Auditing Outsourcing with SAS 70

Auditing Outsourcing with SAS 70

AGENDA
- Historical flashback
- Reasons for the standard
- Major contents
- Potential areas of SAS 70 application
- Audit approach and responsibility
- Client and service provider benefits

Presented by Tamer Basman, CISA

Historical flashback I
- As early as the 1960s the Auditing Standards Board recognized the need for service providers to report on their controls to their customers (the "users")
- Historically, a CPA's primary service was the audit of financial services
- Generally Accepted Auditing Standards (GAAS) were created to provide uniform standards for the profession
- GAAS was promulgated via Statements on Auditing Standards (or SAS) (pre-SOX)
- All SASs collectively have been codified in the AICPA literature in the AU (short for "audit") series of pronouncements
- AICPA = American Institute of Certified Public Accountants

Historical flashback II
- The concept of Internal Control is fundamental to an audit of Financial Statements (F/S)
- SAS 55 first documented standards for the auditor's consideration of Internal Controls (I/C) in a F/S audit
- SAS 78 updated SAS 55 to incorporate the COSO framework
- SAS 94 updated SAS 55/78 to reflect the impact of current technologies on I/C
- These SASs are codified in Section AU 319
- SAS 70 is codified in GAAS as Section AU 324
- COSO = Committee of Sponsoring Organizations of the Treadway Commission

Reasons for the standard I
Applying a Service Organization to a User Organization
[Diagram: the Service Organization, the services it provides, the services outsourced by the User Organization, and the scope of a SAS 70 report]

Reasons for the standard II
- The early service providers were computer service bureaus, offering single applications
- The F/S auditor of a user of a service provider is NOT relieved of their professional responsibilities under AU 319
- Internal Controls at the service provider that relate to the financial statements of the user organization must still be considered

Reasons for the standard III
What is SAS 70?
- An audit conducted in accordance with Statement on Auditing Standards (SAS) No. 70 is a highly specialized audit of the design and operational effectiveness of a service organization's internal controls over processing transactions for user organizations.
- A report issued by an independent auditor under Statement on Auditing Standards No. 70
- Covers controls exercised by a service organization on behalf of its customers
- Relates to the user organization's financial statement assertions
- SOX 404 audit relevance

Major contents I
Parties involved in SAS 70
- Company A (Service Organization)
- CPA Firm (Service Auditor)
- Company A's Customers (User Organizations and Internal Auditors)
- CPA Firm (User Organization Third Party Auditor)

Major contents II
Audit approach
- Control environment
- Risk assessment
- Information and communication systems
- Monitoring
- Control activities
- The COSO Framework is also adopted by PCAOB Standard No. 2 (refer to PCAOB p. A-11, paragraph 14)
- SAS 70 recognizes the COSO Framework (refer to AICPA Audit Guide (May 2004) par. 2.17 and 2.28)

Major contents III
Audit approach: COSO Framework
- Control Environment: the control environment sets the tone of an organization, influencing the control consciousness of its people
- Risk Assessment: every entity faces a variety of risks from external and internal sources that must be assessed both at the entity and the activity level
- Control Activities: these policies and procedures help ensure management directives are carried out
- Information and Communication: pertinent information must be identified, captured and communicated in a form and timeframe that supports all other control components
- Monitoring: internal control systems need to be monitored, a process that assesses the quality of the system's performance over time

Major contents IV
SAS 70 Report Components

Report Contents                                                         Type I     Type II
1. Independent service auditor's report (i.e. opinion)                  Included   Included
2. Service organization's description of controls                       Included   Included
3. Information provided by the independent service auditor;             Optional   Included
   includes a description of the service auditor's tests of
   operating effectiveness and the results of those tests
4. Other information provided by the service organization               Optional   Optional
   (e.g. glossary of terms)

Potential areas of SAS 70 application
- Application Service Providers
- Medical Claims Processing
- Employee Benefits Processing
- Banking Service Bureaus
- Credit Card Processing
- Internet Service Providers
- Trust Departments of banks and insurance companies
- Transfer agents, custodians or record-keepers for investment companies
- Mortgage services or depository institutions that service loans for others
- Regional Transmission Organizations

Responsibility I
Report Sections and Responsibility

Section                                                          Responsibility
I.   Independent Service Auditor's Report                        External Auditor (Service Provider)
II.  Company A Description of Controls and Procedures            Service Provider
III. Tests of Operating Effectiveness                            External Auditor (Service Provider)
IV.  Other Information Provided by Company A (Optional)          Service Provider

Responsibility II
Refer to AICPA Audit Guide (May 2004) Sections 4.05 to 4.28

The Service Provider is responsible for:
- Determining control objectives
- Providing a description of internal controls
- Determining the report type
- Communicating significant changes to the environment

The Service Auditor is responsible for:
- Being independent first and foremost
- Determining the appropriateness of control objectives
- Examining the description of controls
- Conducting appropriate tests of controls
- Expressing an opinion

Client and Service Provider benefits
- To reduce disruption from multiple user audits
- To communicate information about the service provider's internal controls
- SAS reports are for the benefit of our client, their customers and their customers' auditors only.

Questions and Answers?
http://www.aicpa.org
http://www.itacs.ch/deutsch/pages/ku/ku_kt_sas_70.htm
Contact: Tamer Basman, 044.249.4780, tbasman1@kpmg.com