Vendor Management: SSAE 18. Presented by Joseph Kirkpatrick CISSP, CISA, CGEIT, CRISC, QSA Managing Partner

Transcription

1 Vendor Management: SSAE 18 Presented by Joseph Kirkpatrick CISSP, CISA, CGEIT, CRISC, QSA Managing Partner

2 Audio Handouts Questions

3 Welcome Joseph Kirkpatrick is the Managing Partner at KirkpatrickPrice and holds the CISSP, CISA, CGEIT, CRISC, and QSA cer?fica?ons, specializing in data security, IT governance, and regulatory compliance. He enjoys helping our clients and stakeholders by naviga?ng them through the complex maze of compliance and regulatory requirements. 3

4 4

5 Overview Moving to SSAE 18 How Service Organiza?ons affect Financial Ins?tu?ons Internal Controls over Financial Repor?ng Using the SSAE 18 for Vendor Management 5

6 SSAE 18 became effec?ve May 1, 2018 Why the change? Convergence with interna?onal standards Simplifica?on 6

7 Convergence The Audi?ng Standards Board (ASB) seeks to converge its standards with those of the Interna?onal Audi?ng and Assurance Standards Board (IAASB) The corresponding Interna?onal Statement on A`esta?on Engagements (ISAE) is the ISAE

8 Simplifica?on The a`esta?on (AT) sec?on of the AICPA Professional Standards contains standards for Cer?fied Public Accountants (CPA) to affirm an asser?on to be true, using objec?vity and skep?cism These AT sec?ons are issued in the form of Statements on Standards for A`esta?on Engagements (SSAE) 8

9 Simplifica?on The following AT sec?ons are being codified into one SSAE AT sec. 20 AT sec. 50 AT sec. 101 (SOC 2) AT sec. 201 AT sec. 301 AT sec. 401 AT sec. 601 AT sec. 701 AT sec. 801 (SOC 1/SSAE 16) 9

10 SSAE No. 18 AT-C sec. 105 (SOC 1 and SOC 2) Concepts Common to All A`esta?on Engagements AT-C sec. 205 (SOC 1 and SOC 2) Examina?on Engagements AT-C sec. 210 Review Engagements AT-C sec. 215 Agreed-Upon Procedures Engagement AT-C sec. 305 Prospec?ve Financial Informa?on AT-C sec. 310 Repor?ng on Pro Forma Financial Informa?on AT-C sec. 315 Compliance A`esta?on AT-C sec. 320 (SOC 1) Repor?ng on an Examina?on of Controls at a Service Organiza?on Relevant to User En??es Internal Control Over Financial Repor?ng AT-C sec. 395 Management s Discussion and Analysis 10

11 SSAE No. 18 AT-C sec. 205 (SOC 1, SOC 2, CSA) Examina?on Engagements AT-C sec. 320 (SOC 1) Repor?ng on an Examina?on of Controls at a Service Organiza?on Relevant to User En??es Internal Control Over Financial Repor?ng 11

12 How do Service Organiza?ons affect Financial Ins?tu?ons? Data Processor Deposit/Loan Plajorm Data Center Payroll Provider Annual Report Print Provider Document Management Services Cloud Backup Provider 12

13 How do Service Organiza?ons affect Financial Ins?tu?ons? What is the Financial Ins?tu?on s responsibility? Assess Risk Determine Risk Implement Risk Management 13

14 How do Service Organiza?ons affect Financial Ins?tu?ons? FFIEC Examina?on Handbook Review audit and consultant reports, management's responses, and problem tracking systems to iden?fy poten?al issues for examina?on follow-up. Possible sources include Internal and external audit reports and A`esta?on Report (e.g. SSAE-16) and other reviews for service providers Security reviews/evalua?ons from internal risk review or external consultants (includes vulnerability and penetra?on tes?ng) Findings from GLBA security and control tests and annual GLBA reports to the board. 14

15 How do Service Organiza?ons affect Financial Ins?tu?ons? ICFR enhances the reliability of financial statements by reducing the risk of material errors or misstatements. Financial repor?ng controls are designed to provide reasonable assurance that the ins?tu?on s financial statements are reliable and prepared in accordance with generally accepted accoun?ng principles. Confiden?ality Integrity Availability 15

16 How do Service Organiza?ons affect Financial Ins?tu?ons? Data Processor Deposit/Loan Plajorm Data Center Payroll Provider Annual Report Print Provider Document Management Services Cloud Backup Provider 16

17 SSAE No. 18 AT-C Sec. 320 Beginning with reports issued as of May 1,

18 Service Organiza?on Control (SOC) Reports SOC 1 Type I, as of a date Type II, through an audit period SOC 2 Type I, as of a date Type II, through an audit period 18

19 Evalua?ng Service Organiza?on Controls How reasonable are the controls and the corresponding tests? 19

20 Control Objec?ves 20

21 Commonly Omi`ed Controls Be on the lookout for: Applica?on Development Configura?on Management Encryp?on Methodologies Log Management Vendor Management 21

22 New for the SSAE 18 AT-C Sec 320 Monitoring the Effec?veness of Controls at Subservice Organiza?ons 22

23 Subservice Organiza?ons Includes some combina?on of ongoing monitoring to determine that poten?al issues are iden?fied?mely and separate evalua0ons to determine that the effec?veness of internal control is maintained over?me. 23

24 Ongoing Monitoring Reviewing and reconciling output reports Holding periodic discussions with the subservice organiza?on Making regular site visits to the subservice organiza?on 24

25 Ongoing Monitoring Tes?ng controls at the subservice organiza?on by members of the service organiza?on s internal audit func?on Reviewing Type I or Type II reports on the subservice organiza?on s system Monitoring external communica?ons, such as customer complaints relevant to the services by the subservice organiza?on 25

26 Using the SSAE 18 for Monitoring Vendors Developing a fiduciary mindset with your vendors Annual Reviews Ongoing Performance Reports Site Visits 26

27 Using the SSAE 18 for Monitoring Vendors Implement processes for monitoring cri?cal controls Vulnerability Releases Incident Reports Technology Changes 27

28 Vendor Compliance Management Use the Online Audit Manager to ask ques?ons of your vendors Hire our specialized resources to perform site visits with your cri?cal vendors Access our webinar recordings for several topics dealing with vendor compliance management 28

29 OnlineAuditManager.co m 29

30 Ques?ons? For further informa?on, contact: Joseph Kirkpatrick 30

31 31

32 32

33 Joseph Kirkpatrick