SAS 70 Audit Concepts and Benefits
Jayachandran B, CISA, CISM
jb@esecurityaudit.com
August 2010
Agenda
- Compliance requirements overview
- Business environment
- IT governance and compliance management
- Vendor and service provider management
- What is SAS 70, and the Indian equivalent
- Opportunities
- Questions?
IT Governance at a Glance
Critical drivers:
- More regulatory requirements
- Risk management programs
- Increasing threats
- Reduced tolerance for service disruption
Compliance Trends
The regulatory environment represents a new enterprise challenge (timeline, as laid out on the slide):
1970-1980:
- Privacy Act of 1974
- Foreign Corrupt Practices Act of 1977
1980-1990:
- Computer Security Act of 1987
1990-2000:
- EU Data Protection
- HIPAA
- FDA 21 CFR Part 11
- C6 (Canada)
- GLBA
- COPPA
2000-Present:
- USA Patriot Act 2001
- EC Data Privacy Directive
- CLERP 9
- CAN-SPAM Act
- FISMA
- Sarbanes-Oxley (SOX)
- CIPA 2002
- Basel II
- NERC 1200 (2003)
- CISP / Payment Card Industry (PCI)
- California Individual Privacy SB1386
- Other state privacy laws (38)
Responsibility
You are responsible for your vendors and service providers.
- Regulations assign data protection responsibility to the data owner
- Most regulations define provisions for data owners to provide oversight
- Law is defining data protection responsibilities more thoroughly
Are these your service providers?
Common Theme
- Vendors and service providers introduce unique risks
- The current state of vendor data security is inconsistent
- Regulators have inserted vendor management as a key element of all significant data security programs
- Compliance by service providers with those regulations is in the early stages (i.e. don't expect much)
Demystifying Certifications
Business knowledge makes your decision making easier.
The Certification Obsession
- Almost a million organizations have obtained ISO 9001 certification
- About 5,600 have obtained ISO 27001 certification
- India has over 40K organizations that are ISO 9001 certified; 369 Indian organizations have obtained ISO 27001 certification
- India ranks #3 for ISO 27001, after Japan (3,790) and the UK (487)
- The ROI of certification is easier to establish when it's a competitive differentiator
- Assigning a Rupee (Dollar) value to the benefits of certification is hard to establish
Vendor Management Overview
Vendor Management Program (diagram: risk elements addressed by program elements)
RISK:
- Know your vendor
- Aligned expectations
- Effective controls
- Enforced vendor management program
PROGRAM:
- Due diligence
- Contract terms
- Joint risk assessment
- Defined standards
- Defined control responsibility
- Vendor reporting
- Periodic audit
A History of Issues
- Poor controls: a Fortune 500 company reports a lost server with sensitive data at a marketing firm
- Unsecured applications: VISA reports that unsecured applications and services are the highest risk to cardholder data processing
- Weak NDA: a service provider sells sensitive data and gets $10 million
- Poor staff supervision: a careless firewall management firm leaves unsecured ports open into an organisation's network
Due Diligence
- Service provider capabilities aligned to business needs
- Financial stability
- Reference checks
- Formal review and approval process
- Maintain evidence of due diligence validation
Contract Terms
- Acknowledge access to sensitive data
- Agree to protect sensitive data
- Non-Disclosure and Confidentiality Agreement (NDA)
- Risk assessment and selection of controls
- Specify standards
- Define control responsibility
- Periodic reporting of control effectiveness
- Audit
- Notification of breach and support of incident investigation
Standards
Not all service providers are aware of industry or regulatory standards for data protection. The data owner must make service providers aware of standards, including:
- Regulatory requirements (GLBA, HIPAA, PCI)
- Industry best practices (COBIT, FFIEC, ISO 27001, NIST, ITIL)
- Company standards and policies
- Audit and reporting standards (PCI, SOX, SAS 70)
Risk Assessment and Control Selection
- Define system data flow
- Identify system responsibilities
- Perform risk assessment
- Select justified controls
- Identify control metrics
- Measure control effectiveness
- Identify a roadmap to jointly mitigate risks to sensitive data
Unified Compliance (diagram)
Compliance drivers: PCI, SOX, HIPAA, GLBA, ISO 17799, privacy laws
feed into Unified Compliance Programs: training, access controls, security policy
which are implemented through Unified IT Controls: security architecture design, code review, penetration testing, NIDS/HIDS (IDS), firewall, logging
SAS 70: What is it?
- The SAS 70 examination and its predecessor engagement have been in existence for more than 30 years.
- Commercial and government organizations are becoming increasingly reliant on shared services processing.
- An examination conducted in accordance with the AICPA's Statement on Auditing Standards (SAS) No. 70, Service Organizations, is a highly specialized examination of the design and operating effectiveness of a service organization's internal controls over processing transactions for user organizations.
- The report must be issued by an independent auditor (CPA).
- Covers controls exercised by a service organization on behalf of its user organizations.
- Control objectives are customizable based on the service organization and the functions performed.
- Relates to the user organization's financial statement assertions.
Misconceptions
- A common misconception is that a SAS 70 examination is some sort of certification process governed by established criteria. Organizations have referred to their "SAS 70 Certification" on their websites.
- SAS 70 is not a certification. A SAS 70 examination is most closely aligned with an audit, as it is governed by audit standards established by the AICPA.
- SAS 70 guidance was written to give the auditor the flexibility to address varied control environments and control objectives.
- The AICPA's SAS 70 is a framework for auditors to follow in providing an opinion over a given control environment.
- Non-CPAs may also put up confusing websites that suggest otherwise.
Importance of a SAS 70
- Communicates information about the service provider's controls.
- The financial statement auditors of user organizations are required under professional standards to understand all aspects of transaction processing and control, including processing performed by a third-party service organization.
- Clients of service organizations are beginning to demand that service auditor reviews be performed on a regular basis over outsourced business processes.
- SAS 70 auditors can develop familiarity with the service organization's environment and leverage that knowledge for audit efficiencies across business offerings and platforms.
Importance of a SAS 70
What alternatives does a financial statement auditor have when faced with an external service provider?
- Test the relevant controls at the service provider that support management's assertions on the financial statements
- Identify and test controls at the user organization that would prevent, detect and correct any control failures for key controls at the service provider (not always possible)
- Rely on the results of a SAS 70 examination (assuming appropriate scope, timing and results of testing)
The above are not mutually exclusive alternatives.
Parties Involved
- A service auditor is the auditor who reports on controls of a service organization that may be relevant to a user organization's internal control as it relates to an audit of financial statements.
- A service organization is the entity, or segment of an entity, that provides services to a user organization that are part of the user organization's information system.
- A user auditor is the auditor that reports on the financial statements of the user organization and relies on the report issued by the service auditor.
- A user organization is the entity that has engaged a service organization and whose financial statements are being audited.
What is a Service Organization?
An organization providing services that impact a customer organization's internal control.
Organizations that host or support customer hardware and software:
- Data center providers
- Application service providers (ASPs)
- Managed information security services
- Web-hosting or e-commerce infrastructure services
Organizations that assist customers with initiating, authorizing, recording, or processing transactions:
- Transfer agents and custodians
- Third-party administrators (TPAs)
- Claims processing facilities
- Data warehouses
- Call centers and customer service centers
Establishing the Terms of the Engagement
Most audit firms require a signed engagement letter before beginning the work. It must be dated before field work starts and includes:
- Scope: Type I or Type II report and the period of review
- Areas to be covered and control objectives to be reviewed
- Management's responsibilities
- Staff to be assigned to the engagement
- Professional fees
SAS 70 Sample Approach
- Evaluate testing results and determine if additional testing is necessary
- Report results to management
- Develop report
- Obtain management representation letter
- Finalize and issue report
Content of a SAS 70 Report
- Independent Service Auditor's Report, provided by the audit organization
- Description of controls, provided by the service organization:
  - Overview of operations
  - Relevant aspects of the control environment, risk assessment and monitoring
  - Information and communication
Management Representation Letters
- Communication from service organization management to the independent auditors
- Dated the last day of audit field work
Key disclosures:
- The service organization must disclose to the auditor all significant changes in controls that have occurred since the last examination, and must reflect such changes in its description of controls.
- The service organization must disclose to the auditor any illegal acts, fraud, or uncorrected errors attributable to management or employees that may affect one or more of the user organizations.
Management Representation Letters
Key disclosures (continued):
- Any design deficiencies in the controls for which the service organization believes the cost of corrective action may exceed the benefits must be disclosed.
- No subsequent events have occurred that would have a significant effect on user organizations and that have not been disclosed to the auditor.
- The service organization has disclosed to the auditor all instances in which it is aware that controls have not operated with sufficient effectiveness to achieve the specified control objectives.
Purpose of a SAS 70 Report
- Reports on the processing of transactions performed by service organizations
- Provides for reporting on a service organization's internal controls to clients, clients' auditors and other interested parties, including prospective clients
- Often referred to as a service auditor's report
Types of SAS 70 Reports
Type 1:
- Reports on controls placed in operation (as of a point in time)
- Looks at the design of controls, not operating effectiveness
- Considered for information purposes only
- Not considered of significant use for purposes of reliance by user auditors/organizations
- Most often performed only in the first year a client has a SAS 70
Type 2:
- Reports on controls placed in operation and tests of operating effectiveness (for a period of time, generally not less than 6 months)
- Differentiating factor: includes tests of operating effectiveness
- More comprehensive
- Requires more internal and external effort
- Identifies instances of noncompliance
- More emphasis on evidential matter
Report Structure
Section One - Independent Service Auditor's Report (the auditor's opinion)
Section Two - Description of Internal Controls and Control Objectives:
- Overview of the organization
- Control environment elements
- System description
- Control objectives, control activities and user control considerations
Report Structure
Section Three - Information Provided by the Independent Service Auditor:
- Type 1 includes the tests related to the design of the control environment
- Type 2 also includes the tests of operating effectiveness, with results and exceptions
Section Four - Information Provided by the Service Organization (optional)
The Value of the SAS 70 Examination
- Provides the user organization and its auditors with basic assurance around specified controls at the service organization
- Decreases interruptions from multiple user organization audits
- Increases consistency of information provided to user organizations
- Provides management within the service organization with independent assurance of the design and operating effectiveness of key controls used to process user organizations' transactions
- Increases audit efficiencies for the user auditor and the service auditor
Key Benefit of a SAS 70
Reduce disruption from multiple user organization audits: the SAS 70 review was designed by the AICPA to enable a service organization to obtain a single audit that accommodates all or most of its user organizations' audit requirements, substantially reducing its audit support costs.
SAS 70 assignment execution
"What's in it for me?"
- SAS 70 and SA 402 (AAS 24), Audit Considerations Relating to Entities Using Service Organizations (1-4-2003): http://www.icai.org/resource_file/17343link_20_402sa-aas24_12oct09.pdf
- The Sarbanes-Oxley Act requires accounting firms to register with the PCAOB in order to prepare, issue, or participate in audit reports of issuers. Non-U.S. accounting firms that furnish, prepare, or play a substantial role in preparing an audit report for any issuer are also subject to PCAOB rules.
- Preparation of internal control documentation (SOP)
- Continuous assessment of the effectiveness of controls
SAS 70 Drivers: Legislation
Legislation does not mandate the production of SAS 70s; however, legislation has:
- Increased the awareness and scrutiny of internal controls
- Made obtaining a SAS 70 from external as well as internal service organizations a sound and prudent risk management practice
- Made CEOs and CFOs responsible for establishing, evaluating, and monitoring the effectiveness of internal controls over financial reporting and disclosure
Leveraging Existing Certification for SAS 70 Compliance
The initial solution:
- Document requirements for SAS 70
- Develop / re-deploy controls
- Maintain SAS 70 compliance
The pain:
- Separate initiatives for each compliance driver
- Duplication of effort
- Confused employees
The smart solution:
- Leverage existing certifications: combine ISO 9001 and ISO 27001 controls to meet SAS 70 requirements
- Have quality management maintain SAS 70 compliance
Benefits:
- SAS 70 compliance at no extra cost
- Centralized records to address documentation requirements
- Extension of this deployment to other engagements
- Site certification of SAS 70 as a proactive demonstration of commitment
Prevention vs. Response
A recent Gartner study showed that preventing an incident typically costs less than 4% of the cost of the incident itself.
Questions or Comments?