SOC Reports, The 2017 Update: What's new, What's not, and What you should be doing with the SOC Reports you receive! Presented by Jeff Pershing
Slide 1: SOC Reports, The 2017 Update
What's new, What's not, and What you should be doing with the SOC Reports you receive!
Presented to Northeast Ohio ISACA, Thursday, April 20, 2017
Jeff Pershing, CISA, CISM, CISSP, Principal, Pershing Consulting, LLC

Slide 2: Introductions
Page 1
Slide 3: Overview
- Brief history of reports on Service Organizations
- Overview of AT 101, SSAE 16/SOC 1, SOC 2, and SOC 3
- Attestation Standards Updates / SSAE 18 Overview
- What's new with SOC Reports
- Trust Services Principles Overview and Updates
- What's new with SOC 2
- User Auditor Requirements
- Lessons learned from the first years of SOC reporting

Slide 4: Brief history of reports on Service Organizations
Slide 5: SAS70
In the beginning, the AICPA created the SAS70. The AICPA saw that the SAS70 was good, and it was so. And then the AICPA rested... for nearly 20 years.... Okay, not quite... SAS78, SAS88, SAS94,... until... "He's dead, Jim." (Leonard "Bones" McCoy)

Slide 6: Why the need for a SAS70 Report anyway?
- Computers give rise to EDP (Electronic Data Processing)
- Computers are very big and expensive (in the 60s, 70s, and 80s). Okay, they're still expensive now...
- Let's share their use to be more efficient! This sounds like a business opportunity! Let's create a company to provide processing to several companies at once who can't afford their own (can anyone say "cloud"?)
- Auditor: How do I know my financial calculations are correct and you have good internal controls?
- Service Provider: Trust us!
- Auditor: No, I will audit you. SAS55 says so. See you Monday. Here's my request list.
- Service Provider: Wait, I have hundreds of customers with auditors all saying the same thing!
Slide 7: Service Provider Audit Reports, A Short History
- AICPA: American Institute of Certified Public Accountants
- SAS: Statement on Auditing Standards
- SAS 55, Consideration of the Internal Control Structure in a Financial Statement Audit
  - Released in 1988
  - Created "death by auditing" for service providers
- SAS 70, Service Organizations
  - Issued in 1992 as Reports on the Processing of Transactions by Service Organizations, effective for reports issued after March 31, 1993
  - One report to meet the needs of multiple user auditors
  - Amended by SAS 88 and renamed Service Organizations

Slide 8: Service Provider Audit Reports, A Short History (cont.)
- SAS70 was amended several times by subsequent SASs:
  - by SAS 78, Consideration of Internal Control in a Financial Statement Audit: An Amendment to Statement on Auditing Standards No. 55
  - by SAS 88, which changed the title to Service Organizations
  - in 2002 by SAS 94, The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit
  - in 2002 by SAS 98, Omnibus Statement on Auditing Standards, 2002
  - other minor adjustments ("conforming changes") in 2006 by SAS 105 & SAS 106, and in 2007 by SAS 109 & SAS 110
- SAS70 was superseded by three Service Organization Control (SOC) reports (SOC 1, SOC 2 and SOC 3) for reports issued on or after June 15, 2011
- SOC Reports were based on Attestation Standard 101 (AT 101)
Slide 9: Why Change?
- SAS70 was abused: intended for ICFR, but used for much more
  - To obtain assurance on controls regarding compliance and operations, e.g. hosted data centers providing no financial-reporting-relevant services
  - SysTrust or AT 101 should have been used instead
- SAS70 grew in familiarity outside the auditing world (e.g. IT), but was not necessarily well understood ("Are you SAS70 certified?")

Slide 10: Why Change? (cont.)
- ISAE 3402 / SSAE 16 (SOC 1) for ICFR
  - International Standard on Assurance Engagements (ISAE) 3402 issued in December 2009
  - The AICPA issued SSAE No. 16 shortly afterwards as a US standard in alignment with ISAE 3402; minor differences between the two
  - Drafted to help correct misuses of the SAS70
- SOC 2 for matters other than ICFR: specifically, Security, Availability, Processing Integrity, Confidentiality, and Privacy
- SOC 3: similar to SOC 2, but a general use report
- All three based on AT 101 (SSAE 16 became AT 801)
Slide 11: Overview of AT 101, SSAE 16/SOC 1, SOC 2, and SOC 3

Slide 12: Attestation Standards, Section 101
- AT Section 101 provides a framework for attestation engagements that are completed by practitioners
- SOC 1, SOC 2 and SOC 3 reports are completed in accordance with AT Section 101
- The subject matter of an attest engagement may take many forms, for example:
  - Physical characteristics (for example, narrative descriptions, square footage of facilities)
  - Historical events (for example, the price of a market basket of goods on a certain date)
  - Systems and processes (for example, internal control)
- Suitability and availability of criteria: the subject matter must be capable of evaluation against criteria that are suitable and available to users
Slide 13: Attestation Standards
- SSAE = Statement on Standards for Attestation Engagements
- SSAE 10, issued in 2001, established:
  - AT 101, Attest Engagements
  - AT 201, Agreed-Upon Procedures Engagements
  - AT 301, Financial Forecasts and Projections
  - AT 401, Reporting on Pro Forma Financial Information
  - AT 601, Compliance Attestation
  - AT 701, Management's Discussion and Analysis

Slide 14: Other SSAEs
- SSAE 11, Attest Documentation: updated AT 101, 201, and 301
- SSAE 12, Amendment to Statement on Standards for Attestation Engagements No. 10, Attestation Standards: Revision and Recodification: updated AT 101
- SSAE 13, Defining Professional Requirements in Statements on Standards for Attestation Engagements: created AT 20, Defining Professional Requirements for SSAE Engagements
- SSAE 14, SSAE Hierarchy: created AT 50, SSAE Hierarchy
- SSAE 15, An Examination of an Entity's Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements: created AT 501 (issued in 2008)
- SSAE 17, Reporting on Compiled Prospective Financial Statements When the Practitioner's Independence Is Impaired: updated AT 301
Slide 15: NOTE: SAS 130 withdrew AT 501
- SAS 130, An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements (AICPA, Professional Standards, AU-C sec. 940), issued in October 2015
- The AICPA Auditing Standards Board (ASB) determined it is appropriate to move the content of AT section 501 from the attestation standards into generally accepted auditing standards (GAAS).
- The ASB will consider developing, at a later date, an attestation standard addressing examinations of internal control other than internal control over financial reporting that is integrated with an audit of financial statements.
- SAS No. 130 is effective for integrated audits for periods ending on or after December 15, 2016, at which time AT 501 will be withdrawn.

Slide 16: What Changed moving from SAS to AT?
- Attestation Standard vs. Auditing Standard
- Management Assertion: an assertion is any declaration or set of declarations about whether the subject matter is based on or in conformity with the criteria selected
- Description of System vs. Controls
- Use of suitable criteria
- Suitability of design opinion: under SAS70 the design opinion was as of a point in time; under SSAE 16 (SOC 1) / SOC 2 it covers the entire period
- Materiality
- Deviations (not "exceptions")
- Use of Internal Audit: testing performed by IA must be identified in the report
- Opinion format
Slide 17: What is a System?
TSP sec. 100 paragraph .01 defines a system as follows: A system is designed, implemented, and operated to achieve specific business objectives (for example, delivery of services, production of goods) in accordance with management-specified requirements. System components can be classified into the following five categories:
- Infrastructure. The physical structures, IT, and other hardware (for example, facilities, computers, equipment, mobile devices, and telecommunications networks).
- Software. The application programs and IT system software that supports application programs (operating systems, middleware, and utilities).
- People. The personnel involved in the governance, operation, and use of a system (developers, operators, entity users, vendor personnel, and managers).
- Processes. The automated and manual procedures. NOTE: the SOC 2 Guide, par. 1.26a(ii)(4), uses "Procedures" rather than "Processes".
- Data. Transaction streams, files, databases, tables, and output used or processed by a system.

Slide 18: SSAE 16 / SOC 1
- SSAE 16, Reporting on Controls at a Service Organization, created AT 801
- As an attestation standard, it is built upon AT 101
- Established requirements for attestation engagements to report on controls at organizations that provide services to user entities when those controls are likely to be relevant to user entities' internal control over financial reporting (ICFR)
- Effective for reports issued on or after June 15, 2011
- SOC 1 Audit Guide released May 2011, updated May 2013; a new update was just released in January 2017
- Two report types: SOC 1 Type I = SSAE 16 Type I Report; SOC 1 Type II = SSAE 16 Type II Report
- Branded by the AICPA as a SOC 1 (Service Organization Control Report 1); the AICPA now prefers "SOC 1" over "SSAE 16"
Slide 19: SOC 2 Reports
- Reports on Controls at a Service Organization over Security, Availability, Processing Integrity, Confidentiality, or Privacy
- Can report on just one Principle, or on any combination of the five
- SOC 2 Guide released May 2011, updated March 2012 and July 2015; a new update is expected soon
- Report format designed to match the SSAE 16: SOC 2 Type I and SOC 2 Type II
- Criteria are prescribed: must use the TSP (Trust Services Principles)

Slide 20: SOC 3 Reports
- Similar to a SOC 2; uses the TSP 100 Trust Services Principles
- Primary differences:
  - Does not contain a description of the practitioner's tests of controls and the results of those tests
  - Is a general use report rather than a restricted use report
  - An unqualified opinion allows use of the SOC Seal ("SysTrust for Service Organizations") on the Service Provider's website, if the Service Auditor is licensed by CPA Canada (formerly CICA)
- A SOC 3 Guide was planned for release in Q4, but we're still waiting...
Slide 21: Reports Comparison

Slide 22: Attestation Standards Updates / SSAE 18 Overview
Slide 23: Attestation Clarity Project
- Designed to address concerns over the clarity, length, and complexity of the Attestation Standards
- Objective: to make AT sections easier to read, understand and apply
- Redrafted the standards utilizing clarity drafting conventions
- Resulted in SSAE 18, Attestation Standards: Clarification and Recodification
- Desire to converge with standards of the International Auditing and Assurance Standards Board (IAASB): International Standard on Assurance Engagements (ISAE) 3000 (Revised), Assurance Engagements Other Than Audits or Reviews of Historical Financial Information, served as the foundation for the common concepts, examination, and review sections of SSAE 18

Slide 24: Clarity Drafting Conventions
SSAE 18 was drafted utilizing clarity drafting conventions, including:
- Establishing objectives for each AT-C section
- Including a definitions section, where relevant, in each AT-C section
- Separating requirements from application and other explanatory material
- Numbering application and other explanatory material paragraphs using an A- prefix and presenting them in a separate section that follows the requirements section
- Using formatting techniques, such as bulleted lists, to enhance readability
- Including, when appropriate, special considerations relevant to audits of smaller, less complex entities within the text of the AT-C section
- Including, when appropriate, special considerations relevant to examination, review, or agreed-upon procedures engagements for governmental entities within the text of the AT-C section
The identifier "AT-C" is used to differentiate the sections of the clarified attestation standards ("AT-C" sections) from the sections of the attestation standards that are superseded by SSAE 18 ("AT" sections).
Slide 25: SSAE 18
- Supersedes SSAEs 10-17, except:
  - SSAE 10, Chapter 7 (AT 701), Management's Discussion and Analysis: renamed AT-C 395
  - SSAE 15 (AT 501 and 9501), An Examination of an Entity's Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements, and related interpretation no. 1. However, SAS 130 withdrew AT 501 and related interpretations for integrated audits for periods ending on or after December 15, 2016
- Effective for reports dated on or after May 1, 2017

Slide 26: Contents of SSAE 18
- AT-C Preface
- AT-C Section 100, Common Concepts
  - AT-C Section 105, Concepts Common to All Attestation Engagements
- AT-C Section 200, Level of Service
  - AT-C Section 205, Examination Engagements
  - AT-C Section 210, Review Engagements
  - AT-C Section 215, Agreed-Upon Procedures Engagements
- AT-C Section 300, Subject Matter
  - AT-C Section 305, Prospective Financial Information
  - AT-C Section 310, Reporting on Pro Forma Financial Information
  - AT-C Section 315, Compliance Attestation
  - AT-C Section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting
  - AT-C Section 395, Management's Discussion and Analysis
Slide 27: What's New in SSAE 18?
- Separate discussion of review engagements (AT 101 combined the discussion of examinations and reviews)
- Required representation letters (AT 101 allowed, but did not require, representation letters)
- Risk assessment for examination engagements: requires obtaining a more in-depth understanding of the development of the subject matter than currently required, in order to better identify the risks of material misstatement in an examination engagement
- Incorporation of detailed requirements: similar to the SASs, specifies additional requirements (e.g. the need for an engagement letter, or the need to obtain written representations)
- Scope limitation imposed by the engaging party or the responsible party: now allows for a qualified opinion, rather than only disclaiming an opinion or withdrawing from the engagement

Slide 28: Mapping AT to AT-C
AT Section (superseded by SSAE No. 18) -> AT-C Section (designated by SSAE No. 18)
- AT 20, Defining Professional Requirements in Statements on Standards for Attestation Engagements -> AT-C 105, Concepts Common to All Attestation Engagements
- AT 50, SSAE Hierarchy -> AT-C 105, Concepts Common to All Attestation Engagements
- AT 101, Attest Engagements -> AT-C 105, Concepts Common to All Attestation Engagements; AT-C 205, Examination Engagements; AT-C 210, Review Engagements
- AT 201, Agreed-Upon Procedures Engagements -> AT-C 215, Agreed-Upon Procedures Engagements
- AT 301, Financial Forecasts and Projections -> AT-C 305, Prospective Financial Information
- AT 401, Reporting on Pro Forma Financial Information -> AT-C 310, Reporting on Pro Forma Financial Information
- AT 501, An Examination of an Entity's Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements -> no AT-C section: Statement on Auditing Standards No. 130, An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements, withdraws AT section 501
- AT 601, Compliance Attestation -> AT-C 315, Compliance Attestation
- AT 701, Management's Discussion and Analysis -> AT-C 395, Management's Discussion and Analysis
- AT 801, Reporting on Controls at a Service Organization -> AT-C 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting
Slide 29: Mapping AT-C to AT
AT-C Section (designated by SSAE No. 18) <- AT Section (superseded by SSAE No. 18)
- Preface, Preface to the Attestation Standards <- Introduction, Attestation Standards Introduction
- AT-C 100, Common Concepts
  - AT-C 105, Concepts Common to All Attestation Engagements <- AT 20, Defining Professional Requirements in Statements on Standards for Attestation Engagements; AT 50, SSAE Hierarchy; AT 101, Attest Engagements
- AT-C 200, Level of Service
  - AT-C 205, Examination Engagements <- AT 101, Attest Engagements
  - AT-C 210, Review Engagements <- AT 101, Attest Engagements
  - AT-C 215, Agreed-Upon Procedures Engagements <- AT 201, Agreed-Upon Procedures Engagements
- AT-C 300, Subject Matter
  - AT-C 305, Prospective Financial Information <- AT 301, Financial Forecasts and Projections
  - AT-C 310, Reporting on Pro Forma Financial Information <- AT 401, Reporting on Pro Forma Financial Information
  - AT-C 315, Compliance Attestation <- AT 601, Compliance Attestation
  - AT-C 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting <- AT 801, Reporting on Controls at a Service Organization
  - AT-C 395, Management's Discussion and Analysis <- AT 701, Management's Discussion and Analysis

Slide 30: What's new with SOC Reports
Slide 31: SOC 2 + Additional Subject Matter
- Introduced in (approximately) 2015
- Allows for addressing additional criteria, additional subject matter using additional suitable criteria, or both. E.g. in addition to addressing the Security Principle, also address the HIPAA Security Rule
- Mappings created from the 2014 version of the Trust Services Principles to:
  - CSA Cloud Controls Matrix
  - HITRUST CSF
  - COBIT 5
  - COSO 2013
  - ISO
  - NIST SP (Rev. 4)

Slide 32: Underlying Standard has Changed
- SOC 1
  - Old standard: AT 801 (with attestation guidance provided by the SOC 1 Guide)
  - New standards: AT-C 105, AT-C 205, AT-C 320 (and a brand new SOC 1 Guide!)
- SOC 2 / SOC 3
  - Old standard: AT 101 (with attestation guidance provided by the SOC 2 Guide issued in July 2015)
  - New standards: AT-C 105, AT-C 205 (and the existing SOC 2 Guide)
- For all three SOC Reports, any report dated on or after May 1, 2017 must follow the new AT-C standards (SSAE 18)
Slide 33: But that's not all!
- SOC Report = Service Organization Control Report? NO LONGER!!!
- SOC has been redefined to mean System and Organization Controls
- According to the AICPA: "By redefining that acronym, the AICPA enables the introduction of new internal control examinations that may be performed (a) for other types of organizations, in addition to service organizations and (b) on either system-level or entity-level controls of such organizations."

Slide 34: SOC Suite of Services
- SOC 1, SOC for Service Organizations: ICFR. AT-C 320 (and AT-C 105 / AT-C 205) plus a new SOC 1 Guide
- SOC 2, SOC for Service Organizations: Trust Services Criteria. AT-C 205 (and AT-C 105) plus the existing SOC 2 Guide
- SOC 3, SOC for Service Organizations: Trust Services Criteria for General Use Report. AT-C 205 (and AT-C 105) plus the existing SOC 2 Guide
- SOC for Cybersecurity (coming soon!). AT-C 205 (and AT-C 105) plus the forthcoming Guide, Reporting on an Entity's Cybersecurity Risk Management Program and Controls
- SOC for vendor supply chains (planned for 2018)
Slide 35: SOC for Cybersecurity
- Called a Cybersecurity Examination, it will include:
  - A description of the entity's cybersecurity risk management program
  - An assessment of the effectiveness of the controls within that program to achieve the entity's cybersecurity objectives
- Management is responsible for selecting both the description criteria and the control criteria to be used in the engagement
- Proposed Description Criteria for Management's Description of the Entity's Cybersecurity Risk Management Program: issued 9/15/16; comment period closed 12/5/16. Currently the only option for description criteria
- Proposed Revision of Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy: issued 9/15/16; comment period closed 12/5/16. Includes updates to better address cybersecurity risks. Other cybersecurity control criteria may be used

Slide 36: BREAK (?)
Slide 37: Trust Services Principles Overview and Updates

Slide 38: The Trust Services Principles
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
Slide 39: Trust Services Principles (TSP) Revisions
- AICPA, Technical Practice Aids, TSP sec. 100
- Originally released in 2006, then updated in 2009
- Major revision to TSP sec. 100 in March/April 2014
  - Removed significant redundancies in wording between the Principles
  - Reorganized into a set of Common Criteria applicable to all Principles, plus additional principle-specific criteria:
    - Criteria Common to All [Security, Availability, Processing Integrity, and Confidentiality] Principles: 28 criteria statements
    - Availability: 3 more criteria statements
    - Processing Integrity: 6 more criteria statements
    - Confidentiality: 6 more criteria statements
  - Mandatory adoption for reporting periods ending on or after Dec. 15, 2014
  - Privacy was updated separately

Slide 40: Revisions to the Trust Services Principles
- New version released mid-year 2016
- Minor and clarifying updates to various criteria
- Two additional Confidentiality criteria were added to address the retention and disposal of confidential information (total of 8 criteria statements now)
- Incorporated new criteria for Privacy to bring it back into the TSP framework (removing the cross references to the Generally Accepted Privacy Principles)
- Early adoption permitted; mandatory use beginning with reports for periods ending on or after December 15, 2016
Slide 41: Even more Trust Services Revisions!
- Proposed Revision of Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy: issued 9/15/16; comment period closed 12/5/16
- The proposed revision indicates these are expected to become mandatory by 6/15/2018, with early adoption permitted. However, a final version has not yet been issued.
- Significant changes:
  - Renaming: "trust services principles and criteria" are now "trust services criteria"; the five principles (security, availability, processing integrity, confidentiality, and privacy) are now "trust services categories"
  - Aligns the Trust Services Criteria to the COSO 2013 Framework
  - Includes updates to better address cybersecurity risks
  - Adds points of focus to all criteria (in a similar manner to COSO 2013)

Slide 42: TSP Common Criteria
Criteria Common to All [Security, Availability, Processing Integrity, and Confidentiality] Principles:
- CC1.0, Common Criteria Related to Organization and Management
- CC2.0, Common Criteria Related to Communications
- CC3.0, Common Criteria Related to Risk Management and Design and Implementation of Controls
- CC4.0, Common Criteria Related to Monitoring of Controls
- CC5.0, Common Criteria Related to Logical and Physical Access Controls
- CC6.0, Common Criteria Related to System Operations
- CC7.0, Common Criteria Related to Change Management
Additional criteria apply when reporting on Availability, Processing Integrity, or Confidentiality.
Slide 43: What's new with SOC 2

Slide 44: Contents of a SOC 2 Report
- Auditor's Report. What does it cover:
  - Fairness of presentation of the description
  - Suitability of design of the controls
  - Operating effectiveness of controls (Type 2 only)
- Criteria related to the auditor's evaluation
- Tests of controls and results (Type 2 only)
- Whether the carve-out or inclusive method was used
- Other information from the service organization (unaudited)
Slide 45: SOC 2 Guide
- Updated SOC 2 Guide released July 1, 2015
- Provides how-to guidance for service auditors performing examinations under AT section 101
- Incorporates the TSP sec. 100 updates from 2014
- Updated guide expected in 2017 (?)
- Other updates fall into two major categories:
  - Scoping updates: drive changes to the examination process
  - Language updates: will be reflected in reporting deliverables

Slide 46: Scoping Updates
- Non-continuous exam periods: recommendation to either expand the period to cover the gap period, or evaluate the potential effect of the excluded time period on users of the report [ref. par. 2.26]
- If addressing Confidentiality or Privacy: the system boundary must include the information life cycle: collection, use, retention, disclosure, and disposal or anonymization of personal information [ref. par. and 3.05]
- Monitoring of subservice organizations: regardless of the subservice organization approach (carve-out or inclusive), controls to monitor services provided by third parties should be included in the description [ref. par. 1.26a(iv)(2) and 3.5]
Slide 47: Scoping Updates (cont.)
- Complementary User Entity Controls (CUECs) and User Entity Responsibilities
  - CUECs are now emphasized as controls necessary to meet one or more criteria
  - Otherwise, a control expected of the user is considered a User Entity Responsibility (a new concept introduced in the current guide)
  - User Entity Responsibilities are not required to be included in the system description
  - Ref. par. through 3.37

Slide 48: Language Updates
- Representation Letter: additional representations by Management to the Service Auditor [ref. par. ]
  - Communications from regulators and others have been disclosed
  - Acknowledgement of responsibility for the subject matter
  - The effects of uncorrected misstatements are immaterial
- System Description: additional guidance to the service auditor on evaluating what fair presentation is [ref. par. 3.02]
Slide 49: Language Updates (cont.)
- Control Activities: additional guidance to the service auditor on describing controls, including [ref. par. 3.07]:
  - What: the subject matter to which the control applies
  - Who: the party responsible for performing the control
  - How: the nature of the activity performed, including sources of information used in performing the control
  - When: the frequency with which the control is performed, or the timing of its occurrence
- Control Testing Conclusions: example wording for greater clarity in particular situations
  - Sample size, when there are deviations [ref. par. 4.09]
  - Controls with no activity during the period [ref. par. 4.50]

Slide 50: SOC 2 Guide, Other Useful Information
- Appendix C, Illustrative Management Assertion and Related Service Auditor's Report
- Appendix D, Illustrative Type 2 Service Organization Controls Report
- Appendix E, Information for Management of a Service Organization: generally a restatement of Management's responsibilities from various other portions of the guide, but pulled together in one place, in a more reader-friendly format and writing style
Slide 51: SOC 2 Guide, Other Useful Information (cont.)
- Appendix F, Service Auditor Considerations in Performing SOC 2 or SOC 3 Engagements for Cloud Service Organizations (CSOs): provides an overview of CSOs, deployment models, and challenges unique to CSOs and their impact on performing a SOC 2 / SOC 3 engagement
- Appendix H, Additional Considerations for the Service Auditor Regarding the Trust Services Criteria: provides explanatory information on the seven Common Criteria categories and the additional criteria for Availability, Processing Integrity, and Confidentiality; adds context beyond the illustrative risks and controls provided in TSP sec. 100, Appendix B

Slide 52: User Auditor Requirements
Slide 53: User Auditor Requirements
- Read the report!!!
  - Does it cover the relevant services?
  - Service Auditor's opinion: Unqualified? (Good) Qualified? (Not as good, but can be okay) Adverse? (Typically bad) Disclaimer of opinion? (Typically very bad)
  - Any deficiencies/deviations? If so, how do they affect the User Entity?
- SAS 122 / AU-C Section 402, Audit Considerations Relating to an Entity Using a Service Organization
  - Outlines various requirements for User Auditors when evaluating attestation reports
  - Particularly important when evaluating in support of ICFR

Slide 54: User Auditor Requirements (cont.)
Understand the Service Organization / evaluate the appropriateness of the report in support of the User Organization audit (ref. AU-C 402 par. and .17):
- Service Auditor's professional competence
- Adequacy of the standards utilized
- Time period covered
- Sufficiency and appropriateness of the evidence provided for the understanding of the user entity's internal control
  - Is the description of the system sufficient and understandable?
  - Are the control objectives/criteria relevant, sufficient, and understandable?
  - Are the controls relevant, sufficient, and understandable?
- Sufficiency and appropriateness of the tests of controls performed by the Service Auditor
- Evaluate complementary user entity controls for relevance, design and implementation
Slide 55: User Auditor Requirements (cont.)
- Complementary User Entity Controls, from AU-C 402, par. .08: "Controls that management of the service organization assumes, in the design of its service, will be implemented by user entities, and which, if necessary to achieve the control objectives stated in management's description of the service organization's system, are identified as such in that description."
- The user auditor should determine which are relevant to the user entity audit, then evaluate the User Entity for the design and implementation of those controls
- One way is to map the Complementary User Entity Controls to User Entity Controls

Slide 56: User Auditor Requirements (cont.)
What if the report is insufficient for the audit need?
- Contact the service organization, through the user entity, to obtain specific information
- Visit the service organization and perform procedures that will provide the necessary information about the relevant controls at the service organization
- Use another auditor to perform procedures that will provide the necessary information about the relevant controls at the service organization
- Refer to AU-C 402 par. .12 for additional information
Slide 57: Common Issues / Lessons Learned
SOC 1:
- Control objectives included which are not relevant to ICFR
- System descriptions insufficient to understand the flow of transactions/processes
- Description of a control insufficient to understand the control activity
- Report only covers ITGCs, but the services provided include transaction or other information processing, etc.
SOC 2:
- Description includes controls that have not been implemented
- Descriptions of processes and related controls are incomplete, and the user is unable to understand the processing flow through the system (who? what? where? when? how?)
- Applicable trust services criteria are intended to be met by controls at the subservice organization, and the description does not identify the controls expected to be implemented at a carved-out subservice organization

Slide 58: Questions?
Slide 59: References and Sources
- AICPA.org: links to all current SASs and SSAEs, including SSAE 18 (AT-C 105, AT-C 205, AT-C 320, etc.)
- AICPA SOC Reports home page
- AICPA Guides, Alerts (available in a variety of formats for purchase), and Information: SOC 1, SOC 2, SOC 2+
- Trust Services Principles and Criteria (2016) (download or online subscription)
- Proposed Trust Services Criteria Updates Exposure Draft, and the mapping of proposed criteria to existing (2016) criteria
- Cloud Security Alliance Position Paper on AICPA SOC Reports
- Brief History of all SASs, with links to full text for many
- AICPA Cybersecurity Resources: AICPA Cybersecurity Initiative; AICPA Cybersecurity Resource Center

Slide 60: Thank You!
Jeff Pershing, CISA, CISM, CISSP
Jeff@PershingConsulting.com
More informationExploring Emerging Cyber Attest Requirements
Exploring Emerging Cyber Attest Requirements With a focus on SOC for Cybersecurity ( Cyber Attest ) Introductions and Overview Audrey Katcher Partner, RubinBrown LLP AICPA volunteer: AICPA SOC2 Guide Working
More informationService Organization Control (SOC) Reports: What they are and what to do with them MARCH 21, 2017
Service Organization Control (SOC) Reports: What they are and what to do with them MARCH 21, 2017 Presenter Colin Wallace, CPA/CFF, CFE, CIA, CISA Partner Colin has provided management consulting and internal
More informationSAS 70 & SSAE 16: Changes & Impact on Credit Unions. Agenda
SAS 70 & SSAE 16: Changes & Impact on Credit Unions John Mason CISM, CISA, CGEIT, CFE SingerLewak LLP October 19, 2010 Agenda Statement on Auditing Standards (SAS) 70 background Background & purpose Types
More informationSOC Updates: Understanding SOC for Cybersecurity and SSAE 18. May 23, 2017
SOC Updates: Understanding SOC for Cybersecurity and SSAE 18 May 23, 2017 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.
More informationSOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions
SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions DISCLAIMER: The contents of this publication do not necessarily reflect the position or opinion of the American
More informationTransitioning from SAS 70 to SSAE 16
Industry Webinar Series SAS 70 ENDS EXIT TO SSAE 16 Transitioning from SAS 70 to SSAE 16 How Does This Apply to Your Organization? Cindy Boyle, Partner Rodney Walsh, Director BKD IT Risk Services Agenda
More informationAudit Considerations Relating to an Entity Using a Service Organization
An Entity Using a Service Organization 355 AU-C Section 402 Audit Considerations Relating to an Entity Using a Service Organization Source: SAS No. 122; SAS No. 128; SAS No. 130. Effective for audits of
More informationInternational Auditing and Assurance Standards Board (IAASB) International Federation of Accountants 545 Fifth Avenue, 14 th Floor New York, NY 10017
3701 Algonquin Road, Suite 1010 Telephone: 847.253.1545 Rolling Meadows, Illinois 60008, USA Facsimile: 847.253.1443 Web Sites: www.isaca.org and www.itgi.org 25 April 2008 International Auditing and Assurance
More informationIT Attestation in the Cloud Era
IT Attestation in the Cloud Era The need for increased assurance over outsourced operations/ controls April 2013 Symeon Kalamatianos M.Sc., CISA, CISM Senior Manager, IT Risk Consulting Contents Introduction
More informationSOC Lessons Learned and Reporting Changes
SOC Lessons Learned and Reporting Changes Dec. 16, 2014 Your Presenters Today Arshad Ahmed, CISA, CISSP, CPA Leader of SOC and Technology Risk Services for Crowe Rod Smith, CISA, CPA Thought Leader for
More informationWithin our recommendations for editorial changes, additions are noted in bold underline and deletions in strike-through.
1633 Broadway New York, NY 10019-6754 Mr. Jim Sylph Executive Director, Professional Standards International Federation of Accountants 545 Fifth Avenue, 14th Floor New York, NY 10017 Dear Mr. Sylph: We
More informationHITRUST CSF: One Framework
HITRUST CSF: One Framework Leveraging the HITRUST CSF to Support ISO, HIPAA, & NIST Implementation and Compliance, and SSAE 16 SOC Reporting Dr. Bryan Cline, CISSP-ISSEP, CISM, CISA, CCSFP, HCISPP Senior
More informationRe: Exposure Draft Proposed ISAE 3402 on Assurance Reports on Controls at a Third Party Service Organization
Date Le Président Fédération Avenue d Auderghem 22-28 des Experts 1040 Bruxelles 31 May 2008 Comptables Tél. 32 (0) 2 285 40 85 Européens Fax: 32 (0) 2 231 11 12 AISBL E-mail: secretariat@fee.be Mr. Jim
More informationUnderstanding and Evaluating Service Organization Controls (SOC) Reports
Understanding and Evaluating Service Organization Controls (SOC) Reports Kevin Sear, CPA, CIA, CISA, CFE, CGMA Agenda 1. Why are SOC reports important? 2. Understanding the new SOC-1, SOC-2, and SOC-3
More informationAdopting SSAE 18 for SOC 1 reports
Adopting SSAE 18 for SOC 1 reports Overview Since its adoption in 2011, service auditor reports issued in accordance with SSAE 16 have become increasingly common in the marketplace. In April 2016, the
More informationInformation for entity management. April 2018
Information for entity management April 2018 Note to readers: The purpose of this document is to assist management with understanding the cybersecurity risk management examination that can be performed
More informationMaking trust evident Reporting on controls at Service Organizations
www.pwc.com Making trust evident Reporting on controls at Service Organizations 1 Does this picture look familiar to you? User Entity A User Entity B User Entity C Introduction and background Many entities
More informationHong Kong Institute of Certified Public Accountants Practising Certificate ("PC") Business Assurance
Hong Kong Institute of Certified Public Accountants Practising Certificate ("PC") Business Assurance Examinable Auditing Standards December 2017 Session and June 2018 session This document contains the
More informationThe SOC 2 Compliance Handbook:
The SOC 2 Compliance Handbook: Your guide to SOC 2 Audit Success The SOC 2 Compliance Handbook Page 2 Table of Contents Abstract 3 Why am I being asked about SOC Compliance? 4 What s the difference between
More informationSOC for cybersecurity
April 2018 SOC for cybersecurity a backgrounder Acknowledgments Special thanks to Francette Bueno, Senior Manager, Advisory Services, Ernst & Young LLP and Chris K. Halterman, Executive Director, Advisory
More informationIssue for Consideration: Appropriateness of the Drafting of Paragraph A17
Deloitte & Touche LLP Ten Westport Road Wilton, CT 06897-0820 USA Tel: +1 203 761 3000 Fax: +1 203 761 3013 www.deloitte.com Sherry Hazel Audit and Attest Standards American Institute of Certified Public
More informationSAS70 Type II Reports Use and Interpretation for SOX
SAS70 Type II Reports Use and Interpretation for SOX November 19, 2007 Presented by: Erin Erickson, Senior Manager Enterprise Governance and Brenda Karl, Director Technology Risk Management Agenda Background
More informationHITRUST CSF Roadmap for 2018 and Beyond HITRUST Alliance.
HITRUST CSF Roadmap for 2018 and Beyond HITRUST CSF Roadmap 2017 HITRUST CSF v9 Update 21 CFR Part 11 (FDA electronic signatures) Add FFIEC IT Examination (InfoSec), FedRAMP, DHS Critical Resilience Review
More informationSAS 70 revised. ISAE 3402 will focus on financial reporting control procedures. Compact_ IT Advisory 41. Introduction
Compact_ IT Advisory 41 SAS 70 revised ISAE 3402 will focus on financial reporting control procedures Jaap van Beek and Marco Francken J.J. van Beek is a partner at KPMG IT Advisory. He has over twenty-years
More informationWeighing in on the Benefits of a SAS 70 Audit for Third Party Administrators
Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators With increasing oversight and growing demands for industry regulations, third party assurance has never been under a keener
More information26 February Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, NW Washington, DC
3701 Algonquin Road, Suite 1010 Telephone: 847.253.1545 Rolling Meadows, Illinois 60008, USA Facsimile: 847.253.1443 Web Sites: www.isaca.org and www.itgi.org 26 February 2007 Office of the Secretary Public
More informationSOC 3 for Security and Availability
SOC 3 for Security and Availability Independent Practioner s Trust Services Report For the Period October 1, 2015 through September 30, 2016 Independent SOC 3 Report for the Security and Availability Trust
More informationOpportunities to Integrate Technology Into the Classroom. Presented by:
Opportunities to Integrate Technology Into the Classroom Presented by: Mark Salamasick, CIA, CISA, CRMA, CSP Executive Director of Audit University of Texas System Discussion Topics Internal Audit Textbook
More informationAchieving third-party reporting proficiency with SOC 2+
Achieving third-party reporting proficiency with SOC 2+ Achieving third-party reporting proficiency with SOC 2+ Today s organizations do business within a broad ecosystem. Customers, partners, agents,
More informationSAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010
JAYACHANDRAN.B,CISA,CISM jb@esecurityaudit.com August 2010 SAS 70 Audit Concepts and Benefits Agenda Compliance requirements Overview Business Environment IT Governance and Compliance Management Vendor
More informationInternal Audit Report. Electronic Bidding and Contract Letting TxDOT Office of Internal Audit
Internal Audit Report Electronic Bidding and Contract Letting TxDOT Office of Internal Audit Objective Review of process controls and service delivery of the TxDOT electronic bidding process. Opinion Based
More information2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification
2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification Presenters Jared Hamilton CISSP CCSK, CCSFP, MCSE:S Healthcare Cybersecurity Leader, Crowe Horwath Erika Del Giudice CISA, CRISC,
More informationADVANCED AUDIT AND ASSURANCE
ADVANCED AUDIT AND ASSURANCE CPA PROGRAM SUBJECT OUTLINE The Advanced Audit and Assurance subject provides a body of knowledge for you to understand the nature and diversity of audit and assurance engagements.
More informationISA 800/805. Proposed changes to ISA 800/ 805 were limited in nature
ISA 800/805 Prof. Annette Köhler, IAASB Member and Drafting Team Chair Agenda Item 4 New York, USA June 16, 2015 Page 1 Proprietary and Copyrighted Information Background and Introduction Proposed changes
More informationAssurance through the ISO27002 Standard and the US NIST Cybersecurity Framework. Keith Price Principal Consultant
Assurance through the ISO27002 Standard and the US NIST Cybersecurity Framework Keith Price Principal Consultant 1 About About me - Specialise in cybersecurity strategy, architecture, and assessment -
More informationRobert Brammer. Senior Advisor to the Internet2 CEO Internet2 NET+ Security Assessment Forum. 8 April 2014
Robert Brammer Senior Advisor to the Internet2 CEO rfbtech@internet2.edu Internet2 NET+ Security Assessment Forum 8 April 2014 INTERNET2 NET+ Security Initiative Primary objective -- develop guidance to
More informationTable of Contents. Preface xvii PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING
Table of Contents Preface xvii PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING Chapter 1: Significance of Internal Auditing in Enterprises Today: An Update 3 1.1 Internal Auditing History and Background
More informationPerforming a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH
Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH 1 Speaker Bio Katie McIntosh, CISM, CRISC, CISA, CIA, CRMA, is the Cyber Security Specialist for Central Hudson Gas &
More informationCalifornia ISO Audit Results for 2011 SSAE 16 & Looking Forward for 2012 December 15, 2011
www.pwc.com California ISO Audit Results for 2011 SSAE 16 & Looking Forward for 2012 December 15, 2011 Agenda SSAE 16 Background Results of Audit Scope of Audit Looking Forward Closing Thoughts Slide 1
More informationISACA Survey Results. 27 April Ms. Nancy M. Morris, Secretary Securities and Exchange Commission 100 F Street NE Washington, DC
3701 Algonquin Road, Suite 1010 Telephone: 847.253.1545 Rolling Meadows, Illinois 60008, USA Facsimile: 847.253.1443 Web Sites: www.isaca.org and www.itgi.org 27 April 2006 Ms. Nancy M. Morris, Secretary
More informationCredit Union Service Organization Compliance
Credit Union Service Organization Compliance How do SOC reporting and PCI requirements affect your overall compliance strategy? May 15 2012 Your Speakers Dennis Lavin Credit Union Assurance Partner Moderator
More informationRequest for Qualifications for Audit Services March 25, 2015
Request for Qualifications for Audit Services March 25, 2015 I. GENERAL INFORMATION A. Purpose This Request for Qualifications (RFQ) is to solicit a CPA firm with which to contract for a financial and
More informationISA 540 (Revised): Update. May 2018 ASB meeting Dan Montgomery May 17, 2018
ISA 540 (Revised): Update May 2018 ASB meeting Dan Montgomery May 17, 2018 Overview Update on March 2018 IAASB meeting and April 2018 board teleconference Significant revisions post-march Next steps Page
More informationMaryland Health Care Commission
Special Review Maryland Health Care Commission Security Monitoring of Patient Information Maintained by the State-Designated Health Information Exchange September 2017 OFFICE OF LEGISLATIVE AUDITS DEPARTMENT
More informationExposure Draft The Auditor s Responsibility to Consider Fraud in an Audit of Financial Statements
Chartered Accountants of Canada Comptables agréés du Canada The Canadian Institute of Chartered Accountants 277 Wellington Street West Toronto, Ontario Canada M5V 3H2 Tel: (416) 977-3222 Fax: (416) 977-8585
More informationThe HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information
The HITRUST CSF A Revolutionary Way to Protect Electronic Health Information June 2015 The HITRUST CSF 2 Organizations in the healthcare industry are under immense pressure to improve quality, reduce complexity,
More informationVendor Management: SSAE 18. Presented by Joseph Kirkpatrick CISSP, CISA, CGEIT, CRISC, QSA Managing Partner
Vendor Management: SSAE 18 Presented by Joseph Kirkpatrick CISSP, CISA, CGEIT, CRISC, QSA Managing Partner Audio Handouts Questions Welcome Joseph Kirkpatrick is the Managing Partner at KirkpatrickPrice
More informationPeer Collaboration The Next Best Practice for Third Party Risk Management
SESSION ID: GRM-F02 Peer Collaboration The Next Best Practice for Third Party Risk Management Robin M. Slade EVP & COO The Santa Fe Group & Shared Assessments Program Introduction Q: How do we achieve
More informationGuide To Internal Auditing Iatf Store
GUIDE TO INTERNAL AUDITING IATF 16949 STORE PDF - Are you looking for guide to internal auditing iatf 16949 store Books? Now, you will be happy that at this time guide to internal auditing iatf 16949 store
More informationAuditing IT General Controls
Auditing IT General Controls Amanthi Pendegraft and Nadine Yassine September 27, 2017 Agenda Introduction and Objectives IT Audit Fundamentals IT General Controls Overview Access to Programs and Data Program
More informationGoogle Cloud & the General Data Protection Regulation (GDPR)
Google Cloud & the General Data Protection Regulation (GDPR) INTRODUCTION General Data Protection Regulation (GDPR) On 25 May 2018, the most significant piece of European data protection legislation to
More informationFedRAMP: Understanding Agency and Cloud Provider Responsibilities
May 2013 Walter E. Washington Convention Center Washington, DC FedRAMP: Understanding Agency and Cloud Provider Responsibilities Matthew Goodrich, JD FedRAMP Program Manager US General Services Administration
More informationIS Audit and Assurance Guideline 2002 Organisational Independence
IS Audit and Assurance Guideline 2002 Organisational Independence The specialised nature of information systems (IS) audit and assurance and the skills necessary to perform such engagements require standards
More informationCybersecurity & Privacy Enhancements
Business, Industry and Government Cybersecurity & Privacy Enhancements John Lainhart, Director, Grant Thornton The National Institute of Standards and Technology (NIST) is in the process of updating their
More informationWebtrends Inc. Service Organization Controls (SOC) 3 SM Report on the SaaS Solutions Services System Relevant to Security
Webtrends Inc. Service Organization Controls (SOC) 3 SM Report on the SaaS Solutions Services System Relevant to Security For the Period January 1, 2016 through June 30, 2016 SOC 3 SM SOC 3 is a service
More informationGlobal Specification Protocol for Organisations Certifying to an ISO Standard related to Market, Opinion and Social Research.
CONTENTS i. INTRODUCTION 3 ii. OVERVIEW SPECIFICATION PROTOCOL DOCUMENT DEVELOPMENT PROCESS 4 1. SCOPE 5 2. DEFINITIONS 5 3. REFERENCES 6 4. MANAGEMENT STANDARDS FOR APPROVED CERTIFICATION BODIES 6 4.1
More informationLIST OF SUBSTANTIVE CHANGES AND ADDITIONS. PPC's Guide to Audits of Local Governments. Thirty first Edition (February 2016)
Route To: Partners Managers Staff File LIST OF SUBSTANTIVE CHANGES AND ADDITIONS PPC's Guide to Audits of Local Governments Thirty first Edition (February 2016) Highlights of This Edition The following
More informationIso Controls Checklist File Type S
ISO 27002 CONTROLS CHECKLIST FILE TYPE S PDF - Are you looking for iso 27002 controls checklist file type s Books? Now, you will be happy that at this time iso 27002 controls checklist file type s PDF
More informationCA/Browser Forum Meeting
CA/Browser Forum Meeting WebTrust for CA Update June 21, 2017 Jeff Ward / Don Sheehy / Janet Treasure Current Status WebTrust for CA 2.1 As you are aware, based on ISO 21188 WebTrust criteria based on
More informationHow to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.
How to implement NIST Cybersecurity Framework using ISO 27001 WHITE PAPER Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.
More informationCLOUD COMPUTING APPLYING THIS NEW TECHNOLOGY TO YOUR PRACTICE
CLOUD COMPUTING APPLYING THIS NEW TECHNOLOGY TO YOUR PRACTICE Douglas W. Barbin, CPA, CISSP, PCI QSA, CCSK BrightLine CPAs & Associates, Inc. November 4, 2011 Divorced after 72 Days AGENDA ANDOVERVIEW
More informationIS Audit and Assurance Guideline 2001 Audit Charter
IS Audit and Assurance Guideline 2001 Audit Charter The specialised nature of information systems (IS) audit and assurance and the skills necessary to perform such engagements require standards that apply
More informationCitation for published version (APA): Berthing, H. H. (2014). Vision for IT Audit Abstract from Nordic ISACA Conference 2014, Oslo, Norway.
Aalborg Universitet Vision for IT Audit 2020 Berthing, Hans Henrik Aabenhus Publication date: 2014 Document Version Early version, also known as pre-print Link to publication from Aalborg University Citation
More informationAddressing Cybersecurity Risk
The CPA s Role in Addressing Cybersecurity Risk How the Auditing Profession Promotes Cybersecurity Resilience MAY 2017 Contents 1. EXECUTIVE SUMMARY 1 2. THE LANDSCAPE OF CYBERSECURITY RISK 3 The Need
More informationModel Approach to Efficient and Cost-Effective Third-Party Assurance
Model Approach to Efficient and Cost-Effective Third-Party Assurance 1 CHALLENGES WITH THIRD-PARTY ASSURANCE 2 What s Driving Demand for Increased Assurance? Increasing risk posed by third parties Increasing
More informationStudio Guggino and Newtonpartner S.r.l. a team of professionals at the service of your Company
Studio Guggino and Newtonpartner S.r.l. a team of professionals at the service of your Company To get where the others fail, we have to achieve even higher goals www.sas70.it MISSION Our Mission consists
More informationIGNITING GROWTH. Why a SOC Report Makes All the Difference
IGNITING GROWTH Why a SOC Report Makes All the Difference Many service organizations depend on the integrity of their control environment to protect their business as well as that of their customers. With
More informationCITP Examination Content Specification Outline
CITP Examination Content Specification Outline 2016 American Institute of CPAs. All rights reserved. DISCLAIMER: The contents of this publication do not necessarily reflect the position or opinion of the
More informationDoes a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?
Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA? A brief overview of security requirements for Federal government agencies applicable to contracted IT services,
More informationThe Accreditation and Verification Regulation - Verification report
EUROPEAN COMMISSION DIRECTORATE-GENERAL CLIMATE ACTION Directorate A - International and Climate Strategy CLIMA.A.3 - Monitoring, Reporting, Verification Guidance Document The Accreditation and Verification
More informationTRAINING SEMINAR COURSE OUTLINE October
TRAINING SEMINAR COURSE OUTLINE October 10-12 2016 FACILITATOR S BIOGRAPHY SHAWNA M FLANDERS CRISC, CISM, CISA, CSSGB, SSBB Shawna is the Founder and CEO of Business Technology Guidance Associates, LLC.,
More informationThe value of visibility. Cybersecurity risk management examination
The value of visibility Cybersecurity risk management examination Welcome to the "new normal" Cyberattacks are inevitable. In fact, it s no longer a question of if a breach will occur but when. Cybercriminals
More informationINTO THE CLOUD WHAT YOU NEED TO KNOW ABOUT ADOPTION AND ENSURING COMPLIANCE
INTO THE CLOUD WHAT YOU NEED TO KNOW ABOUT ADOPTION AND ENSURING COMPLIANCE INTRODUCTION AGENDA 01. Overview of Cloud Services 02. Cloud Computing Compliance Framework 03. Cloud Adoption and Enhancing
More informationNE HIMSS Vendor Risk. October 9, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS
NE HIMSS Vendor Risk October 9, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2014 Wolf & Company, P.C. Does Vendor Management Feel Like This? 2 Vendor Risk Management Lifecycle
More informationCyber Security Reliability Standards CIP V5 Transition Guidance:
Cyber Security Reliability Standards CIP V5 Transition Guidance: ERO Compliance and Enforcement Activities during the Transition to the CIP Version 5 Reliability Standards To: Regional Entities and Responsible
More informationIT Security Evaluation and Certification Scheme Document
IT Security Evaluation and Certification Scheme Document June 2015 CCS-01 Information-technology Promotion Agency, Japan (IPA) IT Security Evaluation and Certification Scheme (CCS-01) i / ii Table of Contents
More informationPublic Safety Canada. Audit of the Business Continuity Planning Program
Public Safety Canada Audit of the Business Continuity Planning Program October 2016 Her Majesty the Queen in Right of Canada, 2016 Cat: PS4-208/2016E-PDF ISBN: 978-0-660-06766-7 This material may be freely
More informationAction Plan Developed by The Iranian Institute of Certified Accountants (IICA) BACKGROUND NOTE ON ACTION PLANS
BACKGROUND NOTE ON ACTION PLANS Action Plans are developed by IFAC members and associates to address policy matters identified through their responses to the IFAC Compliance Self-Assessment Questionnaire.
More informationMega International Commercial bank (Canada)
Mega International Commercial bank (Canada) Policy and Procedures for Clear Language and Presentation Est. Sep. 12, 2013 I. Purposes: The Mega ICB (C) distributes a limited range of retail banking services,
More information10/12/17. CPA Alberta Professional and Public Accounting Practice Varied Registration Model CPA FORUM NORTH OCTOBER 23 RD, 2017 JASPER, ALBERTA
CPA Alberta Professional and Public Accounting Practice Varied Registration Model CPA FORUM NORTH OCTOBER 23 RD, 2017 JASPER, ALBERTA Larry Brownoff CPA, CA Director, Professional and Career Services Professional
More informationBusiness Assurance for the 21st Century
14/07/2011 Navigating the Information Assurance landscape AUTHORS Niall Browne NAME AFFILIATION Shared Assessments Program Michael de Crespigny (CEO) Jim Reavis Kurt Roemer Raj Samani Information Security
More informationBRING EXPERT TRAINING TO YOUR WORKPLACE.
BRING EXPERT TRAINING TO YOUR WORKPLACE. ISACA s globally respected training and certification programs inspire confidence that enables innovation in the workplace. ISACA s On-Site Training brings a unique
More informationIATF Transition Strategy Presenter: Mrs. Michelle Maxwell, IAOB
IATF 16949 Transition Strategy Presenter: Mrs. Michelle Maxwell, IAOB IATF 16949 Transition Strategy IATF 16949 transition strategy was presented at the IATF global stakeholder conference in Rome, Italy
More informationHITRUST Common Security Framework - Are you prepared?
ALLINIAL HITRUST Common Security Framework - Are you prepared? Michael Kanarellis, HITRUST CCSFP May 17, 2017 MEMBER OF PKF ALLINIAL NORTH GLOBAL, AMERICA, AN ASSOCIATION AN OF LEGALLY OF LEGALLY INDEPENDENT
More information10 Considerations for a Cloud Procurement. March 2017
10 Considerations for a Cloud Procurement March 2017 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved. Notices This document is provided for informational purposes only. It represents
More informationArticle II - Standards Section V - Continuing Education Requirements
Article II - Standards Section V - Continuing Education Requirements 2.5.1 CONTINUING PROFESSIONAL EDUCATION Internal auditors are responsible for maintaining their knowledge and skills. They should update
More informationPeriod from October 1, 2013 to September 30, 2014
Assurance Report on Controls Placed in Operation and Tests of Operating Effectiveness ISAE 3402 Type 2 Period from October 1, 2013 to September 30, 2014 Frankfurt/Main Table of Contents SECTION I Independent
More information