Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators

Similar documents
A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS

C22: SAS 70 Practices and Developments Todd Bishop, PricewaterhouseCoopers

IT Attestation in the Cloud Era

Understanding and Evaluating Service Organization Controls (SOC) Reports

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

IT Audit Process Prof. Liang Yao Week Two IT Audit Function

SQL Compliance Whitepaper HOW COMPLIANCE IMPACTS BACKUP STRATEGY

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice

Making trust evident Reporting on controls at Service Organizations

Service Organization Control (SOC) Reports: What they are and what to do with them MARCH 21, 2017

Overview: Compliance and Security Management PCI-DSS Control Compliance Suite Overview

SAS 70 SOC 1 SOC 2 SOC 3. Type 1 Type 2

Studio Guggino and Newtonpartner S.r.l. a team of professionals at the service of your Company

SOC Reporting / SSAE 18 Update July, 2017

SAS 70 & SSAE 16: Changes & Impact on Credit Unions. Agenda

The SOC 2 Compliance Handbook:

Evaluating SOC Reports and NEW Reporting Requirements

Information for entity management. April 2018

Retirement of SAS 70 and a new generation of Service Organization Control (SOC) Reports

Data Security: Public Contracts and the Cloud

Audit Considerations Relating to an Entity Using a Service Organization

SAS70 Type II Reports Use and Interpretation for SOX

Mastering SOC-1 Attestation Reports Under SSAE 16: Auditing Service Organizations Controls in the Cloud

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

CSF to Support SOC 2 Repor(ng

Complete document security

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

Achieving third-party reporting proficiency with SOC 2+

ISACA Cincinnati Chapter March Meeting

Exploring Emerging Cyber Attest Requirements

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY?

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1

CONSIDERATIONS BEFORE MOVING TO THE CLOUD

Information Security Risk Strategies. By

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Tracking and Reporting

BENEFITS of MEMBERSHIP FOR YOUR INSTITUTION

SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions

IT Audit and Risk Trends for Credit Union Internal Auditors. Blair Bautista, Director Bob Grill, Manager David Dyk, Manager

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications

Oracle Database Vault

SOC for cybersecurity

Credit Union Service Organization Compliance

Compliance in 5 Steps

AWS continually manages risk and undergoes recurring assessments to ensure compliance with industry standards.

HITRUST CSF: One Framework

Demonstrating Compliance in the Financial Services Industry with Veriato

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

Information Technology General Control Review

Policy. Sensitive Information. Credit Card, Social Security, Employee, and Customer Data Version 3.4

COBIT 5 With COSO 2013

IIA EXAM - IIA-CGAP. Certified Government Auditing Professional. Buy Full Product.

HCL GRC IT AUDIT & ASSURANCE SERVICES

Protecting your data. EY s approach to data privacy and information security

California ISO Audit Results for 2011 SSAE 16 & Looking Forward for 2012 December 15, 2011

Transitioning from SAS 70 to SSAE 16

Invest in. ISACA-certified professionals, see the. rewards.

01.0 Policy Responsibilities and Oversight

Assessment and Compliance with Sarbanes-Oxley (SOX) Requirements DataGuardZ Whitepaper

Tech Advantage Benchmarking Your Cyber Security Program. March 5, 2014

Exam Questions IIA-CGAP

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH

IGNITING GROWTH. Why a SOC Report Makes All the Difference

Cybersecurity Conference Presentation North Bay Business Journal. September 27, 2016

Information Security Management in a Regulation Driven World

Aon Service Corporation Law Global Privacy Office. Aon Client Data Privacy Summary

Next Generation Policy & Compliance

MHA Consulting BCM Metrics Resiliency Through Measurement

Google Cloud & the General Data Protection Regulation (GDPR)

CONSIDERATIONS BEFORE MOVING TO THE CLOUD

Compliance and Privileged Password Management

What can the OnBase Cloud do for you? lbmctech.com

WHICH SOC REPORT IS RIGHT FOR YOUR CLIENT?

Network Instruments white paper

Keys to a more secure data environment

Security Awareness Compliance Requirements. Updated: 11 October, 2017

Adopting SSAE 18 for SOC 1 reports

354 & Index Board of Directors Responsibilities Audit Committee and Risk Committee Coordination, 244 Audit Committee Functions and Responsibilities, 2

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

Operational Network Security

PCI Data Security. Meeting the Challenges of PCI DSS Payment Card Security

Within our recommendations for editorial changes, additions are noted in bold underline and deletions in strike-through.

COPYRIGHTED MATERIAL. Index

DeMystifying Data Breaches and Information Security Compliance

IBM Internet Security Systems October Market Intelligence Brief

- OQSF - Occupational Qualifications Sub-framework

CCISO Blueprint v1. EC-Council

Sage Data Security Services Directory

Certified Information Systems Auditor (CISA)

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services.

VMware vcloud Air Network Service Providers Ensure Smooth Cloud Deployment

Business Continuity Planning

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

University of Pittsburgh Security Assessment Questionnaire (v1.7)

HITRUST CSF Assurance Program HITRUST, Frisco, TX. All Rights Reserved.

Internal Audit Report. Electronic Bidding and Contract Letting TxDOT Office of Internal Audit

Article II - Standards Section V - Continuing Education Requirements

Transcription:

Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators With increasing oversight and growing demands for industry regulations, third party assurance has never been under a keener eye than we live in today. From insider scandals to outside threats, the protection of corporate and personal information is the corner stone of information security compliance. Obtaining a current SAS 70 audit report can be a significant differentiator within your industry and provide value to new and current customers. Statement of Auditing Standards No. 70 (SAS 70) audits have become the global de facto standard in third party information security assurance. The passage of laws like Sarbanes-Oxley (SOX) has sparked other countries to re-evaluate their own forms of SOX regulations; driving companies to enter a new realm of oversight and regulations related to third party assurance. The Public Company Accounting Oversight Board provided guidance with regards to companies that are required to comply with SOX and how to evaluate the risk of outsourcing services to third party vendors. Within this guidance they indicated that a company could utilize a SAS 70 Type 2 audit to evaluate their vendor s control environments, igniting the SAS 70 era for service organizations. The demand for convenient access to information has driven companies to plug anything and everything into the internet; additionally new technologies have provided organizations a level of comfort to open up their once closed networks to remote employees and third party vendors. Increased flexibility and access to information creates new risks that need to be taken into consideration; standard operating procedures are no longer good enough, organizations need to incorporate regulations and define authorizations to ensure they maintain the level of security that existed in the pre internet world. This change in the way companies data is accessed and transmitted has propelled the SAS 70 audit to the checklist of business proposals and contract renewal requirements, failure to have a current SAS 70 audit can significantly affect potential or current business relationships. SAS 70 Compliance Current and Future Trends SAS 70 has not been the single solution for service organizations; with foreign countries forming their own compliance standards, service organizations operating internationally were required to adhere to different countries laws. Due to the varying forms of service organization reports the International Auditing and Assurance Standards Board (IAASB) felt there was a need for a common auditing standard to address the varying differences in each country s audit requirements. As a result the IAASB created and issued the International Standard on Assurance Engagements (ISAE) 3402 Assurance Report on

Controls at a Service Organization on December 18, 2009. ISAE 3402 is not a means to replace country specific standards (i.e. SAS 70) but provides a reporting option to address current limitations. The American Institute of Certified Public Accountants has recently updated the SAS 70 audit to more closely align the standard with ISAE 3402; the new standard is Statement on Standards for Attestation Engagements No.16 (SSAE 16) Reporting on Controls at a Service Organization and will become effective in June 2011. Visit our Blog for more information on SSAE 16. Even with all of the different changes to compliance standards that companies are facing today, as we move forward and align our clients with the appropriate rules and regulations whether it s called SAS 70, ISAE 3402 or SSAE 16 these auditor reports are a marketable and accepted form of qualification for service organizations that will continue to play a vital role in obtaining and retaining customers today and for years to come. SAS 70 Audit What is it? A SAS 70 audit is performed by an independent certified public accounting firm through examining the controls and processes involved in storing, handling, and transmitting data. The successful completion of an unqualified audit illustrates an organization s ongoing commitment to create and maintain suitable controls for the protection and security of its customers confidential information. Customers of service organizations can easily incorporate the SAS 70 report in their SOX compliance programs as proof that appropriate controls are in place for outsourced services. The SAS 70 audit can also help organizations to comply with other regulations, including HIPAA (Health Insurance Portability and Accountability Act), GLBA (Gramm-Leach-Bliley Act of 1999), and ISO 27001/2. SAS 70 Audit Services SAS 70 Readiness Assessment - is a review designed for organizations preparing for their first SAS 70 audit. Organizations who have not formally evaluated their internal controls often start with a SAS 70 Readiness Assessment. SAS 70 Type 1 - provides limited assurance and reports on the design of controls as of a point in time. Organizations that have policies and procedures in place but little or no history of the policies and procedures in operation start with a SAS 70 Type 1 audit prior to undergoing the SAS 70 Type 2 audit. SAS 70 Type 2 - provides the highest level of assurance for SAS 70 audits and reports on the service organization s controls and operating effectiveness over a period of time (generally at least six months). SAS 70 Type 1 and 2 Reports SAS 70 Type 1 Report is designed to provide an overview of the service organization s description of internal controls and processes relevant to their customers. The report is helpful to gain an understanding of the controls and processes that are designed and implemented at the service organization. A SAS 70 Type 1 audit report contains an opinion and a description of relevant services under review at a point in time. What does this mean? An independent auditor provides an audit opinion on the controls in place to meet the objectives of your business services under review. SAS 70 Type 2 Report also provides a description of internal controls and processes relevant to their customers however in addition, the auditor tests these controls over a period of time to verify that the internal controls and processes are actually operating as the service organization intended. Why obtain a Type 2 report? Since your auditor provides an opinion about the operating effectiveness of controls, third parties are more likely to accept a Type 2 report verses a Type 1 report.

Composition of SAS 70 audit reports There are 4 possible sections of a SAS 70 audit report: Section 1 Audit Opinion: An opinion is prepared for each SAS 70 audit report to clearly explain the scope of services under review and the overall conclusion of the SAS 70 report issued. The table below illustrates the components covered in the opinion letters for both of the SAS 70 audit reports. Opinion Type 1 Report Type 2 Report (1) Whether the service organization s description of its controls Included Included presents fairly, in all material respects, the relevant aspects of the service organization s controls that had been place in operation as of a specific date. (2) Whether the controls were suitably designed to achieve Included Included specified control objectives. (3) Whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the period specified. Not Included Included Section 2 Description of Services/Controls: Includes a description of the company s services under review and a detailed list of the company s policies and procedures with regards to their service offerings. This list should include enough information for your customers to understand the value of the controls in place, but limited to protect proprietary information. Section 3 Information Provided by the Service Auditor: (Type 2 Reports only) Includes the control objectives (scope of audit), relevant implemented controls, auditor s description of controls tested and results of testing. Section 4 Other Information Provided by the Service Organization: An unaudited section of the report used for informational purposes. This section is often used to describe disaster recovering planning and other regulatory compliance procedures that do not fall within the scope of a SAS 70 audit report. What s Covered The SAS 70 covers the information system used by service organizations. The information systems are not limited to just computers and software, but any form of handling user organization s information that could affect their financial reporting. The scope of a SAS 70 audit includes procedures that cover the IT General Computing Controls (GCC) supporting your primary information systems. These controls are used in delivering services and sustaining business procedures for organizations processing financial transactions like payroll companies or electronic payment processing organizations. Details of the IT GCCs and business process procedures are as follows: An examination of IT GCCs is used to evaluate the integrity of data within information systems utilized in delivering services. This portion of the SAS 70 scope is relevant to all service providers and is the core of your SAS 70 audit. The IT GCCs review will cover the physical security, environmental security, computer operations, problem and change management, logical security and data communications. An assessment of business process procedures is used to evaluate how organizations ensure the accuracy, timeliness and completeness for processing financial transactions. This assessment is relevant for organizations like payroll providers, receivable management companies, payment processors and third party administration services. This portion of the SAS 70 scope is not relevant for organizations like software as a service, application service providers or data centers. However business process controls may be integrated in the application software such as a payroll system, retail banking system, inventory system or billing system and require some manual processes like account reconciliations.

SAS 70 Compliance for Third Party Administrators Third Party Administrators (TPAs) perform critical functions for many organizations by processing insurance claims or certain aspects of employee benefit plans. Whether it s health care administration, insurance claims processing, utilization reviews or processing of benefit plans (i.e. retirement plans, flexible spending accounts, etc); TPAs handle sensitive data that if misstated posses a financial and/or regulatory risks to their clients. Increased demand for security, privacy and regulatory compliance has escalated the need for TPAs to become SAS 70 compliant. SAS 70 is playing an important role for service organizations by establishing credibility and trust with their clients and as a marketing tool to enter new markets or expand existing market share. Information security is not the only relevant component of SAS 70 audits. TPAs are responsible for recording and processing transactions that have a financial impact to their clients. Your SAS 70 audit should have an appropriate balance of Information Technology and Quality Control procedures over the transaction processing, to ensure that client records are secure, processing of transactions are authorized and financial account balances are complete and accurate. SAS 70 audits for TPAs involve the following critical areas: 1. Organizational Level Controls: also known as tone at the top, is the evaluation of management s oversight and internal operational level controls. 2. Physical Security: the protection of information systems as it relates to third party data. 3. Environmental Security: the protection of information systems and data from environmental threats. 4. Data backups: the availability and protection of third parties data. 5. System Availability: the availability of information systems to user organizations. 6. Application Change Control: the processing and procedures used to ensure that systems function per user requirements. 7. Information Security: the logical protection of data from unauthorized system access. 8. Client Account Setup: new clients are setup according to contracted terms. 9. Authorization of Claims Processing: submitted claims are processed according to client contracted terms and guidelines. 10. Deposits / Credits: customer s deposits or credits are completely and accurately applied to the appropriate accounts. TPAs can use the unaudited Section 4 of the SAS 70 report to communicate their efforts to comply with many regulatory requirements such as the Health Insurance Portability and Accountability Act (HIPAA). You can read more about the HIPAA and how it relates to TPAs at our Ycompli Blog. What your SAS 70 auditors can do? Perform a risk assessment and compare your internal controls and procedures against the HIPAA security rule requirements in conjunction with the SAS 70 audit procedures. Your SAS 70 provider covers many of the same topics that HIPAA requires; therefore you can leverage your audit efficiencies by working towards HIPAA and SAS 70 compliance at the same time. The scope of the SAS 70 audit is determined by the service organization; however a well scoped audit can ensure that sufficient information is provided to your user organizations and communicates your stringent controls over physical security, environmental security, authorized access and continuous availability of services, which clearly demonstrates your organization s quality of services. Key Benefits Obtaining SAS 70 compliance has enabled service organizations to instill confidence and integrity directly into the hands of their customers, ensuring the reliability of sound internal controls for increased third party assurance. Key benefits from SAS 70 audits are: Instant credibility with current and potential customers Third party perception Independent assessment of controls Potential to grow market share

Reduction of third party self assessment questionnaires One audit report can satisfy multiple customers Confirmation that controls, procedures, and processes are in place as management intends Key Costs Key cost areas for SAS 70 audits include your company s internal personnel time, training and your audit firm s professional fees. Depending on level of defined policies and procedures internal personnel time and training can vary significantly. The professional fees cost of a SAS 70 audit varies from client to client because all SAS 70 audits are different. However some of the factors that should be considered in the price of a SAS 70 audit are the size of your organization, the complexity of the information systems under review, the type of services offered and possibly the location of your business. Lessons Learned We have found that having a clear plan and efficient execution strategies are the key ingredients to a successful SAS 70 audit. Key success factors for an efficient SAS 70 audit include but are not limited to the following: A project plan Designation of a SAS 70 project lead Scheduling of required resources (members of business units) Utilization of experience and educated auditors Calculating the ROI A SAS 70 audit provides organizations with tangible and non-tangible results. Let s start with the non-tangibles. As a component of your SAS 70 audit, your audit firm provides a complete analysis on your operations writes up a report and delivers management best practice recommendations that could benefit an organization from increase efficiencies to a reduction of fraud risk. These benefits are difficult to quantify, but still valuable information. Tangible costs can be found by the number of new customers that selected your organizations because you were SAS 70 audited. Also operating on a higher level of compliance will provide your organization with more leverage with regards to pricing when renewing existing customers contracts. SAS 70 is an internationally recognized third party assurance audit designed for service organizations. It has become the most widely accepted compliance initiative that provides service organizations a benchmark to compare their internal controls and processes against industry best practices. Statement on Auditing Standards No. 70 was originally created in 1992 and over the past five to ten years become globally recognized as one of the highest forms of third party assurance. Organizations can benefit from obtaining a SAS 70 audit, from increasing third party confidence to growing market share. Authored by Ben Osbrach, CISSP, CISA, QSA Contact info: Direct 813.924.5404 Toll free 866.669.6561 osbrach@assuranceconcepts.com www.assuranceconcepts.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback