Using DoD SSAE 16/18 Service Organization Control (SOC) Reports (to Support Your Audit and A-123 Compliance)
|
|
- Barbra Bethanie Wiggins
- 6 years ago
- Views:
Transcription
1 Office of the Under Secretary of Defense (Comptroller) Office of the Deputy Chief Financial Officer Using DoD SSAE 16/18 Service Organization Control (SOC) Reports (to Support Your Audit and A-123 Compliance) American Society of Military Comptrollers (ASMC) PDI June 2, 2017 James Davila Accountant, FIAR Directorate, Office of the Deputy Chief Financial Officer, OUSD(C) Bradley Keith Director PwC Public Sector, LLP
2 Discussion Topics Using DoD SSAE 16/18 Service Organization Control (SOC) Reports 1) Service Organization Relationships Key Concepts End-to-End Process Relationships Service Organization Identification 2) Addressing Service Organization Controls Available Options Available SOC 1 Reports Relevant SOC 1 Reports 3) Using the Service Organization Controls Report Desired Outcomes SOC 1 Report Sections Areas for Consideration CUECs and CSOCs Reliability of Data (and Reports) Common Evaluation Pitfalls Reporting / User Entity Responsibilities 4) OUSD(C) FIAR Support and Available Resources 2
3 Service Organization Relationships Key Concepts
4 End to End Business Process Parts of audit relevant Reporting Entity business process are performed by one or more Third Parties. Reporting Entity Initiate / Execute Initiate / Execute Third Party Financial Statements The Reporting Entity is responsible for internal controls over financial reporting. 4
5 End to End Business Process It is critical to determine which Third Parties meet the definition of a Service Organization for A-123 and audit purposes (and which do not). Service Providers Vendors Third Parties Working Capital Funds Service Organizations Trading Partners What is the specific nature of the relationship (i.e., who does what)? 5
6 End to End Business Process AU-C 402: Audit Considerations Relating to an Entity Using a Service Organization.A7 The significance of the controls at the service organization to the user entity's internal control also depends on the degree of interaction between the service organization's activities and those of the user entity. The degree of interaction refers to the extent to which a user entity is able to and elects to implement effective controls over the processing performed by the service organization. For example, a high degree of interaction exists between the activities of the user entity and those at the service organization when the user entity authorizes transactions and the service organization processes and accounts for those transactions. In these circumstances, it may be practicable for the user entity to implement effective controls over those transactions. On the other hand, when the service organization initiates or initially records, processes, and accounts for the user entity's transactions, a lower degree of interaction exists between the two organizations. In these circumstances, the user entity may be unable to, or may elect not to, implement effective controls over these transactions at the user entity and may rely on controls at the service organization. Who Does What? Initiates Executes / Internally Records Accounting Processing? and? and? The Financial Statement Auditor will follow the Auditing Standards 6
7 End to End Business Process Why is this so important? If a Service Organization relationship / dependency exists. The Reporting Entity must address Service Organization (and Sub-service Organization) controls for OMB Circular A-123 (Appendix A) / ICOFR. Third Parties Service Providers Working Capital Funds Vendors Service Organizations The Reporting Entity financial statement auditor will also need to address the Service Organization (and Sub-service Organization) controls in financial statement audits and examinations. Trading Partners Service Organization Controls? You and / or your auditor can t ignore / assume what happens inside the Black Box. 7
8 End to End Business Process Reporting / User Entities User Auditors Service Organizations Sub-Service Organizations If a Service Organization relationship exists, all of the pieces need to fit. Roles and responsibilities must be aligned. 8
9 Addressing Service Organization Controls
10 Addressing Service Organization Controls How do I do this? There are a few options. Compliance with OMB Circular A-123 (Appendix A) / ICOFR Reporting Entity team documents and tests Service Organization controls. Reporting Entity obtains controls documentation and testing performed by Service Organization management and reviews for adequacy. Reporting Entity team or Service Organization management addresses gaps. Reporting Entity obtains / reviews Service Organization Controls (SOC 1) Reports on the design and operating effectiveness of internal controls over financial reporting at Service Organizations (and Sub-service Organizations). Service Organization Controls? Financial Statement Audit (must comply with audit independence requirements) Reporting Entity financial statement auditors (User Auditor) documents and tests Service Organization controls. Reporting Entity financial statement auditors (User Auditor) obtains / reviews Service Organization Controls (SOC 1) Reports on the design and operating effectiveness of internal controls over financial reporting at Service Organizations (and Sub-service Organizations). It is very inefficient for each / every Reporting Entity and their auditor to redundantly test Service Organization controls versus relying on the SOC 1 Reports. 10
11 Addressing Service Organization Controls How do I do this? What SOC 1 reports are available? 2018 U.S. Army GFEBS FY DFAS FBWT Treasury Reconciliation 2017 U.S. Army Conventional Munitions 2016 Compensation Benefit & Payment DFAS Vendor Pay (OWCP) Bill Processing 2016 Citigroup Technology Infrastructure (CTI) 2016 Treasury Admin Resource Center 2016 Treasury Invest & Borrowings Treasury Funds Management FY 2018 FY Total Systems Services Elavon, Inc Retail Payment Processing 2016 DFAS FBWT Treasury Distribution 2016 DLA SOIDC FY US Bank AXOL 2015 DISA (ATAAPS) 2015 DMDC DTS FY DFAS Contract Pay DCMA Contract Pay DFAS Financial Reporting DLA irapt DLA DAI FY DFAS Standard Disbursing DMDC DCPDS US Bank SYNCADA DFAS Military Pay 2013 DLA DAAS FY 2013 Legend 2012 AT&L / DLA DPAS DISA (EIS) DFAS Civilian Pay Unqualified / Unmodified Opinion Qualified / Modified Opinion TBD 0 FY 2012 FY 2005 Significant progress has been achieved but much remains to be done. 11
12 Addressing Service Organization Controls How do I do this? What SOC 1 reports are available? DoD SSAE 16/18s as of May 2017 SSAE 16/18 FY 2014 FY 2015 FY 2016 FY 2017 Service Provider Assessable Unit System(s) Included IPA Firm FY 14 Opinion Reporting Period IPA Firm FY 15 Opinion Reporting Period SSAE 16 for FY 16? IPA Firm FY 16 Opinion Reporting Period Report Issuance Date / Expected Issuance Date SSAE 16 for FY 17? IPA Firm FY 17 Opinion Projected Reporting Period for FY 17 Expected Report Issuance Date Civilian Pay DCPS KPMG Unmodified Oct Jun 2014 KPMG Unmodified Oct Jun 2015 Yes KPMG Unmodified Oct Jun 2016 Aug 12, 2016 Yes KPMG TBD Oct Jun 2017 Aug 15, 2017 Military Pay DJMS-AC, DJMS-RC, DMO (Web) KPMG Unmodified Oct Jun 2014 KPMG Modified Oct Jun 2015 Yes KPMG Modified Oct Jun 2016 Aug 17, 2016 Yes KPMG TBD Oct Jun 2017 Aug 17,2017 ADS, ADS IPAC MegaWizard 22 MicroApps: DFAS Standard Disbursing Service DD 2657 Statement of Accountability, State Tax Access Database, State Tax Microsoft Excel workbook, Post Certification Validation Tracking Workbook, GTN_Month_YR Excel Workbook, DJMSwkstmmyy excel workbook, Defense Civilian Payroll System (DCPS) Tracking Spreadsheet, 8522 IPAC Tracking Workbook (Excel), SSN 8522 ACH Spreadsheet, MMYYYY Batch Tracker, 6102 Voucher Workbook (Excel), Cleveland Consolidated Workbook (Excel), 2657 Workbook (Excel), E&C Reconciliation Workbook (Excel), DIT Tracker Workbook (Excel), IPAC Tracking Workbook (Excel), Kansas City Central Site IPAC Wizard (Access) KPMG Unmodified Oct Jun 2014 KPMG Unmodified Oct Jun 2015 Yes KPMG Unmodified Oct Jun 2016 Aug 15, 2016 Yes KPMG TBD Oct Jun 2017 Aug 15, 2017 Contract Pay Vendor Pay MOCAS, EAS, EUD (APVM / PPVM), SCRT, BAM ERMP OnePay, CAPS-W, CAPS-W Data Center, ODS, DCD/DCW, STARS, BAM, APVM GT Unmodified Nov Apr 2014 GT Unmodified Oct Jun 2015 Yes GT Unmodified Oct Jun 2016 Aug 15, 2016 Yes GT TBD Oct Jun 2017 Aug 15, 2017 NA NA NA NA NA NA No NA NA NA NA Yes GT TBD Feb Jul 2017 Sep 15, 2017 FBWT - Transaction Distribution DCAS, SAMS NA NA NA NA NA NA Yes KPMG Modified Mar Sep 2016 Nov 14, 2016 Yes KPMG TBD Oct Jun 2017 Aug 15, 2017 FBWT - Treasury Reconciliation DRRT, CMR NA NA NA NA NA NA No NA NA NA NA No NA NA NA NA DDRS (AFS, B, DCM), 8 MicroApps: Financial Reporting NWCF Trading Partner DB, Eliminator, MOCAS Data Call, Data Call Validation Tool, OMB Max Recon, Inventory Control, Employee Benefits, Buyer & Seller Side Elimations Kearney Modified Mar Nov 2014 Kearney Modified Dec Jul 2015 Yes Kearney Modified Oct Jul 2016 Sept 15, 2016 Yes Kearney TBD Oct Jul 2017 Sept 15, 2017 GT = Grant Thornton PwC - Price Waterhouse Coopers Kearney = Kearney & Company WACO= Williams Adley & Co. E&Y = Ernst & Young CBH = Cherry, Bekaert & Holland RMA = RMA Associates RESJ = Robins, Eskew, Smith & Jordan Multiple SOC 1s are underway or planned. 12
13 Addressing Service Organization Controls How do I do this? What SOC 1 reports are available? DoD SSAE 16/18s as of May 2017 SSAE 16/18 FY 2014 FY 2015 FY 2016 FY 2017 Service Provider Assessable Unit System(s) Included IPA Firm FY 14 Opinion Reporting Period IPA Firm FY 15 Opinion Reporting Period SSAE 16 for FY 16? IPA Firm FY 16 Opinion Reporting Period Report Issuance Date / Expected Issuance Date SSAE 16 for FY 17? IPA Firm FY 17 Opinion Projected Reporting Period for FY 17 Expected Report Issuance Date DMDC Defense Civilian Personnel Data System (DCPDS) DCPDS PwC Modified Oct Jun 2014 KPMG Unmodified Oct Jun 2015 Yes KPMG Unmodified Oct Jun 2016 Aug 15, 2016 Yes KPMG TBD Oct Jun 2017 Aug 15, 2017 Defense Travel System (DTS) DTS N/A N/A N/A WACO Modified Oct Jun 2015 Yes WACO Modified Oct Jun 2016 Sep 08, 2016 Yes KPMG TBD Oct Jun 2017 Aug 15, 2017 DCMA Contract Pay MOCAS, etools GT Modified Feb Oct 2014 GT Modified Feb Sept 2015 Yes GT Modified Jan June 2016 Aug 15, 2016 Yes GT TBD Oct Jun 2017 Aug 15,2017 Wide Area Work Flow - Invoices Receipt Acceptance and Property Transfer (WAWF - irapt) irapt RMA Modified Mar Aug 2014 WACO Modified Oct Jun 2015 Yes GT Modified Oct Jun 2016 Aug 15, 2016 Yes RMA TBD Oct Jun 2017 Aug 15, 2017 Defense Agency Initiative (DAI) DAI WACO Modified Jan Jun 2014 WACO Unmodified Oct Jun 2015 Yes GT Modified Oct Jun 2016 Aug 15, 2016 Yes RMA TBD Oct Jun 2017 Aug 15, 2017 DLA Defense Automatic Addressing System (DAAS) DAAS E&Y Modified Sep Feb 2014 WACO Modified Oct Jun 2015 Yes GT Modified Oct Jun 2016 Aug 15, 2016 Yes RMA TBD Oct Jun 2017 Aug 15, 2017 Service Owned Items in DLA Custody (SOIDC) DSS NA NA NA NA NA NA Yes Kearney Modified Jan Sept 2016 Apr 28, 2017 No NA NA NA NA Defense Property Accountability System (DPAS) DPAS CBH Unmodified Oct Jun 2014 CBH Unmodified Jul Jun 2015 Yes CBH Unmodified Oct Jun 2016 Aug 26, 2016 Yes CBH TBD Oct Jun 2017 Aug 15, 2017 Operations Center (FY Scope) Mechanicsburg, Ogden, Oklahoma City, Montgomery KPMG Unmodified Oct Jun 2014 E&Y Unmodified Oct Jun 2015 Yes E&Y Unmodified Oct Jun Aug-16 Yes E&Y TBD Oct Jun 2017 Aug 15, 2017 DISA Automated Time Attendance and Production System (ATAAPS) ATAAPS N/A N/A N/A E&Y Modified Oct Jun 2015 Yes E&Y Modified Oct Jun Aug-16 Yes E&Y TBD Oct Jun 2017 Aug 15, 2017 Conventional Ammunition LMP, WARS-NT, SAAS-MOD Yes KPMG TBD Oct Mar 2017 TBD U.S. Army General Fund Enetrprise Business System (GFEBS) GFEBS No NA NA NA NA Corporate Payment Systems (CPS) U.S. Bank Freight Payment Transaction Procerssing System Syncada E&Y Unmodified Oct Sept 2014 E&Y Unmodified Oct Sept 2015 Yes E&Y Unmodified Oct Jul 2016 Sept 19,2016 Yes E&Y TBD Aug Jul 2017 Sept 15, 2017 Total Systems Services (TSYS), Subservice Org to CPS, for credit management processing TS1 & TS2 Yes KPMG Unmodified Jan Sep 2016 Oct 31, 2016 Yes KPMG TBD Jan Sep 2017 Oct 2017 U.S. Bancorp Elavon, Inc., Subservice Org to CPS, for daily processing services related to carrier billing Merchant Processing System (MPS) Yes E&Y Unmodified Nov Oct 2016 Dec 19, 2016 Yes E&Y TBD Nov Oct 2017 Dec 2016 Retail Payment Processing (RPS), Subservice Org to CPS, for processing check, electronic payments & research payment discrepancies Integrated Card System, Triad, ACAPS, Falcon, SeQual, CASPER, CME, SAR, CA Web Viewer, IVR, ARMS Yes E&Y Unmodified Nov Oct 2016 Dec 19, 2016 Yes E&Y TBD Nov Oct 2017 Dec 2016 Commercial Card Transaction Processing System (ELAN) Access Online, SeQual, Corporate Payments Mgt Information System (CPMIS), Automated Credit Application Processing System (ACAPS) N/A N/A N/A E&Y Unmodified Nov Oct 2015 Yes E&Y Unmodified Nov Oct 2016 Dec 15, 2016 Yes E&Y TBD Nov Oct 2017 Dec 15, 2017 Multiple SOC 1s are underway or planned. 13
14 Addressing Service Organization Controls How do I do this? What SOC 1 reports are available? DoD SSAE 16/18s as of May 2017 SSAE 16/18 FY 2014 FY 2015 FY 2016 FY 2017 Service Provider Assessable Unit System(s) Included IPA Firm FY 14 Opinion Reporting Period IPA Firm FY 15 Opinion Reporting Period SSAE 16 for FY 16? IPA Firm FY 16 Opinion Reporting Period Report Issuance Date / Expected Issuance Date SSAE 16 for FY 17? IPA Firm FY 17 Opinion Projected Reporting Period for FY 17 Expected Report Issuance Date Compensation Benefit & Payment for Medical Services for Federal Civilian Employees U.S. Department of Labor Integrated Federal Employees' Compensation System (ifecs) Office of the Assistant Secretary for Administration and Management (OASAM) General Support System (GSS) Yes KPMG Unmodified Oct Jun 2016 Rec'd Oct Yes KPMG TBD Oct Jun 2016 Early Sept Office of Workers' Compensation Program (OWCP) Bill Processing / Central Bill Processing System Central Bill Processing System Yes RESJ Unmodified Oct Mar 2016 Rec'd Oct Yes RESJ TBD Oct Mar 2016 Early Sept Travel Card Mainframe Systems Include: IBM z/os, Unisys ClearPath Citi Citigroup Technology Infrastructure (CTI), Global Information Security (GIS), Global Identity Admin (GIDA) Midrange include: Stratus, Nonstop Tandem, & IBM series and various types of physical & virtual UNIX, Linux Windows operating systems) Yes KPMG Unmodified Jan Sep 2016 Rec'd Jan 26, 2017 Yes KPMG TBD Jan Sep 2017 Dec 2017 U.S. Treasury Oracle Federal Financials (Oracle) & Discoverer Admin Resource Accounting, Budgeting, Reporting, Travel, Procurement, Systems Support & Platform Services Feeder Systems: PRISM, IPP, CGE, movelinq & E- Payroll to Oracle Reporting (EOR). ARC provides Yes KPMG Unmodified Jul Jun 2016 Sep 1, 2016 Yes KPMG TBD Jul Jun 2017 Sep 2017 Center application admin of feeder systems. U.S. Treasury Federal Investment Transactions for Government Securities InvestOne Accounting System & FedInvest Subsystem Yes KPMG Unmodified Aug Jul 2016 Sep 23, 2016 Yes KPMG TBD Aug Jul 2017 Sep 2017 Investments & Borrowings U.S. Treasury Management & Accounting Services for Select Gov't Trust Funds, Treasury managed accounts, accounts Funds of Treasury's Office of the Asst Sec for Int'l Affairs Management InvestOne Accounting System & FedInvest Subsystem Yes KPMG Unmodified Aug Jul 2016 Sep 23, 2016 Yes KPMG TBD Aug Jul 2017 Sep 2017 Multiple SOC 1s are underway or planned. 14
15 Addressing Service Organization Controls How do I do this? Which SOC 1s do I need? Projected FY 2017 SSAE 18 Distribution List to DoD Components (Based on Components' Responses) As of Jan 27, 2017 DFAS - Service Provider DLA - Service Provider AT&L - Service Provider DoDHRA DMDC - Service Provider DCMA - Service Provider DISA - Service Provider Standard Disbursing Services Military Pay Financial Reporting Civilian Pay No. DoD Component Tier (ADS) (DJMS & DMO) (DDRS) (DCPS) Contract Pay Vendor Pay Fund Balance with Treasury - Wide Area Work Flow - Invoices Receipt Corporate Payment Systems - Freight (MOCAS, EAS, EUD (CAPSW, OnePay, ODS, Transaction Distribution Defense Automatic Addressing System Defense Agency Initiative Service Owned Items in DLA Custody - SOIDC Defense Property Accountability System Commercial Credit Card Processing System Defense Civilian Personnel Data System Defense Travel System Acceptance and Property Transfer Payments System (APVM/PPVM), SCRT, BAM- DCD/DCW, STARS, CAPSW Data Defesne Cash Accountability System (DAAS) (DAI) Distribution Standard System (DSS) (DPAS) (Access Online) (DCPDS) (DTS) (WAWF - irapt) (Syncada) ERMP) Center, BAM-ERMP, APVM) (DCAS) Contract Pay (MOCAS) Automated Time Attendance and Production System Enterprise Computing Service (ATAAPS) 1 Air Force GF 1 2 Air Force WCF 1 3 Army GF 1 4 Army WCF 1 5 Navy GF & WCF 1 6 USACE 1 7 USMC GF & WCF 1 8 DIA (Defense Intelligence Agency) 2 9 NGA (National Geospatial-Intelligence Agency) 2 10 NRO (National Reconnaissance Office) 2 11 NSA (National Security Agency) 2 See Note Below 12 DCAA 2 13 DeCA (GF & WCF) 2 14 DFAS (as reporting entity) 2 15 DHA-CRM 2 16 DHA (FOD, NCR, Comptroller) 2 17 SMA-Army 2 18 SMA-Navy 2 19 SMA-USAF 2 20 DISA (GF & WCF) 2 21 DLA (GF, WCF & Strategic Materials) 2 22 USSOCOM 2 23 USTRANSCOM 2 USTRANSCOM reviewing USTRANSCOM reviewing USTRANSCOM reviewing 24 USUHS 2 25 CBDP 3 26 DARPA 3 27 DCMA 3 28 DoDEA 3 29 DSCA 3 30 DTRA 3 31 MDA 3 32 Office of Chairman of JCS 3 33 WHS 3 34 DAU 4 35 DHRA 4 36 DLSA 4 37 DMA (Defense Media Activity) 4 38 DMEA (Defense Micro-Electronics Activity) 4 39 DoDIG 4 40 DPMO / DPAA (Def POW/MIA Accounting Agency) 4 41 DSS 4 42 DTIC 4 43 DTSA 4 44 NDU 4 45 OEA 4 46 AT&L DPAS (as a service provider) N/A 47 DCMA Contract Pay (as a service provider) N/A DFAS (Std Disb, Mil Pay, Fin Rpting, Civ Pay, Contract 48 N/A Pay, FBWT-DCAS (as a service provider) 49 DLA (irapt, DAI & DAAS) (as a service provider) N/A 50 DISA ATAAPS (as a service provider) N/A 51 DMDC DTS (as a service provider) N/A User Entities are responsible for report distribution within their organizations. 15
16 Addressing Service Organization Controls How do I do this? Which SOC 1s do I need? DISA Subservice Organizations Other (DoD) Other (Non-DoD) Service Organization - SOC 1 (expected FY 17) DISA Enterprise Services (ES) DISA Joint Interoperability Test Command (JITC) DFAS Accounting Operations Directorate Defense Finance and Accounting Service (DFAS) DFAS (ATAAPS) DFAS (DCPS) Defense Logistics Agency (DLA) Defense Contract Management Agency (DCMA) Defense Manpower Data Center (DMDC) Federal Retirement Thrift Investment Board (FRTIB) Total System Services, Inc. (TSYS) Elavon, Inc. Carpathia (Hosting Facility Contractor) Convergys Corporation U.S. Bank Retail Payment Solutions (RPS) U.S. Bank National Retail Lockbox Xerox Verizon First Federal Sprint and SunGard Edgeweb DFAS - Civilian Pay X X X DFAS - Military Pay X X X X DFAS - Standard Disbursing X X DFAS - Contract Pay X X X DFAS - Vendor Pay* DFAS FBWT - Transaction Distribution X X DFAS FBWT - Treasury Reconciliation* DFAS - Financial Reporting X DMDC - Defense Civilian Personnel Data System (DCPDS) DMDC - Defense Travel System (DTS) X DCMA - Contract Pay X DLA - Invoice Receipt Acceptance and Property Transfer (irapt) X X DLA - Defense Agency Initiative (DAI) X X DLA - Defense Automatic Addressing System (DAAS) DLA - Service Owned Items in DLA Custody (SOIDC) DLA - Defense Property Accountability System (DPAS) X X DISA - Enterprise Services (Hosting) DISA - Automated Time & Attendance Production System (ATAAPS) X X X U.S. Bancorp - Freight Payment Transaction Processing X X X U.S. Bancorp - Commercial Card Transaction Processing System X X X X U.S Department of Labor Integrated Federal Employees' Compensation System. X X X X X (Relates to Federal Employees' Compensation Act (FECA)) Expected FY 17 Subservice Organizations updates / changes are probable. 16
17 Addressing Service Organization Controls How do I do this? Which SOC 1s do I need? Civilian Pay SOC 1 Page 41 - DISA ES provides the physical hosting and administration of DCPS. Specific functions / responsibilities include: - Maintenance of the hardware and system software supporting DCPS. - Protection of computer platforms and resident software and data from unauthorized physical access and environmental hazards. - Administration of logical access to ACF 2. - Performance of certain computer operations activities for the mainframe platforms supporting DCPS, including monitoring of processing, and resolution of any deviations from the pre-defined processing schedule. - Administration of data transmission utilities and monitoring of data transmissions to and from the mainframe platforms supporting DCPS. - Performance of uptime monitoring and assistance with the resolution of availability issues related to DCPS. - System software, application, and data backup and recovery. Civilian Pay FY 16 SOC 1 Family DISA Enterprise Services Defense Civilian Personnel Data System (DCPDS) DAI / ATAAPS Time & Attendance DFAS Civilian Payroll (DCPS) DFAS Standardized Disbursing (ADS) DFAS FBWT Transaction Distribution (DCAS) Civilian Pay SOC 1 Page 41 - DCPDS is and HR information support system for maintaining civilian personnel data in the DoD. DCPDS is used to provide HR / personnel support such as applicant ratings, employee appointments, reassignments, and promotions. Civilian Pay SOC 1 Page 29 - Some user entities send their T&A data into DCPS using batch files generated from separate, userentity operated T&A systems. Civilian Pay SOC 1 Page 33 - The DD 592 file is sent to ADS for processing by Disbursing Operations and to the Defense Cash Accountability System (DCAS) for use in downstream reconciliations and financial reporting. - Check and EFT Payment Files: On a bi-weekly basis, DCPS produces check and EFT payment files interfaced to ADS for disbursement to user entity civilian employees. Note: The DLA DAAS SOC 1 may also be applicable for those entities routing interface files through this system. SOC 1 reports may point you / your auditor where to go. Follow the End-to-End Process. 17
18 Using the Service Organization Controls Report
19 How do I use the SOC 1 report? Desired Outcomes Reporting / User Entity What are we trying to achieve? Unqualified / Unmodified SOC 1 Opinions (performed under the examination standards SSAE 18, AT-C 105, AT-C 205, AT-C 320) Controls Reliance User Entities Place Reliance on the SOC 1 Reports (following A-123 Appendix A / ICOFR requirements) User Auditors Place Reliance on the SOC 1 Reports (as allowed by the auditing standards ex., AU-C 402) An Unqualified SOC 1 does not automatically result in User Auditor reliance. 19
20 How do I use the SOC 1 report? Desired Outcomes The User Auditor s ability to rely on internal controls directly affects audit and audit support costs Level of Controls Reliance Auditor Sample Sizes High Internal Controls Reliance Optimum for a large financial statement audit Minimum Sample Sizes Some Internal Controls Reliance Sufficient for a financial statement audit Reduced Sample Sizes No Internal Controls Reliance Inefficient and Unsustainable Maximum Sample Sizes 10s to 100s of thousands of sample items across DoD An Unqualified SOC 1 does not automatically result in User Auditor reliance. 20
21 How do I use the SOC 1 report? SOC 1 Report Structure A SOC 1 Report typically includes the following sections: Section 1 Independent Service Auditor s Report Section 2 Assertion Provided by Management of the Service Organization Section 3 Description of the Service Organization, including an overview of relevant operations and applications Complementary User Entity Controls (CUECs) Subservice Organizations and Complementary Subservice Organization Controls CSOCs Section 4 Service Organization s Control Objectives and Related Controls (Control Objectives, Controls, and Test of Operating Effectiveness) Section 5 Other Information Provided by Service Organization Management (UNAUDITED) Read the report and assess the impact on your risk of financial misstatement. 21
22 How do I use the SOC 1 report? Areas for Consideration 1 Service auditor competency 6 Evaluation of relevant controls 2 Scope exclusions 7 Reliability of data 3 Carve-outs 8 Results of tests CUECs 4 9 Opinion 5 CSOCs 10 Gap Periods Your auditor will consider these. So should you. 22
23 How do I use the SOC 1 report? What are CUECs and CSOCs Example DFAS Control Objective: Controls provide reasonable assurance that logical access to DCPS programs and data is restricted to authorized users. CSOCs (SSAE 18) DFAS controls were designed assuming certain controls were in place at the Subservice Organization (DISA). These assumptions will now be included in Management s Description for each Subservice Organization. Some basis is needed for the assumptions and DFAS is responsible for monitoring Sub-service providers. DFAS Controls Designed & Operating Effectively CUECs (SAS 70, SSAE 16, and SSAE 18) DFAS controls were designed assuming certain controls were in place at the customer (Reporting Entity). These assumptions have been and will continue to be included in Management s Description. Some basis is needed for the assumptions but DFAS is not responsible for monitoring customers. DISA Controls User Entity Controls Appropriate controls need to be in place at the Reporting Entity, Service Organization(s), and Sub-service Organization(s) to achieve the Control Objective. 23
24 How do I use the SOC 1 report? What are CUECs and CSOCs Reporting / User Entities Controls Controls CUECs (SSAE 16 & 18) DFAS controls were designed assuming certain controls were in place at the customer (Reporting Entity). CUECs DFAS Civilian Pay Service SOC 1 Controls Reporting Entity / User Auditors Controls CSOCs CUECs (SSAE 16 & 18) DISA controls were designed assuming certain controls were in place at the customer (DFAS). CSOCs (SSAE 18) DFAS controls were designed assuming certain controls were in place at the Subservice Organization (DISA). CUECs Controls DISA Hosting Services SOC 1 Appropriate controls need to be in place at the Reporting Entity, Service Organization(s), and Sub-service Organization(s) to achieve the Control Objective. 24
25 How do I use the SOC 1 report? Reliability of Data (and Reports) Background: The clarified standards require the service auditor to evaluate whether system generated information is sufficiently reliable for the service auditor s purposes by obtaining evidence about its accuracy and completeness and evaluating whether the information is sufficiently precise and detailed. They also require the service auditors and the service organization to validate system generated information and reports by detailing how they are generated, who prepares such reports and ensuring the requisite level of detail in such reports. Effectiveness of controls depends in part on the controls over the accuracy and completeness of the system-generated data or reports. Classes of system generated information: The following are the types of data that should be evaluated as part of the SOC 1 attestation: Information used in the execution of controls within the SOC 1 report. Information provided by the service organization to the service auditor to perform testing of controls. Information provided to the user entity. User Entities should understand what reports are being generated by the Service Organization and then confirm whether those reports are included in the SOC 1. 25
26 How do I use the SOC 1 report? Reliability of Data (and Reports) Translation: 1. Reports / data that are relied upon by the Service Organization to perform controls in their SOC 1 (e.g., user access list, reconciliation reports, spreadsheets, etc.) 2. Reports / data that are used by the Service Auditor to perform SOC 1 testing (e.g., user access listings, transaction populations). 3. Reports / data that are provided to the User Entity and are relied upon in your financial reporting (e.g., reporting package, external outputs). User Entities should understand what reports are being generated by the Service Organization and then confirm whether those reports are included in the SOC 1. 26
27 How do I use the SOC 1 report? Common Evaluation Pitfalls Certain applications, interface programs used by some user entities might not be included in the scope of the report and / or important IT controls may be scoped out. The report may be directed at only a limited number of user entities or the coverage is only for certain locations. Relevant reports from the Service Organization may not be included within the scope of the procedures performed by the Service Auditor. All exceptions (not just those within qualified objectives) are not considered for relevance and impact to the User Entity. Subservice Organization SOC 1 reports are not obtained and reviewed. Reporting / User Entities Service Organizations User Auditors Sub-Service Organizations Your auditor will consider these. So should you. 27
28 Reporting Entity Responsibilities for Service Organization Controls Establish MOUs that clearly identify who is responsible for what. 1. Identify all Service Organizations (Service Providers) that impact the Reporting Entity s internal controls over financial reporting. 2. Document an understanding of the Service Providers impact on the Reporting Entity s Financial Reporting and Associated Risks. 3. Document the Reporting Entity s Understanding of Service Provider Controls in Place to Mitigate Financial Reporting Risks. 4. Evaluate the Design and Operating Effectiveness of Service Provider Controls in Place to Mitigate Financial Reporting Risks. 5. Address Complementary User Entity Controls (CUECs) Identified by the Service Provider (i.e., implement effective controls within the Reporting Entity). D O C U M E M T 6. Establish Regular Communications with Service Providers to Monitor Performance and Identify Events that may Impact Internal Controls Over Financial Reporting. Attend and actively participate in the Service Provider Working Group meetings. 28
29 Reporting Entity Responsibilities for Service Organization Controls Other Important Responsibilities Update the FIAR System Database (FSD) to reflect changes. At a minimum, this should be completed to support the bi-annual FIAR Plan Status Report. Notify OUSD(C) FIAR of needed SOC 1s Notify OUSD(C) FIAR if points of contact for SOC 1 distribution have changed. Distribute SOC 1 reports within your own organization, in a timely manner, to all personnel who need them. Communication Protocols Must be Established and Maintained 29
30 OUSD(C) FIAR Support and Available Resources
31 OUSD(C) FIAR Support & Available Resources OUSD(C) FIAR Support Activities Service Provider Working Group Meetings (January, May, and August) Dates / timing requested by User Auditor s performing financial statement audits. Updates provided on SOC 1 scope changes, CUEC changes, status of NFRs, progress on current SOC 1s, etc. IPA Roundtable Meetings Periodic meetings with GAO, DOD IG, and IPA firms performing financial statement audits, audit readiness examinations, and SOC 1 engagements to solicit input on SOC 1 report usability and other audit relevant topics. CUEC Workshops Nine separate workshops were conducted covering audit relevant SOC 1 reports. Included participants from User/Reporting Entities and Service Organizations. MILSTRIP workshops with DLA and customer entities. Detailed walkthroughs of multiple MILSTRIP buy / sell scenarios. Focus on financial statement audit impacting roles and responsibilities. User / Reporting Entity participation is essential. 31
32 OUSD(C) FIAR Support & Available Resources Available Resources SOC 1 Improvement Policy Memo Deputy Chief Financial Officer Policy Memo Issued in February 2016 Identified Ten Required Changes to SOC 1 Reports 1. SOC 1 Reports to be Issued by August 15 th of each year. 2. Nine Month Attestation Period (October 1 June 30). 3. Bridge Letters to be Issued by October 8 th of each year. 4. CUECs to be Aligned to Control Objectives 5. Describe Service Provider Controls in Place to Monitor Subservice Providers and Identify Service Provider Controls in Place to Address Subservice Provider CUECs. 6. Establish an Interim Milestone of April 30 th to Obtain Service Auditor Feedback. 7. Identify Key Inputs and Management s Rationale / Approach. 8. Identify Edit Checks and Management s Rationale / Approach. 9. Identify Interfaces and Management s Rationale / Approach. 10. Identify Outputs and Management s Rationale / Approach. Action has been taken on IPA feedback and status updates provided. 32
33 OUSD(C) FIAR Support & Available Resources Available Resources SSAE 18 Policy Memo Memo was sent to Service Organizations for comment and addresses the following key points: 1. Service Organizations to meet with their IPA(s) to establish an understanding of SSAE 18 impact by January 13, Service Organization to validate the reliability of key output reports / data. 3. Service Organizations to document Complementary Subservice Organization Controls (CSOCs), their basis for assuming the CSOC is in place at the Subservice Organization, and the associated monitoring controls in place at the Service Organization. 4. Service Organizations to communicate of CSOCs to Subservice Organizations by January 23, Provides a deadline for Subservice Organizations to inform Service Organizations that they do not plan to have controls in place to address the CSOCs. 6. Provides a deadline for Subservice Organizations to provide corrective plans to Service Organizations for those instances where remediation is needed to put controls in place to address the CSOCs.. Input was solicited from IPAs performing financial statement audits and SOC 1 engagements. 33
34 OUSD(C) FIAR Support & Available Resources Available Resources FIAR Systems Database Home Page System Owner Data Entry System User Data Entry Important to make timely updates to support FIAR Plan Status Report and responses to ad-hoc requests. 34
35 OUSD(C) FIAR Support & Available Resources Available Resources CUECs OUSD(C) maintains and has distributed the following: An Excel file containing all CUECs from all relevant SOC 1 reports (with additions, deletions, changes from the prior year highlighted Baseline control descriptions that can be customized to address CUECs. Test plans for the Baseline controls. If you have questions or needs, please ask! 35
36 OUSD(C) FIAR Support & Available Resources Available Resources Service Organization Vs. Trading Partner Assessment & CSOCs Auditing Standards based Service Organization vs. Trading Partner Assessment Template Complementary Subservice Organization Controls (CSOCs) Identification Template If you have questions or needs, please ask! 36
37 OUSD(C) FIAR Support & Available Resources Available Resources Contact Information James Davila Accountant, FIAR Directorate, Office of the Deputy Chief Financial Officer, OUSD(C) (703) Bradley Keith Director, PwC Public Sector, LLP (571) (703) If you have questions or needs, please ask! 37
38 Questions
What are SSAE 16 Reports and How do I Use Them to Support my Audit and A-123 Compliance? Presentation to ASMC PDI May 29, 2015
What are SSAE 16 Reports and How do I Use Them to Support my Audit and A-123 Compliance? Presentation to ASMC PDI May 29, 2015 Agenda Internal Controls Over Financial Reporting - Internal Control Definition
More informationISACA Cincinnati Chapter March Meeting
ISACA Cincinnati Chapter March Meeting Recent and Proposed Changes to SOC Reports Impacting Service and User Organizations. March 3, 2015 Presenters: Sayontan Basu-Mallick Lori Johnson Agenda SOCR Overview
More informationWorkshop 71: Is Your Financial System Ready? An Overview of Effective Federal Information System Controls Audit Manual (FISCAM) Assessments
Workshop 71: Is Your Financial System Ready? An Overview of Effective Federal Information System Controls Audit Manual (FISCAM) Assessments ASMC PDI 2015 New Orleans, LA May 28, 2015 Workshop 71: Agenda
More informationMastering SOC-1 Attestation Reports Under SSAE 16: Auditing Service Organizations Controls in the Cloud
FOR LIVE POGRAM ONLY Mastering SOC-1 Attestation Reports Under SSAE 16: Auditing Service Organizations Controls in the Cloud TUESDAY, AUGUST 9, 2016, 1:00-2:50 pm Eastern IMPORTANT INFORMATION FOR THE
More informationService Organization Control (SOC) Reports: What they are and what to do with them MARCH 21, 2017
Service Organization Control (SOC) Reports: What they are and what to do with them MARCH 21, 2017 Presenter Colin Wallace, CPA/CFF, CFE, CIA, CISA Partner Colin has provided management consulting and internal
More informationUnderstanding and Evaluating Service Organization Controls (SOC) Reports
Understanding and Evaluating Service Organization Controls (SOC) Reports Kevin Sear, CPA, CIA, CISA, CFE, CGMA Agenda 1. Why are SOC reports important? 2. Understanding the new SOC-1, SOC-2, and SOC-3
More informationAudit Considerations Relating to an Entity Using a Service Organization
An Entity Using a Service Organization 355 AU-C Section 402 Audit Considerations Relating to an Entity Using a Service Organization Source: SAS No. 122; SAS No. 128; SAS No. 130. Effective for audits of
More informationWhy UID? LeAntha Sumpter May 11, 2005
Why UID? LeAntha Sumpter May 11, 2005 1 DoD, its coalition partners, and industry efficiently and effectively manage people, property, and intangible assets using globally unique identification 2 Ubiquitous
More informationC22: SAS 70 Practices and Developments Todd Bishop, PricewaterhouseCoopers
C22: SAS 70 Practices and Developments Todd Bishop, PricewaterhouseCoopers SAS No. 70 Practices & Developments Todd Bishop Director, Risk Assurance Services, PricewaterhouseCoopers Agenda SAS 70 Background
More informationAuditing IT General Controls
Auditing IT General Controls Amanthi Pendegraft and Nadine Yassine September 27, 2017 Agenda Introduction and Objectives IT Audit Fundamentals IT General Controls Overview Access to Programs and Data Program
More informationSOC Reporting / SSAE 18 Update July, 2017
SOC Reporting / SSAE 18 Update July, 2017 Agenda SOC Refresher Overview of SSAE 18 Changes to SOC 1 Changes to SOC 2 Quiz / Questions Various Types of SOC Reports SOC for Service Organizations (http://www.aicpa.org/soc4so)
More informationFederal Data Center Consolidation Initiative (FDCCI) Workshop I: Initial Data Center Consolidation Plan
Federal Data Center Consolidation Initiative (FDCCI) Workshop I: Initial Data Center Consolidation Plan June 04, 2010 FDCCI Workshop I Agenda for June 4, 2010 1. Welcome Katie Lewin GSA Director Cloud
More informationIT Attestation in the Cloud Era
IT Attestation in the Cloud Era The need for increased assurance over outsourced operations/ controls April 2013 Symeon Kalamatianos M.Sc., CISA, CISM Senior Manager, IT Risk Consulting Contents Introduction
More informationFederal Data Center Consolidation Initiative (FDCCI) Workshop III: Final Data Center Consolidation Plan
Federal Data Center Consolidation Initiative (FDCCI) Workshop III: Final Data Center Consolidation Plan August 10, 2010 FDCCI Agenda August 10 th, 2010 1. Welcome Katie Lewin GSA Director Cloud Computing
More informationCouncil, 8 February 2017 Information Technology Report Executive summary and recommendations
Council, 8 February 2017 Information Technology Report Executive summary and recommendations Introduction This report provides the Council with an update into the work of the Information Technology Directorate
More informationMaking trust evident Reporting on controls at Service Organizations
www.pwc.com Making trust evident Reporting on controls at Service Organizations 1 Does this picture look familiar to you? User Entity A User Entity B User Entity C Introduction and background Many entities
More informationSAS 70 & SSAE 16: Changes & Impact on Credit Unions. Agenda
SAS 70 & SSAE 16: Changes & Impact on Credit Unions John Mason CISM, CISA, CGEIT, CFE SingerLewak LLP October 19, 2010 Agenda Statement on Auditing Standards (SAS) 70 background Background & purpose Types
More informationSpecial Actions Security Office (SASO)
Defense Finance and Accounting Service Special Actions Security Office (SASO) Sharron Norris Walter Smith Melissa Dunlap 2016 Integrity - Service - Innovation Integrity - Service - Innovation SASO Mission
More informationBilling and Collection Agent Report For period ending January 31, To FCC Contract Oversight Sub-Committee. February 11, 2019
Billing and Collection Agent Report For period ending January 31, 2019 To FCC Contract Oversight Sub-Committee February 11, 2019 Welch LLP - Chartered Professional Accountants 123 Slater Street, 3 rd floor,
More informationPREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice
PREPARING FOR SOC CHANGES AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice On May 1, 2017, SSAE 18 went into effect and superseded SSAE 16. The following information is here
More informationEvaluating SOC Reports and NEW Reporting Requirements
Evaluating SOC Reports and NEW Reporting Requirements ISACA Kris Lonborg, EY Partner Maria Avedissian, EY Senior Manager September 12, 2013 Agenda Evaluating SOC reports Recent changes made to the SOC1
More informationPeopleSoft Finance Access and Security Audit
PeopleSoft Finance Access and Security Audit City of Minneapolis Internal Audit Department September 20, 2016 1 Contents Page Background... 3 Objective, Scope and Approach... 3 Audit Results and Recommendations...
More informationCompliance Enforcement Initiative
Compliance Enforcement Initiative Filing and Status Update November 2, 2011 Rebecca Michael Status of the Filings NERC filed several components of the Compliance Enforcement Initiative on September 30,
More informationWeighing in on the Benefits of a SAS 70 Audit for Third Party Administrators
Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators With increasing oversight and growing demands for industry regulations, third party assurance has never been under a keener
More informationREPORT 2015/149 INTERNAL AUDIT DIVISION
INTERNAL AUDIT DIVISION REPORT 2015/149 Audit of the information and communications technology operations in the Investment Management Division of the United Nations Joint Staff Pension Fund Overall results
More informationSAS70 Type II Reports Use and Interpretation for SOX
SAS70 Type II Reports Use and Interpretation for SOX November 19, 2007 Presented by: Erin Erickson, Senior Manager Enterprise Governance and Brenda Karl, Director Technology Risk Management Agenda Background
More informationLIST OF SUBSTANTIVE CHANGES AND ADDITIONS. PPC's Guide to Audits of Local Governments. Thirty first Edition (February 2016)
Route To: Partners Managers Staff File LIST OF SUBSTANTIVE CHANGES AND ADDITIONS PPC's Guide to Audits of Local Governments Thirty first Edition (February 2016) Highlights of This Edition The following
More informationA SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS
A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS Introduction If you re a growing service organization, whether a technology provider, financial services corporation, healthcare company, or professional
More informationISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION
ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION Cathy Bates Senior Consultant, Vantage Technology Consulting Group January 30, 2018 Campus Orientation Initiative and Project Orientation Project
More informationMiscellaneous Payment
Invoicing Receipt Acceptance Property Transfer Miscellaneous Payment To learn how to electronically submit and take action on irapt documents through simulations and step-by-step procedures, visit the
More informationDoD Environmental Security Technology Certification Program (ESTCP) Tim Tetreault DoD August 15, 2017
DoD Energy Testbed DoD Environmental Security Technology Certification Program (ESTCP) Tim Tetreault DoD August 15, 2017 Tampa Convention Center Tampa, Florida About ESTCP Established in 1995 to: Improve
More informationPowered by TCPDF (
Powered by TCPDF (www.tcpdf.org) 1 FINANCE AND ACCOUNTING FOR NON-FINANCIAL PROFESSIONALS 28th Feb - 3rd Mar, 2017 1st - 4th Aug, 2017 2 MODERN APPROACHES TO CORPORATE AND INDIVIDUAL TAX COMPLIANCE 28th
More informationWHICH SOC REPORT IS RIGHT FOR YOUR CLIENT?
CPAs & ADVISORS STRATEGIC ALLIANCE WEBINAR SERIES WHICH SOC REPORT IS RIGHT FOR YOUR CLIENT? June 20, 2017 Cindy Boyle TO RECEIVE CPE CREDIT Participate in entire webinar Answer polls when they are provided
More informationService Management. What an Acquisition Practitioner Needs to Know. Karen Gomez Defense Information Systems Agency Mission Support Division
Service Management DAU Symposium April 4, 2017 What an Acquisition Practitioner Needs to Know Karen Gomez Defense Information Systems Agency Mission Support Division 1 Topics DESMF The DESMF Realized Service
More informationDoes a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?
Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA? A brief overview of security requirements for Federal government agencies applicable to contracted IT services,
More informationAdopting SSAE 18 for SOC 1 reports
Adopting SSAE 18 for SOC 1 reports Overview Since its adoption in 2011, service auditor reports issued in accordance with SSAE 16 have become increasingly common in the marketplace. In April 2016, the
More informationCONTROLS OVER ELECTRONIC DOCUMENT MANAGEMENT. Report No. D April 16, Office of the Inspector General Department of Defense
CONTROLS OVER ELECTRONIC DOCUMENT MANAGEMENT Report No. D-2001-101 April 16, 2001 Office of the Inspector General Department of Defense Form SF298 Citation Data Report Date ("DD MON YYYY") 16Apr2001 Report
More informationStrengthening the Cybersecurity of Federal Networks and Critical Infrastructure
Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure Executive Order 13800 Update July 2017 In Brief On May 11, 2017, President Trump issued Executive Order 13800, Strengthening
More informationCalifornia ISO Audit Results for 2011 SSAE 16 & Looking Forward for 2012 December 15, 2011
www.pwc.com California ISO Audit Results for 2011 SSAE 16 & Looking Forward for 2012 December 15, 2011 Agenda SSAE 16 Background Results of Audit Scope of Audit Looking Forward Closing Thoughts Slide 1
More informationSAS 70 SOC 1 SOC 2 SOC 3. Type 1 Type 2
SAAABA Changes in Reports on Service Organization Controls April 18, 2012 Changes in Reports on Service Organization Controls (formerly SAS 70) April 18, 2012 Duane M. Reyhl, CPA Andrews Hooper Pavlik
More informationFedRAMP: Understanding Agency and Cloud Provider Responsibilities
May 2013 Walter E. Washington Convention Center Washington, DC FedRAMP: Understanding Agency and Cloud Provider Responsibilities Matthew Goodrich, JD FedRAMP Program Manager US General Services Administration
More informationMetropolitan Washington Airports Authority PROCUREMENT AND CONTRACTS DEPT. AMENDMENT OF SOLICITATION
Metropolitan Washington Airports Authority PROCUREMENT AND CONTRACTS DEPT. AMENDMENT OF SOLICITATION Metropolitan Washington Airports Authority Procurement and Contracts Dept., MA-29 2733 Crystal Drive
More informationTransitioning from SAS 70 to SSAE 16
Industry Webinar Series SAS 70 ENDS EXIT TO SSAE 16 Transitioning from SAS 70 to SSAE 16 How Does This Apply to Your Organization? Cindy Boyle, Partner Rodney Walsh, Director BKD IT Risk Services Agenda
More informationArticle II - Standards Section V - Continuing Education Requirements
Article II - Standards Section V - Continuing Education Requirements 2.5.1 CONTINUING PROFESSIONAL EDUCATION Internal auditors are responsible for maintaining their knowledge and skills. They should update
More informationNYDFS Cybersecurity Regulations
SPEAKERS NYDFS Cybersecurity Regulations Lisa J. Sotto Hunton & Williams LLP (212) 309-1223 lsotto@hunton.com www.huntonprivacyblog.com March 9, 2017 The Privacy Team at Hunton & Williams Over 30 privacy
More informationT&E Workforce Development
T&E Workforce Development 2016 ITEA Cyber Security Workshop Mr. Thomas W. Simms Deputy Director, T&E Competency & Development Deputy Assistant Secretary of Defense (DT&E) March 17, 2016 Agenda Policy Overview
More informationInternal Audit Report. Electronic Bidding and Contract Letting TxDOT Office of Internal Audit
Internal Audit Report Electronic Bidding and Contract Letting TxDOT Office of Internal Audit Objective Review of process controls and service delivery of the TxDOT electronic bidding process. Opinion Based
More informationNational Defense University and IRMC. National Defense University
The Forgotten Information Assurance Professional - Educating the Senior IT Manager Robert C. Norris, Jr. Information Resources Management College National Defense University 1 Overview Intro to IRMC and
More informationRetirement of SAS 70 and a new generation of Service Organization Control (SOC) Reports
new generation of Service Organization Control (SOC) Reports Presented by: Nina Currigan, KPMG Advisory Manager Karen Krebsbach, Ernst & Young Advisory Manager With you today Nina Currigan Advisory Manager
More informationInformation Technology Services. Informational Report for the Board of Trustees October 11, 2017 Prepared effective August 31, 2017
Information Technology Services Informational Report for the Board of Trustees October 11, 2017 Prepared effective August 31, 2017 Information Technology Services TABLE OF CONTENTS UPDATE ON PROJECTS &
More informationThe date when this policy is posted to the online Company Policy Manual and communicated to all business lines: December 14, 2012
GENERAL POLICIES DATE: CP-134 RETENTION OF RECORDS The date when this policy is posted to the online Company Policy Manual and communicated to all business lines: December 14, 2012 SUPERSEDES POLICY DATED:
More informationOSC Guidance and Training for Internal Audit and Internal Control Practitioners. Tina Kim John Buyce
OSC Guidance and Training for Internal Audit and Internal Control Practitioners Tina Kim John Buyce Training Requirements for Auditors and Internal Control Professionals Yellow Book: Chapter 3 General
More information6/5/ Michael Hojnicki Chief of Technology and Administrative Services
Technology Update 6/5/2018 - Michael Hojnicki Chief of Technology and Administrative Services Projects Completed in 2017 Open Checkbook Published Network & Phone Upgrade High Level Design Competitive Bid
More informationISACA MANILA CHAPTER CALENDAR OF ACTIVITIES
MANILA CHAPTER 2017 CALENDAR OF ACTIVITIES 2017 MANILA CALENDAR OF ACTIVITIES GMM Professionals Night Public Trainings Reviews Conferences Technical Session & MANILA PROFILE HISTORY AND MISSION Who we
More informationNew York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines
New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities
More information10 Considerations for a Cloud Procurement. March 2017
10 Considerations for a Cloud Procurement March 2017 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved. Notices This document is provided for informational purposes only. It represents
More informationLEADING WITH GRC. Common Controls Framework. Sundar Venkat, Sr. Director Technology Compliance Salesforce
LEADING WITH GRC Common Controls Framework Sundar Venkat, Sr. Director Technology Compliance Salesforce Forward-Looking Statements Statement under the Private Securities Litigation Reform Act of 1995:
More informationISACA MANILA CHAPTER CALENDAR OF ACTIVITIES
MANILA CHAPTER 2017 CALENDAR OF ACTIVITIES 2017 MANILA CALENDAR OF ACTIVITIES GMM Professionals Night Public Trainings Reviews Conferences Technical Session & MANILA PROFILE HISTORY AND MISSION Who we
More informationCitiManager Alerts
GSA SmartPay 2010 Conference CitiManager Email Alerts Mini Session 12 th Annual GSA SmartPay Conference Atlanta, GA August 10 12, 2010 Goals & Objectives This course is designed to assist you in achieving
More information2018 CALENDAR OF ACTIVITIES
2018 CALENDAR OF ACTIVITIES WHO WE ARE AND WHAT WE OFFER Ý Public Trainings Technical Sessions Reviews GMM Other Chapter Activities Conferences Professionals Night ISACA was incorporated by individuals
More informationREPORT 2015/186 INTERNAL AUDIT DIVISION
INTERNAL AUDIT DIVISION REPORT 2015/186 Audit of information and communications technology operations in the Secretariat of the United Nations Joint Staff Pension Fund Overall results relating to the effective
More informationUNIQUE IDENTIFICATION (UID) Unique Identification (UID) of Items
UNIQUE IDENTIFICATION (UID) Unique Identification (UID) of Items DoD Vision for Item Marking To implement a policy establishing a strategic imperative for uniquely identifying tangible items relying to
More informationSSAE 18 & new SOC approach to compliance. Moderator Name: Patricio Garcia Managing Partner ControlCase Attestation Services
SSAE 18 & new SOC approach to compliance Moderator Name: Patricio Garcia Managing Partner ControlCase Attestation Services Agenda 1. SSAE 18 overview 2. SOC 2 + 3. 2017 Trust Services Criteria SSAE 18
More informationDan Lobb CRISC Lisa Gable CISM Katie Friebus
Dan Lobb CRISC Lisa Gable CISM Katie Friebus AGENDA Meet the speakers Compliance between QSA visits - Dan Lobb Transitioning from PCI DSS 3.1-3.2 - Katie Friebus Tips for Managing a PCI Compliance Program
More informationNAC Institutional Committee Meeting
Meeting Jet Propulsion Lab July 28-29, 2015 Kathryn Schmoll Chair Membership Committee Members Current Employer Current Position 1 CHAIR: Kathryn (Katy) Schmoll Kathryn Schmoll and Associates, LLC 2 James
More informationMyInvoice. Defense Finance and Accounting Service. Devona Mathis DFAS Columbus Customer Care Office October 24, Integrity - Service - Innovation
This document contains graphics and images that may not be read by a screen reader. If you have trouble viewing this document please contact the Columbus Customer Care Center at 800-756-4571 MyInvoice
More informationDHS Overview of Sustainability and Environmental Programs. Dr. Teresa R. Pohlman Executive Director, Sustainability and Environmental Programs
DHS Overview of Sustainability and Environmental Programs Dr. Teresa R. Pohlman Executive Director, Sustainability and Environmental Programs DHS Mission DHS Organization Getting to Know DHS Mission: Secure
More informationFiXs - Federated and Secure Identity Management in Operation
FiXs - Federated and Secure Identity Management in Operation Implementing federated identity management and assurance in operational scenarios The Federation for Identity and Cross-Credentialing Systems
More informationSafeguarding unclassified controlled technical information (UCTI)
Safeguarding unclassified controlled technical information (UCTI) An overview Government Contract Services Bulletin Safeguarding UCTI An overview On November 18, 2013, the Department of Defense (DoD) issued
More informationHong Kong Institute of Certified Public Accountants Practising Certificate ("PC") Business Assurance
Hong Kong Institute of Certified Public Accountants Practising Certificate ("PC") Business Assurance Examinable Auditing Standards December 2017 Session and June 2018 session This document contains the
More informationCOUNTY OF RIVERSIDE ENTERPRISE SOLUTIONS FOR PROPERTY TAXATION
COUNTY OF RIVERSIDE ENTERPRISE SOLUTIONS FOR PROPERTY TAXATION PRESENTERS PANEL GUESTS DON KENT RIVERSIDE COUNTY TREASURER- TAX COLLECTOR LARRY WARD ASSESSOR - COUNTY CLERK - RECORDER KAN WANG PROPERTY
More informationSolutions Technology, Inc. (STI) Corporate Capability Brief
Solutions Technology, Inc. (STI) Corporate Capability Brief STI CORPORATE OVERVIEW Located in the metropolitan area of Washington, District of Columbia (D.C.), Solutions Technology Inc. (STI), women owned
More informationMHBE Compliance Program SECOND QUARTER FY 2019 REPORT. TO MHBE BOARD OF TRUSTEES January 22, 2019
MHBE Compliance Program SECOND QUARTER FY 2019 REPORT TO MHBE BOARD OF TRUSTEES January 22, 2019 Presented by: Caterina Pañgilinan Audit Status Report Total Audit Findings Open Findings (3) SMART PY17
More informationAbout GSA changes to IPAC data fields for Local Telecom Service and WITS customers
About GSA changes to IPAC data fields for Local Telecom Service and WITS customers This guide is designed to be a useful reference for those GSA customers who pull data from Treasury s Intergovernmental
More informationSection One of the Order: The Cybersecurity of Federal Networks.
Summary and Analysis of the May 11, 2017 Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. Introduction On May 11, 2017, President Donald
More informationSUBJECT: PRESTO operating agreement renewal update. Committee of the Whole. Transit Department. Recommendation: Purpose: Page 1 of Report TR-01-17
Page 1 of Report TR-01-17 SUBJECT: PRESTO operating agreement renewal update TO: FROM: Committee of the Whole Transit Department Report Number: TR-01-17 Wards Affected: All File Numbers: 465-12, 770-11
More informationDefense Hotline Allegations Concerning Contractor-Invoiced Travel for U.S. Army Corps of Engineers' Contracts W912DY-10-D-0014 and W912DY-10-D-0024
Report No. DODIG-2013-056 March 15, 2013 Defense Hotline Allegations Concerning Contractor-Invoiced Travel for U.S. Army Corps of Engineers' Contracts W912DY-10-D-0014 and W912DY-10-D-0024 Report Documentation
More informationBest Practices in CIS Implementation. TECO s CRB Implementation
Best Practices in CIS Implementation TECO s CRB Implementation Katie Guice, Director, Customer Solutions & Strategic Projects Tampa Electric & Peoples Gas System 1 TECO Energy: An Emera Company Energy-related
More informationIT Auditing and IT Fraud Detection
IT Auditing and IT Fraud Detection Page 1 of 7 Why Attend In today s world, IT fraud prevention and investigation have become an everyday part of corporate life and auditors must gain expertise in this
More informationCover Slide. Third Party Risk and the Role of the Cyber Security/IT Risk Officer. Robert Satchmo Anderson
Cover Slide Third Party Risk and the Role of the Cyber Security/IT Risk Officer Robert Satchmo Anderson Overview Third Party Risk Management (TPRM) (vendor management, new acquisitions, and joint ventures),
More informationCity of Portland Audit: Follow-Up on Compliance with Payment Card Industry Data Security Standard BY ALEXANDRA FERCAK SENIOR MANAGEMENT AUDITOR
City of Portland Audit: Follow-Up on Compliance with Payment Card Industry Data Security Standard BY ALEXANDRA FERCAK SENIOR MANAGEMENT AUDITOR Examples of Government data breaches in 2016, listing number
More informationDepartment of Defense Fiscal Year (FY) 2014 IT President's Budget Request Defense Media Activity Overview
Mission Area Department of Defense Overview Business System Breakout Appropriation BMA 0.163 Total 24.846 Defense Business Systems 0.163 All Other Resources 24.683 EIEMA 24.683 FY 2014 ($M) FY 2014 ($M)
More informationQUIACLE TECHNOLOGY SOLUTIONS, INC. CLOUD SERVICES MANAGED SECURITY SERVICES
QUIACLE TECHNOLOGY SOLUTIONS, INC. CLOUD SERVICES MANAGED SECURITY SERVICES WHO WE ARE Founded in 2014 Headquartered in Frederick County, MD Registered in the System for Award Management (SAM) Women's
More informationInformation System Security
July 29, 2002 Information System Security User Authentication Protection at Central Design Activities (D-2002-135) Department of Defense Office of the Inspector General Quality Integrity Accountability
More informationTen Innovative Financial Services Applications Powered by Data Virtualization
Ten Innovative Financial Services Applications Powered by Data Virtualization DATA IS THE NEW ALPHA In an industry driven to deliver alpha, where might financial services firms find opportunities when
More informationChapter 2 Introduction to Transaction Processing
Chapter 2 Introduction to Transaction Processing TRUE/FALSE 1. Processing more transactions at a lower unit cost makes batch processing more efficient than real-time systems. T 2. The process of acquiring
More informationInstructions for Gaining Access to PMRT
31 October 2017 General Information: Instructions for Gaining Access to PMRT Project Management Resource Tools (PMRT) is accessed via https://pmrt.altess.army.mil/pmrt/. A Common Access Card (CAC) is required
More informationDEFENSE SECURITY SERVICE PRIVACY IMPACT ASSESSMENT GUIDANCE AND TEMPLATE
DEFENSE SECURITY SERVICE PRIVACY IMPACT ASSESSMENT GUIDANCE AND TEMPLATE Version 1.0 28 October 2008 1 DSS PRIVACY IMPACT ASSESSMENT For Industrial Security Facilities Database (ISFD) Project Identifying
More informationAMC MINI-PDI. March 2, 2017 Mr. Anson Smith UNCLASSIFIED 1 AMERICA S ARMY: THE STRENGTH OF THE NATION
AMC MINI-PDI AMERICA S ARMY: THE STRENGTH OF THE NATION March 2, 2017 Mr. Anson Smith 1 Agenda Program Management Percentage Certified by Components Members to be certified by Agencies New CET Policy Update
More informationJune 2012 First Data PCI RAPID COMPLY SM Solution
June 2012 First Data PCI RAPID COMPLY SM Solution You don t have to be a security expert to be compliant. Developer: 06 Rev: 05/03/2012 V: 1.0 Agenda Research Background Product Overview Steps to becoming
More informationThe U.S. Manufacturing Extension Partnership - MEP
The U.S. Manufacturing Extension Partnership - MEP Roger D. Kilmer Director, MEP National Institute of Standards and Technology (NIST) U.S. Department of Commerce roger.kilmer@nist.gov 301-975-5020 http://www.nist.gov/mep/
More informationFlorida PALM Project Update Agenda
AUGUST 31, 2018 Florida PALM Project Update Agenda Contract Introduction Software and Services Requirements Update Team Structure Timeline Phase Initiation Embrace the Journey Agency Engagement 3 FASAASD
More informationRequest MyBiz+ Update MySupervisor Assistance Employee User Guide (for AF, AR, NV, DLA and WHS)
Request MyBiz+ Update MySupervisor Assistance Employee User Guide (for AF, AR, NV, DLA and WHS) http://www.cpms.osd.mil/ Aug 30, 2015 1 MyBiz+ Update MySupervisor Assistance Employee User Guide Table of
More informationSOC Updates: Understanding SOC for Cybersecurity and SSAE 18. May 23, 2017
SOC Updates: Understanding SOC for Cybersecurity and SSAE 18 May 23, 2017 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.
More informationOracle Buys Automated Applications Controls Leader LogicalApps
Oracle Buys Automated Applications Controls Leader LogicalApps To strengthen Oracle s Governance, Risk and Compliance Suite with Real-time Policy Enforcement October 26, 2007 Disclaimer The following is
More information1Q17 RESULTS M AY / 2017
RESULTS M AY / 2017 Positivo Tecnologia recorded a net revenue of R$453.5 million in, an increase of 20.7% Continuous progress in the diversification of the business, with mobile phones reaching 32.6%
More informationProposed Increase In Rates In Water, Sewer and Reclaimed. June 9, 2009
Proposed Increase In Rates In Water, Sewer and Reclaimed June 9, 2009 1 WATER 2 3 Reclaimed Water Accounts 27,500 25,000 22,500 20,000 17,500 15,000 12,500 10,000 7,500 5,000 2,500 387-24,863 4 FY 96 FY
More informationCOMPUTERIZATION. Bilateral Screening Chapter 29 Customs Union Presentation by the Republic of Serbia Brussels, 3-4 June 2014
COMPUTERIZATION Bilateral Screening Chapter 29 Customs Union Presentation by the Republic of Serbia Brussels, 3-4 June 2014 CONTENT 1) Legal Framework 2) Strategic documents 3) Short historical overview
More informationSTRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE
STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby
More informationCouncil, 26 March Information Technology Report. Executive summary and recommendations. Introduction
Council, 26 March 2014 Information Technology Report Executive summary and recommendations Introduction This report sets out the main activities of the Information Technology Department since the last
More information