FIRMA National Risk Management Training Conference – Orlando, FL Wednesday April 9, 2008 Third Party / SAS 70 Reports A Regulatory and Standards Update Francis P. Thomas The Glenmede Trust Co., N.A.


Page 1: Title

FIRMA National Risk Management Training Conference – Orlando, FL

Wednesday April 9, 2008

Third Party / SAS 70 Reports: A Regulatory and Standards Update

Francis P. Thomas, The Glenmede Trust Co., N.A.

Page 2: Background

- If you use an outside service organization to accomplish a task, you need to know something about that organization’s control structure.
- If clients hire your firm to make investment decisions for them (especially employee benefit clients), they want to know about your controls.

Page 3: Regulatory References

- FFIEC Outsourcing Technology Services IT Exam Handbook, June 2004
- FFIEC Supervision of Technology Service Providers Handbook, March 2003
- OCC Bulletin 2001-47, “Third Party Relationships”
- OCC Advisory Letter AL 2000-9, “Third Party Risk”

Page 4: Board and Management Responsibilities

- Ensuring each outsourcing relationship supports the institution’s overall requirements and strategic plans
- Ensuring the institution has sufficient expertise to oversee and manage the relationship
- Evaluating prospective providers based on the scope and criticality of outsourced services

Page 5: Board and Management Responsibilities (continued)

- Tailoring the enterprise-wide service provider monitoring program based on initial and ongoing risk assessments of outsourced services; and
- Notifying the primary regulator regarding outsourced relationships when required (OTS needs 30-day notice before establishing a relationship with a foreign service provider)

Page 6: Risk Management Approach to Vendor Management

- Inventory all vendors – establish a database to record information
- Establish initial due diligence criteria
- Identify “significant” vendors
- Establish annual due diligence criteria for significant vendors
- Vendor Management Committee oversight

Page 7: What is a significant vendor?

- Someone with access to client or employee NPI (nonpublic personal information)
- High business impact if the product or service is not available from the vendor
- High business impact due to vendor interaction with clients/prospects
- High business impact if the vendor fails

Page 8: Vendor Management Committee Duties

- Oversee the establishment of all practices and procedures
- Review exceptions to the program and recommend or implement responses
- Report up in the committee structure and escalate any security concerns
- Report any risk concerns to the Risk Management Committee

Page 9: Using a vendor SAS-70

- What type of report is supplied (Type I/A, or Type II/B – with testing results)?
- Is the product or service you purchase specifically addressed in the report?
- Go to the results and look for disclosures about the controls over your product or service. Are they acceptable?

Page 10: Using a vendor SAS-70 (continued)

- If control weaknesses were identified, do they have a management response? Are the situations deemed significant to you?
- If significant, do you have an action plan to discuss with the vendor?
- If the vendor is unwilling to address your concerns, can you modify or exit the contract? If you are locked in, what alternate controls can be used?

Page 11: Does your SAS-70 give away too much information?

- Don’t give flowcharts on how data moves and is controlled.
- Don’t identify the actual systems you use. Say “trust accounting system” or “trade order entry system”.
- Don’t identify your strategic partners by name (telecommunications vendor, name brand routers and switches, etc.)

Page 12: Questions / comments

Thank you for attending this session and we hope you take home some good information to implement in your shops!

Have a safe trip home.