Embed Size (px)
Citation preview
Information tech-nology (IT) serviceproviders permit a
pay-as-you-go modelfor information sys-tem processing. Busi-ness leaders find themodel attractivebecause it alleviatesthe need for up-frontinvestment and reduces leadtime to production dates. Tech-nology leaders find the modelattractive because it reduces theamount of work required ontheir part to deliver technologyservices.
A VISION OF THE FUTURE
At a recent Securities Indus-try Association conference,Jonathan Schwartz, presidentand chief operating officer ofSun Microsystems, presented avision of the future where mostdata and business applicationswould be hosted by technologyservices firms;1 the payoff to thebusiness customer would be thatthe only thing businesses wouldbe required to purchase anddeploy would be a PC. In thisvision, there is no need for com-puter rooms, disk drives, orHVAC2 systems—and there is
no cost unless the customer usesthe service.
But before one starts revis-ing IT cost allocations to debitby transaction, it is of courseprudent to investigate whetherthe service provider is a reliablebusiness partner. In a legal andregulatory context, such investi-gations are referred to as “duediligence.” Broadly speaking,due diligence is a requirement toreview evidence and makeassessments based on objectivecriteria. With respect to contract-ing for IT services, due diligenceis a good-faith effort on the partof a business to ascertain thatthe service provider is reputableand capable of fulfilling its con-tract obligations, which ordinar-ily would include requirementsto protect and safeguard infor-mation entrusted to the serviceprovider.
There is a fundamentalquandary for a business that
must evaluate an ITservice provider. Bythe act of outsourcingthe service, a corpora-tion loses the ability todirectly specify theprocesses by which thetechnology will bemanaged. Even if theability were to con-
tinue, actually doing so wouldcut considerably into the benefitside of the cost-benefit calcula-tions that led to the decision tooutsource. The due diligenceeffort must gather enough infor-mation about service providermanagement as possible withouthaving to directly supervise it.Hence, there is a growingreliance on IT attestationservices.
The first IT attestation serv-ices were performed in the1970s. Companies that marketedaccounting software began tocontract electronic data process-ing (EDP) audits from reputableaccounting firms. The account-ing firms performed “datain/data out” audits on the con-tracting company’s software. Anauditor would collect batch data-entry sheets (“data in”), manu-ally compute financial state-ments, and then compare his/her
The rapid growth in outsourcing information tech-nology (IT)—and increased reliance on softwareapplication service providers—are fueling ademand for IT attestation services. The authorexplains what you need to know about them.
© 2007 by Information Systems Audit and Control Association.
Jennifer Bayuk
IT Attestation Services:
What You Need to Know
featur
e artic
le
61
© 2007 by Information Systems Audit andControl Association.Published online in Wiley InterScience (www.interscience.wiley.com).DOI 10.1002/jcaf.20341
jcaf_1003.qxp 8/18/07 2:32 AM Page 61
version of the financial state-ments with those produced bythe computer (“data out”). Thissaved customers the expense ofan individual information sys-tems (IS) audit. Moreover, if thesoftware passed the audit, thecompany could use the accoun-tant’s seal of approval in itsadvertising.
Rapid growth in IT out-sourcing and increased relianceon software application serviceproviders (ASPs) are fueling thefire for attestation services.Today, IT attestation servicestake for granted that softwarecalculations meet businessrequirements. Checkingthe math has become abusiness operations func-tion. Instead, a typical ITdue diligence review willevaluate whether the serv-ice provider is capable of:
• handling the businessvolume,
• meeting quality-of-servicerequirements,
• securing business-sensitivedata,
• recovering within areasonable amount of timefrom unforeseen calamities,and
• responding to changing ITrequirements.
Today’s IT outsourcers andASPs,3 like the accounting soft-ware firms of the late 1970s,contract independent technologyaudits of themselves. A success-ful assessment is a positiveadvertising statement. It alsosaves the time that the com-pany’s own staff members wouldhave to spend if all of its cus-tomers sent separate teams ofauditors to the site to performtheir own due diligence.
However, unlike the calcula-tions of the 1970s EDP auditors,
it is not possible for a corpora-tion to check the work of today’sIT assessment teams. At one endof the spectrum of IT attestationservices are independent controltesting of complex environ-ments, or full-blown audits; atthe other is pure marketing.Moreover, the two-prongedmotivation for attestation serv-ices, assurance and advertise-ment, has led not only to a widevariety of attestation services,but also to confusion betweenattestation services and market-ing tools. This confusion issometimes on the side of thecorporation performing due dili-
gence, but it also manifestsitself on the part of the out-sourcers and service providersseeking to satisfy the due dili-gence requirement.
This article differentiatesthe different types of IT attesta-tion reports that are offered asevidence that IT controls are inplace and describes the attesta-tion service process that pro-duced them. As a corporationdevises a program for perform-ing IT service provider due dili-gence, it must set a stake in theground on the type and amountof evidence it will need to beassured that the serviceprovider can meet require-ments. This article shouldenable its readers to makeinformed decisions on whethera given IT attestation report canbe relied upon as evidence insupport of a due diligenceprogram.
SCOPE
The level of due diligence inexamining information technol-ogy controls should be commen-surate with the risk of uncon-trolled systems operations. Atypical objective in a due dili-gence review is to establish thata third party has adequate safe-guards in place to secure andprocess data with integrity on anongoing basis. The scope of thereview is the systems operationsrequired to fulfill the statementof work or other informationservices description.
However, the scope of workfor an attestation reportoffered to a due diligencereviewer is rarely as broadas the business customer’srequirement for due dili-gence. The level deliveredfrom a given attestationservice will be set by theassessor’s objective. Ser-vice providers may have
conducted external audits, inter-nal security reviews, and/or con-sulting engagements that overlapin scope with a given customer’sdue diligence efforts.4 However,the objective of the assessmentmay not be the same as theobjective of the due diligence atall. Nevertheless, when asked forevidence in support of a due dili-gence review, the serviceprovider is well within the realmof reasonableness in offering thecustomer a copy of any availableattestation report. Whether or notthe proffered documents fullycover the scope of customerneeds for service provider duediligence is within the realm ofcaveat emptor.
TYPES OF ATTESTATION
The following is a list oftypical attestation services thatservice providers offer customers
62 The Journal of Corporate Accounting & Finance / September/October 2007
DOI 10.1002/jcaf © 2007 Wiley Periodicals, Inc.
The due diligence effort must gatherenough information about serviceprovider management as possiblewithout having to directly supervise it.
jcaf_1003.qxp 8/18/07 2:32 AM Page 62
as proof that IT services are con-trolled. They are presented inorder from most comprehensivein due diligence to least.
External Audit
External audit is the goldstandard in due diligence activ-ity. In these engagements, theexternal audit firm’s charter is toattest that financial statementsare accurate and in compliancewith generally accepted account-ing principles (GAAP). Theexternal audit firm will assign astatutory auditor5 to acceptresponsibility for the overallaudit engagement. Once thatresponsibility is accepted,the scope of that statutoryauditor’s assignment is todetect material misstate-ments in the financialstatements. He/she is calledthe lead and will, at theend of the review, affixhis/her signature to thereport that attests that thefinancial statements are correct.Generally accepted auditingstandards (GAAS) require thelead to allocate sufficient staffmembers and resources toachieve assurance that the judg-ment of a reasonable personwould not be influenced by anyfinancial misstatement notcaught in the course of theaudit.6 To accomplish this staffallocation for a large corpora-tion, the lead must break theaudit down into a series ofsmaller projects and provideeach with its own scope. It isthrough this process that ISaudits are conducted in supportof financial statement audits. Onthe basis of the completeness ofaudit evidence and perhaps anindependent peer review byother qualified technical experts,the lead statutory auditor may beconfident enough in the assess-
ment work done by the IS auditteam to sign the consolidatedaudit report.
SAS 70 Services
The scope in a normal exter-nal IS audit must be flexibleenough to serve the combinedgoal of financial statement andcontrol practice verification. Butin the context of a typical serv-ice provider assessment, theservice provider is often notusing the software provided toits customers for its own busi-ness. In addition, the serviceprovider is often not subject tothe same regulatory and legal
requirements as its customers. Inthis case, even a successfulfinancial statement externalaudit provides no assurance thatcontrols over IT services pro-vided by the entity to others arethe same caliber as those used toproduce the entity’s own finan-cial statements. That is why theAmerican Institute of CertifiedPublic Accountants (AICPA)introduced Statement on Audit-ing Standards No. 70 (SAS 70).7
Again, the focus is on financialstatements, but in this case, thefinancial statement of the cus-tomer.
SAS 70 guidelines werespecifically developed to provideguidance to auditors of compa-nies that outsource transactionprocessing to IT serviceproviders. SAS 70 clearlydefines the differences betweenIT control objectives themselves,
their implementation by manage-ment, and the auditor’s testing ofthem. Two types of audits aredescribed in the SAS 70 guide-line: an audit of the financialstatements of the user of theservice and an audit of the serv-ices provided. The SAS 70 serv-ice provider attestations aredirected at the second type—thatis, the activities of the serviceorganization and the serviceauditor. Within this second typeof audit, the service organizationaudit, there are two subtypes: anassessment of management-iden-tified controls and an assessmentof management-identified con-trols plus tests of these controls.
The two subtypes of anSAS 70 service organiza-tion audit are colloquiallyreferred to by informationservice auditors as SAS 70Type 1 or SAS 70 Type 2audits.
In both types of SAS70 service organizationaudits, the service auditor
is presented with a documentdescribing management’s controlobjectives and associated controlpractices. This is not necessarilythe entire company internal con-trol structure but the subset of itthat provides the specific serviceunder review. The auditor willreview controls with respect tothe control objectives. In a SAS70 Type 1 audit, the audit reportwill reflect whether the controlsare adequate to achieve the con-trol objectives and whether theyhave been implemented. In aSAS 70 Type 2 audit, the auditreport will also identify weak-nesses in control implementa-tion.
Certifications Assessments
IT assessment teams areoften hired as consultants todetermine whether IT
The Journal of Corporate Accounting & Finance / September/October 2007 63
© 2007 Wiley Periodicals, Inc. DOI 10.1002/jcaf
This article should enable its readersto make informed decisions onwhether a given IT attestation reportcan be relied upon as evidence insupport of a due diligence program.
jcaf_1003.qxp 8/18/07 2:32 AM Page 63
management has actually imple-mented the control structure asdescribed in some document.The document may be written bymanagement, a “best practice”published by the consulting firm,or a “standards” document pub-lished by a third party. Depend-ing on the agreement betweenthe consultant and the serviceprovider, the report produced bythe assessor may or may notinclude all control weaknessesuncovered in the course of thereview.
Where assessments areaimed at showing compliancewith published standards, it issometimes possible to rely onthe standards organizationsto enforce some measureof due diligence in claim-ing certification compli-ance with standards.8
However, not all certifica-tion assessments have theendorsement of the associ-ated standards bodies. Forexample, the InternationalOrganization for Standard-ization (ISO) develops standardsbut does not operate anyschemes for assessing conform-ity with them.9
The extent to which non-statutory assessment reportscan be relied upon is the extentto which those performing thework are objective in itsperformance. Questions onemay ask to determine the extent of an assessor’s objectiv-ity are:
• Reporting hierarchy—Doesthe auditor report to a personwho is responsible for main-taining the controls beingaudited?
• Financial independence—Does the auditor’s salary orfee in any way depend onthe favorable opinion of aperson who is responsible
for maintaining the controlsbeing audited?
• Participation in systemdesign—Does the auditorwork for an organization thathelped design or implementcontrols that are underreview, or did the auditorparticipate in these activi-ties?
Where these questions areanswered negatively, the work isnot covered by the standards ofprofessional practice that applyto auditors.10 Therefore, the duediligence reviewer should havesome alternative source of evi-dence with respect to the inde-
pendence on the part of theassessor in order to rely on theassessment results.
Generally, certificationassessments fall into two cate-gories: technical and process. Incompliance assessments of bothtypes, best practices in IT con-trols are regularly published byrespected organizations, andconsulting organizations offerattestation services that will cer-tify a given service provider tobe in compliance with the bestpractice.11
Penetration Studies
In the domain of IT security,several IT consulting servicesprovide “penetration studies.”These are attempts to breaksecurity controls that IT manage-ment has put in place. Penetra-
tion study reports are oftenoffered as attestations that con-trol objectives are met. Manyapplication service providershand them out in lieu of auditsor certification assessments.These services are entirely con-sulting-oriented and often mar-keting-oriented. Due diligencereviewers should be wary of theclaims that systems cannot bepenetrated when the reports nei-ther identify the controls thatmanagement has put in place northe methodology used to main-tain the control environment.The scope of the review willoften have been limited to a setof systems that management is
confident it protects, andthe scope may have beenchanged in mid-review.
Documentation Reviews
Where there is no attes-tation report available fromany kind of external asses-sor, due diligence reviewersrely on a service provider’s
own documentation with respectto their IT control environment.A service provider that has giventhought and planning to IT con-trols will invariably have pub-lished an internal policy and/orset of procedures that describeshow customer data are protectedand how systems are designedand operated for resiliency.However, it is sometimes thecase that even though these doc-uments exist, the serviceprovider will not allow them tobe taken out of house. Thisforces the due diligence reviewerto visit the service provideroffices to read the documenta-tion. It also indicates a lack ofconfidence on the part of theservice provider to securelydeliver documents and maintainits security when the cloak ofobscurity is lifted.
64 The Journal of Corporate Accounting & Finance / September/October 2007
DOI 10.1002/jcaf © 2007 Wiley Periodicals, Inc.
SAS 70 guidelines were specificallydeveloped to provide guidance toauditors of companies that outsourcetransaction processing to IT serviceproviders.
jcaf_1003.qxp 8/18/07 2:32 AM Page 64
Questionnaires and Surveys
Service providers offer sucha wide variety of attestationmaterials as proof of internalcontrols that many large corpo-rations have developed their owncontrol requirements for serviceproviders and send them out asquestionnaires. Though it iscumbersome to the serviceprovider and not always inde-pendently verified, it has becomea fairly common method ofreviewing third-party data han-dling.12 Potential IT serviceproviders are requested toanswer as many as 100 or morequestions about systems security,operations monitoring,resiliency, and disaster recoveryprocesses. The level of detailrequired in the answers varies.
CONCLUSION
Note that a report that is mostcomprehensive from a due dili-gence standpoint may still fail tomeet a due diligence objective.For example, though an externalaudit is most comprehensive froma due diligence standpoint, it isactually the least likely of all theattestation services to cover thescope of the services for which agiven customer has contracted.Therefore, a corporate due dili-gence program usually combinesreliance on a combination ofattestation reports with some kindof analysis that demonstratescomprehensive coverage.
However, if the scope of theservices to be rendered is cov-ered by an attestation report, thetype of report is the next consid-eration. An external audit willtypically only be useful to thecustomer as evidence that the
service provider is a going con-cern. However, there is valueadded from an IT control stand-point if the service provider is inthe same business as the cus-tomer. The SAS 70 Type 2 auditclearly provides more valuableinformation than the SAS 70Type 1, though at least a SAS 70Type 1 demonstrates that theservice provider has given someserious thought to what the ITcontrols should look like. Tech-nical or process standard compli-ance reports may indicate thatinternal controls are in place.However, using them as evidenceof due diligence may be prob-lematic because the fact that atechnical implementation is cor-rect or a management processexists is no indication that dataare actually safeguarded accord-ing to customer requirements.Penetration studies are similar tothese compliance assessments inthat they are reliable only to theextent that both the skill andindependence of the assessor canbe ascertained. Penetration stud-ies are dissimilar from compli-ance reports in that it is moredifficult to determine scope.Internal documentation shows atleast that resources have beenallocated for IT control tasks.Service provider answers todirect questionnaires and surveyscan be relied upon a little morethan marketing material.
The most important thing toremember about all IT attesta-tion services is that none ofthem provide verification thatthe service provider’s controlsare appropriate for due dili-gence required from the cus-tomer standpoint; only the cus-tomer can make thatdetermination.
NOTES
1. www.sia.com/tmc2005/pdf/Schwartz.pdf.2. HVAC is a computer industry term for
specialized heating, ventilating, and airconditioning systems.
3. Hereafter referred to as “serviceproviders.”
4. For an explanation of why various typesof non-audit IT attestation services mayhave been commissioned by the serviceprovider, see Bayuk, J. (2005, Fall). Secu-rity review alternatives. Computer Secu-rity Journal, Volume XXI, Number 4.
5. “Statutory auditor” is a generic termused to describe a person licensed in agiven environment to perform independ-ent audits. A more correct term for agiven country may be certified publicaccountant (CPA), chartered accountant,or independent auditor.
6. American Institute of Certified PublicAccountants (AICPA) Auditing Stan-dards Board (ASB), AICPA ProfessionalStandards, AICPA, June 2003. Thesestandards govern the conduct of externalaudits conducted by CPAs.
7. See AICPA Auditing Practice ReleaseNo. 021056: Implementing SAS No. 70Reports on the Processing of Transac-tions by Service Organizations. Note alsothat similar associations in other coun-tries have published similar standards(e.g., Chartered Accountants of Canada).
8. For example, the PCI Security StandardsCouncil (www.pcisecuritystandards.org)and the AICPA SysTrust standards(www.aicpa.org).
9. See http://www.iso.org/iso/en/iso9000-14000/certification/publicizing/publicizing_4.html.
10. For examples of these standards, seewww.isaca.org, www.theiia.org, andwww.aicpa.org.
11. Examples of best practices that are oftenthe subject of technical certificationreports are the Center for Internet Secu-rity (www.cisecurity.com), BITS(www.bitsinfo.org), the National Insti-tute of Standards and Technology(csrc.ncsl.nist.gov), and SANS(www.sans.org). Examples of best prac-tices that are often the subject of processcertification reports are the InternationalOrganization for Standardization(www.iso.org) and the IT InfrastructureLibrary (www.itil.org).
12. See “BITS IT Service ProvidersExpectations Matrix,” www.bitsinfo.org,January 2004.
The Journal of Corporate Accounting & Finance / September/October 2007 65
© 2007 Wiley Periodicals, Inc. DOI 10.1002/jcaf
jcaf_1003.qxp 8/18/07 2:32 AM Page 65
66 The Journal of Corporate Accounting & Finance / September/October 2007
DOI 10.1002/jcaf © 2007 Wiley Periodicals, Inc.
Jennifer Bayuk, CISM, CISA, is a senior managing director and chief information security officer for BearStearns & Co. Inc. She is responsible for information security policy, process, management, architecture,and metrics. She has been a manager of information systems audit, a Big 4 security consultant and audi-tor, and security software engineer at AT&T Bell Laboratories. She has published on information securityand audit topics ranging from security process management to client/server application controls, includ-ing two editions of an Information Systems Audit and Control Association (ISACA) textbook on the IS auditprocess. She chairs the Securities Industry and Financial Markets Association Information Security Sub-committee and the Financial Services Sector Coordinating Council Technology R&D Committee. She haslectured for organizations that include ISACA, the National Institute of Standards and Technology, the Com-puter Security Institute, and the Federal Deposit Insurance Corporation. She is a Certified Information Sys-tems Auditor and Certified Information Security Manager. She has master’s degrees in computer scienceand philosophy.
This article is based in part on Chapter 1.2.2 of Stepping Through the IS Audit by Jennifer Bayuk, a2005 ISACA publication, available at www.isaca.org/bookstore.This article is © 2007 by Information Systems Audit and Control Association.
jcaf_1003.qxp 8/18/07 2:32 AM Page 66
