Revisorns syn på ISO 27000- serien och SAS 70



Similar documents
FM Trends and visions

Cybersecurity and the AICPA Cybersecurity Attestation Project

Core Fittings C-Core and CD-Core Fittings

Weighing in on the Benefits of a SAS 70 Audit for Payroll Service Providers

Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com

Lundin Petroleum - CR Management System review

SERVICE ORGANIZATION CONTROL REPORTS SM. Formerly SAS 70 Reports

Weighing in on the Benefits of a SAS 70 Audit for Third Party Data Centers

Outsourcing and third party access

INTRODUCTION TO ISO 9001 REVISION - COMMITTEE DRAFT

SAS No. 70, Service Organizations

SSAE 16 Everything You Wanted To Know But Are Afraid To Ask. Kurt Hagerman CISA, CISSP, QSA Managing Director, Coalfire December 8, 2011

Understanding Your Training Process

Bylaws of the Supervisory Board of K+S Aktiengesellschaft. Version of 21 November 2012 The German Version is binding.

The Auditor s Communication With Those Charged With Governance

Inspection of Chang G Park (Headquartered in San Diego, California) Public Company Accounting Oversight Board

Here comes SSAE 16 SAS 70 EVOLUTION: How will the new standard affect my business? How do I prepare to meet the new requirements?

Driving performance and value through strategic vendor management

Update on AICPA Assurance Services Executive Committee Activities

Supplementary Information in Relation to the Financial Statements as a Whole

Change of Auditors of a Listed Issuer of The Stock Exchange of Hong Kong

MASSIVE NETWORKS Online Backup Compliance Guidelines Sarbanes-Oxley (SOX) SOX Requirements... 2

GUIDELINES ON COMPLIANCE FUNCTION FOR FUND MANAGEMENT COMPANIES

SOC Readiness Assessments. SOC Report - Type 1. SOC Report - Type 2. Building Trust and Confidence in Third-Party Relationships

Aerospace Guidance Document

UNITED STATES OF AMERICA before the SECURITIES AND EXCHANGE COMMISSION

Letters for Underwriters and Certain Other Requesting Parties

Financial Forecasts and Projections

SSAE 16 for Transportation & Logistics Companies. Chris Kradjan Kim Koch

Inspection of MS Group CPA L.L.C. (Headquartered in Edison, New Jersey) Public Company Accounting Oversight Board

SSAE 16 and ISAE 3402: Preparing for New Service Company Control Standards Mastering Requirements Governing Your Next Controls Report

BASIS FOR CONCLUSIONS Canadian Standard on Assurance Engagements (CSAE) 3416, Reporting on Controls at a Service Organization

Shared Assessments Program Case Study

employee benefits update february/march 2016

Service Organization Control Reports

Sarbanes-Oxley Section 404 Implementation Practices of Leading Companies

Contractor Purchasing System Reviews (CPSRs)

IT Audit in the Cloud

Significant Revisions to OMB Circular A-127. Section Revision to A-127 Purpose of Revision Section 1. Purpose

WHITEPAPER. Compliance: what it means for databases

The Committee of Sponsoring Organizations of the Treadway Commission

BOTTOMLINE TECHNOLOGIES (DE), INC. AUDIT COMMITTEE CHARTER

5.5. Penetration Tests. Report of the Auditor General of the Ville de Montréal to the City Council and to the Urban Agglomeration Council

Special Considerations Audits of Group Financial Statements (Including the Work of Component Auditors)

Mount Gibson Iron Limited Corporate Governance Policies and Practices Manual Shareholder Communication Policy

How To Be A Successful Businessperson

Technical Accounting Alert

Corporate Governance - Implementation, Challenges and Trends

SOX105. Sarbanes-Oxley for Dummies- 20 hours. Objectives

Risk & Assurance. Tailored to your needs. Internal audit solutions

QUALITY MANAGEMENT SYSTEM REQUIREMENTS General Requirements. Documentation Requirements. General. Quality Manual. Control of Documents

Continuous Controls Monitoring. Virginia ISACA January Meeting 19 January 2010

Impact of New Internal Control Frameworks

Service Organizations and the Internal Audit function conference Institute of Internal Auditors in Israel

Quest InTrust. Change auditing and policy compliance for the secure enterprise. May Copyright 2006 Quest Software

Information for Management of a Service Organization

G24: Audits of Controls at a Service Organization: New Standards SSAE 16 and ISAE 3402 Duff Donnelly and Jeffrey Spivack, Grant Thornton LLP

Review of Financial Statements

Boliden. Sustainable development

1 To assist the Financial Operations Manager to meet all reporting deadlines

Whitepaper. Canopy Security. Simplicity, Agility, Transparency. An Atos company. Powered by EMC 2 and VMware

Re: PCAOB Release No (Docket Matter No. 41) Concept Release on Audit Quality Indicators ( Concept Release )

Farewell to SAS 70. What you need to know about the New Standard for Service Organization Reporting

Inspection of Jewett, Schwartz, Wolfe & Associates (Headquartered in Hollywood, Florida) Public Company Accounting Oversight Board

Cloud Computing: Contracting and Compliance Issues for In-House Counsel

FS Regulatory Brief. How the SEC s Custody Rule Impacts Private Fund Advisers. Introduction. The Custody Rule: An overview

IT Insights. Managing Third Party Technology Risk

Information Security ISO Standards. Feb 11, Glen Bruce Director, Enterprise Risk Security & Privacy

The Convergence of IT Security and Compliance with a Software as a Service (SaaS) approach

WEST LOTHIAN COUNCIL RECORDS MANAGEMENT POLICY. Data Label: Public

IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD WHITE PAPER

Transcription:

Revisorns syn på ISO 27000- serien och SAS 70 Rätt Säkerhet 2009 Andreas Halvarsson 25 maj, 2009

What is SAS 70 AICPA STANDARDS The AICPA s Statement on Auditing Standards No. 70 Service Organizations (SAS 70) provides your customers and their auditors information to assist them in evaluating the system of internal control related the services you provide. The AICPA standards provide for the issuance of two types of reports: Type I - A report on controls placed in operation as of a point in time Type II - A report on controls placed in operation and tests of operating effectiveness covering a period of time TYPE I REPORTS Type I reports are designed to provide information regarding: the services that the Company provides to its customers controls over relevant processes and supporting technology whether such controls were suitably designed and had been placed in operation Testing of controls is not performed for a Type I report, and therefore, provides limited value to users and their auditors. TYPE II REPORTS In a Type II engagement, the procedures for a Type I engagement are performed as well as tests of specific controls to evaluate their operating effectiveness in achieving the specified control objectives. To be useful to user auditors, the report should cover a minimum reporting period of six months. 2

Why do customers require SAS70 and/or ISO 27001 statements/certificates Customers have outsourced significant parts of their revenue streams to service organizations. The customer s shareholders require reliable internal controls in place for management of the service organizations customers financial data. The customers place SAS70 requests to the service organization to be able to rely on the service organizations internal control of customers revenue streams without performing further audits. A common misunderstanding is that when a service organization is SOX (US SOX, J- SOX, Bolagsstyrningskoden) compliant, a service organizations systems are all SOX compliant. This is not the case. A service organizations own financial systems are SOX compliant. Significant increase during 2008-2009 3

Objectives with SAS70 and ISO 27001 initiative The overall objective is to manage the customer s demands via a global cost efficient solution. This will benefit both the service organization and the customers. A global approach to SAS70 and ISO 27001 will reduce current costs through the following means Reaching economies of scale; knowledge and experiences will be reused Leveraging on common areas in the SAS70 reviews among the contracts Establishing consistent standards among the contracts Clarifying roles, responsibilities and controls Enhancing the service organizations position in the sales process and in negotiations with customers 4

What is the difference between SAS 70 and ISO 27001 ISO 27001 contains around 130 controls. SAS 70 within a typical service organization contains around 35-40 controls. The SAS 70 controls are based on ISO 27001 so both a SAS 70 and a ISO 27001 equals around 130 controls. ISO 27000 for a service organization only is sometimes insufficient. A ISO certificate issuer can not issue a SAS 70. A audit firm can issue both a SAS 70 and an ISO 27000 certificate. Due to customer demands audit firms have started to move into the ISO market. A service organization can obtain a ISO certificate if they in a plan can show remediation. SAS 70 is not forgiving and a service organization will not receive a complete SAS 70 if there are any remarks. An IT-auditor can trust a SAS 70 but never a ISO certificate regarding financial statements. 5

Why organizations succeed in ISO and SAS 70 observations Implement controls the current processes! No one will read your MS Word documents Do not mix legal (law), legal (contract) demands with business (for example KPI) demands Always assess the price for a control Always demand the right to audit in contracts but do not use it to over audit your supplier (the service organization) Withdraw al company directives(!), look at the demands (ISO and SAS 70) and then rewrite the directives (and save some pain within your organization) Do not attempt to do everything by your self (Directives, Controls, Implementation, pre-assessment, audit) 6

And finally vad vill vi säga till IT Sverige idag? http://csblogg.idg.se/bloggar/it-risker/ http://csblogg.idg.se/bloggar/it-risker 7

Andreas Halvarsson +46 8 520 594 55 andreas.halvarsson@se.ey.com www.ey.com/se The information contained within this document and any related oral presentation conducted by Ernst & Young AB (EY) contains proprietary information and may not be disclosed, used or duplicated - in whole or in part - for any purpose without the express written consent of EY.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information