Service Organization Control (SOC) Reports: What they are and what to do with them MARCH 21, 2017
|
|
- Lambert Shelton
- 5 years ago
- Views:
Transcription
1 Service Organization Control (SOC) Reports: What they are and what to do with them MARCH 21, 2017
2 Presenter Colin Wallace, CPA/CFF, CFE, CIA, CISA Partner Colin has provided management consulting and internal audit services to public, private, government, and not-for-profit organizations since He has organized and performed financial, operational, and compliance audits throughout the United States and abroad, and has worked on all aspects of the internal audit process including planning, analysis, reporting, and project management. Colin has led numerous fraud investigations involving misappropriation and misuse of company assets, the Foreign Corrupt Practices Act, and management override of internal controls. In addition, he has managed significant SOC examination and SOX 404 assessment projects from initial implementation to final reporting. Colin is an active member of the firm s Technology, Communications and Media Group and is a leader of the firm s forensic and investigative services team. He currently serves as the quality control practice leader for the Business Risk Group.
3 Presenter Kim Koch, CPA Partner Kim has practiced public accounting since 2001 and has over 15 years of experience in conducting SOC audits, financial statement and compliance audits, attestation examinations, and internal control assessments. Kim serves clients in a variety of industries including technology companies, publicly traded entities, private businesses, third party administrators, and government agencies. She regularly presents continuing professional education sessions internally and externally including topics related to SOC 1, SOC 2, and SOC 3 reporting. Kim is on the team that develops the firm s tools for SOC audits and also regularly reviews the AICPA s proposed changes to SOC requirements.
4 OBJECTIVES Understand the importance of a SOC report Recognize the differences between SOC 1, 2, and 3 reports List items that are and aren t covered in SOC reports Analyze the scope of your provider s report Assess the impact of complementary user entity controls and internal control exceptions Work with an auditor or management to evaluate and complement their service providers controls 4
5 Increases exposure to risk SOC REPORTS & MITIGATING RISK Simple questionnaires and contractual clauses are inadequate Need for vendor management and vendor due diligence Rise in outsourcing tasks and functions to service providers 5
6 OVERVIEW Historical with SAS 70 SAS 70 Reporting New with SSAE 16 SOC 1 Internal Controls Over Financial Reporting New with AT101 SOC 2 Trust Services Principles (Detailed Reporting) SOC 3 Trust Services Principles (Summary Reporting) 6
7 DEFINITIONS SOC 1 Report o A report on Controls at a Service Organization which are relevant to the user entities internal control over financial reporting. SOC 2 Report o Report on Controls at a Service Organization related to compliance or operations and based on Trust Services Principles and Criteria. Principles covered include Security, Availability, Processing Integrity, Confidentiality and/or Privacy. SOC 3 Report o A SOC 3 report is a general-use report that provides only the auditor s report on whether the system achieved the Trust Services Criteria without including a description of tests and results or opinion on the description of the system. 7
8 SOC COMPARISON: REPORTING OPTIONS Summary SOC 1 SOC 2 SOC 3 Detailed report for users, auditors and specified parties Detailed reports for users and auditors Summary report that can be more generally distributed Applicability Focused on financial reporting risks and controls specified by the service provider Most applicable when the service provider performs financial transactions processing or supports transaction processing systems Focused on the Trust Services Principles: o Security o Availability o Confidentiality o Processing Integrity o Privacy Applicable to a broad variety of systems 8
9 SOC COMPARISON: SCOPE SOC 1 SOC 2 / SOC 3 Required focus Internal control over financial reporting Compliance or operational controls Define scope and systems Control domains covered Level of standardization Classes of transactions Procedures for processing and reporting transactions Accounting records of the systems Handling of significant events and conditions other than transactions Report preparation for users Other aspects relevant to processing and reporting user transactions Transaction processing controls Supporting information technology general controls Control objectives are defined by the service provider and may vary depending on the type of service provided. Infrastructure Software Procedures People Data Security Availability Confidentiality Processing Integrity Privacy Principles are selected by the service provider Specific predefined criteria are used rather than control objectives 9
10 SOC COMPARISON: REPORT STRUCTURE SOC 1 SOC 2 SOC 3 Auditor s Opinion Auditor s Opinion Auditor s Opinion Management Assertion Management Assertion Management Assertion Assertion System Description (including controls) Assertion System Description (including controls) Assertion System Description (including controls) Control Objectives Criteria Criteria (referenced) Control Activities Control Activities Test of Operating Effectiveness* Test of Operating Effectiveness* Results of Tests* Results of Tests* Other Information (if applicable) *Note: Only applicable for Type II reports. Other Information (if applicable) 10
11 SOC COMPARISON: REPORT TYPES Type I Type II SOC Reports SOC 1 SOC 2 SOC 1 SOC 2 Coverage Point in time Period of time Assessment Design Design Operating Effectiveness Results of Tests 11
12 INTERNATIONAL REPORTING ISAE 3402 SSAE 16 (SOC 1) United States CICA 5970 Canada AAF 01/06 United Kingdom HKCPA HK/China AUS 810 Australia Others 12
13 WHY ARE SOC REPORTS IMPORTANT? Services outsourced to service organizations are relevant to the audit when these services and related controls are part of the entity s information system which is relevant to financial reporting. When reliance is placed on controls at service organizations and their sub-service providers, it is important to obtain and review SOC reports covering a sufficient portion of the audit period. 13
14 WHY DO WE REVIEW SOC REPORTS? New Hire Information Employee Termination Payroll Register Payroll Journal Entries Other Employee Masterfile Changes Financial Statements 14
15 PCAOB OBSERVATIONS Reliance on service organizations was not identified or not properly documented. Sub-service organizations that were scoped out of the report were not addressed. Complementary-entity user controls were not sufficiently tested or not properly linked to the test of controls. Update procedures were not properly performed or documented when the auditor s report did not sufficiently cover the entire audit period. Control exceptions identified by the service provider were not evaluated to determine the sufficiency of audit procedures. 15
16 HOW ARE SOC REPORTS EVALUATED? Inventory Assess Identify Test and Conclude Description Inventory existing outsourced vendor relationships to determine whether third-party assurance may be required Assess the key financial reporting risks associated with significant outsourced vendors Identify in-scope service organizations Identify relevant reports that have been obtained and determine appropriateness Identify any additional reports or documents needed to complete the assessment (e.g., bridge letter, Management s discussion with the service provider, etc.) Assess the adequacy of the SOC report scope Perform review procedures to evaluate the operational effectiveness of controls relied upon at the service organization 16
17 STRUCTURE AND CONTENTS OF SOC 1/SOC 2 REPORTS The structure and contents of SOC 1 and SOC 2 reports generally follows the below list: o Independent service auditor s report (opinion) o Management s written assertion o Service organization s description of the system o Complementary user entity controls o Control objectives (SOC 1)/Criteria (SOC 2), control activities and control tests performed (Type II reports) o Supplemental information from the service organization When performing an evaluation of an SOC report, management should identify and evaluate each section of the report 17
18 INDEPENDENT SERVICE AUDITOR S REPORT This section describes the scope of the examination and provides the service auditor s opinion on: o Management s presentation of its system of internal control. o The suitability of the design of the system. o Opinion on the operating effectiveness of the controls (Type II reports only). It generally includes the following sections: o Scope o Service Organization s Responsibilities o Service Auditor s Responsibilities o Inherent Limitations o Opinion o Description of Test of Controls o Restricted Use 18
19 REVIEWING INDEPENDENT SERVICE AUDITOR S REPORT Verify that the report coverage is adequate. If the coverage is insufficient and/or the report date does not coincide with the client s year-end, verify how Management was able to gain acceptance of the coverage exceptions. Verify the type of report issued and determine whether it is appropriate for use (e.g., SOC 1 vs. SOC 2, and Type I vs. Type II). Verify whether service providers are being used by the service organization and determine whether the service auditor s evaluation included sub-service providers. Determine the type of opinion issued (i.e., modified vs. unmodified). 19
20 MANAGEMENT S WRITTEN ASSERTION Management s assertions may be in a separate section of the report or included in the section containing the description of the system. Management s written assertions cover the following: o The fair presentation of the description of the system o The suitability of the design of controls and verification that they were implemented as of a specific date (Type I) or throughout the period (Type II) o The operating effectiveness of the controls throughout the period (Type II) o The relevant changes to the system throughout the period (Type II) 20
21 REVIEWING MANAGEMENT S WRITTEN ASSERTION Verify that Management s written assertions in this section mirror the service auditor s opinion. Verify that there are no qualifications in the assertions/modifications in the language (i.e., use of except for or other exclusionary language). Verify that there are no omissions in description criteria outlined by the AICPA relative to the services provided. 21
22 SERVICE ORGANIZATION S DESCRIPTION OF THE SYSTEM This section includes the service organization s explanation of the system and generally includes a description of the following: o Services provided o Description of entity-level controls relating to the control environment, risk assessment processes, monitoring activities and information and communication processes o Procedures by which services are provided and transactions are accounted for, and related accounting records o Significant events other than transactions o Report preparation processes o Control objectives and related control activities o Complementary user entity controls o Description of sub-service provider controls 22
23 REVIEWING SERVICE ORGANIZATION S DESCRIPTION OF THE SYSTEM Verify that the services provided are consistent with the services received. Understand if there are any significant events that impact the services relied upon. 23
24 COMPLEMENTARY USER ENTITY CONTROLS Complementary user entity controls (CUECs) are controls which the service organization assumes will be in place at user entities. Identifies the roles, responsibilities and obligations of the user entity to ensure achievement of the control objectives identified in the report. Also known as user organization control, complementary customer controls, or other similar names or phrases. 24
25 REVIEWING COMPLEMENTARY USER ENTITY CONTROLS Identify and evaluate all CEUCs that are relevant (i.e., those which directly impact financial reporting risk[s]). For IT-related CEUCs, communicate with the IT team and consider the Company s responsibilities in areas of change management, security and operations. For all in-scope CEUCs, ensure that the CEUC is appropriately mapped to key controls and that the design and operating effectiveness of those controls have been tested. 25
26 CONTROL OBJECTIVES, CONTROL ACTIVITIES AND TESTS PERFORMED Presents the control objectives and related control activities performed by the service organization Presents the test procedures performed and the results of control testing performed by the service auditors Shows the exceptions or deviations noted by the service auditors Shows Management s response to the exceptions noted 26
27 REVIEWING CONTROL OBJECTIVES, CONTROL ACTIVITIES AND TESTS PERFORMED Consider performing a self-assessment of the service auditors test adequacy of the test procedures performed. Review the responses provided by the service organization and determine whether the responses are satisfactory. Management may also consider discussing the nature of the exceptions with the service auditors. Evaluate all relevant exceptions, which include: Exceptions relevant to control objectives that mitigate the financial reporting risks. Exceptions related to Information Technology General Controls (ITGCs) supporting relevant applications that mitigate the financial reporting risks. 27
28 SUB-SERVICE ORGANIZATIONS A third-party provider used by the primary service providers to outsource processes and controls. They can be part of transaction processing (e.g., claims processing) or the IT environment (e.g., data center hosting). They are identified by the service organization in their assertion and by the service auditor in their opinion. 28
29 REVIEWING SUB-SERVICE ORGANIZATIONS Evaluation of internal controls should include the impact of all identified sub-service providers. Assess the impact of sub-service providers to the Company s internal control over financial reporting. Identify and evaluate all sub-service providers used by in-scope service organizations as part of the SOC review procedures. For in-scope sub-service providers, formally document the review of the sub-service providers SOC report, if applicable. 29
30 ASSESSING SOC COVERAGE To rely on SOC reports for SOX 404, the report must generally cover at least the first nine months of the audit period. Obtain a bridge letter if there is a gap between the SOC report date and the Company s year-end date. Review the bridge letters and evaluate the impact of changes in the service organizations controls, if any. If the report coverage is less than nine months and/or there is a gap larger than three months, Management must document how it became comfortable with the small coverage period and/or gap in the reporting period. 30
31 SSAE 16 T0 SSAE 18 Naming convention Vendor management Complementary subservice organization controls Service auditor risk assessment 31
32 Questions? Colin Wallace (503) Kim Koch (206) The material appearing in this presentation is for informational purposes only and is not legal or accounting advice. Communication of this information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although these materials may have been prepared by professionals, they should not be used as a substitute for professional services. If legal, accounting, or other professional advice is required, the services of a professional should be sought.
Retirement of SAS 70 and a new generation of Service Organization Control (SOC) Reports
new generation of Service Organization Control (SOC) Reports Presented by: Nina Currigan, KPMG Advisory Manager Karen Krebsbach, Ernst & Young Advisory Manager With you today Nina Currigan Advisory Manager
More informationSAS 70 & SSAE 16: Changes & Impact on Credit Unions. Agenda
SAS 70 & SSAE 16: Changes & Impact on Credit Unions John Mason CISM, CISA, CGEIT, CFE SingerLewak LLP October 19, 2010 Agenda Statement on Auditing Standards (SAS) 70 background Background & purpose Types
More informationISACA Cincinnati Chapter March Meeting
ISACA Cincinnati Chapter March Meeting Recent and Proposed Changes to SOC Reports Impacting Service and User Organizations. March 3, 2015 Presenters: Sayontan Basu-Mallick Lori Johnson Agenda SOCR Overview
More informationSAS 70 SOC 1 SOC 2 SOC 3. Type 1 Type 2
SAAABA Changes in Reports on Service Organization Controls April 18, 2012 Changes in Reports on Service Organization Controls (formerly SAS 70) April 18, 2012 Duane M. Reyhl, CPA Andrews Hooper Pavlik
More informationC22: SAS 70 Practices and Developments Todd Bishop, PricewaterhouseCoopers
C22: SAS 70 Practices and Developments Todd Bishop, PricewaterhouseCoopers SAS No. 70 Practices & Developments Todd Bishop Director, Risk Assurance Services, PricewaterhouseCoopers Agenda SAS 70 Background
More informationEvaluating SOC Reports and NEW Reporting Requirements
Evaluating SOC Reports and NEW Reporting Requirements ISACA Kris Lonborg, EY Partner Maria Avedissian, EY Senior Manager September 12, 2013 Agenda Evaluating SOC reports Recent changes made to the SOC1
More informationUnderstanding and Evaluating Service Organization Controls (SOC) Reports
Understanding and Evaluating Service Organization Controls (SOC) Reports Kevin Sear, CPA, CIA, CISA, CFE, CGMA Agenda 1. Why are SOC reports important? 2. Understanding the new SOC-1, SOC-2, and SOC-3
More informationMaking trust evident Reporting on controls at Service Organizations
www.pwc.com Making trust evident Reporting on controls at Service Organizations 1 Does this picture look familiar to you? User Entity A User Entity B User Entity C Introduction and background Many entities
More informationTransitioning from SAS 70 to SSAE 16
Industry Webinar Series SAS 70 ENDS EXIT TO SSAE 16 Transitioning from SAS 70 to SSAE 16 How Does This Apply to Your Organization? Cindy Boyle, Partner Rodney Walsh, Director BKD IT Risk Services Agenda
More informationMastering SOC-1 Attestation Reports Under SSAE 16: Auditing Service Organizations Controls in the Cloud
FOR LIVE POGRAM ONLY Mastering SOC-1 Attestation Reports Under SSAE 16: Auditing Service Organizations Controls in the Cloud TUESDAY, AUGUST 9, 2016, 1:00-2:50 pm Eastern IMPORTANT INFORMATION FOR THE
More informationIT Attestation in the Cloud Era
IT Attestation in the Cloud Era The need for increased assurance over outsourced operations/ controls April 2013 Symeon Kalamatianos M.Sc., CISA, CISM Senior Manager, IT Risk Consulting Contents Introduction
More informationSERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY?
WHITE PAPER SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY? JEFF COOK DIRECTOR CPA, CITP, CIPT, CISA North America Europe 877.224.8077 info@coalfire.com coalfire.com TABLE OF CONTENTS Summary...
More informationAuditing IT General Controls
Auditing IT General Controls Amanthi Pendegraft and Nadine Yassine September 27, 2017 Agenda Introduction and Objectives IT Audit Fundamentals IT General Controls Overview Access to Programs and Data Program
More informationA SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS
A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS Introduction If you re a growing service organization, whether a technology provider, financial services corporation, healthcare company, or professional
More informationAudit Considerations Relating to an Entity Using a Service Organization
An Entity Using a Service Organization 355 AU-C Section 402 Audit Considerations Relating to an Entity Using a Service Organization Source: SAS No. 122; SAS No. 128; SAS No. 130. Effective for audits of
More informationExploring Emerging Cyber Attest Requirements
Exploring Emerging Cyber Attest Requirements With a focus on SOC for Cybersecurity ( Cyber Attest ) Introductions and Overview Audrey Katcher Partner, RubinBrown LLP AICPA volunteer: AICPA SOC2 Guide Working
More informationThe SOC 2 Compliance Handbook:
The SOC 2 Compliance Handbook: Your guide to SOC 2 Audit Success The SOC 2 Compliance Handbook Page 2 Table of Contents Abstract 3 Why am I being asked about SOC Compliance? 4 What s the difference between
More informationWHICH SOC REPORT IS RIGHT FOR YOUR CLIENT?
CPAs & ADVISORS STRATEGIC ALLIANCE WEBINAR SERIES WHICH SOC REPORT IS RIGHT FOR YOUR CLIENT? June 20, 2017 Cindy Boyle TO RECEIVE CPE CREDIT Participate in entire webinar Answer polls when they are provided
More informationWeighing in on the Benefits of a SAS 70 Audit for Third Party Administrators
Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators With increasing oversight and growing demands for industry regulations, third party assurance has never been under a keener
More informationSSAE 18 & new SOC approach to compliance. Moderator Name: Patricio Garcia Managing Partner ControlCase Attestation Services
SSAE 18 & new SOC approach to compliance Moderator Name: Patricio Garcia Managing Partner ControlCase Attestation Services Agenda 1. SSAE 18 overview 2. SOC 2 + 3. 2017 Trust Services Criteria SSAE 18
More informationSOC Reporting / SSAE 18 Update July, 2017
SOC Reporting / SSAE 18 Update July, 2017 Agenda SOC Refresher Overview of SSAE 18 Changes to SOC 1 Changes to SOC 2 Quiz / Questions Various Types of SOC Reports SOC for Service Organizations (http://www.aicpa.org/soc4so)
More informationPREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice
PREPARING FOR SOC CHANGES AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice On May 1, 2017, SSAE 18 went into effect and superseded SSAE 16. The following information is here
More informationSOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions
SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions DISCLAIMER: The contents of this publication do not necessarily reflect the position or opinion of the American
More informationCSF to Support SOC 2 Repor(ng
CSF to Support SOC 2 Repor(ng Ken Vander Wal, CPA, CISA, HCISPP Chief Compliance Officer, HITRUST * ken.vanderwal@hitrustalliance.net Agenda Introduction to SOC Reporting SOC 2 and HITRUST CSF AICPA and
More informationSOC Reports The 2017 Update: What s new, What s not, and What you should be doing with the SOC Reports you receive! Presented by Jeff Pershing
SOC Reports The 2017 Update What s new, What s not, and What you should be doing with the SOC Reports you receive! presented to Northeast Ohio ISACA Thursday, April 20, 2017 Jeff Pershing, CISA, CISM,
More informationInformation for entity management. April 2018
Information for entity management April 2018 Note to readers: The purpose of this document is to assist management with understanding the cybersecurity risk management examination that can be performed
More informationCalifornia ISO Audit Results for 2011 SSAE 16 & Looking Forward for 2012 December 15, 2011
www.pwc.com California ISO Audit Results for 2011 SSAE 16 & Looking Forward for 2012 December 15, 2011 Agenda SSAE 16 Background Results of Audit Scope of Audit Looking Forward Closing Thoughts Slide 1
More informationSOC for cybersecurity
April 2018 SOC for cybersecurity a backgrounder Acknowledgments Special thanks to Francette Bueno, Senior Manager, Advisory Services, Ernst & Young LLP and Chris K. Halterman, Executive Director, Advisory
More informationInternal Audit Report. Electronic Bidding and Contract Letting TxDOT Office of Internal Audit
Internal Audit Report Electronic Bidding and Contract Letting TxDOT Office of Internal Audit Objective Review of process controls and service delivery of the TxDOT electronic bidding process. Opinion Based
More informationCredit Union Service Organization Compliance
Credit Union Service Organization Compliance How do SOC reporting and PCI requirements affect your overall compliance strategy? May 15 2012 Your Speakers Dennis Lavin Credit Union Assurance Partner Moderator
More informationSAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010
JAYACHANDRAN.B,CISA,CISM jb@esecurityaudit.com August 2010 SAS 70 Audit Concepts and Benefits Agenda Compliance requirements Overview Business Environment IT Governance and Compliance Management Vendor
More informationSAS70 Type II Reports Use and Interpretation for SOX
SAS70 Type II Reports Use and Interpretation for SOX November 19, 2007 Presented by: Erin Erickson, Senior Manager Enterprise Governance and Brenda Karl, Director Technology Risk Management Agenda Background
More informationInternational Auditing and Assurance Standards Board (IAASB) International Federation of Accountants 545 Fifth Avenue, 14 th Floor New York, NY 10017
3701 Algonquin Road, Suite 1010 Telephone: 847.253.1545 Rolling Meadows, Illinois 60008, USA Facsimile: 847.253.1443 Web Sites: www.isaca.org and www.itgi.org 25 April 2008 International Auditing and Assurance
More informationSOC Updates: Understanding SOC for Cybersecurity and SSAE 18. May 23, 2017
SOC Updates: Understanding SOC for Cybersecurity and SSAE 18 May 23, 2017 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.
More information2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification
2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification Presenters Jared Hamilton CISSP CCSK, CCSFP, MCSE:S Healthcare Cybersecurity Leader, Crowe Horwath Erika Del Giudice CISA, CRISC,
More informationGoogle Cloud & the General Data Protection Regulation (GDPR)
Google Cloud & the General Data Protection Regulation (GDPR) INTRODUCTION General Data Protection Regulation (GDPR) On 25 May 2018, the most significant piece of European data protection legislation to
More informationAdopting SSAE 18 for SOC 1 reports
Adopting SSAE 18 for SOC 1 reports Overview Since its adoption in 2011, service auditor reports issued in accordance with SSAE 16 have become increasingly common in the marketplace. In April 2016, the
More informationCyber Security in M&A. Joshua Stone, CIA, CFE, CISA
Cyber Security in M&A Joshua Stone, CIA, CFE, CISA Agenda About Whitley Penn, LLP The Threat Landscape Changed Cybersecurity Due Diligence Privacy Practices Cybersecurity Practices Costs of a Data Breach
More informationSOC Lessons Learned and Reporting Changes
SOC Lessons Learned and Reporting Changes Dec. 16, 2014 Your Presenters Today Arshad Ahmed, CISA, CISSP, CPA Leader of SOC and Technology Risk Services for Crowe Rod Smith, CISA, CPA Thought Leader for
More informationStudio Guggino and Newtonpartner S.r.l. a team of professionals at the service of your Company
Studio Guggino and Newtonpartner S.r.l. a team of professionals at the service of your Company To get where the others fail, we have to achieve even higher goals www.sas70.it MISSION Our Mission consists
More information"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary
Course Summary Description In this course, you will perform evaluations of organizational policies, procedures, and processes to ensure that an organization's information systems align with overall business
More informationADVANCED AUDIT AND ASSURANCE
ADVANCED AUDIT AND ASSURANCE CPA PROGRAM SUBJECT OUTLINE The Advanced Audit and Assurance subject provides a body of knowledge for you to understand the nature and diversity of audit and assurance engagements.
More informationLIST OF SUBSTANTIVE CHANGES AND ADDITIONS. PPC's Guide to Audits of Local Governments. Thirty first Edition (February 2016)
Route To: Partners Managers Staff File LIST OF SUBSTANTIVE CHANGES AND ADDITIONS PPC's Guide to Audits of Local Governments Thirty first Edition (February 2016) Highlights of This Edition The following
More informationISAE 3402 and SSAE 16 (replacing SAS 70) Reinforcing confidence through demonstration of effective controls
ISAE 3402 and SSAE 16 (replacing SAS 70) Reinforcing confidence through demonstration of effective controls ISAE 3402 and SSAE 16 defined Overview of service organisation control reports Service organisation
More informationNo IT Audit Staff? How to Hack an IT Audit. Presenters. Mark Bednarz, Partner-In-Charge, Risk Advisory PKF O Connor Davies, LLP
No IT Audit Staff? How to Hack an IT Audit Presenters Mark Bednarz, Partner-In-Charge, Risk Advisory PKF O Connor Davies, LLP Learning Objectives After this session, participants will be able to: Devise
More informationWebtrends Inc. Service Organization Controls (SOC) 3 SM Report on the SaaS Solutions Services System Relevant to Security
Webtrends Inc. Service Organization Controls (SOC) 3 SM Report on the SaaS Solutions Services System Relevant to Security For the Period January 1, 2016 through June 30, 2016 SOC 3 SM SOC 3 is a service
More informationAchieving third-party reporting proficiency with SOC 2+
Achieving third-party reporting proficiency with SOC 2+ Achieving third-party reporting proficiency with SOC 2+ Today s organizations do business within a broad ecosystem. Customers, partners, agents,
More informationIGNITING GROWTH. Why a SOC Report Makes All the Difference
IGNITING GROWTH Why a SOC Report Makes All the Difference Many service organizations depend on the integrity of their control environment to protect their business as well as that of their customers. With
More informationCITADEL INFORMATION GROUP, INC.
CITADEL INFORMATION GROUP, INC. The Role of the Information Security Assessment in a SAS 99 Audit Stan Stahl, Ph.D. President Citadel Information Group, Inc. The auditor has a responsibility to plan and
More informationBackground of the North America Top Technology Initiatives Survey
Kevin M. Martin, CPA.CITP, MCSE, MCP+I The 2013 North America* Top Technology Initiatives Survey *AICPA and CPA Canada The views expressed by the presenters do not necessarily represent the views, positions,
More informationGDPR: A QUICK OVERVIEW
GDPR: A QUICK OVERVIEW 2018 Get ready now. 29 June 2017 Presenters Charles Barley Director, Risk Advisory Services Charles Barley, Jr. is responsible for the delivery of governance, risk and compliance
More informationEXAM PREPARATION GUIDE
When Recognition Matters EXAM PREPARATION GUIDE PECB Certified Management System Auditor www.pecb.com The objective of the PECB Certified Management System Auditor examination is to ensure that the candidates
More informationISO/IEC INTERNATIONAL STANDARD
INTERNATIONAL STANDARD ISO/IEC 27006 Second edition 2011-12-01 Information technology Security techniques Requirements for bodies providing audit and certification of information security management systems
More informationWorkday s Robust Privacy Program
Workday s Robust Privacy Program Workday s Robust Privacy Program Introduction Workday is a leading provider of enterprise cloud applications for human resources and finance. Founded in 2005 by Dave Duffield
More informationError! No text of specified style in document.
Error! No text of specified style in document. Error! Use the Home tab to apply Section title to the text that you want to appear here. CFD Independent Auditor Report on CFD Allocation Round 2 4 September
More informationSAS 70 revised. ISAE 3402 will focus on financial reporting control procedures. Compact_ IT Advisory 41. Introduction
Compact_ IT Advisory 41 SAS 70 revised ISAE 3402 will focus on financial reporting control procedures Jaap van Beek and Marco Francken J.J. van Beek is a partner at KPMG IT Advisory. He has over twenty-years
More informationAssessment and Compliance with Sarbanes-Oxley (SOX) Requirements DataGuardZ Whitepaper
Assessment and Compliance with Sarbanes-Oxley (SOX) Requirements DataGuardZ Whitepaper What is the history behind Sarbanes-Oxley Act (SOX)? In 2002, the U.S. Senate added the Sarbanes-Oxley Act (SOX) to
More informationThe Minimum IT Controls to Assess in a Financial Audit (Part II)
The Minimum IT Controls to Assess in a Financial Audit (Part II) Tommie W. Singleton, Ph.D., CISA, CITP, CMA, CPA, is an associate professor of information systems (IS) at the University of Alabama at
More informationChapter 8: SDLC Reviews and Audit Learning objectives Introduction Role of IS Auditor in SDLC
Chapter 8: SDLC Reviews and Audit... 2 8.1 Learning objectives... 2 8.1 Introduction... 2 8.2 Role of IS Auditor in SDLC... 2 8.2.1 IS Auditor as Team member... 2 8.2.2 Mid-project reviews... 3 8.2.3 Post
More informationThe value of visibility. Cybersecurity risk management examination
The value of visibility Cybersecurity risk management examination Welcome to the "new normal" Cyberattacks are inevitable. In fact, it s no longer a question of if a breach will occur but when. Cybercriminals
More informationNE HIMSS Vendor Risk. October 9, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS
NE HIMSS Vendor Risk October 9, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2014 Wolf & Company, P.C. Does Vendor Management Feel Like This? 2 Vendor Risk Management Lifecycle
More informationDoes a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?
Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA? A brief overview of security requirements for Federal government agencies applicable to contracted IT services,
More informationSOC-2 Requirement Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD SOC-2
Requirement Solution Brief 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical software and services that transform high-volume cryptic log data into actionable, prioritized intelligence
More informationTesters vs Writers: Pen tests Quality in Assurance Projects. 10 November Defcamp7
Testers vs Writers: Pen tests Quality in Assurance Projects 10 November 2016 @ Defcamp7 Contents INTRODUCTION CONTEXT WHAT ABOUT AUDITING STANDARDS WHAT ABOUT INDEPENDENCE PEN TEST BETWEEN REGULATORY AND
More informationBusiness Continuity Planning
Information Systems Audit and Control Association www.isaca.org Business Continuity Planning AUDIT PROGRAM & INTERNAL CONTROL QUESTIONNAIRE The Information Systems Audit and Control Association With more
More informationHITRUST CSF: One Framework
HITRUST CSF: One Framework Leveraging the HITRUST CSF to Support ISO, HIPAA, & NIST Implementation and Compliance, and SSAE 16 SOC Reporting Dr. Bryan Cline, CISSP-ISSEP, CISM, CISA, CCSFP, HCISPP Senior
More informationNYDFS Cybersecurity Regulations: What do they mean? What is their impact?
June 13, 2017 NYDFS Cybersecurity Regulations: What do they mean? What is their impact? Gus Coldebella Principal, Boston Caroline Simons Principal, Boston Agenda 1) Overview of the new regulations 2) Assessing
More informationEXAM PREPARATION GUIDE
When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO 22000 Lead Auditor www.pecb.com The objective of the Certified ISO 22000 Lead Auditor examination is to ensure that the candidate has
More information26 February Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, NW Washington, DC
3701 Algonquin Road, Suite 1010 Telephone: 847.253.1545 Rolling Meadows, Illinois 60008, USA Facsimile: 847.253.1443 Web Sites: www.isaca.org and www.itgi.org 26 February 2007 Office of the Secretary Public
More informationWithin our recommendations for editorial changes, additions are noted in bold underline and deletions in strike-through.
1633 Broadway New York, NY 10019-6754 Mr. Jim Sylph Executive Director, Professional Standards International Federation of Accountants 545 Fifth Avenue, 14th Floor New York, NY 10017 Dear Mr. Sylph: We
More informationCITP Examination Content Specification Outline
CITP Examination Content Specification Outline 2016 American Institute of CPAs. All rights reserved. DISCLAIMER: The contents of this publication do not necessarily reflect the position or opinion of the
More informationSOC 3 for Security and Availability
SOC 3 for Security and Availability Independent Practioner s Trust Services Report For the Period October 1, 2015 through September 30, 2016 Independent SOC 3 Report for the Security and Availability Trust
More informationNew York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines
New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities
More informationIndependent Accountants Report. Utrecht, 28 January To the Management of GBO.Overheid:
KPMG IT Auditors P.O. Box 43004 3540 AA Utrecht The Netherlands Rijnzathe 14 3454 PV De Meern The Netherlands Telephone +31 (0)30 658 2150 Fax +31 (0)30 658 2199 Independent Accountants Report To the Management
More informationCLOUD COMPUTING APPLYING THIS NEW TECHNOLOGY TO YOUR PRACTICE
CLOUD COMPUTING APPLYING THIS NEW TECHNOLOGY TO YOUR PRACTICE Douglas W. Barbin, CPA, CISSP, PCI QSA, CCSK BrightLine CPAs & Associates, Inc. November 4, 2011 Divorced after 72 Days AGENDA ANDOVERVIEW
More informationChapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS
Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS The Saskatchewan Power Corporation (SaskPower) is the principal supplier of power in Saskatchewan with its mission to deliver power
More informationInformation Technology General Control Review
Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor
More informationApplication for Certification
Application for Certification Requirements to Become a Certified Information Security Manager To become a Certified Information Security Manager (CISM), an applicant must: 1. Score a passing grade on the
More informationInstitute of Certified Forensic Accountants. Certificate in Internal Auditing
Institute of Certified Forensic Accountants Certificate in Internal Auditing www.forensicglobal.org info@forensicglobal.org Welcome The Institute of Certified Forensic Accountants is a professional body
More informationProtecting your data. EY s approach to data privacy and information security
Protecting your data EY s approach to data privacy and information security Digital networks are a key enabler in the globalization of business. They dramatically enhance our ability to communicate, share
More informationIT Audit Process Prof. Liang Yao Week Two IT Audit Function
Week Two IT Audit Function Why we need IT audit A Case Study What You Can Learn about Risk Management from Societe Generale? https://www.cio.com/article/2436790/security0/what-you-can-learn-about-risk-management-fromsociete-generale.html
More informationDisaster Recovery Planning: Is Your Plan in Place? Presented by: Steve Shofner, CISA, CGEIT
Disaster Recovery Planning: Is Your Plan in Place? Presented by: Steve Shofner, CISA, CGEIT 1 The material appearing in this presentation is for informational purposes only and is not legal or accounting
More informationCYBER INSURANCE: MANAGING THE RISK
CYBER INSURANCE: MANAGING THE RISK LEON FOUCHE PARTNER & NATIONAL CYBERSECURITY LEAD BDO AUSTRALIA MEMBER OF THE GLOBAL CYBERSECURITY LEADERSHIP GROUP ii CYBER INSURANCE: MANAGING THE RISK There s no doubt
More informationEXAM PREPARATION GUIDE
When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO/IEC 20000 Lead Auditor www.pecb.com The objective of the Certified ISO/IEC 20000 Lead Auditor examination is to ensure that the candidate
More informationInformation Security Policy
April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING
More informationPublic vs private cloud for regulated entities
Public vs private cloud for regulated entities DC2: Restricted use The cloud is for everyone but not for everything 2 Opportunity enabler DC2: Restricted use Flexibility SAAS Public Accessibility Agility
More informationPeriod from October 1, 2013 to September 30, 2014
Assurance Report on Controls Placed in Operation and Tests of Operating Effectiveness ISAE 3402 Type 2 Period from October 1, 2013 to September 30, 2014 Frankfurt/Main Table of Contents SECTION I Independent
More informationISO 27001:2013 certification
www.pwc.ch/cybersecurity ISO 27001:2013 certification Building confidence in your digital future Our approach to certification PwC offers a four-phase approach to help with your ISO 27001 project, using
More informationAddressing Cybersecurity Risk
The CPA s Role in Addressing Cybersecurity Risk How the Auditing Profession Promotes Cybersecurity Resilience MAY 2017 Contents 1. EXECUTIVE SUMMARY 1 2. THE LANDSCAPE OF CYBERSECURITY RISK 3 The Need
More informationLahore University of Management Sciences. ACCT 250 Auditing Spring Semester 2018
Lahore University of Management Sciences ACCT 250 Auditing Spring Semester 2018 Instructor Syed Zain ul Abideen / Waqar Ali Room No. SDSB room no. 442, 422 Office Hours TBA Email syed.zain@lums.edu.pk;
More informationEXAM PREPARATION GUIDE
When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO 9001 Lead Auditor www.pecb.com The objective of the PECB Certified ISO 9001 Lead Auditor examination is to ensure that the candidate possesses
More informationEY s data privacy service offering
EY s data privacy service offering How to transform your data privacy capabilities for an EU General Data Protection Regulation (GDPR) world Introduction Data privacy encompasses the rights and obligations
More informationBusiness Assurance for the 21st Century
14/07/2011 Navigating the Information Assurance landscape AUTHORS Niall Browne NAME AFFILIATION Shared Assessments Program Michael de Crespigny (CEO) Jim Reavis Kurt Roemer Raj Samani Information Security
More informationBENEFITS of MEMBERSHIP FOR YOUR INSTITUTION
PROFILE The Fiduciary and Investment Risk Management Association, Inc. (FIRMA ) is the leading provider of fiduciary and investment risk management education and networking to the fiduciary and investment
More informationREPORT 2015/149 INTERNAL AUDIT DIVISION
INTERNAL AUDIT DIVISION REPORT 2015/149 Audit of the information and communications technology operations in the Investment Management Division of the United Nations Joint Staff Pension Fund Overall results
More informationBHConsulting. Your trusted cybersecurity partner
Your trusted cybersecurity partner BH Consulting Securing your business BH Consulting is an award-winning, independent provider of cybersecurity consulting and information security advisory services. Recognised
More informationFRAUD-RELATED INTERNAL CONTROLS
GLOBAL HEADQUARTERS THE GREGOR BUILDING 716 WEST AVE AUSTIN, TX 78701-2727 USA TABLE OF CONTENTS I. THE NEED FOR INTERNAL CONTROLS Example... 1 Threats to an Organization s Internal Control Environment...
More informationSafeguarding unclassified controlled technical information (UCTI)
Safeguarding unclassified controlled technical information (UCTI) An overview Government Contract Services Bulletin Safeguarding UCTI An overview On November 18, 2013, the Department of Defense (DoD) issued
More informationPublic Safety Canada. Audit of the Business Continuity Planning Program
Public Safety Canada Audit of the Business Continuity Planning Program October 2016 Her Majesty the Queen in Right of Canada, 2016 Cat: PS4-208/2016E-PDF ISBN: 978-0-660-06766-7 This material may be freely
More informationEvolve Your Security Operations Strategy To Account For Cloud
Evolve Your Security Operations Strategy To Account For Cloud GET STARTED The growth of cloud computing and proliferation of complex service delivery models continue to accelerate as companies recognize
More information