End of the SAS 70 Era


For years, businesses that outsource have relied on SAS 70 reports on the internal controls of third-party providers. The standard for those reports is changing.

New Standards Replacing the SAS 70

The Statement on Auditing Standards No. 70 (SAS 70) has been widely used since 1992, when the American Institute of Certified Public Accountants (AICPA) first issued the standard. As of June 15, 2011, the SAS 70 standard will be replaced by two new standards: the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and the International Standard on Assurance Engagements 3402 (ISAE 3402). The SSAE 16 was developed by the AICPA. The ISAE 3402 was developed by the International Auditing and Assurance Standards Board (IAASB).

Reasons for New Standards

Several reasons contributed to the development of the SSAE 16 and ISAE 3402 standards that are replacing the SAS 70 standard. One is the globalization of information technology and the significant increase in business process outsourcing. Another is the highly demanding and constantly changing regulatory environment. A further reason is that there was no international standard performing the function of the SAS 70, and the AICPA aimed to converge with the international standards.

Purpose of New Standards

As with the SAS 70, the main purpose of the two new standards is to report on the internal controls of service organizations that provide services to user entities which outsource those services to third-party providers.

Comparison of SAS 70 and New Standards

The SSAE 16 and ISAE 3402 are very similar, yet both differ from the SAS 70 standard. The following sections provide a high-level comparison of the standards.

SAS 70 | SSAE 16
Audit standard | Attestation standard
Type 1 and Type 2 reports may be issued by the service auditor | Same
Reports may include or exclude services provided by subservice organizations | Same
Service auditor's report usage is restricted to service organization management and user entities of the service organization | Same
Scope is focused on controls that are likely to be relevant to user entities' internal controls over financial reporting | SSAE 16 focuses on internal controls over financial statements, but it can be used as a guide to report on other types of controls (e.g., compliance)
Uses a Description of Controls section | Uses a Description of System section
Service organization's description of controls is more limited | Service organization's description of system is more extensive
The auditor's report need not include management's written assertion | Management's written assertion must be included as part of the report; management's assertion must include the suitable criteria used for its assessment; management is required to identify the risks that threaten the achievement of the control objectives stated in the description
The report does not need to include the assertion of subservice organizations if the inclusive method is used | If a service organization uses subservice organizations and selects the inclusive method, the subservice organizations' assertion needs to be included in the report
The service auditor's opinion is as of a point in time | The service auditor's opinion is as of a period covered
Service auditor is not required to disclose reliance on internal audit work | Service auditor is required to disclose reliance on internal audit work and service auditor procedures
Does not require the service auditor to investigate the nature and cause of any deviations identified | Requires the service auditor to investigate the nature and cause of any deviations identified
The assessment does not have to be wholly based on evidence obtained during the current period | The assessment must be wholly based on evidence obtained during the current period
SAS 70 opinion format and content | SSAE 16 format and content
Representation letter required from service organization | Same
One guide available on examining and reporting on service organizations (control over financial reporting focus) | Two new guides will be available: 1) control over financial reporting; 2) control over subject matter other than financial reporting

SSAE 16 | ISAE 3402
Service auditor must investigate the nature and cause of any deviation resulting from intentional acts by service organization personnel | Not required
Requires a management representation letter | Not required
Deviation identified in tests of controls involving sampling is representative of the population | Deviation identified in tests of controls involving sampling is not representative of the population
Internal audit direct assistance is permitted | Not permitted
Disclosure of significant subsequent events is required | Limited disclosure required
Requires a statement restricting the use of the service auditor's report | Statement inclusion is not mandatory
Requires documentation completion within 60 days after the report release date | Timely completion of documentation is required, but there is no specific number of days
Engagement acceptance and continuance requires a management representation letter | Not required
Lack of a management representation letter results in disclaiming an opinion or withdrawing from the engagement | Lack of a management representation letter results in disclaiming an opinion
Requires additional content requirements for the report | Requires fewer content requirements for the report

New Responsibilities of Service Organizations

Service organizations will have additional responsibilities under the new standards replacing the SAS 70. Management will be responsible for preparing a complete and accurate description of the service organization's system. The description should cover the following aspects:

- Types of services provided to user organizations
- Procedures (manual and automated) by which the services are provided
- Description of the classes and flow of transactions (including initiation, authorization, recording, processing and reporting)
- Control objectives, controls and complementary controls
- Significant events and conditions other than transactions
- Controls performed by the subservice organization, if applicable
- The process used to prepare reports provided to user organizations
- Changes to the system during the period covered by the report
- Other aspects of the service organization's control environment
- Risk assessment process
- Information and communication systems
- Control activities and monitoring controls

With the new standards, management will have to identify the risks that threaten the achievement of the control objectives stated in management's description of the system. Management will also have to provide a written assertion stating that the controls are fairly presented, suitably designed and operating effectively to achieve the defined control objectives. If the service organization includes in the report the description of controls of subservice organizations, it will also have to provide a written assertion for the subservice organization. Additionally, management's assertion must be included as part of the report, and the assertion needs to be based on suitable criteria.

Suggestions for Service Organizations

Service organizations will need to prepare for the new standards. It is highly recommended that service organizations start their preparation soon in order to be ready before the effective date of the two new standards, June 15, 2011. Service organizations should consider addressing the following tasks:

- Obtain more information about the new standards from a qualified and experienced auditor.
- Determine if early adoption of the standards is applicable to the organization.
- Determine which of the two new standards is applicable to the organization.
- Determine if subservice organizations need to be considered as part of the report.
- Evaluate if the existing SAS 70 description of controls can be used and determine additional aspects that need to be included.
- Identify the assertion and suitable criteria for the service organization and subservice organizations, if applicable.
- Determine the members of management who will be responsible for the report under the new standards.
- Identify the risks that threaten the achievement of control objectives.
- Evaluate existing monitoring and testing practices to determine if they are adequate to support the service organization's assertion.
- Establish adequate communication of the new standards' implementation within the service organization and with user entities.
- Consider revisions of legal contracts to reflect the use of the new standards.

Suggestions for User Entities

User entities that outsource services to service organizations will also have to transition from the SAS 70 to service organization reports created under the new standards. User entities will need to understand the new standards to ensure that the outsourced services have adequate controls. User entities should address the following before the effective date of the new standards:

- Initiate discussions with auditors to obtain an understanding of the new standards and their implementation requirements.
- Ensure the service organization report is performed by reputable and qualified professionals.
- Ensure the service organization provides a Type 2 report, because it includes tests of the effectiveness of controls.
- Ensure the service organization provides a report developed in accordance with the new standards.
- Ensure the report covers a scope that is adequate for your organization.
- Ensure the report covers the control objectives required by the organization.
- Ensure the report covers the regulations and/or control standards required by the organization (e.g., GLBA, FACT Act, HIPAA, HITECH,
- Ensure the period covered is adequate for the organization.
- Ensure adequate control testing is performed.
- Ensure the contracts with service organizations address the new standards.
- Ensure proper assignment of someone at the organization to be responsible for handling aspects related to the service organization report.

Implications of the New Standards

There are a series of implications of the new standards. First, the new standards will impose additional responsibilities and requirements on service organizations and service auditors. They will increase the reliability of the service organization's controls through more management accountability and provide better disclosure of the service organization's controls and their status. The new standards are expected to enhance the consistency of reporting on controls by all service organizations. Also, the new standards will require additional work to plan for and implement, at least during the first year. Last, but not least, the new standards will improve the ability of service organizations to compete internationally.

Early Adoption of the New Standards

Although the new standards are effective for reports with periods ending on or after June 15, 2011, early adoption of the standards is permitted. Early adoption can be beneficial for organizations. It will provide more time to plan and ensure the proper implementation of the processes and practices required to comply with the new standards. Also, service organizations that are early adopters of the standards may be perceived as having a stronger control environment. They may also be perceived as leaders and may therefore have a competitive advantage.

ERM wants to hear from YOU

With this edition of our newsletter, we're rolling out a new format and new features. Tell us what you think! What features or topics would you like to see covered in future issues? Who else should receive this newsletter? Your feedback is welcome and encouraged. Please send your comments to editor@emrisk.com.

Enterprise Risk Management: At a Glance

ERM brings clients the highest level of expertise to assess and address risks, comply with standards and regulations and mitigate risks, using integrated and reasonably priced security services and solutions. Our practice provides organizations with the tools they need to address the compliance and risk management issues of today, as well as the broader and ever-increasing security challenges of the future.

Services: IT Security; Regulatory Compliance; IT Audit; Computer Forensics; Risk Management; Attestation

Certifications: Certified Public Accountant (CPA); Certified Information Systems Security Professional (CISSP); Certified Information Systems Auditor (CISA); Certified Information Systems Manager (CISM); Certified Information Technology Professional (CITP); GIAC Security Essentials Certification; GIAC Systems and Network Auditor; Qualified Security Assessor (QSA); Approved Scanning Vendor (ASV)

Some of our Clients: ABN-AMRO Private Banking; Bacardi-Martini, Inc.; Bancafe International; Banco Industrial de Venezuela; Banco ITAU; Bank United; Caja Madrid Bank; Carnival Cruise Lines, LLC; CitiBank; Coconut Grove Bank; Commerce Bank; E-data Financial; Florida International University; Florida Power & Light Company; Heico Aerospace; Helm Bank; Knight Ridder; Nova Southeastern University; Rinker Materials; Rudy, Exelrod & Zieff, LLP; Seabourn Cruise Line; TecniCard, Inc.; The International Bank of Miami; TransAtlantic Bank; U.S. Century Bank

For more information, visit www.emrisk.com
E-mail: info@emrisk.com
Phone: 305-447-6750
800 Douglas Road, North Tower, Suite 835, Coral Gables, FL 33134