SAS 70 & SSAE 16: Changes & Impact on Credit Unions. Agenda

Similar documents
Retirement of SAS 70 and a new generation of Service Organization Control (SOC) Reports

Transitioning from SAS 70 to SSAE 16

Service Organization Control (SOC) Reports: What they are and what to do with them MARCH 21, 2017

ISACA Cincinnati Chapter March Meeting

SOC Reporting / SSAE 18 Update July, 2017

C22: SAS 70 Practices and Developments Todd Bishop, PricewaterhouseCoopers

A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS

WHICH SOC REPORT IS RIGHT FOR YOUR CLIENT?

IT Attestation in the Cloud Era

CSF to Support SOC 2 Repor(ng

Making trust evident Reporting on controls at Service Organizations

SAS 70 SOC 1 SOC 2 SOC 3. Type 1 Type 2

SSAE 18 & new SOC approach to compliance. Moderator Name: Patricio Garcia Managing Partner ControlCase Attestation Services

Evaluating SOC Reports and NEW Reporting Requirements

Understanding and Evaluating Service Organization Controls (SOC) Reports

SOC Reports The 2017 Update: What s new, What s not, and What you should be doing with the SOC Reports you receive! Presented by Jeff Pershing

The SOC 2 Compliance Handbook:

SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions

SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY?

SAS70 Type II Reports Use and Interpretation for SOX

SOC Updates: Understanding SOC for Cybersecurity and SSAE 18. May 23, 2017

SOC for cybersecurity

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

Audit Considerations Relating to an Entity Using a Service Organization

Exploring Emerging Cyber Attest Requirements

Adopting SSAE 18 for SOC 1 reports

Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators

Studio Guggino and Newtonpartner S.r.l. a team of professionals at the service of your Company

Mastering SOC-1 Attestation Reports Under SSAE 16: Auditing Service Organizations Controls in the Cloud

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice

California ISO Audit Results for 2011 SSAE 16 & Looking Forward for 2012 December 15, 2011

Credit Union Service Organization Compliance

Information for entity management. April 2018

SAS 70 revised. ISAE 3402 will focus on financial reporting control procedures. Compact_ IT Advisory 41. Introduction

ISAE 3402 and SSAE 16 (replacing SAS 70) Reinforcing confidence through demonstration of effective controls

HITRUST CSF: One Framework

International Auditing and Assurance Standards Board (IAASB) International Federation of Accountants 545 Fifth Avenue, 14 th Floor New York, NY 10017

Citation for published version (APA): Berthing, H. H. (2014). Vision for IT Audit Abstract from Nordic ISACA Conference 2014, Oslo, Norway.

Within our recommendations for editorial changes, additions are noted in bold underline and deletions in strike-through.

The value of visibility. Cybersecurity risk management examination

Achieving third-party reporting proficiency with SOC 2+

IGNITING GROWTH. Why a SOC Report Makes All the Difference

EXAM PREPARATION GUIDE

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Cyber Security in M&A. Joshua Stone, CIA, CFE, CISA

Auditing IT General Controls

SOC Lessons Learned and Reporting Changes

HITRUST CSF Roadmap for 2018 and Beyond HITRUST Alliance.

GDPR: A QUICK OVERVIEW

Guide to the implementation and auditing of ISMS controls based on ISO/IEC 27001

NE HIMSS Vendor Risk. October 9, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS

ROI for Your Enterprise Through ISACA A global IS association helping members achieve organisational success.

John Snare Chair Standards Australia Committee IT/12/4

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance

Introduction to ISO/IEC 27001:2005

Next Generation Policy & Compliance

Invest in. ISACA-certified professionals, see the. rewards.

No IT Audit Staff? How to Hack an IT Audit. Presenters. Mark Bednarz, Partner-In-Charge, Risk Advisory PKF O Connor Davies, LLP

ISO 55001: 2014 Asset Management System 5-Day Training Course (IAM Certified)

Protecting your data. EY s approach to data privacy and information security

Google Cloud & the General Data Protection Regulation (GDPR)

Workday s Robust Privacy Program

IS Audit and Assurance Guideline 2002 Organisational Independence

Information Technology General Control Review

Model Approach to Efficient and Cost-Effective Third-Party Assurance

_isms_27001_fnd_en_sample_set01_v2, Group A

Follow AICPA on Twitter Feeds, LinkedIn Networks, Facebook Communities and YouTube Channels:

IS Audit and Assurance Guideline 2001 Audit Charter

Addressing Cybersecurity Risk

10 Considerations for a Cloud Procurement. March 2017

Re: Exposure Draft Proposed ISAE 3402 on Assurance Reports on Controls at a Third Party Service Organization

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

IT Audit Process. Prof. Mike Romeu. January 30, IT Audit Process. Prof. Mike Romeu

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

COBIT 5 With COSO 2013

Application for Certification

DIPLOMA COURSE IN INTERNAL AUDIT

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH

DATA PROCESSING TERMS

Maintenance of Competency; Continuing Professional Education (CPE)

Article II - Standards Section V - Continuing Education Requirements

SOC-2 Requirement Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD SOC-2

EY s Data Privacy Services. January 2019

ISO 27001:2013 certification

LIST OF SUBSTANTIVE CHANGES AND ADDITIONS. PPC's Guide to Audits of Local Governments. Thirty first Edition (February 2016)

BENEFITS of MEMBERSHIP FOR YOUR INSTITUTION

UKAS Guidance for Bodies Offering Certification of Anti-Bribery Management Systems

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

Vendor Management: SSAE 18. Presented by Joseph Kirkpatrick CISSP, CISA, CGEIT, CRISC, QSA Managing Partner

A sharper focus on internal controls

COSO 2013: Implementing the Framework

General Data Protection Regulation April 3, Sarah Ackerman, Managing Director Ross Patz, Consultant

BRING EXPERT TRAINING TO YOUR WORKPLACE.

Cloud First Policy General Directorate of Governance and Operations Version April 2017

Audit Report. The Prince s Trust. 27 September 2017

GETTING STARTED WITH THE SIG 2014: A RESPONDENT S GUIDE By Shared Assessments

Error! No text of specified style in document.

CISA EXAM PREPARATION - Weekend Program

CISM Certified Information Security Manager

How Credit Unions Are Taking Advantage of the Cloud

Transcription:

SAS 70 & SSAE 16: Changes & Impact on Credit Unions John Mason CISM, CISA, CGEIT, CFE SingerLewak LLP October 19, 2010 Agenda Statement on Auditing Standards (SAS) 70 background Background & purpose Types Typical use Statement on Standards for Attestation Engagements (SSAE 16) background Definition Intent Overview of SSAE 16 2

Agenda (cont d.) So what has changed? Advantages of SAS 70 & SSAE 16 SAS 70 & SSAE 16 value proposition Practitioner considerations Decision tree So how does this affect my organization? CUSO Management assertion Third-party vendors Use of Internal audit 3 Agenda (cont d.) Pending issues Conclusion & wrap-up 4

SAS 70 Background A bit of history Statement on Auditing Standards 70 First in April 1992 by the AICPA Is used domestically and internationally as a vehicle of auditor-to-auditor communication Focused on unique systems for processing 5 SAS 70 Background(cont d.) A bit of history Its use is frequently found in third-party outsourcing Benefits administration (e.g. 401K) Payroll processing Insurance/medical claims processing Hosted data centers Application service providers (ASPs) Managed security providers Security monitoring Credit scoring/processing organizations 6

SAS 70 Background(cont d.) Types of SAS 70s Type I Provides an independent auditor s opinion on the fairness of the presentation of the service organization's description of controls that had been placed in operation suitability of the design of the controls to achieve the specified control objectives Is as of a specific point in time (rather than a coverage period) Sample of 1 to test the design effectiveness Typical users include marketing organizations and service providers who are preparing initially for a Type II SAS 70 7 SAS 70 Background(cont d.) Type II Provides an independent auditor s opinion on the the information provided in a Type I whether the specific controls were operating effectively during the period under review. Is for a period of time (minimum 6 months) Representative samples are drawn from across the SAS 70 period 8

SAS 70 Background(cont d.) Type II (cont d.) Credit unions: typical organizations that have a Type II SAS 70 performed Benefits administration» 401K investments performed by third party» Trust administration Securities custodian investments (e.g. CUSO or benefits) Payroll (ADP, PayChex, etc.) IT outsourcing: data processing, item processing Credit card processing Loan processing» How many outsource for their loan scoring, credit reports, and/or as a decision tool?» We recently completed the SAS 70 for MeridianLink 9 SAS 70 Background(cont d.) Type II (cont d.) Key benefits derived from using the SAS 70s Improved audit coverage since an independent body has evaluated the selected controls at the outsourcer» Less travel» Independent body may have more specialization skills (e.g. trust administration) Typical reduced audit scope in key areas» Benefits administration» Outsourced IT processing» Payroll Improved confidence in the services and controls provided by the outsourced organization 10

SSAE 16 Background Definition Statement on Standards for Attestation Engagements (SSAE 16) Has an international version as well, International Standards for Attestation Engagements (ISAE 16) Rather than an auditor-to-auditor communication, the intent now is to focus more on the attestation and the structure surrounding the attestation 11 Overview of SSAE 16 Scope Focused on unique systems for processing Type 1 and Type 2 reports Use of subservice organizations (carve-out and inclusive methods) Restricted use report Effective Date Service auditor s reports for periods ending on or after June 15, 2011 Early adoption is permitted 12

Overview of SSAE 16 (cont d.) Notable Changes Attestation standard vs. auditing standard Management assertion Use of suitable criteria Suitability of design opinion (point in time vs. entire period) Materiality Use of internal audit Opinion format 13 So What Has Changed? SAS 70 reports will now be renamed to Service Organization Control (SOC) reports SSAE 16 is NOT intended to provide assurance on controls as they relate to internal controls over financial reporting (ICFR) New standard on the horizon that will provide assurance on controls regarding ICFR Audit standard is now referred to as the attestation standard 14

So What Has Changed?(cont d.) The carve-out method (i.e. specific exclusion) likely will be the most prevalent Subservicing organizations (e.g. payroll, outsourced IT processing, premises monitoring, etc.) may not wish to provide an attestation of their service as they may not be prepared for the expense or the effort 15 So What Has Changed?(cont d.) Management assertion is required Is similar to that used for SOX Section 302: the CEO and CFO must attest to the effectiveness of the controls The description of the organization s controls is presented fairly An explanation of how the controls design is suitable Confirmation that the controls were designed and implemented as of the assertion date Providing information about the controls operating effectiveness (Type II only) 16

Advantages Advantages of a SAS 70 or SSAE 16 Allows the provider s customers to place reliance on the provider s controls. The provider determines the scope, control objectives, controls to be tested, and the review period. Can reduce the scope of internal audits, external audits, regulatory examinations, and required compliance testing Reducing the scope saving $, time Major mortgage servicer essentially recouped its cost 17 Value Proposition INTERNAL VALUE EXTERNAL VALUE VALIDITY EFFICIENCY MEASURABILITY ACCOUNTABILITY EFFECTIVENESS COMPETITIVE ADVANTAGE COMMITMENT TO EXCELLENCE THE CONTROLS EXIST & THEIR DESIGN IS EFFECTIVE; FOR A TYPE II ENGAGEMENT, THEY ARE OPERATIONALLY EFFECTIVE RESOURCES ARE DESIGNED AND DEPLOYED AS PLANNED QUANTIFIABLE, VERIFIABLE RESULTS CONTROL OBJECTIVES CONTROLS ARE FULLY TRANSPARENT TO THE CLIENTS ALL CONTROLS AND PROCEDURES ARE IN PLACE TO ENSURE THE BEST OUTCOME MEMBERS KNOW THAT A CU/CUSO WITH A SAS 70 EXAMINATION HAS STRONGER INTERNAL CONTROLS CLIENTS UNDERSTAND THAT WITH A SAS 70 AUDIT, YOU ARE COMMITTED TO EXCELLENCE FROM THE TOP DOWN

Practitioner Considerations Management s Assertion Written assertion required Description of system (using criteria similar to SSAE 16) Control objectives (specified in Guide) Controls Risk assessment Management s basis for asserting controls were consistently applied Service auditor s responsibilities Suitability of Criteria Management s use of suitable criteria Controls applied as designed 19 Practitioner Considerations (cont d.) Risk Assessment Formal vs. informal assessment If the practitioner has performed the audit previously, it must perform a new risk assessment each time it performs the audit This is intended to ensure that the auditor takes a fresh look at the service organization s environment and provide a more current perspective on the service organization s control structure 20

Practitioner Considerations (cont d.) Risk Assessment Control objectives Relevancy to the key areas to be examined and tested Effects of new legislation or other environmental and economic conditions Organizational strategic objectives and tactical initiatives Monitoring controls Changes in key activities New systems or applications Changes in economic conditions, both macro and micro 21 Practitioner Considerations (cont d.) Criteria Description of the system Types of services and classes of transactions Procedures (automated and manual) Related accounting records Significant events and conditions Specified control objectives and controls and as applicable, complementary user entity controls Other relevant COSO components (e.g., control environment, risk assessment, info and communication, control activities, monitoring) 22

Practitioner Considerations (cont d.) Criteria Changes to the service organization system during the period (in the case of Type 2 report) Management s description does not omit or distort information while meeting common needs of a broad range of user entity/user auditor needs 23 SAS 70 / SSAE 16 Decision Tree User Entity Needs Controls Relevant to User ICFR Need to address internal control over financial reporting requirements? SERVICE ORGANIZATION Controls Over Service Organization Operations/ Compliance USER ORGANIZATION / ENTITY Concerned about risks to your organization? 24

Decision Tree: Financial Reporting Financial Reporting Am I concerned about the design of my internal controls over financial reporting (ICFR)? NO Am I concerned about the effectiveness of my ICFR? NO Do my business partners require independent assurance about how I have addressed my ICFR risks? Y E S Y E S Y E S Consider an independent examination of ICFR design Consider an independent examination of ICFR effectiveness Consider a Type 1 or 2 SSAE16 report (AICPA SOC 1 Report) Operations Compliance Decision Tree: Operations & Compliance Are processes adequately designed to achieve operational and compliance objectives? Y E S Consider an independent review of internal control design Are the operationa l and/or complianc e risks embodied in: NO Are processes effective to achieve operational and compliance objectives? Y E S Are partners concerned about security, privacy, operating effectiveness or confidentiality Consider an independent review of internal control effectiveness Other widely published standards ( AICPA Trust Services, ISO, COBIT, etc) Consider the benefits of a custom attestation report. (Distribution restricted) NO Do business partners require independent assurance about how operational and/or compliance risks are addressed? Y E S Consider the benefits of a Report on Controls at a Service Organization Relevant to Security, Availability, Processing YES Integrity, Confidentiality or Privacy (Distribution may be restricted) (AICPA SOC 2 Report) YES Consider the benefits of an attestation report issued under AT101 (AICPA SOC 3 Report for Trust Services)

So How Does This Affect My Organization? Using the SSAE 16 or SAS 70 when scoping and performing an audit May be able to reduce the scope of the audit if the outsourced provider has a current SAS 70 or SSAE 16 Payroll Data processing Item processing (e.g. WesCorp or other providers) Loan scoring/processing Need to ensure the user (or client) control considerations are being reviewed periodically and are documented Legal aspects to consider 27 So How Does This Affect My Organization? (cont d.) CUSOs Amendment to SEC Rule 206(4)-2, the custody rule under the Investment Advisers Act Became effective March 12, 2010 Qualified custodian can use a SSAE 16 to provide the report on internal controls relating to the custody of client assets Advantages include having the examiners, external auditors, and internal auditors able to rely on the attestation Reduced scope, time, effort for the other audits and examinations Credit unions can ask that their servicers have a SSAE 16 28

So How Does This Affect My Organization? (cont d.) Amendment to SEC Rule 206(4)-2, the custody rule under the Investment Advisers Act (cont d.) This report is prepared by an independent PCAOBregistered public accountant This would not take the place of the required surprise examination 29 So How Does This Affect My Organization? (cont d.) Management Assertion Justifying the management assertion can be timeconsuming Wording has not been finalized yet Can include that management s monitoring can support its assertion that through ongoing activities, e.g. periodic reviews or internal audit activities Assertion s evaluation should include whether the review activities are being performed by someone with appropriate training Most likely, the depth and extent of training will need to be detailed 30

So How Does This Affect My Organization? (cont d.) Third-party vendors (subservice organizations): Current method: informal verification New: if the service organization s system description includes a third party s control objectives and controls (e.g. payroll or physical security monitoring), need a written assertion as part of the service organization s report This may be difficult for many smaller third-party providers to prepare and furnish 31 So How Does This Affect My Organization? (cont d.) Use of internal audit Current: Internal Audit s work is not used; some sampling may overlap with Internal Audit New: Can use some of internal audit s testing Must specify the extent that the controls relied on internal audit This is disclosed in Section 3 s report of tests of operating effectiveness 32

So How Does This Affect My Organization? (cont d.) Cost factors Will vary according to Type of audit (Type I or Type II) Coverage period length (Type II only) Number of control objectives Number of controls overall Number of locations in the organization Complexity of the controls Number and type of clients who will use the SAS 70 Number of application controls vs. the number of IT general controls 33 So How Does This Affect My Organization? (cont d.) How much will it cost? Based on the variables, we have seen Type II SAS 70 s vary from $25,000 to $45,000+ Wide variance in the number of controls and complexity Some users have primarily IT general controls; some efficiencies are available Application controls are specific to the organization and its IT environment Custom applications require more due diligence and effort to determine the key controls and the critical points in processing/handling Can also occur with a less common commercial off-theshelf application 34

Pending Issues Key Issues Pending Resolution Guidance from AICPA expected in early 2011 Management assertion s prescribed wording has not been finalized yet If a significant piece of info is missing, the auditor must determine if that would change the use of the SSAE 16 by the typical user 35 Conclusion In summary, SAS 70 is being updated and enhanced Requires a new risk assessment for each audit (not just updated) Need to determine if the carve-out method (i.e. exclusionary) will be used regarding subservicer organizations Can now leverage Internal Audit s work Management assertion now will be required Several pending issues are to be resolved and clarified by the AICPA in 2011 36

And Now. Questions / Comments??? 37 And in Closing. 38

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback