Evaluating Vendor Risks
Do you know if they have controls?
May 5, 2010
Introductions
• Relevant Participant Experiences
• Participant Objectives for this class
Page 2
Copyright 2010 Riebeeck Stevens Ltd
Course Objective
To educate participants regarding the nature of vendor risks and the mechanisms to effectively assess, manage and control those risks by providing a learning forum where individuals with greater audit and third party assurance experience can share their knowledge with peers who are interested in learning about third party assurance and the different mechanisms and standards available to accomplish it.
Today’s Discussion Topics
• Overview of outsourcing arrangements
• Rights to audit
• Diversity of service organizations
• Assessment mechanisms
  o SAS 70
  o Shared Assessments
  o ISAE 3402
• SAS 70 No More
• Conducting an assessment engagement
• Using a third party assessment
• Project management considerations
Outsourcing Business Processes
Background
• Many entities use outside service organizations to accomplish tasks that affect the entity’s management and information system
• In recent years, there has been an increase in the use of service organizations
• Why do you think BPO (business process outsourcing) has increased so much?
• “Practical IT Auditing” checklist to evaluate candidates for outsourcing
Typical Service Organizations
• Fund accounting agents/Fund administrators
• Custodians/Trustees/Investment advisors
• Transfer agents/Retirement plan record keepers
• Claims processors
• ASPs
• ISPs
• Payroll processors
• Network/Security management
• Thoughts on Cloud Computing Providers?
Outsourcing Arrangements
• Total outsourcing – complete business or business function
• Production outsourcing – Call centers
• Processing outsourcing – Payroll
• Recordkeeping outsourcing – Transfer agent
• Reporting outsourcing – FISERV and Crawford Technologies
• Physical Facilities outsourcing – Hosting/Co-location
Sample Outsourcing Agreements
• 2002: $4 billion / 7-year utility based deal between American Express and IBM
• 1998: $3 billion application development and maintenance agreement between BellSouth and Andersen Consulting
• 1998: $4 billion infrastructure outsourcing agreement between BellSouth and EDS
• 1996: $4.5 billion / 10 year outsourcing and strategic alliance agreements between Dupont and CSC and Andersen Consulting
• 1994: $3 billion / 10-year IT services between Xerox and EDS
Classification of Vendor Risks
• Operational Risk
• Reputation Risk
• Strategic Risk
• Compliance Risk
• Financial Risk
• Support Risk
Classification of Vendor Risks
• Operational Risk ‐ Operational risk not only includes operations and transaction processing, but also areas such as customer service, Information Technology security and the protection of non‐public data, systems development and support programs, internal control processes, and capacity and contingency planning.
Classification of Vendor Risks
• Reputation Risk – Errors, delays, or omissions in outsourced services that become public knowledge or directly affect the company's customers can significantly affect reputation. For example, a vendor's failure to maintain adequate service levels and contingencies for key items such as cash deliveries, network hardware devices or ATM servicing could disrupt the ability to deliver service to customers.
Classification of Vendor Risks
• Strategic Risk – Inadequate management experience and expertise can lead to a lack of understanding of key risks facing the industry today and into the future. Additionally, inaccurate information from vendors can cause the company's management and board of directors to make poor strategic decisions.
Classification of Vendor Risks
• Compliance Risk – Outsourced activities that fail to comply with legal or regulatory requirements can subject the company to legal sanctions. For example, inaccurate or untimely consumer compliance disclosures or unauthorized disclosure of confidential customer information could expose the company to civil money penalties or litigation.
Classification of Vendor Risks
• Financial Risk – financial strength of the vendor, cash position, credit rating, bankruptcy history, historical financial performance indicators – return on equity, return on investment, return on assets
Classification of Vendor Risks
• Support Risk – ability to perform according to service level agreements, professional diversity and capacity of staff, experience of workers, staff rotation policy, operational performance in the market – are they losing customers, is their quality falling?
Rights to Audit
• Contract clause allowing the user organization to audit or have access to audits of the services contracted
• Should be a standard part of every outsourcing contract
• Use more frequently
• Demanding specific types of audits
• Make sure you are specific in terms of period of audits
Case Study
New York ‐ 30 Dec 2002: J.P. Morgan Chase & Co. today finalized with IBM a groundbreaking seven-year outsourcing agreement, in excess of $5 billion, the largest of its kind. The agreement will enable JPMorgan Chase to transform its technology infrastructure through absolute cost savings, increased cost variability, access to the best research and innovation, and improved service levels. By moving from a traditional fixed-cost approach to one with increased capacity and cost variability, JPMorgan Chase will be able to respond more quickly to changing market conditions.
JPMorgan Chase will outsource a significant portion of its data processing technology infrastructure, including data centers, help desks, distributed computing, data networks and voice networks. The agreement includes the transfer of approximately 4,000 JPMorgan Chase employees and contractors as well as selected resources and systems to IBM in the first half of 2003. Application delivery and development, desktop support and other core competencies will largely be retained inside JPMorgan Chase.
Case Study ‐ Instructions
• Study the JPM/IBM press release
• Identify the key risks faced by JPM when transferring functions to IBM
• Discuss methods JPM can use to stay informed of controls at IBM to address those risks
• Discuss impact to security, audit and compliance
• Should JPM require IBM to include a right to audit clause in their contract? Why?
Summary
After completing this module, you should now:
• Understand the business drivers behind the outsourcing decision
• Understand the various types of outsourcing arrangements
• Understand the key classes of vendor risk
• Begin to understand the need to evaluate controls at service organizations
Assessment Mechanisms
Definition of Key Players
Service Organization – The entity that provides services to a user organization
Subservice Organization – An entity that is a service organization of another service organization
Service Auditor – Reports on the processing of transactions by a service organization
User Organization – The entity that has engaged a service organization
User Auditor – Auditor of a user organization
Key Players
[Diagram: relationships among the Service Auditor, User Organization, Service Organization, Subservice Organization and User Auditor]
Evaluating Internal Control at Service Organizations
• How can a user of a service organization (and its internal/external auditor) obtain a sufficient level of comfort that there is an effective control environment at the service organization?
• How can user management ensure that outsourced processes are managed following policies, procedures and practices that are aligned with those of his/her own company?
Assessment Mechanism: Traditional Approach
• User management submits an internal control questionnaire to service organization
• Service organization provides a self‐assessment report to clients
• User organization management (internal audit) performs audit procedures at service organization
• User auditor performs audit procedures at service organizations
Assessment Mechanisms: Third Party Assurance Approach
• One independent firm (third party) is brought in to issue an opinion as to whether management’s description of the control environment is presented fairly.
• In many cases, the independent firm is also engaged to perform tests of specific controls and report on the result of those tests.
Assessment Mechanisms: Third Party Assurance Approach
• Agreed-Upon Procedures
• Shared Assessments
• Standard Compliance Audit
• SAS 70
• Attestation
• Who can issue reports using these mechanisms?
Assessment Mechanisms: Third Party Assurance Approach
• Agreed-Upon Procedures: Issued by independent CPA
• Shared Assessments: Issued by independent CPA or assessment firm
• Standard Compliance Audit: Issued by certified party, i.e. PCI and ISO
• SAS 70: Issued by CPA or CA
• Attestation: Issued by CPA or CA
Module Summary
After completing this module, you should now:
• Understand the process to evaluate internal controls at Service Organizations
• Understand the basic concepts of Third Party Assurance (TPA)
• Identify different mechanisms for conducting TPA engagements
• Understand who can issue third party assurance reports
Agreed‐Upon Procedures
What are Agreed Upon Procedures?
• Section 201 of the AICPA Statements on Standards for Attestation Engagements (SSAE)
• An agreed-upon procedures engagement is one in which a practitioner is engaged by a Responsible Party to issue a report of findings based on specific procedures performed on subject matter. The Responsible Party engages the practitioner to assist Specified Parties in evaluating subject matter or an assertion as a result of a need or needs of the Specified Parties.
What is an AUP Report?
• An AUP Report is a report issued according to SSAE 10 Section 201
• An AUP Report contains the procedures agreed-upon by the parties and the findings identified by the auditor
• An AUP Report does not contain an opinion from the auditor, just the facts of the results
Who Uses an AUP Report?
• Agreed-Upon procedures are used by the service organization, user management, external auditors and regulators
• Internal users include senior management, compliance, internal audit, security and risk management
• External users typically limited to external auditors and regulators
Distribution of the Report
• As an Attestation report, AUP reports have limited distribution
• The Service Organization and the specified parties can have access to the report
• Other parties interested in the report need to agree as to the sufficiency of the procedures with respect to the subject matter or assertion prior to receiving the report
AUP Auditor’s Responsibilities
• Carry out the procedures
• Report the findings in accordance with the professional standards (general, fieldwork and reporting)
• Adequately plan and supervise the audit and exercise due professional care in performing the procedures, determining the findings, and preparing the report
AUP Auditor’s Responsibilities
• Risk that misapplication of the procedures may result in inappropriate findings being reported
• Risk that appropriate findings may not be reported or may be reported inaccurately
• These risks are reduced by becoming knowledgeable about the subject matter and thoroughly planning and executing the work
• The AUP Auditor has no responsibility to determine completeness or adequacy of the agreed-upon procedures
Layout of a Typical AUP Report
• A title that includes the word independent
• Identification of the specified parties
• Identification of the subject matter (or the written assertion related thereto) and the character of the engagement
• Identification of the responsible party
• A statement that the subject matter is the responsibility of the responsible party
Extracted from “AICPA Attestation Standards Section 201”
Layout of a Typical AUP Report
• A statement that the procedures performed were those agreed to by the specified parties identified in the report
• A statement that the agreed-upon procedures engagement was conducted in accordance with attestation standards established by the AICPA
• A statement that the sufficiency of the procedures is solely the responsibility of the specified parties and a disclaimer of responsibility for the sufficiency of those procedures
Extracted from “AICPA Attestation Standards Section 201”
Layout of a Typical AUP Report
• A list of the procedures performed (or reference thereto) and related findings (the practitioner should not provide negative assurance)
• Where applicable, a description of any agreed-upon materiality limits
Extracted from “AICPA Attestation Standards Section 201”
Layout of a Typical AUP Report
• A statement that the practitioner was not engaged to and did not conduct an examination of the subject matter, the objective of which would be the expression of an opinion, a disclaimer of opinion on the subject matter, and a statement that if the practitioner had performed additional procedures, other matters might have come to his or her attention that would have been reported
Extracted from “AICPA Attestation Standards Section 201”
Layout of a Typical AUP Report
• A statement of restrictions on the use of the report because it is intended to be used solely by the specified parties
• Where applicable, reservations or restrictions concerning procedures or findings.
• For an agreed-upon procedures engagement on prospective financial information.
• Where applicable, a description of the nature of the assistance provided by a specialist.
• The manual or printed signature of the practitioner's firm
• The date of the report
Extracted from “AICPA Attestation Standards Section 201”
Procedures to be Performed
• Can be as limited or as extensive as the specified parties desire
• Mere description of assertion or subject matter does not constitute a valid procedure
• There is flexibility in determining the procedures
• Changes to the procedures are acceptable as long as the specified parties accept responsibility for the sufficiency of the procedures
• Matters that need to be agreed upon include the nature, timing and extent of the procedures
Procedures to be Performed
• Procedures should not be subjective and open to interpretations
• Terms of uncertain meaning (such as general review, limited review or check) should be avoided
• For each procedure, there should be evidential matter supporting the finding or findings
Let’s explore the Q‐Services report
Project Management Considerations
• Use Of a Specialist
• Internal Auditors and Other Personnel
• Findings
• Working Papers
AUP Sample Findings
• Procedure: Inspect the shipment dates for a sample (agreed-upon) of specified shipping documents, and determine whether any such dates were subsequent to December 31, 20XX.
• Finding (Appropriate description): No shipment dates shown on the sample of shipping documents were subsequent to December 31, 20XX.
• Finding (Inappropriate description): Nothing came to my attention as a result of applying that procedure.
Sample findings matrix from AT 201
AUP Auditor Considerations
• Validate that the Specified Parties have agreed to the procedures
• Document the steps taken in performing the procedures
• Obtain and maintain appropriate evidence of the work conducted
• Ensure all changes to the procedures are approved by the Specified Parties
• Obtain representations from management
Using an AUP Report
• An AUP Report contains the results of applying the procedures only – No Opinion
• Each procedure and related result must be evaluated by the user in the context of its entity’s internal control
• Be careful not to extrapolate the findings to systems or dates not related to the AUPs
AUP Exercise
• With the JPM/IBM agreement, multiple systems are being processed and supported at IBM
• You work for JPM and some of your clients (your team members) want to audit the system at IBM to evaluate the security controls at IBM
• Identify and describe 5 audit procedures and discuss them in your group until everyone agrees they are sufficient to meet your objective
• Ensure the wording of the procedures is specific and avoid vague terms
• Draft the result of applying the procedure and share them with the group
Module Summary
After completing this module, you now have an understanding of:
• What Agreed-Upon Procedures are
• What an AUP Report is
• The content of AUPs
• The responsibilities of the AUP Auditor
• Key considerations of managing an AUP project
• The usability of AUP reports
Shared Assessments
Shared Assessments
• Special application of the AICPA AUP standard
• Shared Assessments is a program created by BITS, a division of the Financial Services Roundtable
• Initially targeted the financial services industry, it is quickly expanding to other industries such as health care
• Program managed by the Santa Fe Group
Shared Assessments
• Standardized Information Gathering (SIG) Questionnaire
• Agreed‐Upon Procedures (AUP)
• Created under the principle of getting everyone involved
• Sort of like Skype and IP telephony, when everyone is connected there is no need to pay for phone service
Who uses a Shared Assessments Report?
• SIG is used by the Service Organization and the Outsourcer
• AUP report can be used by all related parties who approved the procedures
• Limited distribution report – others can use it but need to agree to the sufficiency of the procedures to evaluate the related controls
Shared Assessments Risk Domains
• Information security policy
• Organization of information security
• Asset management
• Human resources security
• Physical and environmental security
• Communications and operations management
• Access control
• Information systems acquisition, development and maintenance
• Information security incident management
• Business continuity management
• Compliance
• Privacy
Shared Assessments Project
• Scoping questions – determine:
  o Service provider and its business model
  o Target systems and processes
  o Data that it collects, stores, uses, shares, transports, retains, secures and/or deletes:
    - Target Data
    - Protected Target Data
    - Privacy Target Data
    - Protected Privacy Target Data
• Based on this information, identify hardware, software and procedures to be tested.
Shared Assessments Lite
• SIG v5 Level 1
• Contains 91 questions
• Intended for low risk scenarios
• Inquiry of Service Organization management
• No testing is involved
SIG v5 L1 Questions
Shared Assessments AUP
• Full SIG v5 and management tools
• AUP v5
• 12 Risk Domains
• Specific procedures to be executed by assessor
• Each AUP control area contains:
  o Objective(s): Statement(s) describing the business interest behind assessing the Domain
  o Control(s): Statement(s) about the controls service providers should have in place
  o Procedure(s): The action or actions a practitioner will perform to test each control Area
  o Industry Relevance: Reference(s) to other standards that apply to the same objective and control as the procedure
Shared Assessments Sample Procedure
F.5 Secure Workspace Access Reporting
Objective:
An organization should maintain access and incident reports.
Control:
Access to Secure Workplace is logged and incident reports are maintained.
Extracted from the Shared Assessments AUP document
Shared Assessments Sample Procedure
Procedures:
a. Obtain the access and incident logs (physical or electronic) from the service provider for the Secure Workspace Perimeter, and inspect for evidence of the following attributes:
Access Logs (Staff):
1. Name
2. Date and time
3. Point of access
4. Date of last update
Access Logs (Visitor):
1. Name
2. Date and time
3. Point of access
4. Company name
5. Visiting
6. Equipment
7. Sign out and return of badge
8. Date of last update
Incident Logs:
1. Name
2. Date and time
3. Company name
4. Incident type
5. Date of last update
b. Report the attributes listed in step a not in evidence, the date the access logs and incident log was last updated, or the nonexistence of the access log or incident log.
Extracted from the Shared Assessments AUP document
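To show how steps a and b of procedure F.5 translate into a concrete check, here is an added Python example; it is not part of the Shared Assessments AUP document or the course material. The CSV column names and the sample log rows are constructed, the missing incident log is modelled as None, and an attribute is treated as "in evidence" when its column exists and at least one row fills it.

```python
"""Checker for Shared Assessments AUP procedure F.5 (Secure Workspace Access
Reporting). Added illustration, not part of the Shared Assessments AUP
document. CSV column names and log rows below are constructed sample data."""
import csv
import io
from typing import Dict, List, Optional

# Step a: attributes the assessor inspects each log for, keyed by log type.
REQUIRED_ATTRIBUTES: Dict[str, List[str]] = {
    "access_staff": ["Name", "Date and time", "Point of access",
                     "Date of last update"],
    "access_visitor": ["Name", "Date and time", "Point of access",
                       "Company name", "Visiting", "Equipment",
                       "Sign out and return of badge", "Date of last update"],
    "incident": ["Name", "Date and time", "Company name", "Incident type",
                 "Date of last update"],
}
LABELS = {"access_staff": "Access log (staff)",
          "access_visitor": "Access log (visitor)",
          "incident": "Incident log"}

# Constructed sample logs as a provider might export them. The visitor log has
# no badge sign-out column at all and never fills "Equipment"; the incident
# log is None, modelling a log the provider could not produce.
STAFF_LOG = """Name,Date and time,Point of access,Date of last update
A. Smith,2010-04-01 08:02,Door 3,2010-04-30
B. Jones,2010-04-01 08:15,Door 3,2010-04-30
"""
VISITOR_LOG = """Name,Date and time,Point of access,Company name,Visiting,Equipment,Date of last update
C. Lee,2010-04-02 10:00,Lobby,Acme Corp,A. Smith,,2010-04-15
"""
INCIDENT_LOG = None


def parse_log(text: Optional[str]) -> Optional[List[Dict[str, str]]]:
    """Parse a CSV export into rows; None stays None (the log does not exist)."""
    if text is None:
        return None
    return list(csv.DictReader(io.StringIO(text)))


def in_evidence(rows: List[Dict[str, str]], attribute: str) -> bool:
    """An attribute is evidenced when its column exists and at least one row
    has a non-empty value; a column that is always blank is not evidence."""
    return any((row.get(attribute) or "").strip() for row in rows)


def assess_log(log_type: str, rows: Optional[List[Dict[str, str]]]) -> dict:
    """Apply steps a and b of F.5 to one log and return what must be reported:
    nonexistence, attributes not in evidence, and the date of last update."""
    required = REQUIRED_ATTRIBUTES[log_type]
    if rows is None:
        return {"log": log_type, "exists": False,
                "missing_attributes": list(required), "last_updated": None}
    missing = [a for a in required if not in_evidence(rows, a)]
    # Dates are assumed to be ISO formatted, so string order is date order.
    dates = sorted(d for d in ((r.get("Date of last update") or "").strip()
                               for r in rows) if d)
    return {"log": log_type, "exists": True, "missing_attributes": missing,
            "last_updated": dates[-1] if dates else None}


def finding_text(result: dict) -> str:
    """Render a finding as a statement of fact, without opinion or negative
    assurance, in the style of the AT 201 sample findings."""
    label = LABELS[result["log"]]
    if not result["exists"]:
        return f"{label}: not provided by the service provider; nonexistence reported."
    if result["missing_attributes"]:
        attrs = "attributes not in evidence: " + ", ".join(result["missing_attributes"])
    else:
        attrs = "all listed attributes in evidence"
    updated = result["last_updated"] or "no date of last update recorded"
    return f"{label}: {attrs}; date of last update: {updated}."


def assess_all(logs: Dict[str, Optional[str]]) -> List[dict]:
    """Run the procedure over every log type named in step a; a log type the
    provider did not supply is reported as nonexistent."""
    return [assess_log(t, parse_log(logs.get(t))) for t in REQUIRED_ATTRIBUTES]


if __name__ == "__main__":
    for res in assess_all({"access_staff": STAFF_LOG,
                           "access_visitor": VISITOR_LOG,
                           "incident": INCIDENT_LOG}):
        print(finding_text(res))
```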
Shared Assessments Exercise
• Review the JPM/IBM outsourcing arrangement and based on the limited information provided, review the questions on Section C2.2 of SIG v5 and the corresponding procedures in Section C of Shared Assessments AUP v5
• Could this provide any comfort when performed by a trusted party?
Shared Assessments Report Layout
• The Shared Assessments report follows the AUP standard of the AICPA
• Description of scope
• Domain area
• Control objective
• Control
• Procedure
• Results of applying the procedure
Using a Shared Assessments Report
• The Shared Assessments report does not provide assurance, just attestation of the result
• Each user of the report must evaluate the results in the context of their own risk universe
• Some controls may be applicable, others may not
• The absence of certain controls may not be relevant to the user’s environment
• Do not extrapolate in time and space
Using a Shared Assessments Report
• Limitations of the Shared Assessment Report
  o Limited to Security, business continuity and privacy
  o No third party opinion
• Can it be relied upon for purposes of an audit of financial statements? Only if issued by CPA? What about internal audit of the user organization?
• What about sub-service organizations? What options are there to report on that relationship?
Module Summary
After completing this module, you should now understand:
• What are Shared Assessments
• What is a Shared Assessments Report
• The content of a Shared Assessments Report
• The responsibilities of the Shared Assessments Auditor
• Key considerations of managing a Shared Assessments project
• The usability of Shared Assessments reports
SAS 70 Audits
What is “SAS 70”?
• Statement on Auditing Standards (SAS) No. 70, Service Organizations, as amended
• Issued by the American Institute of Certified Public Accountants (AICPA)
What is a “SAS 70” Report?
A report containing:
• Description of the control environment
• Description of management’s control objectives
• Description of specific controls, policies and procedures
• Description of tests of those specific controls, policies and procedures
• Results of those tests
• Independent auditor’s opinion
• Supplemental information provided by the Service Organization (optional)
Who uses the SAS 70 report?
Primary external users (outside of service organization)
• Clients of service organizations and their auditors
• Auditors of service organization
• Prospective clients of service organizations
Who uses the SAS 70 report?
Benefits of the report to external users
• Enhanced understanding of the control environment
• Additional level of comfort
• Contained audit costs
• Ability to compare service organizations
• Reliance on controls
Who uses the SAS 70 report?
Primary internal users (within service organization)
• Management
• Internal Audit
• Legal and Compliance
• Risk Management
• Marketing
Who uses the SAS 70 report?
Benefits of the report to internal users
• Independent evaluation of processes and controls
• Standard documentation of processes and controls for future evaluation of efficiencies
• Improved risk management
• Potential reduction of coordination with your client’s auditors
• Marketing
Distribution of the Report
Controlled by service organization
Generally limited to:
• Service organization
• Clients of service organization
• Auditors of clients of service organization
• Prospective clients of service organization
Types of Reports
• Type I – Report on Controls placed in Operation as of a specified date
• Type II – Report on Controls placed in Operation as of a specified date
AND
Results of Tests of Operating Effectiveness during a specified period
Service Auditor’s Responsibilities: Type I Engagement
• Determine whether the description of controls presents fairly the relevant aspects of the controls placed in operation as of the date of report
• Determine whether the controls are suitably designed to achieve the specified control objectives
Service Auditor’s Responsibilities: Type II Engagement
• Same as in Type I Engagement
AND
• Determine whether the controls that were tested were operating with sufficient effectiveness to achieve control objectives for the specified period of the report
Sub‐Service Organizations: Carve‐out
• Exclude sub-service organization’s relevant controls and control objectives from report and from auditor’s scope
• If Carve-Out sub-servicer, then: Modify scope paragraph in the auditor’s report for the controls of the sub-service organization
  o Describe the functions and nature of processing performed by sub-service organization
  o That the description of the controls includes only the controls and related control objectives of the service organization
  o That our examination does not extend to the controls at the sub-service organization
• Service Organization modifies description of controls to summarize the functions and nature of the processing performed by the sub-service organization that are omitted from the report
• May be necessary to modify opinion paragraph in auditor’s report
Sub‐Service Organizations: Inclusive
• Include sub‐service organization’s relevant controls and control objectives in report and in auditor’s scope
• Ensure description of controls and control objective discussion in report clearly differentiates controls at service organization and at sub‐service organization, but includes both in reporting
• Modify auditor’s report throughout (scope, opinion, Company references) to include sub‐service organization (and its related controls, etc.)
• Perform procedures at the sub‐servicer to determine whether:
o controls (functions/nature of processing and controls) are fairly presented
o controls are suitably designed to achieve the related control objectives
o controls are operating with sufficient effectiveness (for Type II engagements)
User Control Considerations
• Complementary Controls that may be required at the User Organization
• Include in report’s description of controls
• Include in auditor’s report
• Sample UCC: User Organization should remove terminated employees when access is no longer needed
Service Auditor’s Responsibilities
• Addressing the representations in the service auditor’s report
• Adhere to the AICPA general standards and to the relevant AICPA fieldwork and reporting standards
Layout of Typical SAS 70 Report
Opinion
Section I – Information provided by the Service Organization
o Overview of the business
o Control Environment
o Applicability of Report
o Description of Controls
Section II – Information Provided by the Service Auditor
Section III – Controls, Control Objectives and Tests of Operating Effectiveness
Section IV – Other information provided by the Service Organization
Module Summary
After completing this module, you should now be able to:
• Understand the basic SAS 70‐related terms and definitions
• Understand the basic overview of SAS 70
• Understand who uses SAS 70 reports and why
Project Management: Useful information for the Service Auditor Engagement Team
Define and Understand Engagement/Report Scope
• Collaborative process with the Client
• Scope should be driven by USER needs and requirements
o Include Core Areas
o Include desired Locations
Engagement Time Management
Time Management
• Activity Definition
• Activity Sequencing
• Activity Duration Estimating
• Schedule Development
• Schedule Control
Service Organization Involvement
• Project Sponsor (leader/owner) of the Process
• Project Coordinator (daily task management)
• Internal Pre‐Assessment and Remediation
• “Buy‐In” of Senior Management within all functional departments/areas
Senior Management Buy‐In
• Assists in obtaining information timely
• Ensures the right personnel/contacts are met
• Ensures personnel/contacts will provide all necessary assistance
• Ensures personnel/contacts know the importance of the project to their department leaders
Responsibilities
May impact:
• Timing
• Deadlines
• Budgets/fees
• Staffing mix
• Expectations set by client or by auditor
• Satisfaction with meeting expectations and
• The ability to manage expectations
Reporting Responsibilities
Generally, the Client should draft most areas of the Report:
• Overview of Operations (Organization Definition)
• Description of Controls and Control Environment
• Control Objectives and Controls
• Other Information provided by the Service Organization
Generally, the Service Auditor should focus on:
• Opinion
• Information Provided by Service Auditor
• Testing of Controls and Results of Testing
Managing Expectations
• Expectations of Significant Changes During Report Period (mid‐year significant changes in controls/processes to consider)
• Presence of Exceptions in the Report
• Multi‐location Considerations
• Report is evolving
• Recommendations to be Provided to Client
• Regular Status Meetings with the Project Champion and the Day‐to‐Day Contact Person are important
Managing Expectations
• Timeline/Deadline for Stages of Engagement
o Setting project milestones minimizes time overages
• Detailed Project Plan by Control Objective
o Breaking the project plan down to task level increases accuracy of cost estimation and subsequent budgeting
• Monitor Timing/Fees (budget to actual)
o Enhanced cost control through frequent budget‐to‐actual monitoring
Module Summary
After completing this module, you should now:
• Understand key aspects of managing a SAS 70 project effectively and efficiently.
• Understand common pitfalls/challenges and successes that we have encountered in our experience with SAS 70 engagements.
Service Auditor Considerations
Service Auditor Considerations
• Workpaper documentation
• Design of Tests
• Types of tests
• Sampling
• Findings
• Testing strategies
Design of Tests
Control → Test
Types of Tests
• Inquiry
• Inspection
• Observation
• Re‐performance of the control
Sample Sizes
• No definitive guidance
• Driven by four variables:
o Significance of control
o Frequency
o Past experience
o Client expectation
Sample Sizes (continued)
• Frequently used numbers (influenced primarily by SOX developments):
Type of Control   Sample size
Primary           25
Secondary         15
Other             5
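The following Python is an added example (it is not part of the original deck and not the presenter’s material) that re‐performs the sample UCC from the User Control Considerations slide, “remove terminated employees when access is no longer needed”, as an attribute test: draw the sample size from the table above by control significance, re‐perform the control for each sampled termination, and compare the observed deviation rate with a tolerable rate, the quantitative comparison the ISAE 3402 materiality slides describe. The two‐day grace period, the 10% tolerable rate, the seed and all employee and account data are constructed assumptions; the same routine serves any attribute test where a population and a pass/fail attribute can be named.

```python
"""Re-performance test of the sample UCC "remove terminated employees when
access is no longer needed".  Added example, not from the original deck.
Sample sizes follow the deck's table (Primary 25 / Secondary 15 / Other 5);
the grace period, tolerable deviation rate and all data are assumptions."""
import random
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Sample sizes per control significance, taken from the deck's table.
SAMPLE_SIZES = {"primary": 25, "secondary": 15, "other": 5}


@dataclass(frozen=True)
class Termination:
    employee_id: str
    terminated_on: date


def select_sample(population: List[Termination], significance: str,
                  seed: int) -> List[Termination]:
    """Pick a reproducible random sample of the table size; if the population
    is smaller than that, the whole population is tested."""
    n = SAMPLE_SIZES[significance]
    if len(population) <= n:
        return list(population)
    return random.Random(seed).sample(population, n)


def evaluate_item(item: Termination, accounts: Dict[str, Optional[date]],
                  grace_days: int) -> Optional[str]:
    """Return a deviation description, or None if the control operated.
    `accounts` maps employee id -> date the account was disabled (None if it
    is still enabled).  An employee with no account has nothing to remove."""
    if item.employee_id not in accounts:
        return None
    disabled_on = accounts[item.employee_id]
    deadline = item.terminated_on + timedelta(days=grace_days)
    if disabled_on is None:
        return f"{item.employee_id}: account still enabled (terminated {item.terminated_on})"
    if disabled_on > deadline:
        late = (disabled_on - deadline).days
        return f"{item.employee_id}: disabled {late} day(s) after the {grace_days}-day grace period"
    return None


def assess_termination_control(terminations: List[Termination],
                               accounts: Dict[str, Optional[date]],
                               significance: str, grace_days: int = 2,
                               tolerable_rate: float = 0.10, seed: int = 2010) -> dict:
    """Sample, re-perform, and conclude on operating effectiveness by
    comparing the observed deviation rate with the tolerable rate."""
    sample = select_sample(terminations, significance, seed)
    deviations = [d for d in (evaluate_item(t, accounts, grace_days) for t in sample) if d]
    observed = len(deviations) / len(sample) if sample else 0.0
    return {
        "sample_size": len(sample),
        "deviations": deviations,
        "observed_rate": observed,
        "conclusion": "exception" if observed > tolerable_rate else "operating effectively",
    }


# Constructed sample data (assumed, not from the deck): HR terminations for
# the period and the directory's account-disable dates.
TERMINATIONS = [
    Termination("e1001", date(2010, 1, 8)),
    Termination("e1002", date(2010, 1, 15)),
    Termination("e1003", date(2010, 2, 1)),
    Termination("e1004", date(2010, 2, 12)),
    Termination("e1005", date(2010, 3, 3)),
    Termination("e1006", date(2010, 3, 19)),
    Termination("e1007", date(2010, 4, 2)),
    Termination("e1008", date(2010, 4, 23)),
]
ACCOUNTS = {
    "e1001": date(2010, 1, 8),
    "e1002": date(2010, 1, 16),
    "e1003": None,               # never disabled -> deviation
    "e1004": date(2010, 2, 13),
    "e1005": date(2010, 3, 15),  # 10 days past the grace period -> deviation
    "e1006": date(2010, 3, 20),
    # e1007 has no account on file: nothing to remove
    "e1008": date(2010, 4, 25),  # exactly at the 2-day deadline: on time
}

if __name__ == "__main__":
    result = assess_termination_control(TERMINATIONS, ACCOUNTS, "secondary")
    for line in result["deviations"]:
        print("Deviation:", line)
    print(f"{len(result['deviations'])}/{result['sample_size']} deviations "
          f"({result['observed_rate']:.0%}), conclusion: {result['conclusion']}")
```

With eight terminations and a “secondary” control the whole population is tested (8 < 15), two deviations are found and the 25% observed rate exceeds the assumed 10% tolerable rate, so the item would be reported as an exception rather than a management letter comment. A fixed seed keeps the selection reproducible in the workpapers; a termination with no directory account is deliberately not counted as a deviation, since there was no access to remove, though a practitioner would still want to reconcile that gap in the population.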
Findings
Findings should be classified into:
• Nominal
• Management Letter Comment (“MLC”)
• Exceptions
Findings (continued)
• Quantitative materiality thresholds do not apply
• How to deal with exceptions:
o Identify compensating controls
o Redefine control objectives
o Timely validation
Testing Strategies
• Report must be applicable to internal controls in place during the entire testing period.
• Narrative update can occur at six month point
• Controls can be tested at any time during the testing period
Module Summary
After completing this module, you should now:
• Understand important items to consider when performing a SAS 70 engagement, including sample sizes, testing strategies and addressing findings.
User Auditor Considerations: How to Use a SAS 70 Report
Is the SAS 70 Useful?
• Does it address the applications and/or locations used by the Service Organization that are relevant to financial statement assertions?
• Is it adequate to understand the flow of transactions?
• Does it give sufficient detail of the controls that prevent or detect possible errors?
• Are there findings within the control tests?
• Does the opinion address any exceptions?
• Are any areas being carved out?
Procedures when using a SAS 70 Report
• Read the report to:
o Understand the flow of transactions and the controls
o Determine that controls were operating as intended
o Determine whether significant control deficiencies were noted
• Inquire of the client as to changes since the date of the SAS 70
• Consider whether additional procedures are necessary
Assessing User Control Considerations
• Read the service auditor’s report to determine:
o Whether the considerations are relevant to your client
o If relevant, ensure during your planning that the controls have been implemented by the client
o The nature of the complementary controls that should be in place at your client
Updating a SAS 70
When the date of the SAS 70 report is within the client’s fiscal year (and controls were assessed as effective):
• Update through client discussions
When the date of the SAS 70 is outside the client’s fiscal year (and you anticipate assessing controls as effective):
• You can use the report as a starting point in gaining an understanding of the control environment
• You may not rely on this report as audit evidence
Using a SAS 70 Report
READ IT!
READ IT!
READ IT!!
Using a SAS 70 Report
• Make sure you understand which significant processes are covered
• Can you rely on the testing which was performed?
• Determine the results of any testing that was performed
Using a SAS 70 Report
• If the report does not cover the entire period of the user organization’s fiscal year, gain an understanding for the period not covered.
Module Summary
After completing this module, you should now:
• Understand when you can rely on a SAS 70 report.
• Understand the documentation requirements when leveraging a SAS 70 report.
• Understand how you can benefit from a SAS 70 report.
• Discuss the SAS 70 Reliance Decision Tree
Attest Engagement
What is an Attest Engagement?
• Examination, audit or review of subject matter or management assertion
• Higher level of assurance
• Generally includes an opinion of the auditor
• Follows the Statement on Standards for Attestation Engagements of the AICPA
Why Do We Need Attest Reports?
• Many financial situations require an attest report
• In the controls space, they can cover areas that are not possible to cover in SAS 70 or other reports
• An example is business continuity planning and the availability principle
Who uses Attest Reports?
• Attest reports are limited distribution reports
• Can be used by external auditors for evaluating audit risk
• Can be used by the service organization management
• Can be used by the user organization management
Attest Engagements
Definition and Underlying Concepts
• Subject matter
• Assertion
• Responsible party
Attest Engagements
• Suitability of Criteria
o Objectivity
o Measurability
o Completeness
o Relevance
• Availability of Criteria
Attest Auditor Responsibilities
• Training and proficiency
• Adequate knowledge of the subject matter
• Independence
• Due professional care
• If the report is issued according to the AICPA standard, then the auditor should be a CPA
Layout of Attest Report
• Differences in content for an Examination and a Review report
• Considerations as to whether opining on subject matter or management assertion
• Statement that the work conducted supports the opinion provided
• Compliance with AICPA standards
Project Management Considerations
• Obtain clear management assertion
• Ensure there are suitable criteria
• Delineate and plan every activity
• Discuss and walk through every risk and area of control
• Establish a clearly defined timeline
• Obtain concurrence from management on all identified findings
Attest Auditor Considerations
• Planning and supervision
• Obtaining sufficient evidence
• Management representations
• Reporting
• Analysis of other information presented by management
Using an Attest Report
• Ensure focus and scope are relevant
• Review criteria
• Evaluate findings
• Consider the period of the attestation
• Determine whether subsequent events occurred
• Integrate the controls in the report with the risks in your organization
Module Summary
After completing this module, you should now be able to understand:
• What Attest engagements are
• What an Attestation Report is
• The content of an Attestation Report
• The responsibilities of the Attest Auditor
• Key considerations of managing an Attest project
• The usability of Attest reports
Good Bye SAS 70
SAS 70 No More
• Recent Developments
• International Demand
• IFAC – ISAE 3402
• AICPA SSAE 16 – Reporting on Controls at a Service Organization
• New SAS – Audit Considerations Relating to an Entity Using a Service Organization
SAS 70 No More
• New Standards do not affect inquiries of management
• New Standards do not affect AUP/Shared Assessments
• New Standards do not affect the Attest Engagements
AICPA SSAE 16
• Separates Service Audit from existing SAS
• Falls under different family of standards
• Instead of an audit standard, it is an attest standard
• Requires a written management assertion
• And suitable criteria
• Is not limited to usability in a financial statement audit ONLY
SSAE 16 – Impact
• Management of the service organization is required to provide the service auditor with a written assertion about:
1. The fairness of the presentation of the description of the service organization’s system
2. The suitability of the design of the controls to achieve the related control objectives stated in the description, and, in a type 2 engagement,
3. The operating effectiveness of those controls to achieve the related control objectives stated in the description.
SSAE 16 – Impact
• A service auditor is able to report on controls at a service organization other than controls that are relevant to user entities’ financial reporting, for example, controls related to user entities’ regulatory compliance, production, or quality control.
• This is probably the greatest benefit of all!
SSAE 16 – Impact
• In a type 2 report, the service auditor’s opinion on the fairness of the presentation of the description of the service organization’s system and on the suitability of the design of the controls is for a period of time rather than as of a specified date, as is the case in the current standard
SSAE 16 – Impact
• When obtaining an understanding of the service organization‘s system, the service auditor would be required to obtain information to identify risks that the description of the service organization’s system is not fairly presented or that the control objectives stated in the description were not achieved due to intentional acts by service organization personnel.
SSAE 16 – Impact
• Indicates that when assessing the operating effectiveness of controls in a type 2 engagement, evidence obtained in prior engagements about the satisfactory operation of controls in prior periods does not provide a basis for a reduction in testing, even if supplemented with evidence obtained during the current period.
SSAE 16 – Impact
• A service auditor’s type 2 report would identify the customers to whom use of the report is restricted as "customers of the service organization’s system during some or all of the period covered by the service auditor’s report,"and in a service auditor’s type 1 report, as, "customers as of the date of the service organization’s description covered by the report."
SSAE 16 – Key Considerations
• Effective date – the AICPA/ASB has proposed making the SSAE effective concurrently with the new ISAE 3402
• Management assertion – An assertion‐based engagement includes an explicit acknowledgement by management of its responsibility for the matters addressed in its assertion
• Convergence with International Standards
IFAC – ISAE 3402
• ISAE 3402 – Assurance Reports on Controls at a Service Organization
• Based on the original structure of SAS 70 but very similar to the new SSAE
• Applies to all countries where IFAC is recognized
• Scope – applies to engagements that convey reasonable assurance when the service organization is responsible for the suitable design of controls
ISAE 3402
• The standard deals with assurance engagements by professional accountants in public practice to provide a report for use by the user entities and their auditors on the controls at a service organization that provides a service to user entities that is likely to be relevant to user entities’ internal control, as it relates to financial reporting.
ISAE 3402
The standard does not deal with assurance engagements:
• To report on whether controls at a service organization operated as described, or
• To report ONLY on controls at a service organization that are not related to a service that is likely to be relevant to user entities’ internal controls as it relates to financial reporting
Why is ISAE 3402 Important?
• Impact at domestic and international levels
• It updates/replaces (potentially)/complements:
o US – Statement on Auditing Standards (SAS) No. 70
o CA – Canadian Institute of Chartered Accountants (CICA) 5970
o UK – Audit and Assurance Faculty Standard (AAF) 01/06
o AU – Guidance Statement (GS) 007
o HK – HKSA Statements – Auditing Practice Note 860.2
o JP – Audit Standards Committee Report No. 18
o DE (Germany) – IDW PS 951
IFAC – ISAE 3402
• Introduces the concept of materiality
o Not with respect to the financial statements but with respect to the system
o The concept of materiality takes into account that the service auditor’s assurance report provides information about the service organization’s system to meet the common information needs of a broad range of user entities and their auditors who have an understanding of the manner in which that system has been used.
IFAC – ISAE 3402
• Materiality with respect to the fair presentation of the service organization’s description of its system, and with respect to the design of controls, includes primarily the consideration of qualitative factors, for example: whether the description includes the significant aspects of processing significant transactions; whether the description omits or distorts relevant information; and the ability of controls, as designed, to provide reasonable assurance that control objectives would be achieved.
IFAC – ISAE 3402
• Materiality with respect to the service auditor’s opinion on the operating effectiveness of controls includes the consideration of both quantitative and qualitative factors, for example, the tolerable rate and observed rate of deviation (a quantitative matter), and the nature and cause of any observed deviation (a qualitative matter).
Critical Steps in Assurance Reporting Under ISAE 3402
• Assessing the Suitability of the Criteria
• Obtaining an Understanding of the Service Organization’s System
• Obtaining Evidence Regarding the Description
• Obtaining Evidence Regarding the Design of Controls
• Obtaining Evidence Regarding the Operating Effectiveness of Controls
Critical Steps in Assurance Reporting Under ISAE 3402
• The Work of an Internal Audit Function
• Other Information
• Preparing the Service Auditor’s Assurance Report
• Other Communication Responsibilities
Comparison of SAS 70 with ISAE/SSAE

Topic | Existing SAS 70 Standard | ISAE 3402 / SSAE
Scope | SAS 70 is limited to controls over the processing of financial transactions by a service organization. | Report can be extended beyond financial reporting.
Opinion / Assertion | The auditor provides an opinion based directly on the subject matter with no formal management assertion. | In addition to the auditor's opinion, management of the service organization provides a formal assertion affirming its responsibilities for the controls in the report.

Extracted from “Good‐bye SAS 70” by Fiona Gaskin
Comparison of SAS 70 with ISAE/SSAE

Topic | Existing SAS 70 Standard | ISAE 3402 / SSAE
Disclosure requirements for use of IA | Work performed by internal audit to support the service auditor's opinion is not disclosed. | Work performed by internal audit used in part to form the service auditor’s opinion shall include a description of the internal auditor’s work and of the service auditor’s procedures with respect to that work.
Audit Guidance | Guidance is provided in an annually updated Audit Guide, which includes illustrative control objectives for various types of service organizations. | Guidance for the service auditor will be solely contained in the ISAE itself and will not contain illustrative control objectives. The US will continue to provide audit guidance to support the SSAE/SAS 70 standards.

Extracted from “Good‐bye SAS 70” by Fiona Gaskin
Comparison of SAS 70 with ISAE/SSAE

Topic | Existing SAS 70 Standard | ISAE 3402 / SSAE
Example of Terminology Differences | Type I – report on the fairness of the description of controls and whether those controls were suitably designed. | Type 1 – report on the fairness of the description of controls and whether those controls were suitably designed.
 | Type II – report also includes an opinion on the operating effectiveness of the controls. | Type 2 – report also includes an opinion on the operating effectiveness of the controls.

Extracted from “Good‐bye SAS 70” by Fiona Gaskin
ISAE 3402 Report
• Internal control is a process designed to provide reasonable assurance regarding the achievement of objectives related to the reliability of financial reporting, the effectiveness and efficiency of operations, and compliance with applicable laws and regulations.
• Control objectives and controls at the User Organizations
• Control objectives and controls at the Service Organization
• Controls at the Service Organization that need to be complemented at User Organizations
Module Summary
After completing this module, you should now be able to understand:
• The latest developments in Third Party Assurance Standards
• The impact of the new Standards
• The benefits of the new Standards
• Key differences and similarities between domestic and international standards
• Key considerations and responsibilities of a service auditor and of the user of a third party assurance report
Wrap‐Up and Summary
Using Third Party Reports
• A report is not relevant if it does not address your company’s risks
• Prepare your own ICQ or use a standard one as a pre‐audit tool
• Use your company’s risk and control matrices as the basis to evaluate ICQ, AUP, SAS 70, ISAE and SSAE findings
• The starting point is your company’s risks, not what is in the reports
Third Party Assurance – Final Comments
• Businesses will continue to look for opportunities to increase the efficiency and effectiveness of business processes
• Globalization will not stop
• Cloud Computing will make this field more interesting and complex
• Third party assurance practice will continue to grow
• We will either be auditing or be audited by a service auditor …
Contact
Felix Ramirez
(W) 646‐290‐8998
(C) 908‐230‐4562
(e) [email protected]