DESCRIPTION OF AUDITING STANDARDS


June 7, 2017

ISAE 3402 (FORMER SAS 70) AUDITING STANDARD

Customers require that service organizations demonstrate an adequate system of internal control to protect the data and sensitive information belonging to those customers. The SAS 70 standard, created by the American Institute of Certified Public Accountants (AICPA), was developed specifically to address this concern. On the basis of an independent audit, a SAS 70 report allows a service organization to give its customers reasonable assurance that its internal controls and processes operate effectively. SAS 70 is an attestation report rather than a certificate: it was intended to be used by the customers (user entities) and their auditors, not as a public seal. Since 2011 the successor standards ISAE 3402 (the international standard) and SSAE 16 (the American standard) have been used instead of SAS 70.

EPAM obtained the following audit reports:
- SAS 70 Type II: 2007, 2008, 2009 and 2010
- ISAE 3402 / 3000 Type 2: 2011, 2012, 2013, 2014, 2015 and 2016

Locations in the audit scope:
- Belarus, Minsk Software Development Center (9 offices)
- Belarus, Minsk Business Systems and Services
- Bulgaria, Sofia Software Development Center
- China, Shenzhen Software Development Center
- China, Shenzhen Particular Offshore Development Center
- Czech Republic, Prague Software Development Center
- Hungary, Budapest Software Development Center (2 offices)
- Kazakhstan, Karaganda Software Development Center
- Kazakhstan, Astana Software Development Center
- Poland, Gdansk Software Development Center
- Poland, Gdansk Particular Offshore Development Center
- Poland, Krakow Software Development Center
- Poland, Krakow Particular Offshore Development Center
- Russia, St. Petersburg Software Development Center
- Ukraine, Kyiv (4 offices)

Auditor company: Deloitte Ltd.

Description of Audits 1

The audit is usually performed in November. During the latest audit, 26 facilities in 9 countries were audited and the auditors interviewed more than 200 employees.

The auditors' opinion: "[...] The controls tested, which were those necessary to provide reasonable assurance that the control objectives stated in the description were achieved, operated effectively throughout the period from May 1, 2016 to October 31, 2016."

A Type 2 opinion speaks only to the controls in the service organization's own description, only at the locations in scope, and only for the stated period (here May 1 to October 31, 2016). A customer relying on the report should confirm that the locations serving it are listed above and that the reporting period overlaps the window for which it needs assurance; any gap must be covered by a bridge letter or the next report.

ISO 27001 AUDITING STANDARD

ISO/IEC 27001 is an internationally recognized standard that specifies the requirements for a company's Information Security Management System (ISMS). The company's ISMS is developed to the requirements of ISO 27001, a leading security standard, and its controls also support the control objectives examined under ISAE 3402 (former SAS 70), a leading auditing standard. EPAM was the first ITO provider in Central and Eastern Europe to obtain a SAS 70 Type II report and an ISO 27001 certificate. EPAM's dedication to protecting its clients' information and intellectual property assets is demonstrated by renewing these certificates annually.

EPAM obtained the ISO 27001:2005 certificate:
Years: 2010, 2011, 2012, 2013 and 2014
Locations:
- Hungary, Budapest Software Development Center
- Ukraine, Kyiv Particular Offshore Development Center
Auditor company: DNV - Det Norske Veritas

EPAM obtained the ISO 27001:2013 certificate (the 2013 edition replaced the withdrawn 2005 edition):
Years: 2015, 2016 and 2017
Locations:
- Bulgaria, Sofia Software Development Center
- China, Shenzhen Software Development Center
- China, Shenzhen Particular Offshore Development Center
- Hungary, Budapest Software Development Center
- Hungary, Debrecen Software Development Center
- India, Hyderabad Software Development Center
- Kazakhstan, Karaganda Software Development Center
- Kazakhstan, Astana Software Development Center
- Mexico, Guadalajara Software Development Center
- Poland, Gdansk Software Development Center
- Poland, Gdansk Particular Offshore Development Center
- Poland, Krakow Software Development Center
- Poland, Krakow Particular Offshore Development Center
- Ukraine, Kyiv Particular Offshore Development Center
- United States, Washington D.C. Software Development Center
- United States, Conshohocken Software Development Center
Auditor company: DNV - Det Norske Veritas

An ISO 27001 certificate is valid only for the scope stated on it, so a customer should check that the location and services it uses are within the certified scope listed above rather than assuming the certificate covers the whole company.

ISO 9001 AUDITING STANDARD

ISO 9001 sets out the criteria for a quality management system and is the only standard in the ISO 9000 family that can be certified to (although certification is not a requirement of the standard). ISO 9001 is implemented by over one million companies and organizations in over 170 countries. The standard is based on a number of quality management principles, including a strong customer focus, the motivation and involvement of top management, the process approach and continual improvement. These principles are explained in more detail in the ISO document Quality Management Principles. Using ISO 9001:2008 helps ensure that customers get consistent, good-quality products and services, which in turn brings many business benefits. Certification confirms that the company meets the requirements of ISO 9001 and provides independent evidence of a disciplined approach to the management and quality of its products and services.

EPAM obtained the ISO 9001:2008 certificate:
Years: 2011, 2012, 2014, 2015
Locations:
- Belarus, Minsk office
- Russia, Moscow office

EPAM obtained the ISO 9001:2015 certificate:
Year: 2017
Location: Belarus, Minsk office

Certification audit: every third year
Inspection (surveillance) audit: annually
Auditor companies: BelGiss, ROSTEST Moscow, SGS

SOX AUDITING STANDARD

The Sarbanes-Oxley Act (SOX) of 2002 established accountability for the accuracy of financial statements. Its Section 404, Management Assessment of Internal Controls, requires the management of publicly held companies to assess the effectiveness of internal control over financial reporting and, for accelerated filers, requires the external auditor to attest to that assessment. These audits, known as SOX audits, give investors and other stakeholders information on how well the audited company follows generally accepted accounting standards and maintains adequate management controls over business and financial information. A SOX audit tests for variances and misstatements in a company's financial data and for the strength of internal controls and governance in the accounting function, including the IT general controls (such as access management and change management) over the systems that produce the financial data. When testing for variances and misstatements, auditors review documents prepared by the company. A SOX audit addresses financial reporting, not information security in general, so it should not be read as a substitute for the ISAE 3402 or ISO 27001 results above.

The SOX audit has been performed annually since 2014.

CMMI (CAPABILITY MATURITY MODEL INTEGRATION) APPRAISAL

CMMI-DEV (CMMI for Development) guidance covers the lifecycle of products and services from conception through delivery and maintenance. CMMI-DEV best practices are flexible enough to apply to a variety of industries, yet stable and consistent enough to provide a benchmark against which an organization can measure and compare itself. An appraisal confirms that the organization has reached a given maturity level (rated from 2 to 5). The maturity level is determined by the degree to which the organization achieves the goals of the process areas specified in the CMMI model. Adopting CMMI-DEV is a solid, high-return investment that an organization can make to ensure long-term, enduring results. The business benefits reported by organizations using CMMI-DEV in their process improvement programs include the following:
- Improved customer satisfaction
- Increased quality
- More accurate schedules
- Lower development costs
- Substantial return on investment
- Improved employee morale and reduced turnover

EPAM was appraised as follows:
Years: 2014 and 2017
Locations:
- Hungary organizational unit: CMMI-DEV v1.3 Maturity Level 5
- Krakow office, Poland: CMMI-DEV v1.3 Maturity Level 5
- Shenzhen office, China (as Jointech): CMMI-DEV v1.3 Maturity Level 3
Appraisal periodicity: every third year
Appraisal organizations: IAL Software Engineering, S.A. (for Hungary and Poland); Zhizhuo (for Shenzhen)

As with the other attestations above, a CMMI rating applies to the appraised organizational unit and model version named in the appraisal, not to the company as a whole.