The 7 Deadly Sins of SAS 70 s

Similar documents
CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR. Follow-Up Audit of Finance Department. San Antonio eprocurement System (SAePS) Controls

Audit Sampling 101. BY: Christopher L. Mitchell, MBA, CIA, CISA, CCSA

SAS 70: A Strategic Advantage in Challenging Times

SAS No. 70, Service Organizations

AUD105-2nd Edition. Auditor s Guide to IT - 20 hours. Objectives

SOC on Amazon Web Services (AWS) What You Need To Know Understanding the regulatory roadmap for SOC on AWS

AHIA HCCA Auditing & Monitoring Focus Group Defining the Key Roles and Responsibilities Corporate Compliance and Internal Audit.

Roles and Responsibilities Corporate Compliance and Internal Audit

Prüfung von Outsourcing mit SAS70

Effective Monitoring of Outsourced Plan Recordkeeping and Reporting Functions

G24 - SAS 70 Practices and Developments Todd Bishop

RISK ADVISORY SERVICES. HYDRO UTILITIES Overview of Internal Audit & Control Services: 2014 Credentials

Assessing the Adequacy and Effectiveness of a Fund s Compliance Policies and Procedures. December 2005

Asset Manager Guide to SAS 70. Issue Date: October 7, Asset

There are a number of reasons why more and more organizations

Reporting on Control Procedures at Outsourcing Entities

OUTSOURCING AND SERVICE AUDITOR S REPORTS

Reports on Service Organizations Where we ve been?

Guide to Understanding SAS 70 Reports

SECURITY AND EXTERNAL SERVICE PROVIDERS

Vendor Management Best Practices

EPCS Third party audits the CPA perspective. 13 September 2012

End of the SAS 70 Era

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL. Doug A. Ringler, C.P.A., C.I.A. AUDITOR GENERAL ENTERPRISE DATA WAREHOUSE

SAS 70 Exams Of EBT Controls And Processors

IT Architecture Review. ISACA Conference Fall 2003

THE ROLE OF AN SOC 1 REPORT (formerly SAS 70) IN FREIGHT PAYMENT

WRITTEN TESTIMONY OF AICPA EMPLOYEE BENEFIT PLAN AUDIT QUALITY CENTER EXECUTIVE COMMITTEE

THIRD-PARTY RISK: HOW TO BETTER UTILIZE ENERGY VENDOR AUDITS 8/25/2015. August 27, 2015

CLOUD COMPUTING for Construction Accounting BY BRIAN J. THOMAS

ERIC M. WRIGHT, cpa, citp

MICHIGAN AUDIT REPORT PERFORMANCE AUDIT OF THE QUALIFIED VOTER FILE AND DIGITAL DRIVER'S LICENSE SYSTEMS

CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR. Follow-up Audit of San Antonio Fire Department. Fleet Maintenance Division. Project No.

CREATE YOUR OWN INVESTMENT FUND

AUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN Siskiyou Boulevard Ashland OR 97520

The Importance of IT Controls to Sarbanes-Oxley Compliance

ISAE 3402 and SSAE 16 (replacing SAS 70) Reinforcing confidence through demonstration of effective controls

PKI Audit Methodology

RESPONSE Department Audits

Table of Contents. Auditor's Guide to Information Systems Auditing Richard E. Cascarino Copyright 2007, John Wiley & Sons, Inc.

The 21 st Century Version of SAS 70..SSAE 16

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency

Certified Information Systems Auditor (CISA)

RISK ADVISORY SERVICES CONSTRUCTION AUDIT SERVICES

Practice Guide COORDINATING RISK MANAGEMENT AND ASSURANCE

ISACA PROFESSIONAL RESOURCES

Understanding Vendor Risk And Analyzing the SSAE No. 16

CITY OF SAN ANTONIO INTERNAL AUDIT DEPARTMENT

OFFICE OF AUDITS & ADVISORY SERVICES SHAREPOINT SECURITY AUDIT FINAL REPORT

IT Insights. Managing Third Party Technology Risk

The Finance & Audit (F&A) Committee is expected to consider F&A Committee Agenda Item 4: at its meeting on December 7, 2015.

CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR. Audit of Contract Procurement and Monitoring. HD Supply Facilities Management Contract

Health and Human. Services. Commission. InternalAutht Division. Internal Audit Plan. Fiscal Year 2016

HUMAN RESOURCES MANAGEMENT NETWORK (HRMN) SELF-SERVICE

Sarbanes-Oxley Section 404: Management s Assessment Process

Risk-Based Assessment of User Access Controls and Segregation of Duties for Companies Running Oracle Applications

Electronic Audit Evidence (EAE) and Application Controls. Tulsa ISACA Chapter December 11, 2014

SOC Readiness Assessments. SOC Report - Type 1. SOC Report - Type 2. Building Trust and Confidence in Third-Party Relationships

Documentation of Use of a Type 2 Service Auditor s Report In an Audit of an Employee Benefit Plan s Financial Statements

Understanding SOC Reports for Effective Vendor Management. Jason T. Clinton January 26, 2016

WELCOME TO SECURE

3.B METHODOLOGY SERVICE PROVIDER

Introduction to the ISO 9000 Quality Standard William E. Perry

LEVERAGING COSO ACROSS THE THREE LINES OF DEFENSE

PRACTICE NOTE 1013 ELECTRONIC COMMERCE - EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS

BC54: Preparing for a SAS 70 Audit

Update on AICPA Assurance Services Executive Committee Activities


2. Auditing Objective and Structure What Is Auditing?

FOLLOW-UP REPORT Change Management Practices

AUDITOR GENERAL WILLIAM O. MONROE, CPA

2016 Audit service S plan North Simcoe Muskoka Local Health Integration Network

Major IT Projects: Continue Expanding Oversight and Strengthen Accountability

The 7 Deadly Sins of Contact Centers

Innovation and Technology Department

Understanding SAS 70 Reports on Internal Control

Performance Measures for Internal Auditing

The Importance of Internal Control Over Financial Reporting For Service Provider

SRI LANKA AUDITING PRACTICE STATEMENT 1013 ELECTRONIC COMMERCE EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS

FAIRCHILD SEMICONDUCTOR INTERNATIONAL, INC. CHARTER OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS (As Amended through December 11, 2013)

Cloud Computing Risk Assessment

Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Understanding SOC 3

INTERNATIONAL AUDITING PRACTICE STATEMENT 1013 ELECTRONIC COMMERCE EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS

At a glance. A provision to require a written assertion from company management is the most notable difference between the two standards.

Evolving Technology Issues: Cloud Computing

Feature. A Framework for Estimating ROI of Automated Internal Controls. Do you have something to say about this article?

Information for Management of a Service Organization

The Elephant in the Room: What s the Buzz Around Cloud Computing?

Outsourcing & Regulatory Compliance Risks

SSAE 16 & SAS 70 A Primer on Changes to Service Organization Audit Standards

OFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT

OFFICE OF AUDITS & ADVISORY SERVICES SUNGARD TREASURY MANAGEMENT SYSTEM CONTRACT COMPLIANCE FINAL AUDIT REPORT

ACCOUNTING INFORMATION SYSTEMS

NCUA LETTER TO CREDIT UNIONS

7 Deadly Sins of Sales Forecasting

DEPARTMENT OF MINORITY BUSINESS ENTERPRISE

CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR. Audit of the Finance Department. Payroll. Project No. AU June 9, 2014

SSAE 16 and ISAE 3402: Preparing for New Service Company Control Standards Mastering Requirements Governing Your Next Controls Report

HIPAA Compliance and Reporting Requirements

Emerging Strategies for Performance Auditing

Transcription:

ASSURANCE AND ADVISORY BUSINESS SERVICES The 7 Deadly Sins of SAS 70 s Presented by: Christopher Mitchell, MBA, CIA, CISA, CCSA 1

Seven Deadly Sins Lust (obsessive or excessive thoughts) Gluttony (over-indulgence) Greed (sin of excess) Sloth (uneasiness of the mind) Wrath (hatred or anger) Envy (insatiable desire) www.kbagroupllp.com 2

Points of Discussion Who needs a SAS 70 assessment? What are the steps in the SAS process? Preliminary preparation for a SAS 70 assessment Common issues found during a Type II assessment Benefits of a SAS 70 Report Open discussion and questions www.kbagroupllp.com 3

Who needs a SAS 70 Report? Service providers who serve public and private companies by providing a service that materially impacts the company s financial statements will be required by their customers to provide a SAS 70 report. www.kbagroupllp.com 4

What is a Service Organization? Providing services that impact a customer (or user ) organization s internal control Organization that host or support customer hardware and software. Data center providers Application service providers (ASPs) Managed information security services Web-hosting or ecommerce infrastructure services Organizations that assist customers with initiating, authorizing, recording, or processing transactions. Transfer agents and custodians Third-party administrators (TPAs) Claims processing facilities Data warehouses Call center and customer service centers www.kbagroupllp.com 5

SAS 70 Examination The AICPA s Statement on Auditing Standards No. 70 (SAS 70) Service Organizations provides your customers and their auditors information to assist them in evaluating the system of internal control related to your services. There are two types of SAS 70 reports: Type I Reports Type II Reports Usually a minimum period of six months will be reviewed for Type II Reports. www.kbagroupllp.com 6

SAS 70 Examination Evaluating service organization controls Type I Reports are designed to provide information regarding: Controls over relevant systems and the underlying technology at your organization. Whether such controls were suitably designed and had been placed in operation as of a point in time. No detailed testing of controls is performed. CPA firm concludes and gives an opinion on the controls placed in operation as of a point in time and the effective design of those controls. www.kbagroupllp.com 7

SAS 70 Examination Testing the operating effectiveness of controls Type II Reports provide additional information about the nature, timing, extent, and results of the service auditor's tests of specified controls at your organization. This information is highly useful to your customers and their auditors. The purpose of this review is to provide reasonable, but not absolute, assurance that the identified controls are operating with sufficient effectiveness during the examination period. User auditors can place reliance on the results from the Type II procedures. External Auditor concludes and gives an opinion on the controls placed in operation and the operating effectiveness of those controls during a minimum six-month period. www.kbagroupllp.com 8

SAS 70 Examination Scope and description of controls Services that would be considered part of the customer organization s information system would be included in the scope of the examination. Management is responsible for preparing a description of controls that provides user auditors with enough information to plan their own audits. The description of controls generally includes the following: Aspects of the service organization s control environment; risk assessment; monitoring; and information and communication processes. Control objectives and related control activities. Complimentary controls at user organizations. Control objectives generally address key processes such as application development and maintenance; logical access and security; data transmission security; physical access and security; and transaction processing. www.kbagroupllp.com 9

KBA SAS 70 Methodology Initial Planning Perform Examination Expectations Communicate Results Your Key Team Members KBA Users Validate Expectations Establish Relationship Protocols Client Service Charter Understand key business processes and system design Understand Company s business, contractual relations and user expectations Perform preliminary assessment of controls Perform Pre-assessment Evaluate system description Evaluate system design and perform tests of operating effectiveness Design is suitable for effective internal control environment General controls Application controls Conclude on operating effectiveness Periodic Issues List Industry Tailored Control Objectives Pre-assessment Automated Assessment Tools Delivered Reports Pre-assessment Report Service Auditor s Report Control Recommendations Report SAS 70 Report Feedback www.kbagroupllp.com 10

Common Issues Discovered Policies and Procedures not defined, documented and communicated Roles & Responsibilities not defined and documented Key personnel are not adequately trained on job responsibilities Control gaps are not timely resolved Lack of segregation of duties Lack of adequate controls around change management Inappropriate access to the key applications and the network www.kbagroupllp.com 11

SAS 70 Benefits What is gained from this service? Benefits Service Provider Respond to Sarbanes-Oxley inquiries Marketing tool to potential clients Stronger Control Environment Eliminate or mitigate repeat audits Independent assurance Client service Competitive expectation Process improvement Benefits Users Provides information to assess the overall control environment for customer (user) auditors Satisfy certain client Sarbanes-Oxley 404 requirements Recommended user controls Can control some audit costs Provides time efficiencies to customer auditors by already having information available/prepared www.kbagroupllp.com 12

Questions? 13

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information