Period from October 1, 2013 to September 30, 2014

Similar documents
REPORT OF THE INDEPENDENT ACCOUNTANT

SAS 70 SOC 1 SOC 2 SOC 3. Type 1 Type 2

REPORT OF INDEPENDENT CERTIFIED PUBLIC ACCOUNTANTS

Independent Accountant s Report

Within our recommendations for editorial changes, additions are noted in bold underline and deletions in strike-through.

REPORT OF INDEPENDENT CERTIFIED PUBLIC ACCOUNTANTS

To the management of Entrust Datacard Limited (formerly known as Entrust Limited, hereinafter Entrust ) and Trend Micro, Inc.

To the management of Entrust Datacard Limited (formerly known as Entrust Limited, hereinafter Entrust ) and Trend Micro, Inc.

Re: Exposure Draft Proposed ISAE 3402 on Assurance Reports on Controls at a Third Party Service Organization

Independent Accountants Report. Utrecht, 28 January To the Management of GBO.Overheid:

INTERNATIONAL STANDARD ON AUDITING 505 EXTERNAL CONFIRMATIONS CONTENTS

Audit Considerations Relating to an Entity Using a Service Organization

International Standard on Auditing (Ireland) 505 External Confirmations

Making trust evident Reporting on controls at Service Organizations

Management Assertion Logius 2013

( ' ' (6-6 (6/%& A ' (6 -& (6 - & & (& %& (6-6 (6 $&&&

Independent Accountant s Report

THE CARTER CENTER, INC. Supporting Psychosocial Health and Resilience in Liberia Project from the International Development Association (World Bank)

Report of Independent Accountants

Independent Accountant s Report

Information for entity management. April 2018

EXTERNAL CONFIRMATIONS SRI LANKA AUDITING STANDARD 505 EXTERNAL CONFIRMATIONS

Adopting SSAE 18 for SOC 1 reports

International Standard on Auditing (UK) 505

Audit Guidelines Super Audio CD Player Patent License Agreement

Hong Kong Institute of Certified Public Accountants Practising Certificate ("PC") Business Assurance

Independent Accountant s Report

ISAE 3402-II. LESSOR Group. April 2016

שרוני - שפלר ושות' רואי חשבון

RISK ASSESSMENTS AND INTERNAL CONTROL CIS CHARACTERISTICS AND CONSIDERATIONS CONTENTS

ADVANCED AUDIT AND ASSURANCE

C22: SAS 70 Practices and Developments Todd Bishop, PricewaterhouseCoopers

SOC 3 for Security and Availability

SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions

Transitioning from SAS 70 to SSAE 16

Webtrends Inc. Service Organization Controls (SOC) 3 SM Report on the SaaS Solutions Services System Relevant to Security

California ISO Audit Results for 2011 SSAE 16 & Looking Forward for 2012 December 15, 2011

Report of Independent Accountants

Error! No text of specified style in document.

LESSOR Group CVR no.:

Retirement of SAS 70 and a new generation of Service Organization Control (SOC) Reports

LESSOR Group CVR no.:

International Auditing and Assurance Standards Board (IAASB) International Federation of Accountants 545 Fifth Avenue, 14 th Floor New York, NY 10017

NASD NOTICE TO MEMBERS 97-58

STATE OF NORTH CAROLINA OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA FAYETTEVILLE STATE UNIVERSITY

Report of Independent Accountants

ISA 540 (Revised): Update. May 2018 ASB meeting Dan Montgomery May 17, 2018

Service Organization Control (SOC) Reports: What they are and what to do with them MARCH 21, 2017

SAS70 Type II Reports Use and Interpretation for SOX

Learning Objectives. External confirmations procedures as per SA330 and SA 500 requirements

SAS 70 revised. ISAE 3402 will focus on financial reporting control procedures. Compact_ IT Advisory 41. Introduction

Independent Assurance Statement

CSF to Support SOC 2 Repor(ng

Testers vs Writers: Pen tests Quality in Assurance Projects. 10 November Defcamp7

SOC Reporting / SSAE 18 Update July, 2017

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

Lahore University of Management Sciences. ACCT 250 Auditing Spring Semester 2018

Exposure Draft The Auditor s Responsibility to Consider Fraud in an Audit of Financial Statements

Contents. Process flow diagrams and other documentation

Internal Audit Report. Electronic Bidding and Contract Letting TxDOT Office of Internal Audit

LIST OF SUBSTANTIVE CHANGES AND ADDITIONS. PPC's Guide to Audits of Local Governments. Thirty first Edition (February 2016)

26 February Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, NW Washington, DC

AND ASSURANCE AN INTEGRATED APPROACH SIXTEENTH EDITION GLOBAL EDITION

Audit Report. The Chartered Institute of Personnel and Development (CIPD)

SSAE 18 & new SOC approach to compliance. Moderator Name: Patricio Garcia Managing Partner ControlCase Attestation Services

Rules for LNE Certification of Management Systems

SOC for cybersecurity

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice

The Texas A&M University System Internal Audit Department MONTHLY AUDIT REPORT

ISACA Cincinnati Chapter March Meeting

This Advisory Circular relates specifically to Civil Aviation Rules Part 147. Published by Civil Aviation Authority PO Box 3555 Wellington 6140

Cyber Security Reliability Standards CIP V5 Transition Guidance:

Audit confirmation is hereafter referred to as "confirmation."

SAS 70 & SSAE 16: Changes & Impact on Credit Unions. Agenda

Data Processing Agreement for Oracle Cloud Services

Public Safety Canada. Audit of the Business Continuity Planning Program

Presenter: Ian Musweu FCCA, FZICA, CRA. Head of Risk and Assurance Professional Insurance

IT Attestation in the Cloud Era

Physical Security Reliability Standard Implementation

Advanced Corporate Reporting. Corporate Reporting. Financial Accounting. Management in Organisations

WECC Internal Controls Evaluation Process WECC Compliance Oversight Effective date: October 15, 2017

ISA 800/805. Proposed changes to ISA 800/ 805 were limited in nature

UNIFORM STANDARDS FOR PLT COURSES AND PROVIDERS

The Accreditation and Verification Regulation - Verification report

A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS

Protecting information across government

NZQA registered unit standard 8086 version 7 Page 1 of 5. Demonstrate knowledge required for quality auditing

Understanding and Evaluating Service Organization Controls (SOC) Reports

Mastering SOC-1 Attestation Reports Under SSAE 16: Auditing Service Organizations Controls in the Cloud

Level 5 Award in the Independent Auditing of External Quality Assurance. Qualification Specification

Information System Security. Nguyen Ho Minh Duc, M.Sc

Maryland Health Care Commission

Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators

Internal Controls Evaluation (ICE) Processing

Metro. B. KPMG LLP's Management Letter presenting internal control and other. June 30,2009; and. operational matters for considemtion.

Independent Certified Public Accountant s Report

TÜV NORD Group Certification

UBS Implementation Guidelines

Comment on Exposure Draft, IFRS Practice Statement: Application of Materiality to Financial Statements

Submission to the International Integrated Reporting Council regarding the Consultation Draft of the International Integrated Reporting Framework

Transcription:

Assurance Report on Controls Placed in Operation and Tests of Operating Effectiveness ISAE 3402 Type 2 Period from October 1, 2013 to September 30, 2014 Frankfurt/Main

Table of Contents SECTION I Independent Service Auditors Assurance Report on the Description of Controls, their Design and Operating Effectiveness (Provided by KPMG)... 3 SECTION II Description of Controls (Provided by Telehouse Deutschland GmbH)... 8 1. Management Assertion...9 2. Description of the general control environment of Telehouse Deutschland GmbH...11 2.1 Business model... 11 2.2 Business structure... 12 2.3 Service portfolio... 13 2.4 Control environment... 13 2.5 Risk assessment... 16 2.6 Controlling activities... 17 2.7 Information and communication... 17 2.8 Monitoring the internal monitoring system... 17 3. Overview of processes...18 3.1 Site and building security... 18 3.2 Access control... 19 3.3 Security centre (control centre)... 19 3.4 Fire protection... 20 3.5 Safety of personnel... 22 3.6 High availability of power supply... 23 3.7 Ventilation and cooling... 25 3.8 Internal controls... 26 3.9 Review... 26 4. Overview of controls...27 SECTION III Control Objectives, Related Controls and Tests of Operating Effectiveness (Provided by KPMG)... 30 1. Objectives of the Review and Description of Testings Performed...31 2. Audit of the Management Assertion...33 3. Internal control system...34 Attachment General Terms of Engagement 2

SECTION I Independent Service Auditors Assurance Report on the Description of Controls, their Design and Operating Effectiveness (Provided by KPMG) 3

Independent Service Auditor s Assurance Report on the Description of Controls, their Design and Operating Effectiveness To the Board of Directors of Scope, Frankfurt/Main -hereinafter also referred to as Telehouse or company - We have been engaged to report on Telehouse description of controls as related to Hosting- and IT processes as documented in I throughout the period October 1, 2013 to September 30, 2014, and on the design and operation of controls related to the control objectives stated in the description. Telehouse Responsibilities Telehouse is responsible for: preparing the description and accompanying assertion as documented in section II of this report, including the completeness, accuracy and method of presentation of the description and assertion; providing the services covered by the description; stating the control objectives; and designing, implementing and effectively operating controls to achieve the stated control objectives. KPMG s Responsibilities Our responsibility is to express an opinion on the fairness of the presentation of Telehouse description and on the suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description, based on our examination. We conducted our examination in accordance with the International Standard on Assurance Engagements 3402 Assurance Reports on Controls at a Service Organization, issued by the International Auditing and Assurance Standards Board. This standard requires that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, the description is fairly presented and the controls are suitably designed and operate effectively to achieve the related control objectives, stated in the description throughout the period October 1, 2014 to September 30, 2014. An assurance engagement to report on description, design and operating effectiveness of controls at a service organization involves performing procedures to obtain evidence about the disclosures in the service organization s description of its system and the design and operating effectiveness of controls. The procedures selected depend on the service auditor s judgment, in- 4

cluding the assessment of the risks that the description is not fairly presented, and that controls are not suitably designed nor operate effectively. Our procedures included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance, that the control objectives stated, in the description were achieved. An assurance engagement of this type also includes evaluating the overall presentation of the description, the suitability of the objectives stated therein, and the suitability of criterias, specified by the service organization and described in section II of this report. We believe that the evidence we have obtained is sufficient and appropriate to provide a basis for our opinion. Limitations of Controls at a Service Organization Telehouse description is prepared to meet the common needs of a broad range of customers and their auditors and therefore may not include every aspect of the system that each individual customer may consider important in its own particular environment. Also, because of their nature, controls at a service organization may not prevent or detect all errors or omissions in processing or reporting transactions. The description of controls of Telehouse is dated as of September 30 st, 2014, whereas information about tests of operating effectiveness of specific controls cover the period October 1 st, 2013 to September 30 st, 2014. Any projection of such information to the future is subject to the risk that, because of change, the description may no longer portray the controls in existence. The potential effectiveness of specific controls at Telehouse is subject to inherent limitations and, accordingly, errors or fraud may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that (1) changes made to the system or controls, (2) changes in processing requirements, or (3) changes required because of the passage of time, may alter the validity of such conclusions. Opinion Our opinion has been formed on the basis of the matters outlined in this report. The criteria we used in forming our opinion are those described in section III of this report. (1) the accompanying description fairly presents the aspects of Telehouse controls that may be relevant to a customer s internal control system as it relates to an audit of financial statements as designed and implemented throughout the period October 1st, 2013 to September 30 st, 2014; (2) the controls included in the description were suitably designed throughout the period October 1 st, 2013 to September 30 st, 2014 to achieve the control objectives, specified in the description, if those controls comply satisfactorily and customer organizations apply the controls contemplated in the design of Telehouse controls; 5

(3) the controls tested, which were necessary to provide reasonable assurance that the control objectives stated in the description were achieved, operated effectively throughout the period October 1 st, 2013 to September 30 st, 2014. Description of Tests of Controls In order to perform the procedures we considered necessary to render our opinion as expressed in the previous paragraph, we applied tests of specific controls, which are presented in section III of this report, in order to obtain evidence about their effectiveness in meeting the related control objectives, described in section III, during the period October 1 st, 2013 to September 30 st, 2014. The specific controls and the nature, timing, extent and results of the tests are listed in section III of this report. This information will be provided to customer organizations of Telehouse and to their auditors to be taken into consideration, along with information about the internal control environment at customer organizations, when making assessments of control risk for customer organizations. Intended Users and Purpose This report and the description of tests of controls as described in section III of this report are intended solely for the information and use of the management of Telehouse, its customers and the independent auditors of its customers, who have a sufficient understanding to consider, along with other information including information about controls operated by customers themselves, when assessing the risks of material misstatements of customers financial statements. It is not intended to be, and should not be used by anyone other than these specified parties. The relative effectiveness and significance of specific controls at Telehouse and their effect on assessments of control risk at user organizations are dependent on their interaction with the controls and other factors present at each individual user organization. We have performed no procedures to evaluate the effectiveness of controls for any individual user organization. Additional information The information included in section IV of this report is presented by Telehouse to provide additional information to user organizations and is not part of Telehouse description of controls placed in operation. The information in section IV has not been subjected to the procedures applied in the examination of the description of the controls related to Telehouse processes, and accordingly, we do not express any opinion on it. As a result of a flashover from a momentary short circuit on one of the main supply bus bars on the 27. April 2014, UPS Systems FTS 3-1 and FTS 3-2 have switched off. This has led to a failure in entire power supply in the area of Building A-North and Building-I, which, in turn, has caused a fire alarm in the room 142 in the Building A-North as well as malfunctions and failures in cooling at customer areas in buildings A, I, C3 and K. Both UPS System have been restored after more than 4 hours, all bus bars were back in operation after almost 8 hours. 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback