What are SSAE 16 Reports and How do I Use Them to Support my Audit and A-123 Compliance? Presentation to ASMC PDI May 29, 2015


2 Agenda
Internal Controls Over Financial Reporting
- Internal Control Definition
- Management's Responsibility
Gaining Comfort Over Service Organization Controls
- OMB Circular A-123 (Appendix A) Requirements
- Financial Statement Audit Requirements
Using SSAE 16 Reports
- Background and Purpose of the SSAE 16 Report
- DoD Service Organizations and SSAE 16 Reports
- Structure of the Report
- Subservice Organizations
- Evaluation of CUECs
- Exceptions, Responses, and Other Considerations
Questions

3 Internal Controls Over Financial Reporting

4 Internal Control: Definition
Internal control is a process effected by an entity's oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved. An internal control system is a continuous built-in component of operations, effected by people, that provides reasonable assurance, not absolute assurance, that an entity's objectives will be achieved.
These objectives and related risks can be broadly classified into one or more of the following three categories:
- Operations - Effectiveness and efficiency of operations
- Compliance - Compliance with applicable laws and regulations
- Reporting - Reliability of reporting for internal and external use
The GAO Green Book (GAO G) defines the standards for internal control in the federal government.

5 Internal Control: Management's Responsibility
- Oversight Body - The oversight body is responsible for overseeing the strategic direction of the entity and obligations related to the accountability of the entity. This includes overseeing management's design, implementation, and operation of an internal control system.
- Management - Management is directly responsible for all activities of an entity, including the design, implementation, and operating effectiveness of an entity's internal control system.
- Personnel - Personnel help management design, implement, and operate an internal control system and are responsible for reporting issues noted in the entity's operations, reporting, or compliance objectives.
External auditors and the office of the inspector general (OIG), if applicable, are not considered a part of an entity's internal control system.
FMFIA requires federal executive branch entities to establish internal control in accordance with these (GAO Green Book) standards.

6 Internal Control: Management's Responsibility - Service Organizations
Management may engage external parties to perform certain operational processes for the entity, such as accounting and payroll processing, security services, or health care claims processing. For the purpose of the Green Book, these external parties are referred to as Service Organizations.
Therefore, management needs to understand the controls each Service Organization has designed, has implemented, and operates for the assigned operational process, and how the Service Organization's internal control system impacts the entity's internal control system.
If controls performed by the Service Organization are necessary for the entity to achieve its objectives and address risks related to the assigned operational process, the entity's internal controls may include Complementary User Entity Controls (CUECs) identified by the service organization or its auditors that are necessary to achieve the service organization's control objectives.
Management retains responsibility for the performance of processes assigned to Service Organizations.

7 Internal Control: Management's Responsibility
[Diagram: the Reporting Entity and its Service Provider(s), linked by Service Level Agreements (SLAs) and Memos of Understanding (MOUs).]
Communicate, Communicate, Communicate. We can't assume the other organization has it covered.

8 Gaining Comfort Over Service Organization Controls

9 Gaining Comfort: A-123 Requirements
Evaluating Controls of Cross-Servicing Providers and Service Organizations
When evaluating the controls in place at cross-servicing providers or Service Organizations, the Senior Assessment Team should determine the extent of procedures needed, which may include:
A. User Organizations Test the Controls
- Performing tests of the entity's controls over the activities of the cross-servicing organization or service organization (e.g., re-performance of selected items processed by the cross-servicing organization or service organization, or reconciling output reports with source documents); or
- Performing tests of controls at the cross-servicing organization or Service Organization; or
B. Service Organization Controls Report
- Obtaining a service auditor's report on controls placed in operation and tests of operating effectiveness (e.g., Type II SSAE 16 report) or a report on the application of agreed-upon procedures that describes the relevant tests of controls.
Test it yourself or obtain an opinion from an independent auditor.

10 Gaining Comfort: Audit Requirements
OMB Bulletin (Effective October 21, 2013) supersedes the provisions in OMB Bulletin 07-04, Audit Requirements for Federal Financial Statements, and OMB Technical Bulletin 08-24, Technical Amendments to OMB Bulletin 07-04, Audit Requirements for Federal Financial Statements.
In addition to the requirements set forth in AU-C 402, Audit Considerations Relating to an Entity Using a Service Organization, for those Service Organization controls that are relevant to the audit and have been suitably designed and implemented, service organizations must:
A. Allow user auditors to perform tests of controls at the Service Organization; or
B. Provide its user organizations with an audit report (referred to as a type 2 report) on whether: (1) management's description of the Service Organization's system fairly presents the Service Organization's system that was designed and implemented throughout the specified period, (2) internal controls were suitably designed to achieve the specified objectives and implemented throughout the specified period, and (3) the controls that were tested were operating effectively to provide reasonable assurance that the related control objectives were met during the period specified.
Each financial statement auditor tests the controls themselves or obtains an SSAE 16 (SOC 1 Type II) opinion.

11 Background and Purpose

12 What is an SSAE 16 Report?
- A Statement on Standards for Attestation Engagements No. 16 (SSAE 16) report is an independent third-party report identifying the control structure, policies, and procedures of a service organization.
- An SSAE 16 is internationally recognized as an industry standard in providing user organizations and their auditors comfort surrounding the service organization's internal controls.
- Management's report on internal control, describing the control environment, risk assessment, control activities, information and communication, and monitoring.
- SSAE 16 reports are also referred to as AT 801 and SOC 1 reports.
Recognized standard for providing user organizations and their auditors comfort relating to Service Organization Controls.

13 What are the Key Benefits?
- An SSAE 16 report may eliminate or significantly reduce the requirement for the company's auditor to do additional testing of a service provider's controls.
- An auditor-to-auditor communication which provides reliance to support the financial statement audit at user organizations.
- A reduction in service organization audit hours and business interruption by user organization auditors.
- An SSAE 16 demonstrates proactive control and the ability to highlight controls over new/enhanced products or services.
The degree to which redundant testing may be reduced is influenced by the scope and period covered by the SSAE

14 Using SSAE 16 Reports

15 Overview
Provides management and user entities with an opinion on:
- Fair presentation of the system description,
- Controls related to the control objectives are suitably designed, and
- Controls related to the control objectives are operating effectively.
Report covers controls relevant to user entity's financial statements.
[Diagram: SSAE 16 Report(s) flow from the service organizations (DFAS Civilian Pay, DFAS Standardized Disbursing, Defense Civilian Personnel Data System, DISA Automated Time & Attendance Production System, DISA Enterprise Computing Services) to the user entities (Army, Navy, Air Force, USMC, Other Defense Organizations).]
SSAE 16 reports minimize redundant testing of Service Organization controls by user entities and their auditors.

16 DoD Service Providers and SSAE 16 Reports
Current DoD SSAE 16s (updated April 13, 2015). Each entry gives the assessable unit and service provider, the system(s) included, the FY 2014 opinion and reporting period, and whether an SSAE 16 is planned for FY 2015 and FY 2016 with the projected reporting period and expected report issuance date.
- Civilian Pay (DFAS) - Systems: DCPS. FY 14: Unmodified, Oct - Jun 2014. FY 15: Yes, Oct - Jun 2015, issuance Aug 14, 2015. FY 16: Yes, Oct - Jun 2016, issuance Aug 12, 2016.
- Military Pay (DFAS) - Systems: DJMS-AC, DJMS-RC, DMO (Legacy), DMO (Web). FY 14: Unmodified, Oct - Jun 2014. FY 15: Yes, Oct - Jun 2015, issuance Aug 17, 2015. FY 16: Yes, Oct - Jun 2016, issuance Aug 17, 2016.
- Standard Disbursing Service (DFAS) - Systems: ADS, ADS IPAC MegaWizard, 22 MicroApps. FY 14: Unmodified, Oct - Jun 2014. FY 15: Yes, Oct - Jun 2015, issuance Aug 14, 2015. FY 16: Yes, Oct - Jun 2016, issuance Aug 12, 2016.
- Contract Pay (DFAS) - Systems: MOCAS, EAS, EUD (APVM / PPVM), SCRT, BAM ERMP. FY 14: Unmodified, Nov - Apr 2014. FY 15: Yes, Oct - Jun 2015, issuance Aug. FY 16: Yes, Oct - Jun 2016, issuance Aug 15, 2016.
- Financial Reporting (DFAS) - Systems: DDRS (AFS, B, DCM), 8 MicroApps. FY 14: Modified, Mar - Nov 2014. FY 15: Yes, Dec - Jul 2015, issuance Sept 15, 2015. FY 16: Yes, Oct - Jul 2016, issuance Sept 15, 2016.
- Fund Balance With Treasury (DCAS) (DFAS) - Systems: DCAS. FY 14: N/A. FY 15: No. FY 16: Yes, Jan - Jun 2016, issuance Aug 15, 2016.
- Fund Balance With Treasury (DRRT) (DFAS) - Systems: DRRT, 1 MicroApp. FY 14: N/A. FY 15: No. FY 16: Yes, Jan - Jun 2016, issuance Aug 15, 2016.
- Defense Civilian Personnel Data System (DCPDS) (DCPAS) - Systems: DCPDS. FY 14: Modified, Oct - Jun 2014. FY 15: Yes, Oct - Jun 2015, issuance Aug 15. FY 16: Yes, Oct - Jun 2016, issuance Aug 15.
- Contract Pay (DCMA) - Systems: MOCAS, etools. FY 14: Modified, Feb - Oct 2014. FY 15: Yes, Feb - Jul 2015, issuance Sept 15. FY 16: Yes, Oct - Jun 2016, issuance Aug 15.
The Department has a number of SSAE 16 examinations underway and has received several unmodified opinions.

17 DoD Service Providers and SSAE 16 Reports (continued)
Current DoD SSAE 16s (updated April 13, 2015), same columns as the previous slide.
- Wide Area Work Flow - Invoices Receipt Acceptance and Property Transfer (WAWF - irapt) (DLA) - Systems: irapt. FY 14: Modified, Mar - Aug 2014. FY 15: Yes, Oct - Jun 2015, issuance Sept 15. FY 16: Yes, Oct - Jun 2016, issuance Aug 15.
- Defense Agency Initiative (DAI) (DLA) - Systems: DAI. FY 14: Modified, Jan - Jun 2014. FY 15: Yes, Oct - Jun 2015, issuance Sept 15. FY 16: Yes, Oct - Jun 2016, issuance Aug 15.
- Defense Automatic Addressing System (DAAS) (DLA) - Systems: DAAS. FY 14: Modified, Sep - Feb 2014. FY 15: Yes, Oct - Jun 2015, issuance Sept 15. FY 16: Yes, Oct - Jun 2016, issuance Aug 15.
- Defense Travel System (DTS) (DLA) - Systems: DTS. FY 14: N/A. FY 15: Yes, Oct - Jun 2015, issuance Sept 15. FY 16: Yes, Oct - Jun 2016, issuance Aug 15.
- MilDeps Owned Items in DLA Custody (DLA) - Systems: DSS. FY 14: N/A. FY 15: No. FY 16: Yes, Oct - June 2016, issuance Aug 15.
- Enterprise Information Services (FY14 Scope) (DISA) - Sites: Mechanicsburg, Ogden, Oklahoma City. FY 14: Unmodified, Oct - Jun 2014. FY 15: N/A. FY 16: N/A.
- Enterprise Computing Services (FY Scope) (DISA) - Sites: Mechanicsburg, Ogden, Oklahoma City, Montgomery. FY 14: N/A. FY 15: Yes, Oct - Jun 2015, issuance Jul 31. FY 16: Yes, Oct - Jun 2016, issuance Jul 31.
- Automated Time Attendance and Production System (ATAAPS) (DISA) - Systems: ATAAPS. FY 14: N/A. FY 15: Yes, Oct - Jun 2015, issuance Jul 31. FY 16: Yes, Oct - Jun 2016, issuance Jul 31.
- Defense Property Accountability System (DPAS) (AT&L) - Systems: DPAS. FY 14: Unmodified, Oct - Jun 2014. FY 15: Yes, Jul - Jun 2015, issuance Aug 15. FY 16: Yes, Jul - Jun 2016, issuance Aug 15.
- Corporate Payment Systems / U.S. Bank Freight Payment Transaction Processing System (U.S. Bancorp) - Systems: Syncada. FY 14: Unmodified, Oct - Sept 2014. FY 15: Yes, Oct - Sept 2015, issuance Nov 15. FY 16: Yes, Oct - Sept 2016, issuance Nov 16.
The Department has a number of SSAE 16 examinations underway and has received several unmodified opinions.

18 DoD Service Providers and SSAE 16 Reports
[Timeline chart spanning Fiscal 2014, Fiscal 2015 and Fiscal 2016 by month (Sept. through Sept.), plotting the ODO Examination Period of each SSAE 16 against the ODO FS Audit Period. SSAE 16s shown, with opinion status where an opinion has been issued:]
- DFAS - Civilian Pay: UNMODIFIED OPINION
- DFAS - Military Pay: UNMODIFIED OPINION
- DFAS - Disbursing: UNMODIFIED OPINION
- DFAS - Contract Pay: UNMODIFIED OPINION
- DFAS - Financial Reporting: MODIFIED OPINION
- DFAS - FBWT (DCAS): NO SSAE 16 (GAP Period)
- DFAS - FBWT (DRRT): NO SSAE 16 (GAP Period)
- DCPAS - DCPDS: MODIFIED OPINION
- DCMA - Contract Pay: MODIFIED OPINION
- DLA - irapt (WAWF): MODIFIED OPINION
- DLA - DAI: MODIFIED OPINION
- DLA - DAAS: MODIFIED OPINION
- DLA - DTS
- DLA - SOIDC: NO SSAE 16
- AT&L - DPAS: UNMODIFIED OPINION
- US Bank - SYNCADA: UNMODIFIED OPINION
- DISA - ATAAPS
- DISA - ESD: UNMODIFIED OPINION
SSAE 16 reports will continue to be obtained in subsequent fiscal years.

19 Structure of the Report

20 What are the Key Terms?
- Control Objective - Statements intended to provide reasonable assurance regarding the achievement of objectives in the following categories: (1) reliability of financial reporting, (2) effectiveness and efficiency of operations, and (3) compliance with applicable laws and regulations.
- Control Activity - Policies and procedures at a service organization that may affect a user organization's internal control structure and the assertions in its financial statements.
- Operating Effectiveness - How a control is applied, the consistency with which it is applied, and by whom it is applied. Testing is performed by the service auditor to validate the operating effectiveness of key controls.
- Service Auditor - The auditor who reports on the processing of transactions by a service organization.
- Service Organization - The entity (or segment of an entity) that provides services to the user organization.
- User Organization - The entity that has engaged a service organization and whose financial statements are being audited.
The Service Auditor performs the SSAE 16 for the Service Organization.

21 Report Breakdown
- Section 1 - Report of Independent Auditor: Opinion on the design and operating effectiveness of controls and their ability to meet the control objective.
- Section 2 - Management's Assertion: A written assertion by management of the service organization about the service organization's system that was designed, implemented, and operated effectively throughout the specified period.
- Section 3 - Service organization's description of systems: The description of controls should contain aspects of the service organization's control environment, risk assessment, information and communication, monitoring of controls, and control activities that may impact the services provided to user organizations. This section may also include control objectives and related controls, descriptions of information technology systems and controls narratives, and user controls.
- Section 4 - Service organization's control objectives and related controls, and independent service auditor's tests of controls and results of tests: This section lists the control objectives, control activities, types of tests performed by the independent auditor, and results of the tests performed by the independent auditor.
- Section 5 - Other information provided by the service organization: Additional information which the service organization may desire to include in the report and which is not included within the scope of the audit opinion (e.g., business continuity / disaster recovery planning).
Section 4 provides detailed information regarding the controls in place at the Service Organization and results of testing.

22 Types of Tests
- Inquiry - Inquire of appropriate personnel to obtain knowledge and additional information regarding the control and corroborating evidence of the control. (Usually employed to validate non-key or low risk controls.)
- Observation - Observe the flow of transactions through the system, observe personnel performing day to day functions and applying controls, and review relevant documents and records as necessary.
- Inspection - Inspect a sample of documents and records which indicate or evidence the performance of controls.
- Reperformance - Test a sample of transactions and other items through re-performance of the control or processing application (e.g., ITF, CAATs).
The degree of testing is significantly more rigorous than required by internal certification and accreditation.

23 Audit Opinions
Unqualified opinion
- Ideal result: states that the control system is fairly presented and designed as well as operating effectively
- Achieved by having adequate controls in place and having no or minimal control exceptions found in testing
Qualified opinion
- States that, except for the effects of the matter(s) to which the qualification relates, the control system is fairly presented and designed as well as operating effectively
- Can be triggered by lacking efficient controls or by having multiple control exceptions
An unqualified opinion doesn't mean no action is required and a qualified opinion doesn't mean all hope is lost.

24 Audit Opinions (continued)
Adverse opinion
- States that the report does not present fairly the control system.
Disclaimer opinion
- States that the auditor does not express an opinion.
Emphasis of Matter
- Typically is used to inform the user that a control did not operate during the period and therefore the control objective cannot be achieved.
- Also used to provide information about a subsequent event or other matter that does not result in qualification but needs to be disclosed to the user.
Disclaimers or Adverse opinions have the most severe impact on Service Organization control reliance.

25 Subservice Organizations

26 Definitions
- Subservice Organization - A service organization used by another service organization to perform some of the services provided to user entities that are relevant to those user entities' internal control over financial reporting.
- Vendor and Other Service Providers - Similar to subservice organizations, but they are not required to achieve any of the control objectives.
We should consider the degree of interaction as well as the nature and materiality of the transactions processed by the service organization and the subservice organizations to determine the significance of the service organization's and subservice organization's controls to the user entity's controls.
If we determine that the services provided by the subservice organization are relevant, we should obtain the subservice organization's SOC 1 report and evaluate it in the same manner that we evaluated the service organization's SOC 1 report.
Subservice Organization controls must also be considered.

27 Examples of Subservice Organizations
DFAS, DLA, DCMA, and AT&L use the services of DISA (Enterprise Computing Services) for application hosting.
The description includes only the controls and related control objectives of the Service Organizations and excludes the control objectives and related controls of DISA Enterprise Computing Services. The auditors' examination did not extend to controls of DISA Enterprise Computing Services.
Subservice Organization reliance is pervasive in DoD.

28 Evaluation of CUECs

29 Complementary User Entity Controls (CUECs)
A service provided by the service organization may be designed with the assumption that certain controls will be implemented by the user entity. For example, the service may be designed with the assumption that the user entity will have controls in place for authorizing the transactions before they are sent to the service organization for processing.
We should determine whether the complementary user entity controls identified by the service organization are relevant in addressing the risk of material misstatement relating to the relevant assertions in the financial statements and, if so, obtain an understanding of whether the user entity has designed and implemented such controls.
The user auditor is responsible for testing controls related to CUECs that are in place at the user organization.
CUECs can impact reliance on the SSAE 16 report.

30 Examples
DFAS - FEDERAL CIVILIAN PAY SERVICE
Domain: Payroll Related Data/File Maintenance and Input: Personnel Actions
Control Objective 8 - Controls provide reasonable assurance that payroll data, including personnel and payroll adjustments, is received from authorized sources, and is input into DCPS completely, accurately, and timely.
User Entity Controls:
- All changes to the DCPS MER are approved by appropriate user entity management before submission for payroll processing.
- If a pseudo Social Security Number (SSN) is created, it has been authorized by appropriate user entity management and, if necessary, is accurately tied to a primary and valid SSN.
- All personnel actions are properly authorized and completely and accurately entered into DCPS or the interfacing system by the user entity HROs on a timely basis.
- The user entity HRO ensures employees that have no future payroll payment have submitted the proper notification to DCPS to stop payroll payment in a timely manner.
Columns for the reporting entity to complete for each user entity control: Applicable to Reporting Entity; Description of User Entity Control(s) (or Justification of Non-Applicability).
Significant attention has been placed on identifying the CUECs.

31 Examples (continued)
DFAS Financial Reporting. Unless otherwise specified, DDRS refers to DDRS-B, DDRS-AFS, and DDRS-DCM.
DFAS - Financial Reporting SSAE16 COMPLEMENTARY USER ENTITY CONTROLS SUMMARY (in the original: red text = DFAS responsibility, orange text = dual responsibility, black text = entity responsibility). Columns: Reference #, Domain, User Entity Controls, Responsible Party (DFAS or Reporting Entity), User Entity Control Considerations Relevant to Financial Reporting and/or DDRS, Comments, Proposed new wording*, KSDs Recommended to address CUEC.
- 1 - Access Controls. Responsible Party: Reporting entity. Comments: new Financial Reporting CUEC. Proposed new wording: Logical access to computer terminals and/or other computer devices, used to access DDRS, which are located at and/or administered by user entities, is restricted to authorized user entity staff. KSDs: (1) System Authorization Access Request form (e.g., DD 2875) authorizing network access; (2) Common Access Card authorization; (3) Policies and procedures relating to user access, computer issuance, and CACs; (4) Listing of system users and their privileges.
- 2 - Access Controls. Responsible Party: Reporting Entity. Comments: new Financial Reporting CUEC. Proposed new wording: Physical access to workstations and/or other computer devices used to access DDRS that are located at and/or administered by user entities is restricted to authorized user entity staff. KSDs: (1) System Authorization Access Request form (e.g., DD 2875) authorizing network access; (2) Common Access Card authorization; (3) Policies and procedures relating to user access, computer issuance, and CACs; (4) Listing of system users and their privileges.
- 3 - Security Management. User Entity Control: User entity is responsible to ensure their staff received appropriate security awareness training (Control Objective 1). Responsible Party: Reporting Entity. Comments: Revised CUEC wording. Proposed new wording: User entity staff receives appropriate security awareness training. KSDs: (1) Listing of user entity employees and training record; (2) Listing of system users and their privileges; (3) Policies and procedures relating to user access, computer issuance, and CACs; (4) Policies and procedures relating to security training.
- 4 - Security Management. User Entity Control: User entity is responsible to ensure that requests for DDRS user accounts are submitted only for those staff appropriately approved to receive access (Control Objective 1). Responsible Party: Reporting Entity. Comments: Revised CUEC wording. Proposed new wording: User entity staff access to DDRS has been duly authorized by an appropriate member of user entity management. KSDs: (1) Policies and procedures relating to user access, computer issuance, and CACs; (2) Listing of system users and their privileges; (3) DD 2875s; (4) List of authorized approvers/submitters.
Efforts have been made to solicit user entity input.

32 Exceptions, Responses, and Other Considerations

33 Responding to Exceptions Identified in SSAE 16 Reports
Auditee: Understand the risk and how it may be mitigated.

34 Other Considerations: Management's (Service Organization's) Response
Management's response to the identified exception(s) is often included in the unaudited section of the report, which means that the auditor did not test or verify that the information provided by management is accurate. The user entity and their auditor can use management's response to assist in determining the status of exceptions / remediation, but simply referencing management's response is typically not sufficient.
Additional testing may be required by the user entity and their auditor.

35 Other Considerations: GAP Period
The Service Organization and Service Auditor must balance the competing needs of maximizing the period covered versus delivering the SSAE 16 report in time for it to be useful to the user entities and their auditors.
[Same timeline chart as slide 18 (ODO Examination Period of each SSAE 16 plotted by month against the ODO FS Audit Period across Fiscal 2014, Fiscal 2015 and Fiscal 2016), shown here to illustrate the gap period.]

36 Other Considerations: GAP Period
As a result, SSAE 16 reports do not typically cover all twelve months of the fiscal year, resulting in a gap period. The user entities and their auditors will need to perform some additional procedures to obtain comfort that Service Organization controls continued to operate effectively during this period. It is typical for user entities and their auditors to obtain some comfort for the gap period by requesting a Bridge Letter, but this alone may not be sufficient.
Additional testing may be required by the user entity and their auditor.

37 Questions


Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators

Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators With increasing oversight and growing demands for industry regulations, third party assurance has never been under a keener

More information

ISACA Cincinnati Chapter March Meeting

ISACA Cincinnati Chapter March Meeting ISACA Cincinnati Chapter March Meeting Recent and Proposed Changes to SOC Reports Impacting Service and User Organizations. March 3, 2015 Presenters: Sayontan Basu-Mallick Lori Johnson Agenda SOCR Overview

More information

IT Attestation in the Cloud Era

IT Attestation in the Cloud Era IT Attestation in the Cloud Era The need for increased assurance over outsourced operations/ controls April 2013 Symeon Kalamatianos M.Sc., CISA, CISM Senior Manager, IT Risk Consulting Contents Introduction

More information

International Standard on Auditing (Ireland) 505 External Confirmations

International Standard on Auditing (Ireland) 505 External Confirmations International Standard on Auditing (Ireland) 505 External Confirmations MISSION To contribute to Ireland having a strong regulatory environment in which to do business by supervising and promoting high

More information

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities

More information

RISK ASSESSMENTS AND INTERNAL CONTROL CIS CHARACTERISTICS AND CONSIDERATIONS CONTENTS

RISK ASSESSMENTS AND INTERNAL CONTROL CIS CHARACTERISTICS AND CONSIDERATIONS CONTENTS CONTENTS Paragraphs Introduction... 1 Organizational Structure... 2 Nature of Processing... 3 Design and Procedural Aspects... 4 Internal Controls in a CIS Environment... 5 General CIS Controls... 6-7

More information

Council, 8 February 2017 Information Technology Report Executive summary and recommendations

Council, 8 February 2017 Information Technology Report Executive summary and recommendations Council, 8 February 2017 Information Technology Report Executive summary and recommendations Introduction This report provides the Council with an update into the work of the Information Technology Directorate

More information

Special Actions Security Office (SASO)

Special Actions Security Office (SASO) Defense Finance and Accounting Service Special Actions Security Office (SASO) Sharron Norris Walter Smith Melissa Dunlap 2016 Integrity - Service - Innovation Integrity - Service - Innovation SASO Mission

More information

INTERNATIONAL STANDARD ON AUDITING 505 EXTERNAL CONFIRMATIONS CONTENTS

INTERNATIONAL STANDARD ON AUDITING 505 EXTERNAL CONFIRMATIONS CONTENTS INTERNATIONAL STANDARD ON AUDITING 505 EXTERNAL CONFIRMATIONS (Effective for audits of financial statements for periods beginning on or after December 15, 2009) CONTENTS Paragraph Introduction Scope of

More information

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA? Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA? A brief overview of security requirements for Federal government agencies applicable to contracted IT services,

More information

A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS

A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS Introduction If you re a growing service organization, whether a technology provider, financial services corporation, healthcare company, or professional

More information

Within our recommendations for editorial changes, additions are noted in bold underline and deletions in strike-through.

Within our recommendations for editorial changes, additions are noted in bold underline and deletions in strike-through. 1633 Broadway New York, NY 10019-6754 Mr. Jim Sylph Executive Director, Professional Standards International Federation of Accountants 545 Fifth Avenue, 14th Floor New York, NY 10017 Dear Mr. Sylph: We

More information

SSAE 18 & new SOC approach to compliance. Moderator Name: Patricio Garcia Managing Partner ControlCase Attestation Services

SSAE 18 & new SOC approach to compliance. Moderator Name: Patricio Garcia Managing Partner ControlCase Attestation Services SSAE 18 & new SOC approach to compliance Moderator Name: Patricio Garcia Managing Partner ControlCase Attestation Services Agenda 1. SSAE 18 overview 2. SOC 2 + 3. 2017 Trust Services Criteria SSAE 18

More information

EXTERNAL CONFIRMATIONS SRI LANKA AUDITING STANDARD 505 EXTERNAL CONFIRMATIONS

EXTERNAL CONFIRMATIONS SRI LANKA AUDITING STANDARD 505 EXTERNAL CONFIRMATIONS SRI LANKA STANDARD 505 EXTERNAL CONFIRMATIONS (Effective for audits of financial statements for periods beginning on or after 01 January 2014) CONTENTS Paragraph Introduction Scope of this SLAuS... 1 External

More information

WHICH SOC REPORT IS RIGHT FOR YOUR CLIENT?

WHICH SOC REPORT IS RIGHT FOR YOUR CLIENT? CPAs & ADVISORS STRATEGIC ALLIANCE WEBINAR SERIES WHICH SOC REPORT IS RIGHT FOR YOUR CLIENT? June 20, 2017 Cindy Boyle TO RECEIVE CPE CREDIT Participate in entire webinar Answer polls when they are provided

More information

REPORT 2015/149 INTERNAL AUDIT DIVISION

REPORT 2015/149 INTERNAL AUDIT DIVISION INTERNAL AUDIT DIVISION REPORT 2015/149 Audit of the information and communications technology operations in the Investment Management Division of the United Nations Joint Staff Pension Fund Overall results

More information

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

FedRAMP: Understanding Agency and Cloud Provider Responsibilities May 2013 Walter E. Washington Convention Center Washington, DC FedRAMP: Understanding Agency and Cloud Provider Responsibilities Matthew Goodrich, JD FedRAMP Program Manager US General Services Administration

More information

Data Processing Agreement for Oracle Cloud Services

Data Processing Agreement for Oracle Cloud Services Data Processing Agreement for Oracle Cloud Services Version January 12, 2018 1. Scope, Order of Precedence and Term 1.1 This data processing agreement (the Data Processing Agreement ) applies to Oracle

More information

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

NYDFS Cybersecurity Regulations: What do they mean? What is their impact? June 13, 2017 NYDFS Cybersecurity Regulations: What do they mean? What is their impact? Gus Coldebella Principal, Boston Caroline Simons Principal, Boston Agenda 1) Overview of the new regulations 2) Assessing

More information

SAS 70 & SSAE 16: Changes & Impact on Credit Unions. Agenda

SAS 70 & SSAE 16: Changes & Impact on Credit Unions. Agenda SAS 70 & SSAE 16: Changes & Impact on Credit Unions John Mason CISM, CISA, CGEIT, CFE SingerLewak LLP October 19, 2010 Agenda Statement on Auditing Standards (SAS) 70 background Background & purpose Types

More information

SUBJECT: Training Policy-04 Defense Finance and Accounting Service Civilian Certifications, and Related Expenses

SUBJECT: Training Policy-04 Defense Finance and Accounting Service Civilian Certifications, and Related Expenses DFAS-HR/AR MEMORANDUM FOR DFAS EMPLOYEES SUBJECT: Training Policy-04 Defense Finance and Accounting Service Civilian Licenses, Certifications, and Related Expenses References: (a) Title 5, United States

More information

Battery Program Management Document

Battery Program Management Document Battery Program Management Document Revision 5.1 February 2011 CTIA Certification Program 1400 16 th Street, NW, Suite 600 Washington, DC 20036 e-mail: certification@ctia.org Telephone: 1.202.785.0081

More information

Retirement of SAS 70 and a new generation of Service Organization Control (SOC) Reports

Retirement of SAS 70 and a new generation of Service Organization Control (SOC) Reports new generation of Service Organization Control (SOC) Reports Presented by: Nina Currigan, KPMG Advisory Manager Karen Krebsbach, Ernst & Young Advisory Manager With you today Nina Currigan Advisory Manager

More information

International Standard on Auditing (UK) 505

International Standard on Auditing (UK) 505 Standard Audit and Assurance Financial Reporting Council July 2017 International Standard on Auditing (UK) 505 External Confi rmations The FRC s mission is to promote transparency and integrity in business.

More information

* - Note: complete submissions are to be submitted at least two weeks before any deadline to ensure timely closure.

* - Note: complete submissions are to be submitted at least two weeks before any deadline to ensure timely closure. PAGE 1 of 11 PROCESS OBJECTIVE : To effectively manage all feedback (as defined in QM-00-01 / 02) and associated correction and corrective action in an effective and objective manner. Feedback includes

More information

GDPR AMC SAAS AND HOSTED MODULES. UK version. AMC Consult A/S June 26, 2018 Version 1.10

GDPR AMC SAAS AND HOSTED MODULES. UK version. AMC Consult A/S June 26, 2018 Version 1.10 GDPR AMC SAAS AND HOSTED MODULES UK version AMC Consult A/S June 26, 2018 Version 1.10 INDEX 1 Signatures...3 2 General...4 3 Definitions...5 4 Scoping...6 4.1 In scope...6 5 Responsibilities of the data

More information

June 2012 First Data PCI RAPID COMPLY SM Solution

June 2012 First Data PCI RAPID COMPLY SM Solution June 2012 First Data PCI RAPID COMPLY SM Solution You don t have to be a security expert to be compliant. Developer: 06 Rev: 05/03/2012 V: 1.0 Agenda Research Background Product Overview Steps to becoming

More information

Solutions Technology, Inc. (STI) Corporate Capability Brief

Solutions Technology, Inc. (STI) Corporate Capability Brief Solutions Technology, Inc. (STI) Corporate Capability Brief STI CORPORATE OVERVIEW Located in the metropolitan area of Washington, District of Columbia (D.C.), Solutions Technology Inc. (STI), women owned

More information

IATF Transition Strategy Presenter: Mrs. Michelle Maxwell, IAOB

IATF Transition Strategy Presenter: Mrs. Michelle Maxwell, IAOB IATF 16949 Transition Strategy Presenter: Mrs. Michelle Maxwell, IAOB IATF 16949 Transition Strategy IATF 16949 transition strategy was presented at the IATF global stakeholder conference in Rome, Italy

More information

CASA External Peer Review Program Guidelines. Table of Contents

CASA External Peer Review Program Guidelines. Table of Contents CASA External Peer Review Program Guidelines Table of Contents Introduction... I-1 Eligibility/Point System... I-1 How to Request a Peer Review... I-1 Peer Reviewer Qualifications... I-2 CASA Peer Review

More information

OFFICE OF INTERNAL AUDIT Information Technology (IT) Audit Plan

OFFICE OF INTERNAL AUDIT Information Technology (IT) Audit Plan 2017 Information Technology (IT) Audit Plan Priority IT Audit Hours Start Duration 1 IT Vendors Selection (Procurement) 250 Apr 5-7 Weeks 2 Application Audit HUB (itslearning) 250 Apr 6 8 Weeks 3 Disaster

More information

Miscellaneous Payment

Miscellaneous Payment Invoicing Receipt Acceptance Property Transfer Miscellaneous Payment To learn how to electronically submit and take action on irapt documents through simulations and step-by-step procedures, visit the

More information

State of Florida Enterprise

State of Florida Enterprise State of Florida Enterprise E-mail Florida House of Representatives Appropriations Committee October 6, 2011 AGENCY FOR ENTERPRISE INFORMATION TECHNOLOGY David Taylor, Executive Director Coleen Birch,

More information

ATTACHMENT SAF/FM POLICY ON REIMBURSEMENT OF EXPENSES TO OBTAIN/ MAINTAIN PROFESSIONAL CREDENTIALS (REVISED Apr 2015)

ATTACHMENT SAF/FM POLICY ON REIMBURSEMENT OF EXPENSES TO OBTAIN/ MAINTAIN PROFESSIONAL CREDENTIALS (REVISED Apr 2015) ATTACHMENT SAF/FM POLICY ON REIMBURSEMENT OF EXPENSES TO OBTAIN/ MAINTAIN PROFESSIONAL CREDENTIALS (REVISED Apr 2015) 1. REFERENCES: a. Title 5, United States Code, section 5757, enacted by section 1112

More information

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE COMPLIANCE ADVISOR NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE A PUBLICATION BY THE EXCESS LINE ASSOCIATION OF NEW YORK One Exchange Plaza 55 Broadway 29th Floor New York, New York 10006-3728 Telephone:

More information

26 February Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, NW Washington, DC

26 February Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, NW Washington, DC 3701 Algonquin Road, Suite 1010 Telephone: 847.253.1545 Rolling Meadows, Illinois 60008, USA Facsimile: 847.253.1443 Web Sites: www.isaca.org and www.itgi.org 26 February 2007 Office of the Secretary Public

More information

REVIEW OF MANAGEMENT AND OVERSIGHT OF THE INTEGRATED BUSINESS MANAGEMENT SYSTEM (IBMS) January 16, 2009

REVIEW OF MANAGEMENT AND OVERSIGHT OF THE INTEGRATED BUSINESS MANAGEMENT SYSTEM (IBMS) January 16, 2009 APPENDIX 1 REVIEW OF MANAGEMENT AND OVERSIGHT OF THE INTEGRATED BUSINESS MANAGEMENT SYSTEM (IBMS) January 16, 2009 Auditor General s Office Jeffrey Griffiths, C.A., C.F.E. Auditor General City of Toronto

More information

Information for entity management. April 2018

Information for entity management. April 2018 Information for entity management April 2018 Note to readers: The purpose of this document is to assist management with understanding the cybersecurity risk management examination that can be performed

More information

CERTIFICATION BODY (CB) APPROVAL REQUIREMENTS FOR THE IFFO RESPONSIBLE SUPPLY (IFFO RS) AUDITS AND CERTIFICATION

CERTIFICATION BODY (CB) APPROVAL REQUIREMENTS FOR THE IFFO RESPONSIBLE SUPPLY (IFFO RS) AUDITS AND CERTIFICATION CERTIFICATION BODY (CB) APPROVAL REQUIREMENTS FOR THE IFFO RESPONSIBLE SUPPLY (IFFO RS) AUDITS AND CERTIFICATION Introduction The IFFO RS Certification Programme is a third party, independent and accredited

More information

Audit Report. Chartered Management Institute (CMI)

Audit Report. Chartered Management Institute (CMI) Audit Report Chartered Management Institute (CMI) 10 October 2012 Note Restricted or commercially sensitive information gathered during SQA Accreditation monitoring activities is treated in the strictest

More information

Adopting SSAE 18 for SOC 1 reports

Adopting SSAE 18 for SOC 1 reports Adopting SSAE 18 for SOC 1 reports Overview Since its adoption in 2011, service auditor reports issued in accordance with SSAE 16 have become increasingly common in the marketplace. In April 2016, the

More information

Subject: University Information Technology Resource Security Policy: OUTDATED

Subject: University Information Technology Resource Security Policy: OUTDATED Policy 1-18 Rev. 2 Date: September 7, 2006 Back to Index Subject: University Information Technology Resource Security Policy: I. PURPOSE II. University Information Technology Resources are at risk from

More information

SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY?

SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY? WHITE PAPER SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY? JEFF COOK DIRECTOR CPA, CITP, CIPT, CISA North America Europe 877.224.8077 info@coalfire.com coalfire.com TABLE OF CONTENTS Summary...

More information

Payment Card Industry (PCI) 3-D Secure (PCI 3DS) Qualification Requirements for 3DS Assessors

Payment Card Industry (PCI) 3-D Secure (PCI 3DS) Qualification Requirements for 3DS Assessors Payment Card Industry (PCI) 3-D Secure (PCI 3DS) Qualification Requirements for 3DS Assessors Version 1.0 November 2017 Document Changes Date Version Description November 2017 1.0 Initial Release of the

More information

CSF to Support SOC 2 Repor(ng

CSF to Support SOC 2 Repor(ng CSF to Support SOC 2 Repor(ng Ken Vander Wal, CPA, CISA, HCISPP Chief Compliance Officer, HITRUST * ken.vanderwal@hitrustalliance.net Agenda Introduction to SOC Reporting SOC 2 and HITRUST CSF AICPA and

More information

REPORT 2015/010 INTERNAL AUDIT DIVISION

REPORT 2015/010 INTERNAL AUDIT DIVISION INTERNAL AUDIT DIVISION REPORT 2015/010 Audit of information and communications technology strategic planning, governance and management in the Investment Management Division of the United Nations Joint

More information

APPROVAL SHEET PROCEDURE INFORMATION SECURITY MANAGEMENT SYSTEM CERTIFICATION. PT. TÜV NORD Indonesia PS - TNI 001 Rev.05

APPROVAL SHEET PROCEDURE INFORMATION SECURITY MANAGEMENT SYSTEM CERTIFICATION. PT. TÜV NORD Indonesia PS - TNI 001 Rev.05 APPROVAL SHEET PROCEDURE INFORMATION SECURITY MANAGEMENT SYSTEM CERTIFICATION PT. TÜV NORD Indonesia PS - TNI 001 Rev.05 Created : 20-06-2016 Checked: 20-06-2016 Approved : 20-06-2016 Indah Lestari Karlina

More information

October Broward County Government Human Services Department. Community Partnerships Division FY2015 Provider Information

October Broward County Government Human Services Department. Community Partnerships Division FY2015 Provider Information October 2014 Broward County Government Human Services Department Community Partnerships Division FY2015 Provider Information TOPICS Provider Resources Invoicing Quarterly Reports Other Required Reports

More information

DFARS Cyber Rule Considerations For Contractors In 2018

DFARS Cyber Rule Considerations For Contractors In 2018 Portfolio Media. Inc. 111 West 19 th Street, 5th Floor New York, NY 10011 www.law360.com Phone: +1 646 783 7100 Fax: +1 646 783 7161 customerservice@law360.com DFARS Cyber Rule Considerations For Contractors

More information

IATF Transition Strategy Presenter: Cherie Reiche, IAOB

IATF Transition Strategy Presenter: Cherie Reiche, IAOB IATF 16949 Transition Strategy Presenter: Cherie Reiche, IAOB IATF 16949 Transition Strategy IATF 16949 transition strategy was presented at the IATF global stakeholder conference in Rome, Italy in April

More information

CYBER SECURITY BRIEF. Presented By: Curt Parkinson DCMA

CYBER SECURITY BRIEF. Presented By: Curt Parkinson DCMA CYBER SECURITY BRIEF Presented By: Curt Parkinson DCMA September 20, 2017 Agenda 2 DFARS 239.71 Updates Cybersecurity Contracting DFARS Clause 252.204-7001 DFARS Clause 252.239-7012 DFARS Clause 252.239-7010

More information

NY DFS Cybersecurity Regulations August 8, 2017

NY DFS Cybersecurity Regulations August 8, 2017 NY DFS Cybersecurity Regulations August 8, 2017 23 NYCRR Part 500 Asking Questions Anti-Trust Policy As a CPCU approved education program related to The Institutes Chartered Property Casualty Underwriter

More information

NYDFS Cybersecurity Regulations

NYDFS Cybersecurity Regulations SPEAKERS NYDFS Cybersecurity Regulations Lisa J. Sotto Hunton & Williams LLP (212) 309-1223 lsotto@hunton.com www.huntonprivacyblog.com March 9, 2017 The Privacy Team at Hunton & Williams Over 30 privacy

More information

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION Cathy Bates Senior Consultant, Vantage Technology Consulting Group January 30, 2018 Campus Orientation Initiative and Project Orientation Project

More information

Description of the certification procedure MS - ISO 9001, MS - ISO 14001, MS - ISO/TS and MS BS OHSAS 18001, MS - ISO 45001, MS - ISO 50001

Description of the certification procedure MS - ISO 9001, MS - ISO 14001, MS - ISO/TS and MS BS OHSAS 18001, MS - ISO 45001, MS - ISO 50001 The certification of a management system based on standard ISO 9001, ISO 14001, ISO/TS 29001, BS OHSAS 18001, ISO 45001 or ISO 50001, consists of the offer and contract phase, the audit preparation, performance

More information

MHBE Compliance Program SECOND QUARTER FY 2019 REPORT. TO MHBE BOARD OF TRUSTEES January 22, 2019

MHBE Compliance Program SECOND QUARTER FY 2019 REPORT. TO MHBE BOARD OF TRUSTEES January 22, 2019 MHBE Compliance Program SECOND QUARTER FY 2019 REPORT TO MHBE BOARD OF TRUSTEES January 22, 2019 Presented by: Caterina Pañgilinan Audit Status Report Total Audit Findings Open Findings (3) SMART PY17

More information

Request for Qualifications for Audit Services March 25, 2015

Request for Qualifications for Audit Services March 25, 2015 Request for Qualifications for Audit Services March 25, 2015 I. GENERAL INFORMATION A. Purpose This Request for Qualifications (RFQ) is to solicit a CPA firm with which to contract for a financial and

More information

Google Cloud & the General Data Protection Regulation (GDPR)

Google Cloud & the General Data Protection Regulation (GDPR) Google Cloud & the General Data Protection Regulation (GDPR) INTRODUCTION General Data Protection Regulation (GDPR) On 25 May 2018, the most significant piece of European data protection legislation to

More information

Welcome To The. Broward County Human Services Department. Community Partnerships Division FY2016 Provider Information Workshop

Welcome To The. Broward County Human Services Department. Community Partnerships Division FY2016 Provider Information Workshop Welcome To The Broward County Human Services Department Community Partnerships Division FY2016 Provider Information Workshop Topics Of Discussion Provider Resources Invoicing Quarterly Reports Other Required

More information

IBM Managed Security Services - Vulnerability Scanning

IBM Managed Security Services - Vulnerability Scanning Service Description IBM Managed Security Services - Vulnerability Scanning This Service Description describes the Service IBM provides to Client. 1.1 Service IBM Managed Security Services - Vulnerability

More information

Studio Guggino and Newtonpartner S.r.l. a team of professionals at the service of your Company

Studio Guggino and Newtonpartner S.r.l. a team of professionals at the service of your Company Studio Guggino and Newtonpartner S.r.l. a team of professionals at the service of your Company To get where the others fail, we have to achieve even higher goals www.sas70.it MISSION Our Mission consists

More information

Billing and Collection Agent Report For period ending January 31, To FCC Contract Oversight Sub-Committee. February 11, 2019

Billing and Collection Agent Report For period ending January 31, To FCC Contract Oversight Sub-Committee. February 11, 2019 Billing and Collection Agent Report For period ending January 31, 2019 To FCC Contract Oversight Sub-Committee February 11, 2019 Welch LLP - Chartered Professional Accountants 123 Slater Street, 3 rd floor,

More information

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010 JAYACHANDRAN.B,CISA,CISM jb@esecurityaudit.com August 2010 SAS 70 Audit Concepts and Benefits Agenda Compliance requirements Overview Business Environment IT Governance and Compliance Management Vendor

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE Digital Policy Management consists of a set of computer programs used to generate, convert, deconflict, validate, assess

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance No Electronic Storage, Processing, or Transmission of Cardholder Data Version 1.2 October

More information

Audit Absolutes DHS/USCG Perspectives. Jeff Bobich DHS Director of Financial Management Mark Rose USCG Comptroller 10 March 2016

Audit Absolutes DHS/USCG Perspectives. Jeff Bobich DHS Director of Financial Management Mark Rose USCG Comptroller 10 March 2016 Audit Absolutes DHS/USCG Perspectives Jeff Bobich DHS Director of Financial Management Mark Rose USCG Comptroller 10 March 2016 1 DHS Audit Requirements & Overview 2 DHS Audit Requirements Chief Financial

More information

Chapter 10. Administration

Chapter 10. Administration Chapter 10 Administration This Page Left Blank Intentionally CTAS User Manual 10-1 Administration: Introduction The Admin section is where you enter your local government s required and optional system

More information

AUDIT OF ICT STRATEGY IMPLEMENTATION

AUDIT OF ICT STRATEGY IMPLEMENTATION APPENDIX A 2 1. Background AUDIT OF ICT STRATEGY IMPLEMENTATION 1.1. This report summarises the findings from the audit of ICT Strategy Implementation. This was a planned audit assignment which was undertaken

More information

Birmingham Community Healthcare NHS Foundation Trust. 2017/17 Data Security and Protection Requirements March 2018

Birmingham Community Healthcare NHS Foundation Trust. 2017/17 Data Security and Protection Requirements March 2018 1.0 Executive Summary Birmingham Community Healthcare NHS Foundation Trust 2017/17 Data Security and Protection Requirements March 2018 The Trust has received a request from NHS Improvement (NHSI) to self-assess

More information

Virginia Commonwealth University School of Medicine Information Security Standard

Virginia Commonwealth University School of Medicine Information Security Standard Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Personnel Security Standard This standard is applicable to all VCU School of Medicine personnel. Approval

More information

INTERNAL AUDIT DIVISION REPORT 2017/037

INTERNAL AUDIT DIVISION REPORT 2017/037 INTERNAL AUDIT DIVISION REPORT 2017/037 Audit of business continuity and disaster recovery in the secretariat of the United Nations Joint Staff Pension Fund There was need to align the business continuity

More information

REPORT 2015/186 INTERNAL AUDIT DIVISION

REPORT 2015/186 INTERNAL AUDIT DIVISION INTERNAL AUDIT DIVISION REPORT 2015/186 Audit of information and communications technology operations in the Secretariat of the United Nations Joint Staff Pension Fund Overall results relating to the effective

More information

SME License Order Working Group Update - Webinar #3 Call in number:

SME License Order Working Group Update - Webinar #3 Call in number: SME License Order Working Group Update - Webinar #3 Call in number: Canada Local: +1-416-915-8942 Canada Toll Free: +1-855-244-8680 Event Number: 662 298 966 Attendee ID: check your WebEx session under

More information

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Charting the Course... Certified Information Systems Auditor (CISA) Course Summary Course Summary Description In this course, you will perform evaluations of organizational policies, procedures, and processes to ensure that an organization's information systems align with overall business

More information

Data Processing Agreement

Data Processing Agreement Data Processing Agreement Merchant (the "Data Controller") and Nets (the "Data Processor") (separately referred to as a Party and collectively the Parties ) have concluded this DATA PROCESSING AGREEMENT

More information

MNsure Privacy Program Strategic Plan FY

MNsure Privacy Program Strategic Plan FY MNsure Privacy Program Strategic Plan FY 2018-2019 July 2018 Table of Contents Introduction... 3 Privacy Program Mission... 4 Strategic Goals of the Privacy Office... 4 Short-Term Goals... 4 Long-Term

More information

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites Solution Pack Managed Services Virtual Private Cloud Security Features Selections and Prerequisites Subject Governing Agreement DXC Services Requirements Agreement between DXC and Customer including DXC

More information

SAC PA Security Frameworks - FISMA and NIST

SAC PA Security Frameworks - FISMA and NIST SAC PA Security Frameworks - FISMA and NIST 800-171 June 23, 2017 SECURITY FRAMEWORKS Chris Seiders, CISSP Scott Weinman, CISSP, CISA Agenda Compliance standards FISMA NIST SP 800-171 Importance of Compliance

More information

SOC Reports The 2017 Update: What s new, What s not, and What you should be doing with the SOC Reports you receive! Presented by Jeff Pershing

SOC Reports The 2017 Update: What s new, What s not, and What you should be doing with the SOC Reports you receive! Presented by Jeff Pershing SOC Reports The 2017 Update What s new, What s not, and What you should be doing with the SOC Reports you receive! presented to Northeast Ohio ISACA Thursday, April 20, 2017 Jeff Pershing, CISA, CISM,

More information

This document/guide contains dated material; always check the ASMC website for the most recent information, policies, and other information.

This document/guide contains dated material; always check the ASMC website for the most recent information, policies, and other information. December 2010 CDFM OVERVIEW The American Society of Military Comptrollers offers the Certified Defense Financial Manager (CDFM) program to those persons desiring to demonstrate proficiency in the core

More information

Defense Hotline Allegations Concerning Contractor-Invoiced Travel for U.S. Army Corps of Engineers' Contracts W912DY-10-D-0014 and W912DY-10-D-0024

Defense Hotline Allegations Concerning Contractor-Invoiced Travel for U.S. Army Corps of Engineers' Contracts W912DY-10-D-0014 and W912DY-10-D-0024 Report No. DODIG-2013-056 March 15, 2013 Defense Hotline Allegations Concerning Contractor-Invoiced Travel for U.S. Army Corps of Engineers' Contracts W912DY-10-D-0014 and W912DY-10-D-0024 Report Documentation

More information

National Defense University and IRMC. National Defense University

National Defense University and IRMC. National Defense University The Forgotten Information Assurance Professional - Educating the Senior IT Manager Robert C. Norris, Jr. Information Resources Management College National Defense University 1 Overview Intro to IRMC and

More information

Personnel Certification Program

Personnel Certification Program Personnel Certification Program ISO 9001 (QMS) / ISO 14001 (EMS) Form PC1000 Last Updated 9/11/2017 Page 1 of 14 INDEX Auditor Certification Quality or Environmental Program Pg 3-4 Certification Status

More information