpoint.com
More informationPreparing for the Convergence of Risk Management & Business Continuity
Preparing for the Convergence of Risk Management & Business Continuity Disaster Recovery Journal Webinar Series September 5, 2012 2012 Strategic BCP, Inc. All rights reserved. strategicbcp.com 1 Today
More informationWhite Paper on Financial Institution Vendor Management
White Paper on Financial Institution Vendor Management Virtually every organization in the modern economy relies to some extent on third-party vendors that facilitate business operations in a wide variety
More informationOptimizing Automation of Internal Controls for GRC and General Business Process Compliance
Optimizing Automation of Internal s for GRC and General Business Process Compliance Whitepaper Compliancy Software, Inc. www.compliancysoftware.com Telephone: +1.919.342.6212 Email: info@compliancysoftware.com
More informationRoles and Responsibilities Corporate Compliance and Internal Audit
Roles and Responsibilities and By Mark P. Ruppert, CPA, CIA, CISA, CHFP The focus group of Health Care Compliance Association (HCCA) and Association of Healthcare ors (AHIA) members continues to explore
More information