Asset Manager Guide to SAS 70
Issue Date: October 7, 2007
Asset Management Group




Asset Manager Guide: SAS 70

Table of Contents
- Executive Summary
- Overview and Current Landscape
- Service Organization Responsibilities
- Service Auditor Responsibilities
- Form and Content of Type 1 & Type 2 SAS 70 Reports
- Global SAS 70 Equivalent Standards
- Sample of International Standards
- Defining the Description of Controls
- Asset Manager Scope
- Asset Manager Scope: The Control Environment
- Asset Manager Scope: General Computer Controls
- Asset Manager Scope: Operations
- Determining the Control Objectives
- Determining the Control Objectives: Elements of Control Objectives
- Baseline Control Objectives: Operations
- Baseline Control Objectives: General Computer Controls
- SAS 70 Key Terms
- SAS 70 Guidance Resources

This document is meant to serve as a guide to developing a SAS 70 and does not substitute for professional standards, authoritative literature, or guidelines depicted in formal AICPA Audit and Accounting Guides.

Executive Summary

The Asset Management Group (AMG) of the Securities Industry and Financial Markets Association (SIFMA) has developed these recommended baseline areas of scope and control objectives for asset managers' SAS 70 reports. This Asset Manager Guide to SAS 70 was developed in conjunction with Deloitte & Touche LLP, PricewaterhouseCoopers LLP, Ernst & Young LLP, KPMG LLP and AICPA guidelines. It is meant to provide the following:
- An overview and current landscape of SAS 70s; and
- Guidance for developing an asset manager's system description, including baseline areas of scope and control objectives.

These recommended asset manager baseline areas of scope and control objectives include asset management operations and the IT general computer controls, and were developed to make the audit reports more understandable and to provide a more consistent reporting model for the industry. This document is meant to serve as a guide to SAS 70 and does not substitute for guidelines depicted in formal AICPA Audit and Accounting Guides.

Overview & Current Landscape

SAS 70 reports, which are issued in accordance with guidance from the American Institute of Certified Public Accountants to demonstrate that a firm has appropriate internal controls, are typically requested by the customers of asset managers, such as pension funds and mutual funds. Asset managers utilize SAS 70 to meet client requests, to help support the requirements of Sarbanes-Oxley and, to a certain extent, to meet the requirements of Rule 38A-1, the rule defining the responsibilities of the chief compliance officer. Prior to this project, there was no standard scope of activities or controls that managers include in these audit reports. Since asset managers are fiduciaries for their clients, it is important that they demonstrate that they have sound financial controls and safeguards, particularly around areas of operations and technology. It is in the best interest of the client, the asset manager, and the auditor to be a part of an industry-developed and approved standard.

Current Landscape

Sarbanes-Oxley legislation does not mandate the issuance of SAS 70s. The Sarbanes-Oxley legislation, Sections 302 and 404 in particular, has increased the awareness and scrutiny of the design and operating effectiveness of internal controls.

- Recent industry and regulatory events have required organizations to have greater awareness of their service providers' control environment and of the controls in place to manage risk.
- Directors/Trustees have a fiduciary responsibility to understand and manage the risks presented by outsourcing critical aspects of their operations.
- An increasing number of organizations are outsourcing key components of their operations.
- Increased scrutiny of SAS 70 reports due to the current regulatory environment (i.e., Section 404).
- Increasing expectation of asset managers' customers to have a SAS 70 examination completed. Also viewed as a competitive advantage.

Service Organization Responsibilities

Primary Responsibilities:
- Determine the type of report (Type 1 or 2) to be issued and the period covered;
- Determine scope (i.e., services, functional areas, application systems);
- Identify sub-service organizations and the approach to include them in or exclude them from the scope of the report (inclusive or carve-out method of reporting);
- Identify control objectives (unless established by a third party);
- Prepare a description of controls that is fairly presented (complete and accurate), including disclosing significant changes in controls in the description of controls since the later of the date of the last report or within the last 12 months;
- Assess the design and operating effectiveness of internal controls and include a complete and accurate description of control activities;
- Identify complementary controls (i.e., "user controls") that a user organization should have in place;
- Include other information provided (i.e., Business Continuity Planning);
- Disclose any fraud, illegal acts, or uncorrected errors, design deficiencies in controls, test of operating effectiveness deficiencies, and subsequent events of which management is aware that would have a significant effect on a user organization;

- Tailor and obtain appropriate signatures on management's representation letter;
- Review and edit the final draft of the SAS 70 report; and
- Control and distribute the SAS 70 report.

Secondary Responsibilities:
- Identify the project coordinator & key contacts.
- Assist the service auditor in determining logistical requirements for testing, such as access to systems, reports, and documentation.

Service Auditor Responsibilities

Primary Responsibilities:
- Assess control objectives (i.e., complete and reasonable);
- Assess the description to form an opinion whether it "presents fairly", "is suitably designed", and "is in place";
- Perform tests of operating effectiveness to form an opinion whether controls are "operating effectively for the period" (for Type 2 SAS 70s only);
- Prepare the description of tests and results;
- Perform procedures to address complementary controls that a user organization should have in place;
- Disclaim an opinion on other information provided by the service organization;
- Perform procedures to address any instances of fraud, illegal acts, or uncorrected errors, design deficiencies in controls, test of operating effectiveness deficiencies, and subsequent events of which management makes the service auditor aware that would have a significant effect on a user organization;
- Prepare the Independent Service Auditor's Report (opinion); and
- Obtain and review the signed representation letter from authorized service organization management.

Secondary Responsibilities:
- Meet with the service organization to finalize scope, the specific objectives to be accomplished by the examination, responsibilities, and the schedule of field work;
- Finalize the engagement work plan and schedule staff; and
- Discuss findings & recommendations with the service organization.

Form and Content of Type 1 & Type 2 SAS 70 Reports

There is no rigid standard proposed by AICPA guidance with regard to the organization of a Type 1 or Type 2 SAS 70 report; however, leading practices indicate that the report should be organized as follows:
- Independent Service Auditor's Report (the opinion)
- Description of Controls
- Information Provided by the Independent Service Auditor: this section includes tests of operating effectiveness (Type 2 Reports only)
- Other Information Provided by the Service Organization: this is an optional section, and the service auditor disclaims an opinion on such information. Common coverage areas include the disaster recovery plan, business continuity plan, or privacy.

AICPA Audit Guide Reference: 2.04-2.09

Type 1 SAS 70:
- Reports on controls placed in operation
- Report is as of a point in time (i.e., as of 12/31/200X)
- Looks at the design of controls, not operating effectiveness
- Limited use & considered for information purposes only
- Not considered useful for purposes of reliance by user auditors
- Not used as a basis for reducing the assessment of control risk below the maximum
- Generally performed the first year a service organization has a SAS 70

Type 2 SAS 70:
- Reports on controls placed in operation & tests of operating effectiveness
- Report covers a period of time, generally not less than 6 months and not more than 12 months
- Differentiating factor: includes tests of operating effectiveness
- May provide the user auditor with a basis for reducing the assessment of control risk below the maximum
- Requires more internal and external effort
- Identifies instances of non-compliance with the stated control activity
- More emphasis on evidential matter

For additional guidance regarding the Independent Service Auditor's Reports for Type 1 and Type 2 reports, see the following AICPA Audit Guide references: Service Organization, Chapters 2 and 4; Service Auditor, Chapters 4 and 5.

Global SAS 70 Equivalent Standards

Global Trends

As organizations expand where they do business and whom they do business with, the need to obtain assurance over controls has become a global issue. The International Accounting and Auditing Standards Board is developing global standards for service organizations, to be issued in the next few years. Many organizations with overseas operations are obtaining SAS 70s; however, other similar country-specific standards do exist.

SAS 70 or Other International Standards to Consider
- If the service organization and the user organization are domiciled in the same country, then consider using the local standard.
- If the service organization and/or the user organization are domiciled in different countries, then consider using SAS 70 standards.
- The service organization should consult with its user organizations to determine what standards will be appropriate.

Sample of International Standards (Location: Relevant Accounting Body. Relevant Audit Standard.)
- Global: International Accounting and Auditing Standards Board. International Standards on Assurance Engagements (ISAE) 402 for users of service organizations; new standard ISAE 3402 for Service Organization Reports.
- U.S.: American Institute of Certified Public Accountants. Statement on Auditing Standards No. 70 (SAS 70).
- Australia: CPA Australia and the Institute of Chartered Accountants in Australia. Auditing Guidance Statement 1042, Reporting on Control Procedures at Outsourcing Entities.
- Canada: Canadian Institute of Chartered Accountants. CICA Handbook, Assurance and Related Services 5970.
- Hong Kong: Hong Kong Institute of Certified Public Accountants. HKCPA Statements, Auditing Practice Note 860.2.
- Japan: Japanese Institute of Certified Public Accountants. Audit Standards Committee Report No. 18.
- United Kingdom: Institute of Chartered Accountants in England and Wales. Audit and Assurance Faculty (AAF 01/06).
- Chile: College of Accountancy of Chile A.G. Generally Accepted Auditing Standard No. 56 (NAGA56).

Defining the Description of Controls

The service auditor can assist in writing the description of controls; however, the accuracy, completeness, and method of presentation are the responsibility of the service organization. The description should provide information about the service organization's internal control that is relevant to the user organization's internal control; relevance is determined based on the relevance of the information to a user organization's internal control as it relates to an audit of financial statements. At a minimum, the description of controls should include the following:
- Aspects of the service organization's control environment, risk assessment, information and communication, and monitoring that may affect the services provided to the user organization, as it relates to an audit of financial statements;
- Control objectives, related controls, and user control considerations pertaining to operations and general computer controls; and
- Changes to the controls since the later of the date of the last report or within the last 12 months.

AICPA Audit Guide Reference: 2.17-2.29

Asset Manager Scope

Areas relevant to an Asset Manager are categorized as one of the following as it relates to the scope of an Asset Manager SAS 70:
- Baseline: this area is relevant to a user organization's internal control as it relates to an audit of financial statements and is common to the scope of SAS 70s issued by Asset Managers.
- Not Baseline: this area is not relevant to a user organization's internal control as it relates to an audit of financial statements and is not common to the scope of SAS 70s issued by Asset Managers.
- Other Area to Consider: this area is not common to the scope of SAS 70s issued by Asset Managers, but may be considered for inclusion in scope.

Baseline areas, Not Baseline areas, and Other Areas to Consider for an Asset Manager SAS 70 are depicted on the following pages as they relate to:
- The Control Environment
- Operations
- General Computer Controls

Asset Manager Scope: The Control Environment

Baseline:
- Integrity and ethical values
- Commitment to competence
- Board of directors or audit committee participation
- Management philosophy and operating style
- Organizational structure
- Assignment of authority and responsibility
- Human resource policies and procedures
- Risk assessment
- Information and communication
- Monitoring

Not Baseline:
- Privacy Policies and Procedures

In General: The Control Environment is the foundation for all other aspects of internal control, and therefore it is essential that the service organization describe the appropriate information in the description of controls based on what is relevant to the user organizations. The service auditor is also responsible for evaluating/testing the information included in the Control Environment description. Management is not precluded from presenting relevant aspects of its control environment in the form of a control objective with applicable controls listed.

Asset Manager Scope: General Computer Controls

Baseline:
- Information Systems Operations: Job scheduling; Record backup; Problem management
- Information Security: Logical security; Physical security; Environmental protection
- Change Management: Application changes; System software changes; Network changes; Hardware changes

Not Baseline:
- Business Continuity Planning or Disaster Recovery*

* Note: in accordance with AICPA guidance, a service auditor cannot form an opinion on the design of controls or operating effectiveness over Business Continuity Planning or Disaster Recovery.

Asset Manager Scope: Operations

Baseline:
- New Account Set Up and Account Maintenance
- New Security Set Up and Maintenance
- Contributions / Distributions
- Trading: Trade Processing; Client Investment Guideline and Restriction Compliance; Trade Allocation; Trade Error and Investment Guideline Breaches; Trade Settlement Procedures
- Investment Income
- Valuation (Securities, Foreign Exchange Rates, and Derivatives)
- Corporate Actions
- Reconciliation (Cash and Position)
- Client Reporting

Not Baseline:
- Investment Adviser Registration, Form ADV and Delivery Requirements Policies and Procedures
- Section 13 filings under the Securities Exchange Act of 1934 Policies and Procedures
- Advertising and Marketing Investment Services
- Insider Trading
- Portfolio Pumping and Window Dressing
- Client Complaint Processing
- Product Development
- Cross Trading
- Managing Proprietary Accounts
- Cash Referral Fee Agreement
- Account Performance
- Laws and Regulations
- IRS Rules

Other Areas to Consider:
- Fee Calculation and Billing
- Custody or Possession of Client Assets (if applicable)
- Brokerage Allocation (includes Best Execution, Affiliated Trading, Soft Dollars, Directed Brokerage and IPO or New Issues Allocation)
- Broker Selection and Retention
- Trading Aggregation
- Proxy Voting
- Personal Trading
- AML Review

Determining the Control Objectives

The control objectives should be determined by the service organization, while taking into consideration the needs of the service organization's users and an audit of financial statements. However, the service auditor may assist the service organization with defining appropriate control objectives in the following ways:
- By providing examples of control objectives that may be relevant to user organizations, as it relates to an audit of financial statements; and
- By reviewing draft control objectives and providing feedback as to their appropriateness and adequacy.

The control objectives may be designated by the service organization or by outside parties such as regulatory authorities, a user group, or others. If the control objectives are incomplete, the service auditor may qualify the SAS 70 report.

AICPA Audit Guide Reference: 4.14-4.16 and 4.17-4.23

Control objectives help the user auditor determine how the service organization's controls affect the user organization's financial statement assertions (i.e., validity, completeness, cutoff, recording, valuation, and presentation). The service organization should establish control objectives that it believes relate to its users' financial statement assertions and provide a framework for the user auditors to assess control risk as a whole. The service organization can modify control objectives after the start of the engagement, but may need to disclose this in the report in an explanatory paragraph. However, the service organization cannot modify a control objective in order to avoid a control objective that would be considered significant by user organizations and their auditors, or because there is a significant deficiency in either the design or operating effectiveness of the controls.

SAS 70 reports issued by a service auditor should include control objectives that start with the language "Controls provide reasonable assurance that...".

AICPA Audit Guide Reference: 2.30-2.41 and 4.11

Determining the Control Objectives: Elements of Control Objectives

The following categories may assist in considering each of the elements within the control objectives that would affect the user organization's financial statement assertions. Each assertion in a user organization's financial statements is listed with the potential errors it relates to:
- Validity: Potential validity errors include recorded transactions or events that are not valid, including transactions and events that are unauthorized.
- Completeness: Completeness relates to the accurate generation of a source document or direct computer input (input) for all transactions and the capture of all input in the subsidiary ledger.
- Cutoff: Potential cutoff errors relate to transactions that occur in one period but are recorded in another period.
- Recording: Potential recording errors relate to transactions or events that are inaccurately recorded, including recording of transactions or events in the wrong general ledger account or where transactions, events, or other matters are inaccurately disclosed.
- Valuation: Potential valuation errors relate to transactions, events, or other disclosed matters that are incorrectly valued.
- Presentation: Potential presentation errors relate to (1) account balances being presented in a misleading way or (2) not all the information that is necessary for fair presentation and compliance with accounting standards or legal requirements being disclosed.

Baseline Control Objectives: Operations

Each baseline control objective below is stated in the form "Controls provide reasonable assurance that...":

- New Account Setup & Maintenance: New accounts are authorized and established in accordance with client instructions and portfolio guidelines and restrictions in a complete, accurate, and timely manner. Modifications to accounts are authorized and established in accordance with client instructions and portfolio guidelines and restrictions in a complete, accurate, and timely manner.
- Trading / Settlement (Processing, Allocation, Settlement): Trades are authorized, processed and recorded in accordance with portfolio guidelines and relevant account restrictions, accurately, completely and in a timely manner. Block orders are allocated to clients according to management-established methodologies, and allocations are approved by management.
- Contributions / Distributions: Contributions and distributions are authorized by the client and are processed and recorded accurately, completely, and in a timely manner.
- New Security Setup and Maintenance: New securities and changes to existing securities made to the Security Master File ("SMF") are authorized and processed accurately, completely, and in a timely manner.
- Valuation (Securities, Foreign Exchange Rates, and Derivatives): Valuation, including securities, foreign exchange rates, and derivatives, is received from an authorized source and updated accurately, completely, and in a timely manner.
- Investment Income: Interest and dividend income information is received from an authorized source and processed accurately, completely, and in a timely manner in the portfolio accounting system.
- Corporate Actions: Corporate actions are received from an authorized source and processed accurately, completely, and in a timely manner in the portfolio accounting system.
- Reconciliation: Security positions and cash reflected in the portfolio accounting system reconcile to actual positions and balances held by custodians, and discrepancies are identified, researched, and resolved in a timely manner.
- Client Reporting: Account statements reflect the correct holdings and market value and are provided to clients in a complete and timely manner.

Baseline Control Objectives: General Computer Controls

Each baseline control objective below is stated in the form "Controls provide reasonable assurance that...":

- Information System Operations: Production programs needed to process batch and online transactions are valid and are executed and monitored timely and to normal completion. Data is backed up, retained, and retrievable. Processing incidents are identified, tracked, recorded, and resolved in a complete, accurate and timely manner.
- Information Security: Logical security tools and techniques are configured, administered, and monitored to enable restriction of access to programs, data and other information resources. Physical access restrictions are implemented and administered to ensure that only authorized individuals have the ability to access or use information resources. Information resources are protected against environmental hazards and related damage.
- Change Management: Modifications and upgrades to applications, the network, hardware, and systems software are authorized, approved by management, tested, and implemented accurately, completely, and in a timely manner.

SAS 70 Key Terms

- User Organization: the entity that has engaged a service organization and whose financial statements are being audited.
- User Auditor: the auditor who reports on the financial statements of the user organization.
- Service Organization: the entity (or segment of an entity) that provides services to the user organization that are part of the user organization's information system.
- Service Auditor: the auditor who reports on controls of a service organization that may be relevant to a user organization's internal control as it relates to an audit of financial statements.
- Sub-service Organization: an entity that performs functions or processing for the service organization that may be part of the user organization's information system as it relates to an audit of financial statements.
- Inclusive Method of Reporting: a method of reporting that allows the description of controls to include controls in place at the sub-service organizations.

- Carve-out Method of Reporting: a method of reporting that does not allow the description of controls to include controls in place at the sub-service organizations.

SAS 70 Guidance Resources

AICPA Literature

Audit and Accounting Guides: Service Organizations: Applying SAS No. 70 as Amended
- Issued in 1992 and most recently updated in May 2007
- Based on the professional standards for performing a SAS 70 (AU 324)
- Prepared by the AICPA SAS No. 70 Task Force
- Useful when preparing and/or utilizing a SAS 70 report
- Provides guidance in applying generally accepted auditing standards in audits of financial statements of entities that use service organizations and in service auditors' engagements
- Information provided could be used to help determine the relevant business activities/control objectives to include in a SAS 70

Industry Guides
- Various industry guides published by the AICPA, including Employee Benefits, Investment Companies, Brokers and Dealers, etc.
- Hard copies of the AICPA guides may be obtained directly from the AICPA

SEC Literature
- New SEC Rules, Reports and Studies
- SEC's Management Report on Internal Controls over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports

About the AMG

The Asset Management Group ("AMG") is the voice for the buy side within the securities industry and the broader financial markets. The AMG is one of the three major business groups of the Securities Industry and Financial Markets Association ("SIFMA"), which represents more than 650 member firms of all sizes, in all financial markets in the U.S. and around the world. As part of SIFMA, the members of the AMG have direct access to counterparts at broker-dealer firms. Together, asset managers and broker-dealers jointly and efficiently work to resolve common concerns. The leadership of AMG is comprised primarily of Chief Operating Officers and other senior executives at asset management firms. The members of the Group meet regularly to advance their advocacy efforts, develop enhancements to market practices, and work with trading partners in order to increase efficiency and reduce risks and costs. The Asset Management Group reports to the Board of Directors of SIFMA.

John R. Gidman, Executive Vice President of Loomis, Sayles & Company, and David L. Murphy, CFA, Senior Vice President and Head of Fixed-Income of Fidelity Investments, serve as Chair and Vice Chair, respectively, of the AMG Steering Committee. Joan Binstock, COO and Partner of Lord, Abbett & Co., serves as Chair of the AMG SAS 70 Working Group; and Joseph W. Sack, Managing Director of SIFMA, serves as principal staff advisor to the Steering Committee of the Asset Management Group.

www.sifma.org
New York | Washington | London | Hong Kong