Service Organizations and the Internal Audit function conference Institute of Internal Auditors in Israel
|
|
- Clinton Bishop
- 8 years ago
- Views:
Transcription
1 Service Organizations and the Internal Audit function 2015 conference Institute of Internal Auditors in Israel
2 Proprietary This work product/document is intended solely for the information and use of the 2015 IIA Israel conference and is not intended to be and should not be used by anyone other than the participants. Do not distribute without written permission. Page 2
3 Contact info Olivier Mandel CISA, Macc, CRISC, PMP Executive Director Advisory Services Kost Forer Gabbay & Kasierer 3 Aminadav St. Tel-Aviv 67067, Israel Office: Mob: Olivier.Mandel@il.ey.com Page 3
4 Agenda What is a service organization? Objectives and risks of outsourcing SOC / AUP reports Using reports Checklist Page 4
5 What is a service organization? Objectives and risks of outsourcing SOC / AUP reports Using reports Checklist Page 5
6 What is outsourcing? Service organization: An organization or segment of an organization that provides services to user entities, which are likely to be relevant to those user entities internal control over financial reporting. Page 6
7 Regulatory landscape SOX PCAOB HIPAA FISMA/NIST FedRAMP PCI OCC Cloud FFIEC ISO Israeli SOX Data protection Page 7
8 So? Your responsibility does not change, if you use a vendor to perform some business functions Page 8
9 What is a service organization? Objectives and risks of outsourcing SOC / AUP reports Using reports Checklist Page 9
10 Outsourcing: Objectives Vs. Risks Objectives Improve business focus Improve capabilities Improve use of capital/resources Improve operations Reduce cost Improve compliance Reduce risk/share risk with others Risks Financial reporting Operational Cost Processing integrity Data security/confidentiality Lack of availability Failure to deliver on requirements Compliance / Regulatory Page 10
11 Industry trends for outsourcing are evolving, but questions around benefits realization remain Outsourcing has its own set of issues, but effectively managing an increasingly complex and specialized supplier landscape is fraught with challenges. Many of these apply to both the suppliers and the retained organization. Without effective control of these areas, delivery costs can spiral out of control. 10 challenges facing the multi-sourced technology environment Business implications 1 Contract compliance without value 2 Poor performance visibility 3 4 Impotent governance Lack of data/information access Lack of direction and innovation Out-of-control costs 5 Poor architectural and system integration 6 Convoluted and labor-intensive reporting and analytics 7 8 Unclear delineation of responsibilities and accountability Insufficient collaboration across suppliers Low customer satisfaction Damage to brand reputation 9 Ineffective and tactical contract terms/slas 10 Incompatible delivery culture Companies that take a strategic and service-focused approach to service management can reduce delivery costs by as much as 30% and the application footprint for service management by as much as 33%. High-profile service outages Page 11
12 What is a service organization? Objectives and risks of outsourcing SOC / AUP reports Using reports Checklist Page 12
13 The relationship of the parties Entity s processes & controls Service organization s processes & controls Internal OR Financial statement auditors Service auditor Page 13
14 Summary of the different reporting types Report type Intended users Format Distribution limitations Example SOC 1 (SSAE 16, required after 6/15/11, replaces SAS 70) Customers financial statement auditors Long -form report Description of controls and systems Tests performed and results of testing Restricted to current customers Payroll processing Credit card transaction processing Claims processing SOC 2 Users seeking assurance over information handling SOC1 look-alike report : Long -form report Description of controls /systems Tests performed &results Scope relates to information handling objectives (security, availability, processing integrity, confidentiality and/or privacy ) Organization reports controls in place to meet prescribed principles/criteria Restricted to users with sufficient knowledge e.g., current and prospective customers, business partners, regulators, employees Supply chain information handler reporting on processing integrity Data center outsourcer reporting on security and availability Organization s alignment with ISO or Cloud Security Alliance framework SOC 3 Same as SOC 2 Short-form report Limited description of controls/systems No restrictions (e.g., mass distribution, website, current and prospective customers) Bank reporting on security and availability of an e-banking application AUP (Agreed Upon Report) Page 14 AT Section 201 The specified parties take Restricted to the two responsibility for the sufficiency of parties the agreed-upon procedures for their purposes Payroll outsourcing
15 What is a service organization? Objectives and risks of outsourcing SOC / AUP reports Using reports Checklist Page 15
16 Checklist 7 steps in the checklist Not the best and final, but includes all the relevant elements Page 16
17 1. Identify the What Can Go Wrongs (WCGWs) The WCGWs should cover the entire process What s done by the entity What s done by the service organization What s done by relevant subservice organizations The WCGWs for the service and subservice organizations should be the inverse of the control objectives Page 17
18 2. Identify the controls that address the WCGWs The controls will be At the entity and At the service organization and At the subservice organization, if used and relevant Document Business controls IT general controls Page 18
19 3. Identify the controls that address the WCGWs CUECs Complementary User Entity Controls (CUECs) These are the controls the service organization expects your organization (user organization) to have in order for the service organization's controls to achieve the control objectives CUECs relevant to your organization s financial statement risks need to be matched to entity (user organization) controls May include IT general controls under the entity s control (e.g., user set-up) All relevant user organization controls need to be tested in order to conclude on the effectiveness of controls Document Page 19
20 4. Testing Perform tests of key controls at your organization and evaluate the results Read the testing performed by the service auditor of the key controls at the service organization (and subservice organizations) identified by the service auditor Testing must be appropriate Just as we would not only inquire, the service auditor testing should not consist solely of inquiry for all controls related to a relevant control objective Exceptions (a.k.a., deviations) noted in the performance of the testing are required to be reported in the SOC 1 report Page 20
21 5. Factors to consider to address differences between SOC 1 reporting period & audit period The additional audit evidence to be obtained for the remaining period is based on the following factors The influence of the control environment The risk associated with the controls Whether the entity has designed and implemented controls that monitor the effective functioning of the transaction-level controls The effectiveness of ITGCs when we intend to rely on automated aspects of controls for application or IT-dependent manual controls The length of the remaining period The degree to which we intend to rely on the controls Control exceptions identified during the interim period Changes to controls tested in the interim period Substantive procedures to be performed in the remaining period Audit evidence obtained during the interim period. Page 21
22 6. Steps to consider related to SOC 1 report period and audit period difference Inquire of management as to changes in accuracy or timeliness of the service organization's processing Inquire of service organization as to changes in the processes and controls reported on in the SOC 1 report Commonly called a 'bridge letter' Request additional walkthroughs or tests of controls at the service organization be performed by the service auditor Perform walkthrough and/or tests of controls at the service organization Page 22
23 7. Other requirements Read the service auditor s opinion for Existence of subservice organizations Complementary user entity controls The auditing standard(s) used in the work The opinion on whether (paraphrased) Management s description of the service organization s system fairly presents the service organization s system that was designed and implemented throughout the period The controls related to the control objectives stated in management s description were suitably designed The controls tested were the appropriate controls to be tested and whether they operated effectively throughout the period Unusual restrictions on the use of the report Page 23
24 7. Other requirements (continued) What standard is used? Who is this firm? What is the timing? Where was it issued? Any carve-out or unusual items noted in the scope description? Any qualifications? For SOC 2 reports, are there any opinions on subject matter other than internal control (e.g., compliance)? Any inconsistencies with professional standards or unusual items? Page 24
25 Checklist 1 Identify the What Can Go Wrongs 2 Identify the controls that address the WCGWs 3 Identify the controls that address the WCGWs CUECs 4 Testing 5 Factors to consider to address differences between SOC 1 reporting period & audit period 6 Steps to consider related to SOC 1 report period and audit period difference 7. Other requirements Page 25
26 One minute recap Page 26
27 Thank you
Documentation of Use of a Type 2 Service Auditor s Report In an Audit of an Employee Benefit Plan s Financial Statements
Documentation of Use of a Type 2 Service Auditor s Report In an Audit of an Employee Benefit Plan s Financial Statements PLAN NAME: PLAN YEAR END: CLIENT NUMBER: SCOPE OF PLAN AUDIT: LIMITED FULL Note:
More informationSSAE 16 for Transportation & Logistics Companies. Chris Kradjan Kim Koch
SSAE 16 for Transportation & Logistics Companies Chris Kradjan Kim Koch 1 The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind,
More informationG24 - SAS 70 Practices and Developments Todd Bishop
G24 - SAS 70 Practices and Developments Todd Bishop SAS No. 70 Practices & Developments Todd Bishop Senior Manager, PricewaterhouseCoopers LLP Agenda SAS 70 Background Information and Overview Common SAS
More informationService Organization Control (SOC) Reports
Service Organization Control (SOC) Reports Transitioning from SAS 70 to SSAE 16 Deloitte & Touche LLP Agenda Overview SAS 70/SSAE 16 Historical Perspective The New Framework Under SSAE 16 (SOC 1) Impact
More informationGoodbye, SAS 70! Hello, SSAE 16!
Goodbye, SAS 70! Hello, SSAE 16! A Session to Provide Insight on the New Standard and What Service Providers and End-Users Need to Know January 3, 2012 Agenda Introduction Background on what was SAS 70
More informationService management integration (SMI)
www.iaop.org Sean Harapko, Principal, Ernst & Young LLP Aristide Toundzi, Sr. Manager, Ernst & Young LLP Steven Decker, Manager of Technical Services, PSEG Agenda What is service integration (SMI)? Building
More informationFeeley & Driscoll, P.C. Certified Public Accountants / Business Consultants www.fdcpa.com. Visit us on the web: www.fdcpa.com Or Call: 888-875-9770
Feeley & Driscoll, P.C. Certified Public Accountants / Business Consultants www.fdcpa.com SAS 70 Background 2 SAS No. 70 Reports on the Processing of Transactions by Service Organizations Independent examination
More informationCloud Security and Managing Use Risks
Carl F. Allen, CISM, CRISC, MBA Director, Information Systems Security Intermountain Healthcare Regulatory Compliance External Audit Legal and ediscovery Information Security Architecture Models Access
More informationWeighing in on the Benefits of a SAS 70 Audit for Third Party Data Centers
Weighing in on the Benefits of a SAS 70 Audit for Third Party Data Centers With increasing oversight and growing demands for industry regulations, third party assurance has never been under a keener eye
More informationService Organization Control Reports
SAS 70 ENDS EXIT TO SSAE 16 Service Organization Control Reports What Did We Learn from Year One? Agenda Definitions Service Organization Reports What are they? Year One Experiences SSAE 16 Year One Experiences
More informationWeighing in on the Benefits of a SAS 70 Audit for Payroll Service Providers
Weighing in on the Benefits of a SAS 70 Audit for Payroll Service Providers With increasing oversight and growing demands for industry regulations, third party assurance has never been under a keener eye
More information3.B METHODOLOGY SERVICE PROVIDER
3.B METHODOLOGY SERVICE PROVIDER Approximately four years ago, the American Institute of Certified Public Accountants (AICPA) issued Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting
More informationHow To Audit Cloud Computing
Assessing the Audit Impact of Cloud Computing kpmg.com 1 Assessing the Audit Impact of Cloud Computing Cloud Computing Cloud computing is becoming an important IT strategy for entities that need varying
More informationMicrosoft s Compliance Framework for Online Services
Microsoft s Compliance Framework for Online Services Online Services Security and Compliance Executive summary Contents Executive summary 1 The changing landscape for online services compliance 4 How Microsoft
More informationUnderstanding SOC Reports for Effective Vendor Management. Jason T. Clinton January 26, 2016
Understanding SOC Reports for Effective Vendor Management Jason T. Clinton January 26, 2016 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2012 Wolf & Company, P.C. Before we
More informationWELCOME TO SECURE360 2013
WELCOME TO SECURE360 2013 Don t forget to pick up your Certificate of Attendance at the end of each day. Please complete the Session Survey front and back, and leave it on your seat. Are you tweeting?
More informationThe Changing SAS 70 Landscape Dan Hirstein Director Rebecca Goodpasture Senior Manager Deloitte & Touche LLP January 13, 2011
The Changing SAS 70 Landscape Dan Hirstein Director Rebecca Goodpasture Senior Manager Deloitte & Touche LLP January 13, 2011 Table of Contents A Short History of SAS 70 Overview of SSAE 16 and ISAE 3402
More informationSECURITY AND EXTERNAL SERVICE PROVIDERS
SECURITY AND EXTERNAL SERVICE PROVIDERS How to ensure regulatory compliance and manage risks with Service Organization Control (SOC) Reports Jorge Rey, CISA, CISM, CGEIT Director, Information Security
More informationUnderstanding Vendor Risk And Analyzing the SSAE No. 16
Understanding Vendor Risk And Analyzing the SSAE No. 16 Accelerate your Credit Union s Performance June 19, 2014 AUSTIN, TEXAS www.cuaccelerator.com Agenda Vendor Management Key Outsourcing Risk Areas
More informationSSAE 16 and ISAE 3402: Preparing for New Service Company Control Standards Mastering Requirements Governing Your Next Controls Report
Presenting a live 110 minute teleconference with interactive Q&A SSAE 16 and ISAE 3402: Preparing for New Service Company Control Standards Mastering Requirements Governing Your Next Controls Report WEDNESDAY,
More informationFarewell to SAS 70. What you need to know about the New Standard for Service Organization Reporting
Farewell to SAS 70 What you need to know about the New Standard for Service Organization Reporting ADVISORY rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International Cooperative
More informationSSAE 16 & SAS 70 A Primer on Changes to Service Organization Audit Standards
A Member of OneBeacon Insurance Group SSAE 16 & SAS 70 A Primer on Changes to Service Organization Audit Standards Author: Jack Fletcher, Risk Control Technology Specialist Published: November 2014 Executive
More informationwww.pwc.com Third Party Risk Management 12 April 2012
www.pwc.com Third Party Risk Management 12 April 2012 Agenda 1. Introductions 2. Drivers of Increased Focus on Third Parties 3. Governance 4. Third Party Risks and Scope 5. Third Party Risk Profiling 6.
More informationIT Cloud / Data Security Vendor Risk Management Associated with Data Security. September 9, 2014
IT Cloud / Data Security Vendor Risk Management Associated with Data Security September 9, 2014 Speakers Brian Thomas, CISA, CISSP In charge of Weaver s IT Advisory Services, broad focus on IT risk, security
More informationShared Service System Audits: What User Management and Auditors Need to Know
Shared Service System Audits: What User Management and Auditors Need to Know JFMIP May 2014 Presented by: Robert Dacey GAO Session Objectives Properly using SSAE 16 service organization audit reports Revisions
More informationProtecting your brand in the cloud Transparency and trust through enhanced reporting
Protecting your brand in the cloud Transparency and trust through enhanced reporting Third-party Assurance November 2011 At a glance Cloud computing has unprecedented potential to deliver greater business
More informationCitation for published version (APA): Berthing, H. H. (2014). Vision for IT Audit 2020. Abstract from Nordic ISACA Conference 2014, Oslo, Norway.
Aalborg Universitet Vision for IT Audit 2020 Berthing, Hans Henrik Aabenhus Publication date: 2014 Document Version Early version, also known as pre-print Link to publication from Aalborg University Citation
More informationIT audit updates. Current hot topics and key considerations. IT risk assessment leading practices
IT audit updates Current hot topics and key considerations Contents IT risk assessment leading practices IT risks to consider in your audit plan IT SOX considerations and risks COSO 2013 and IT considerations
More informationAudit Considerations Relating to an Entity Using a Service Organization
Audit Considerations Relating to an Entity 349 AU-C Section 402 Audit Considerations Relating to an Entity Using a Service Organization Source: SAS No. 122; SAS No. 128. Effective for audits of financial
More informationInformation for Management of a Service Organization
Information for Management of a Service Organization Copyright 2011 American Institute of Certified Public Accountants, Inc. New York, NY 10036-8775 All rights reserved. For information about the procedure
More informationSSAE 16 Everything You Wanted To Know But Are Afraid To Ask. Kurt Hagerman CISA, CISSP, QSA Managing Director, Coalfire December 8, 2011
SSAE 16 Everything You Wanted To Know But Are Afraid To Ask Kurt Hagerman CISA, CISSP, QSA Managing Director, Coalfire December 8, 2011 1 Agenda SAS 70 Misunderstood and Overused o Why the change? SSAE
More informationInformation Security Management System for Microsoft s Cloud Infrastructure
Information Security Management System for Microsoft s Cloud Infrastructure Online Services Security and Compliance Executive summary Contents Executive summary 1 Information Security Management System
More informationFAQs New Service Organization Standards and Implementation Guidance
FAQs New Service Organization Standards and Implementation Guidance During the past two years several significant changes have occurred in audit and attest standards for reporting on controls at service
More informationRisks (Audit Risk Formula)
Risks (Audit Risk Formula) Component of Audit Risk Inherent risk Errors likely to occur In client s financial statements Control risk Detection risk Audit risk Errors not detected by controls Errors that
More informationReports on Service Organizations Where we ve been?
Reports on Service Organizations Where we ve been? What s changing? How does this impact Internal Audit? Eric Wright Shareholder Frank Dezort Senior Manager Schneider Downs & Co., Inc. May 2, 2011 Overview
More informationEffectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com
Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations kpmg.com b Section or Brochure name Effectively using SOC 1, SOC 2, and SOC 3 reports for increased
More informationIIA Conference. September 18, 2015. Paige Needling Director, Global Information Security Recall, Inc.
IIA Conference September 18, 2015 Paige Needling Director, Global Information Security Recall, Inc. IT SECURITY UMBRELLA Compliance for IT Data Privacy Protection Privacy Risk Assessment Vulnerability
More informationThe silver lining: Getting value and mitigating risk in cloud computing
The silver lining: Getting value and mitigating risk in cloud computing Frequently asked questions The cloud is here to stay. And given its decreased costs and increased business agility, organizations
More informationReporting on Controls at a Service Organization
Reporting on Controls at a Service Organization 1529 AT Section 801 Reporting on Controls at a Service Organization (Supersedes the guidance for service auditors in Statement on Auditing Standards No.
More informationVendor Management: An Enterprise-wide Focus. Susan Orr, CISA CISM CRISC CRP Susan Orr Consulting, Ltd.
Vendor Management: An Enterprise-wide Focus Susan Orr, CISA CISM CRISC CRP Susan Orr Consulting, Ltd. Why Focus on Vendor Management Increased financial regulatory scrutiny GLBA and Identity Theft Red
More informationVENDOR MANAGEMENT An Update & Discussion
VENDOR MANAGEMENT An Update & Discussion Ground Rules TO ENCOURAGE FREE DISCUSSION, NO RECORDING DEVICES OF ANY KIND INCLUDING CELL PHONES, CAMERAS, ETC, ARE ALLOWED NO EXCEPTIONS VIOLATORS WILL BE ASKED
More information3 rd Party Vendor Risk Management
3 rd Party Vendor Risk Management Session 402 Tuesday, June 9, 2015 (11 to 12pm) Session Objectives The need for enhanced reporting on vendor risk management Current outsourcing environment Key risks faced
More informationVendor Management Best Practices
23 rd Annual and One Day Seminar Vendor Management Best Practices Catherine Bruder CPA, CITP, CISA, CISM, CTGA Michigan Texas Florida Insight. Oversight. Foresight. SM Doeren Mayhew Bruder 1 $100 billion
More informationCloud Computing: Security, Risk and Governance Issues & International Developments in the Banking Sector. Panagiotis Droukas CISA, CRISC, CGEIT
Cloud Computing: Security, Risk and Governance Issues & International Developments in the Banking Sector Panagiotis Droukas CISA, CRISC, CGEIT Business Case for Cloud Computing www.c-ebs.org average traffic
More informationCloud Security Panel: Real World GRC Experiences. ISACA Atlanta s 2013 Annual Geek Week
Cloud Security Panel: Real World GRC Experiences ISACA Atlanta s 2013 Annual Geek Week Agenda Introductions Recap: Overview of Cloud Computing and Why Auditors Should Care Reference Materials Panel/Questions
More informationThe Changing IT Risk Landscape Understanding and managing existing and emerging risks
The Changing IT Risk Landscape Understanding and managing existing and emerging risks IIA @ Noon Kareem Sadek Senior Manager, Deloitte Canada Chris Close Senior Manager, Deloitte Canada December 2, 2015
More informationEffectively Assessing IT General Controls
Effectively Assessing IT General Controls Tommie Singleton UAB AGENDA Introduction Five Categories of ITGC Control Environment/ELC Change Management Logical Access Controls Backup/Recovery Third-Party
More informationCloud Computing An Auditor s Perspective
Cloud Computing An Auditor s Perspective Sailesh Gadia, CPA, CISA, CIPP sgadia@kpmg.com December 9, 2010 Discussion Agenda Introduction to cloud computing Types of cloud services Benefits, challenges,
More informationHans Bos Microsoft Nederland. hans.bos@microsoft.com
Hans Bos Microsoft Nederland Email: Twitter: hans.bos@microsoft.com @hansbos Microsoft s Cloud Environment Consumer and Small Business Services Software as a Service (SaaS) Enterprise Services Third-party
More informationInternal audit value optimization for insurance organizations
Internal audit value optimization for insurance organizations Webinar May 13, 2015 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.
More informationRisk Considerations for Internal Audit
Risk Considerations for Internal Audit Cecile Galvez, Deloitte & Touche LLP Enterprise Risk Services Director Traci Mizoguchi, Deloitte & Touche LLP Enterprise Risk Services Senior Manager February 2013
More informationAbout the Presenter. Presentation Objectives. SaaS / Cloud Computing Risk Management AICPA Attest Alternatives
SaaS / Cloud Computing Risk Management AICPA Attest Alternatives Presenter: Dan Schroeder, CPA/CITP Habif, Arogeti, & Wynne, LLP Georgia Society of CPAs Annual Convention June 16, 2010 About the Presenter
More informationERIC M. WRIGHT, cpa, citp
ERIC M. WRIGHT, cpa, citp ERIC M. WRIGHT, CPA, CITP Eric has been involved with Information Technology with Schneider Downs since 1983. He specializes in and oversees the design, setup, installation and
More informationSOC on Amazon Web Services (AWS) What You Need To Know Understanding the regulatory roadmap for SOC on AWS
SOC on Amazon Web Services (AWS) What You Need To Know Understanding the regulatory roadmap for SOC on AWS Jeff Cook November 2015 Summary Service Organization Control (SOC) reports (formerly SAS 70 or
More information3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014. Straightforward Security and Compliance
3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014 Continuous Education Services (elearning/workshops) Compliance Management Portals Information Security
More informationThe Elephant in the Room: What s the Buzz Around Cloud Computing?
The Elephant in the Room: What s the Buzz Around Cloud Computing? Warren W. Stippich, Jr. Partner and National Governance, Risk and Compliance Solution Leader Business Advisory Services Grant Thornton
More informationIT risk management discussion 2013 PIAA Leadership Camp May 15, 2013
IT risk management discussion 2013 PIAA Leadership Camp May 15, 2013 Debbie Lew Agenda Review what is IT governance Review what is IT risk management A discussion of key IT risks to be aware of Page 2
More informationIT Vendor Due Diligence. Jennifer McGill CIA, CISA, CGEIT IT Audit Director Carolinas HealthCare System December 9, 2014
IT Vendor Due Diligence Jennifer McGill CIA, CISA, CGEIT IT Audit Director Carolinas HealthCare System December 9, 2014 Carolinas HealthCare System (CHS) Second largest not-for-profit healthcare system
More informationKey Considerations of Regulatory Compliance in the Public Cloud
Key Considerations of Regulatory Compliance in the Public Cloud W. Noel Haskins-Hafer CRMA, CISA, CISM, CFE, CGEIT, CRISC 10 April, 2013 w_haskins-hafer@intuit.com Disclaimer Unless otherwise specified,
More informationOutsourced Third Party Relationship Management/ Vendor Management. TTS Webinar July 15, 2015 Susan Orr CISA, CISM, CRISC, CRP
Outsourced Third Party Relationship Management/ Vendor Management TTS Webinar July 15, 2015 Susan Orr CISA, CISM, CRISC, CRP 1 Risk Management Guidance 2 3 Appendix J: 4 - Key Elements Third Party Management
More informationEffective Monitoring of Outsourced Plan Recordkeeping and Reporting Functions
PLAN ADVISORY Effective Monitoring of Outsourced Plan Recordkeeping and Reporting Functions PLAN ADVISORY Table of Contents Introduction 3 Selecting and Monitoring Third-Party Service Providers 4 Quality
More informationSAS No. 70, Service Organizations
SAS No. 70, Service Organizations A standard for reporting on a service organization s controls affecting user entities' financial statements. Only for use by service organization management, existing
More informationUpdate on AICPA Assurance Services Executive Committee Activities
Update on AICPA Assurance Services Executive Committee Activities Amy Pawlicki Director Business Reporting, Assurance & Advisory Services and XBRL AICPA Agenda ASEC overview Summary of work streams by
More informationIT Insights. Managing Third Party Technology Risk
IT Insights Managing Third Party Technology Risk According to a recent study by the Institute of Internal Auditors, more than 65 percent of organizations rely heavily on third parties, yet most allocate
More informationThird-Party Cybersecurity and Data Loss Prevention
Third-Party Cybersecurity and Data Loss Prevention SESSION ID: DSP-W04A Brad Keller Sr. Vice President Santa Fe Group Jonathan Dambrot, CISSP CEO, Co-Founder Prevalent Networks 3rd Party Risk Management
More informationKeeping up with the World of Cloud Computing: What Should Internal Audit be Thinking About?
Keeping up with the World of Cloud Computing: What Should Internal Audit be Thinking About? IIA San Francisco Chapter October 11, 2011 Agenda Introductions Cloud computing overview Risks and audit strategies
More informationElectronic Audit Evidence (EAE) and Application Controls. Tulsa ISACA Chapter December 11, 2014
Electronic Audit Evidence (EAE) and Application Controls Tulsa ISACA Chapter December 11, 2014 Agenda Recent IT-related PCAOB inspection themes: Internal control over financial reporting Multi-location
More informationEffective Monitoring of Outsourced Plan Recordkeeping and Reporting Functions
Effective Monitoring of Outsourced Plan Recordkeeping and Reporting Functions Plan Advisory The AICPA EBPAQC is a firm-based, volunteer membership center created with the goal of promoting quality employee
More informationApplication controls testing in an integrated audit
Application controls testing in Application controls testing in an integrated audit Learning objectives Describe types of controls Describe application controls and classifications Discuss the nature,
More informationA Flexible and Comprehensive Approach to a Cloud Compliance Program
A Flexible and Comprehensive Approach to a Cloud Compliance Program Stuart Aston Microsoft UK Session ID: SPO-201 Session Classification: General Interest Compliance in the cloud Transparency Responsibility
More informationService Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard
Information Systems Audit and Controls Association Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard February 4, 2014 Tom Haberman, Principal, Deloitte & Touche LLP Reema Singh,
More informationHow to survive an Audit
How to survive an Audit Eric Tan PwC Harshul Joshi PwC Objectives Preparation - You can never prepare enough; Mock audit - Running a mock audit Documentation to prove the processes and controls - Documentation
More informationInformation Security Management System (ISMS) Overview. Arhnel Klyde S. Terroza
Information Security Management System (ISMS) Overview Arhnel Klyde S. Terroza May 12, 2015 1 Arhnel Klyde S. Terroza CPA, CISA, CISM, CRISC, ISO 27001 Provisional Auditor Internal Auditor at Clarien Bank
More informationMAINTAINING COMPLIANCE AND MANAGING RISK IN OUTSOURCED ENGAGEMENTS. Nick Harrahill PayPal Global Security Operations
MAINTAINING COMPLIANCE AND MANAGING RISK IN OUTSOURCED ENGAGEMENTS Nick Harrahill PayPal Global Security Operations AGENDA Inception of an engagement The legal agreement Assessing the risk Customer call
More informationF&I Administration Processing Controls An SSAE 16 Perspective
F&I Administration Processing Controls An SSAE 16 Perspective Tim Roncevich Partner, SSAE 16 Professionals Kelvin Walker Director, SSAE 16 Professionals Session Speakers Tim Roncevich Co-founder of SSAE
More informationTOP 10 Security Questions Introduction Breaches and other privacy and security incidents in healthcare are on the rise due to the vast size of the industry and the oneoffs of protected health information
More informationPharma CloudAdoption. and Qualification Trends
Pharma CloudAdoption and Qualification Trends OurCloudExperience Numerous implementations of EDMS systems with external hosting for smaller life science clients Development of qualification strategy for
More informationThe Importance of IT Controls to Sarbanes-Oxley Compliance
Hosted by Deloitte, PricewaterhouseCoopers and ISACA/ITGI The Importance of IT Controls to Sarbanes-Oxley Compliance 15 December 2003 1 Presenters Chris Fox, CA Sr. Manager, Internal Audit Services PricewaterhouseCoopers
More informationSECURITY RISK MANAGEMENT
SECURITY RISK MANAGEMENT ISACA Atlanta Chapter, Geek Week August 20, 2013 Scott Ritchie, Manager, HA&W Information Assurance Services Scott Ritchie CISSP, CISA, PCI QSA, ISO 27001 Auditor Manager, HA&W
More informationThe supporting information for audit/engagement procedures is part of the required Audit/Engagement Documentation (See Section 240.00).
LAST REVISED: DECEMBER 31, 2012 PAGE 1 OF 7 AUDIT/ENGAGEMENT PROGRAM DEFINITION Set of specific audit/engagement procedures that are designed to meet identified audit/engagement objectives, reduce AR,
More information9/14/2015. Before we begin. Learning Objectives. Kevin Secrest IT Audit Manager, University of Pennsylvania
Evaluating and Managing Third Party IT Service Providers Are You Really Getting The Assurance You Need To Mitigate Information Security and Privacy Risks? Kevin Secrest IT Audit Manager, University of
More informationRISK MANAGEMENT PROGRAM THAT WORKS FOUR KEYS TO CREATING A VENDOR. HEADQUARTERS 33 Bradford Street Concord, MA 01742 PHONE: 978-451-7655
FOUR KEYS TO CREATING A VENDOR RISK MANAGEMENT PROGRAM THAT WORKS HEADQUARTERS 33 Bradford Street Concord, MA 01742 PHONE: 978-451-7655 FOUR KEYS TO CREATING A VENDOR RISK MANAGEMENT PROGRAM THAT WORKS
More informationCloud Computing An Internal Audit Perspective. Heather Paquette, Partner Tom Humbert, Manager
Cloud Computing An Internal Audit Perspective Heather Paquette, Partner Tom Humbert, Manager March10 2011 Discussion Agenda Introduction to cloud computing Types of cloud services Benefits, challenges,
More informationOur Services. Unlocking IT Value - Transforming IT Enabled Investments into Business Value
Our Services Unlocking IT Value - Transforming IT Enabled Investments into Business Value Our core services IT Auditing IT Governance Consulting IT Projects Advisory Training Enterprise Risk Management
More informationG24: Audits of Controls at a Service Organization: New Standards SSAE 16 and ISAE 3402 Duff Donnelly and Jeffrey Spivack, Grant Thornton LLP
G24: Audits of Controls at a Service Organization: New Standards SSAE 16 and ISAE 3402 Duff Donnelly and Jeffrey Spivack, Grant Thornton LLP Audits of controls at a service organization Roadmap to the
More informationS. SHLOMO INSURANCE COMPANY LTD FINANCIAL STATEMENTS AS AT DECEMBER 31, 2011
Translated from the Hebrew original S. SHLOMO INSURANCE COMPANY LTD FINANCIAL STATEMENTS AS AT DECEMBER 31, 2011 S. SHLOMO INSURANCE COMPANY LTD FINANCIAL STATEMENTS AS AT DECEMBER 31, 2011 INDEX Page
More informationIT Governance, Risk and Compliance (GRC) : A Strategic Priority. Joerg Asma
IT Governance, Risk and Compliance (GRC) : A Strategic Priority Joerg Asma Agenda Introductions An Overview of IT Governance Risk & Compliance (IT-GRC) The Value Proposition Implementing an IT-GRC Program
More informationHot Topics in IT. CUAV Conference May 2012
Hot Topics in IT CUAV Conference May 2012 Baker Tilly Virchow Krause, LLP Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.
More informationCFPB Readiness Series: Compliant Vendor Management Overview
CFPB Readiness Series: Compliant Vendor Management Overview Legal Disclaimer This information is not intended to be legal advice and may not be used as legal advice. Legal advice must be tailored to the
More informationThe Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant
THE MARKET LEADER IN IT, SECURITY AND COMPLIANCE SERVICES FOR COMMUNITY FINANCIAL INSTITUTIONS The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant Agenda
More informationHere comes SSAE 16 SAS 70 EVOLUTION: How will the new standard affect my business? How do I prepare to meet the new requirements?
SAS 70 EVOLUTION: Here comes SSAE 16 PLANNING FOR THE NEW SERVICE ORGANIZATION REPORTING STANDARDS The prevalence of SAS 70 audits has grown dramatically since the standards issuance in April of 1992.
More informationTHE ROLE OF AN SOC 1 REPORT (formerly SAS 70) IN FREIGHT PAYMENT
THE ROLE OF AN SOC 1 REPORT (formerly SAS 70) IN FREIGHT PAYMENT White Paper www.a3freightpayment.com THE ROLE OF AN SOC 1 REPORT (formerly SAS 70) IN FREIGHT PAYMENT Introduction An essential element
More informationVendor Management Compliance Top 10 Things Regulators Expect
Vendor Management Compliance Top 10 Things Regulators Expect Paul M. Phillips, CFA Attorney, Adams and Reese Pamela T. Rodriguez, AAP, CIA, CISA EVP, Risk Management & Education, EastPay 2014 EastPay.
More informationVENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium
1 VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 2 Agenda Introduction Vendor Management what is? Available Guidance Vendor Management
More informationRisk & Control Considerations for Outsourced IT Operations
Risk & Control Considerations for Outsourced IT Operations Adnan Dakhwe, MS, CISA, CRISC, CRMA Safeway Inc. Core Competencies C32 CRISC CGEIT CISM CISA Introductions & Poll Organization has outsourced
More informationOrchestrating the New Paradigm Cloud Assurance
Orchestrating the New Paradigm Cloud Assurance Amsterdam 17 January 2012 John Hermans - Partner Current business challenges versus traditional IT Organizations are challenged with: Traditional IT seems
More informationAudit Phases. Phase 1: Planning and Risk Identification
Audit Phases Phase 1: Planning and Risk Identification Remember the Audit Risk Model of the client, Susceptibility to fraud Control risk Errors likely to occur In client s financial statements Detection
More informationISE Northeast Executive Forum and Awards
ISE Northeast Executive Forum and Awards October 3, 2013 Company Name: Project Name: Presenter: Presenter Title: University of Massachusetts Embracing a Security First Approach Larry Wilson Chief Information
More informationCloud Computing Security Audit
Cloud Computing Security Audit Teddy Sukardi tedsuka@indo.net.id Indonesia IT Consultant Association IKTII Chairman Agenda The data center and the cloud Concerns with cloud implementation The role of cloud
More informationWhite Paper September 2013 By Peer1 and CompliancePoint www.peer1.com. PCI DSS Compliance Clarity Out of Complexity
White Paper September 2013 By Peer1 and CompliancePoint www.peer1.com PCI DSS Compliance Clarity Out of Complexity Table of Contents Introduction 1 Businesses are losing customer data 1 Customers are learning
More information