SSAE 16 SOC 1 Type 2

Similar documents
SECTION I INDEPENDENT SERVICE AUDITOR S REPORT

Reporting on Controls at a Service Organization

Information for Management of a Service Organization

INTERNATIONAL STANDARD ON ASSURANCE ENGAGEMENTS (ISAE) 3402 ASSURANCE REPORTS ON CONTROLS AT A SERVICE ORGANIZATION

Tom J. Hull & Company Type 1 SSAE

Shared Service System Audits: What User Management and Auditors Need to Know

Service Organization Control Reports

The Changing SAS 70 Landscape Dan Hirstein Director Rebecca Goodpasture Senior Manager Deloitte & Touche LLP January 13, 2011

3.B METHODOLOGY SERVICE PROVIDER

Goodbye, SAS 70! Hello, SSAE 16!

SSAE 16 and ISAE 3402: Preparing for New Service Company Control Standards Mastering Requirements Governing Your Next Controls Report

Human Capital Management Application Development and Processing Services

Service Organization Control (SOC) Reports

SSAE 16 & SAS 70 A Primer on Changes to Service Organization Audit Standards

Here comes SSAE 16 SAS 70 EVOLUTION: How will the new standard affect my business? How do I prepare to meet the new requirements?

Frequently asked questions: SOC 2 and 3

IAASB Main Agenda (June 2010) Agenda Item. April 28, 2009

Stone Vault, LLC SOC 1 (SSAE NO. 16) TYPE 1 REPORT ON CONTROLS PLACED IN OPERATION FOR TAX RETURN AND FINANCIAL STATEMENT PORTAL SERVICES

SAS No. 70, Service Organizations

Guidance Statement GS 007 Audit Implications of the Use of Service Organisations for Investment Management Services

Financial Forecasts and Projections

Orange County Industrial Development Authority (a component unit of Orange County, Florida)

Documentation of Use of a Type 2 Service Auditor s Report In an Audit of an Employee Benefit Plan s Financial Statements

G24: Audits of Controls at a Service Organization: New Standards SSAE 16 and ISAE 3402 Duff Donnelly and Jeffrey Spivack, Grant Thornton LLP

Audit Considerations Relating to an Entity Using a Service Organization

SERVICE ORGANIZATION CONTROL REPORTS SM. Formerly SAS 70 Reports

Management s Discussion and Analysis

KPMG s National Broker-Dealer Practice Survey Results

Communications Between Predecessor and Successor Auditors

FEDERAL TRADE COMMISSION. Office of Inspector General

BASIS FOR CONCLUSIONS Canadian Standard on Assurance Engagements (CSAE) 3416, Reporting on Controls at a Service Organization

Report on FTHC, LLC d/b/a Miami Data Vault s Description of its Data Center System and on the Suitability of the Design and Operating Effectiveness

Agreed-Upon Procedures Engagements

Comparison of ISA 330 with AS-402 Objectives and Requirements Only

PayData Payroll Services, Inc.

(Effective for audits of financial statements for periods beginning on or after December 15, 2009) CONTENTS

Service Organization Control 3 Report

SECTION I: REPORT OF INDEPENDENT SERVICE AUDITORS... 3 SECTION II: MANAGEMENT OF INTERNAP NETWORK SERVICES CORPORATION'S ASSERTION 5

Orange County Industrial Development Authority (a component unit of Orange County, Florida)

Ayla Networks, Inc. SOC 3 SysTrust 2015

Farewell to SAS 70. What you need to know about the New Standard for Service Organization Reporting

Audit Findings Letter

Service Organization Control 1 Type II Report

3. PAYROLL SOFTWARE/SERVICES:

Special Reports See section 9623 for interpretations of this section.

(Effective for audits for periods beginning on or after December 15, 2009) CONTENTS

INTERNATIONAL STANDARD ON AUDITING (UK AND IRELAND) 200


Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard

SSARS 21 Review, Compilation, and Preparation of Financial Statements

FAQs New Service Organization Standards and Implementation Guidance

SSAE 16 for Transportation & Logistics Companies. Chris Kradjan Kim Koch

INTERNATIONAL STANDARD ON AUDITING 610 USING THE WORK OF INTERNAL AUDITORS CONTENTS

Report to Governors on the Quality Report 2013/14

SOC 1 (SSAE NO. 16) TYPE 2 REPORT ON CONTROLS PLACED IN OPERATION FOR DATA CENTER SERVICES BROADRIVER INC. AUGUST 1, 2014 TO JULY 31, 2015

Copyright 2015, American Institute of Certified Public Accountants, Inc. All Rights Re... STATEMENT ON STANDARDS FOR CONSULTING SERVICES

PRACTICE NOTE 1013 ELECTRONIC COMMERCE - EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS

STANDING ADVISORY GROUP MEETING

June 30, Ms. Benita Manglona Director Department of Administration Government of Guam P.O. Box 884 Hagatna, GU Dear Ms.

Understanding SOC Reports for Effective Vendor Management. Jason T. Clinton January 26, 2016

Effective Monitoring of Outsourced Plan Recordkeeping and Reporting Functions

REALTYSCAPE CO-LIST AGREEMENT DBA LAKEPLACE.COM & LANDBIN.COM

CSA Position Paper on AICPA Service Organization Control Reports

Communicating Internal Control Related Matters Identified in an Audit

VIDEO GAMING TERMINAL COLLATERAL LENDER REGISTRATION FORM (Pursuant to Video Gaming Adopted Rule )

Mc Graw Hill Education

2012 AICPA Newly Released Questions Auditing

Vendor Compliance Management Series: Performing an Effective Risk Assessment

Trial Period License Agreement

CPCAF Comfort Letter Procedures. Copyright 2005 by the American Institute of Certified Public Accountants, Inc., New York, New York.

External assurance on the Trust's Quality Report

Audit Evidence. AU Section 326. Introduction. Concept of Audit Evidence AU

Auditing Derivative Instruments, Hedging Activities, and Investments in Securities 1

Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

EXAMPLES OF AUDITOR'S REPORTS ON COMPLIANCE

Service Organization Controls. Managing Risks by Obtaining a Service Auditor s Report

Compliance Audits Effective for compliance audits for fiscal periods ending on or after June 15, Earlier application is permitted.

Transcription:

SSAE 16 SOC 1 Type 2 Independent Service Auditor s Report on Management s Description of a Service Organization s System and the Suitability of the Design and Operating Effectiveness of Controls September 1, 2011 August 31, 2012

I. Independent Service Auditor s Report D&D Associates SSAE 16 SOC 1 Type 2 2

INDEPENDENT SERVICE AUDITOR S REPORT 3000 Bayport Drive, Suite 480 Tampa, FL 33607 O: 866.446.4038 F: 727.499.6867 www.auditwerx.com Anthony Minichini DDA Management Services, LLC dba D&D Associates P.O. Box 9150 Garden City, NY 11530 Scope We have examined DDA Management Services, LLC dba D&D Associates (D&D or the Company) description of its information technology, independent medical examination, peer review, and related services, which include litigation support services, administrative support services, and medical record retrieval services (collectively referred to as IME) systems for processing user entities transactions throughout the period September 1, 2011 to August 31, 2012 (description) and the suitability of the design and operating effectiveness of controls to achieve the related control objectives stated in the description. The description indicates that certain control objectives specified in the description can be achieved only if complementary user entity controls contemplated in the design of the Company s controls are suitably designed and operating effectively, along with related controls at the service organization. We have not evaluated the suitability of the design or operating effectiveness of such complementary user entity controls. D&D uses a third-party data center for colocation services. The description Section II includes only the controls and related control objectives of D&D and excludes the control objectives and related controls of the subservice organization. Our examination did not extend to controls of the third-party data center. D&D Associates Responsibilities Beginning in Section II of the description, the Company has provided an assertion about the fairness of the presentation of the description and suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description. The Company is responsible for preparing the description and for the assertion, including the completeness, accuracy, and method of presentation of the description and the assertion; providing the services covered by the description; specifying the control objectives and stating them in the description; identifying the risks that threaten the achievement of the control objectives; selecting the criteria; and designing, implementing, and documenting controls to achieve the related control objectives stated in the description. Auditwerx Responsibilities Our responsibility is to express an opinion on the fairness of the presentation of the description and on the suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description, based on our examination. We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, the description is fairly presented and the controls were suitably designed and operating effectively to achieve the related control objectives stated in the description throughout the period September 1, 2011 to August 31, 2012. D&D Associates SSAE 16 SOC 1 Type 2 3

An examination of a description of a service organization s system and the suitability of the design and operating effectiveness of the service organization s controls to achieve the related control objectives stated in the description involves performing procedures to obtain evidence about the fairness of the presentation of the description and the suitability of the design and operating effectiveness of those controls to achieve the related control objectives stated in the description. Our procedures included assessing the risks that the description is not fairly presented and that the controls were not suitably designed or operating effectively to achieve the related control objectives stated in the description. Our procedures also included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the related control objectives stated in the description were achieved. An examination engagement of this type also includes evaluating the overall presentation of the description and the suitability of the control objectives stated therein, and the suitability of the criteria specified by the service organization and described beginning in Section II. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion. Inherent Limitations Because of their nature, controls at a service organization may not prevent, or detect and correct, all errors or omissions in processing or reporting transactions. Also, the projection to the future of any evaluation of the fairness of the presentation of the description, or conclusions about the suitability of the design or operating effectiveness of the controls to achieve the related control objectives is subject to the risk that controls at a service organization may become inadequate or fail. Opinion In our opinion, in all material respects, based on the criteria described in the Company s assertion in Section II, a. the description fairly presents the information technology and IME systems that were designed and implemented throughout the period September 1, 2011 to August 31, 2012. b. the controls related to the control objectives stated in the description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the period September 1, 2011 to August 31, 2012 and user entities applied the complementary user entity controls contemplated in the design of the Company s controls throughout the period September 1, 2011 to August 31, 2012. c. the controls tested, which together with the complementary user entity controls referred to in the scope paragraph of this report, if operating effectively, were those necessary to provide reasonable assurance that the control objectives stated in the description were achieved, operated effectively throughout the period September 1, 2011 to August 31, 2012. Description of Tests of Controls The specific controls tested and the nature, timing, and results of those tests are listed in Section III. D&D Associates SSAE 16 SOC 1 Type 2 4

Restricted Use This report, including the description of tests of controls and results thereof in Section III, is intended solely for the information and use of the Company, user entities of the Company s information technology and IME systems during some or all of the period September 1, 2011 to August 31, 2012, and the independent auditors of such user entities, who have a sufficient understanding to consider it, along with other information including information about controls implemented by user entities themselves, when assessing the risks of material misstatements of user entities financial statements. This report is not intended to be and should not be used by anyone other than these specified parties. Auditwerx January 28, 2013 D&D Associates SSAE 16 SOC 1 Type 2 5

II. Information Provided by D&D Associates D&D Associates SSAE 16 SOC 1 Type 2 6

DESCRIPTION OF RELEVANT CONTROLS PROVIDED BY D&D ASSOCIATES Management Assertions Letter We have prepared the description of D&D Associates information technology, independent medical examination, peer review, and related services, which include litigation support services, administrative support services, and medical record retrieval services (collectively referred to as IME) systems for user entities of the systems during all or some of the period September 1, 2011 to August 31, 2012, and their user auditors who have sufficient understanding to consider it, along with other information, including information about controls implemented by user entities of the system themselves, when assessing the risks of material misstatements of user entities financial statements. We confirm to the best of our knowledge and belief, that: a. The description fairly presents the system made available to user entities of the system during some or all of the period September 1, 2011 to August 31, 2012 for processing their information technology and IME transactions. The criteria we used in making this assertion were that the description: i. Presents how the system made available to user entities of the system was designed and implemented to process relevant transactions, including: 1) the classes of transactions processed. 2) the procedures, within both automated and manual systems, by which those transactions are initiated, authorized, processed, corrected as necessary, and transferred to the reports presented to user entities of the system. 3) the related accounting records, supporting information, and specific accounts that are used to initiate, authorize, record, process, and report transactions; this includes the correction of incorrect information and how information is transferred to the reports presented to user entities of the system. 4) how the system captures and addresses significant events and conditions, other than transactions. 5) the process used to prepare reports or other information provided to user entities of the system. 6) specified control objectives and controls designed to achieve those objectives. 7) other aspects of the control environment, risk assessment process, information and communication systems (including the related business processes), control activities, and monitoring controls that are relevant to processing and reporting transactions of user entities of the system. ii. Does not omit or distort information relevant to the scope of the information technology and IME systems, while acknowledging that the description is prepared to meet the common needs of a broad range of user entities of the system and the independent auditors of those user entities, and may not, therefore, include every aspect of the information technology and IME systems that each individual user entity of the system and its auditor may consider important in its own particular environment. b. The description includes relevant details of changes to the service organization s system during the period covered by the description when the description covers a period of time. D&D Associates SSAE 16 SOC 1 Type 2 7

c. The controls related to the control objectives stated in the description were suitably designed and operated effectively throughout the period September 1, 2011 to August 31, 2012 to achieve those control objectives. The criteria we used in making this assertion were that: i. the risks that threaten the achievement of the control objectives stated in the description have been identified by the service organization, ii. iii. the controls identified in the description would, if operating as described, provide reasonable assurance that those risks would not prevent the control objectives stated in the description from being achieved; and the controls were consistently applied as designed, including whether manual controls were applied by individuals who have the appropriate competence and authority. By: /S/ Anthony Minichini Anthony Minichini January 28, 2013 D&D Associates SSAE 16 SOC 1 Type 2 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information