Transitioning from SAS 70 to SSAE 16


Industry Webinar Series: SAS 70 Ends, Exit to SSAE 16
Transitioning from SAS 70 to SSAE 16: How Does This Apply to Your Organization?
Cindy Boyle, Partner; Rodney Walsh, Director; BKD IT Risk Services

Agenda
- Service Organizations
- User Organizations
- Background
- Similarities
- Key Differences
- Transition Planning
- Conclusion
- Questions

Service Organizations
- Service Organization: a provider of services that may impact a user's (client's) financial reporting, such as:
  - data centers
  - transaction/claims processing centers
  - application service providers
  - bank processing centers
- The service auditor issues an opinion on a service organization's description of controls

User Organizations
- Users of the Service Organization: typically considered your members or clients
- User Auditor (i.e., your client's auditor): is auditing the financial statements of your client
- SAS 70: provides assurance regarding the Service Organization's controls

Background
- Statement on Auditing Standards No. 70 (SAS 70) was issued in the early 90s
- International Standards: two new standards
  - International Standard on Assurance Engagements 3402 (ISAE 3402)
  - The closely related U.S. Statement on Standards for Attestation Engagements 16 (SSAE 16), issued by the AICPA
- SSAE 16 will supersede SAS 70 beginning with reporting periods ending on or after June 15, 2011

Similarities
- SSAE 16 continues the focus on controls likely to be relevant to user entities' internal control over financial reporting (ICFR)
- SSAE 16 will have Type 1 and Type 2 reports similar in scope to the current SAS 70 reports
- The format of the reports will not be significantly different

Similarities
- Narrative description of controls: the basis for the new description of the system
- Subservice organizations
  - Included (inclusive method)
  - Excluded (carve-out method)
- Intended users of the report
  - Service organization's management
  - Users
  - User auditors

Key Differences: SAS vs. SSAE
- Attest standard, not an audit standard
- Consistency with international standards and existing attestation standards
- Increased focus on service organizations with services relevant to a user organization's internal control over financial reporting (ICFR)
- Reference to AT 101, Attest Engagements, for service organizations without ICFR relevance

Key Differences: Management Assertion
- A Management Assertion will be included in or attached to the SSAE 16 report
- It states that the system is:
  - Fairly represented
  - Suitably designed and implemented
- That the related controls were suitably designed to achieve the stated control objectives
- That the controls operated effectively throughout the period (for a Type 2 report)
- Subservice organizations must provide a similar assertion when the inclusive method is used

Key Differences: Management Assertion
- The report will reference that management is responsible for:
  - Preparing the system description
  - Providing the stated services
  - Specifying the control objectives
  - Identifying the risks
  - Selecting and stating the criteria for the assertion (e.g., monitoring activities)
  - Designing, implementing and documenting controls that are suitably designed and operating effectively

Key Differences: Auditor's Opinion vs. Management Assertion
- The Auditor's Opinion remains in the role of providing assurance regarding management's assertions
- The auditor is not the entity responsible for the communication

Key Differences: System Description
- Currently a narrative description of controls
- Management must prepare a written description of the system
- More inclusive than it has been for many organizations and many CPA firms
- For inclusive subservice organizations, include their:
  - Related control objectives
  - Related controls

Key Differences: System Description
- Components common to existing Descriptions of Controls:
  - Services covered
  - Period covered
  - Control objectives and related controls
  - Complementary user controls

Key Differences: System Description
- Additional elements for the Description of the System:
  - Classes of transactions and details on related procedures and accounting records
  - The capturing and addressing of significant events other than transactions
  - Report preparation processes
  - Other relevant aspects of the organization's:
    - Control environment
    - Risk assessment process
    - Information and communication systems
    - Control activities and monitoring controls

Key Differences: Risks
- Management should:
  - Identify the risks that threaten the achievement of the stated services
  - Identify the risks that threaten the achievement of the stated control objectives
  - Evaluate whether the identified controls sufficiently address the risks to achieving the control objectives
- [Diagram: Risks to Services -> Control Objectives -> Risks to Control Objectives -> Control Activities]

Other Key Differences
- The service auditor must disclose reliance on internal audit
- Conforming changes to the service auditor's opinion

Transition Planning: Action Items for Service Providers

Transition Planning
- Promote current-year awareness and improvements
- Determine the effective date for your organization
- Follow up with a specific readiness effort this fall or early Q1

Transition Planning: Develop a Communication Plan
- Within your organization
- To your clients
  - Client Internal Audit/Risk Management (i.e., other users of the report)
- Marketing material
- Web pages
- Contractual references

Transition Planning: Review Scope
- Included/excluded services
- Services that impact your client's financial reporting
- Key third parties (sub-service organizations)
  - Identify all relevant 3rd-party service organizations
  - Existence and use of their SAS 70/SSAE 16
  - Commitments from 3rd parties relative to the carve-out or inclusive method
  - Contractual/SLA impacts

Transition Planning: Review System Description
- Services
- Scope
- Third parties (inclusive or carve-out)
- Risks
- Objectives
- Controls

Transition Planning: Assess Control Design
- Risk based
  - Will impact control objectives
  - Will impact supporting control activities
- Consider current SOX or other compliance efforts/governance models and efforts

Transition Planning: Consider Management Assertion
- Review the basis for the assertion
- Review the sufficiency of current monitoring processes
- Need for direct testing of controls not sufficiently monitored

In Conclusion
- Develop a project plan
- Assign responsibilities
- Monitor the plan
- We are ready to assist:
  - Planning assistance
  - Review of scope and 3rd parties
  - Risk approaches
  - Samples/formats

Thank You
Cindy Boyle, CPA, CFIRS, CIA, Partner, 501.372.1040, cboyle@bkd.com
Rodney Walsh, CGEIT, Director, 816.221.6300, rwalsh@bkd.com