SAS 70 Audit Concepts and Benefits. JAYACHANDRAN.B, CISA, CISM. August 2010


SAS 70 Audit Concepts and Benefits
JAYACHANDRAN.B, CISA, CISM
jb@esecurityaudit.com
August 2010

Agenda
- Compliance requirements overview
- Business environment
- IT governance and compliance management
- Vendor & service provider management
- What is SAS 70 & Indian equivalent
- Opportunities
- Questions?

IT Governance at a Glance
- More regulatory requirements
- Risk management programs
- Critical drivers
- Increasing threats
- Reduced tolerance for service disruption

Compliance Trends: The Regulatory Environment Represents a New Enterprise Challenge
- 1970-1980: Privacy Act of 1974; Foreign Corrupt Practices Act of 1977
- 1980-1990: Computer Security Act of 1987
- 1990-2000: EU Data Protection; HIPAA; FDA 21 CFR Part 11; C6-Canada; GLBA; COPPA
- 2000-Present: USA Patriot Act 2001; EC Data Privacy Directive; CLERP 9; CAN-SPAM Act; FISMA; Sarbanes-Oxley (SOX); CIPA 2002; Basel II; NERC 1200 (2003); CISP; Payment Card Industry (PCI); California Individual Privacy SB1386; Other State Privacy Laws (38)

Responsibility
You are responsible for your vendors and service providers.
- Regulations assign data protection responsibility to the data owner
- Most regulations define provisions for data owners to provide oversight
- Law is more thoroughly defining data protection responsibilities

Are these your service providers?

Common Theme
- Vendors and service providers introduce unique risks
- The current state of vendor data security is inconsistent
- Regulators have inserted vendor management as a key element for all significant data security programs
- Compliance by service providers with those regulations is in the early stages (i.e. don't expect much)

Demystifying Certifications
Business knowledge makes your decision making easier.

The Certification Obsession
- Almost a million organizations have obtained ISO 9001 certification
- About 5,600 have obtained ISO 27001 certification
- India has over 40K organizations that are ISO 9001 certified; 369 Indian organizations have obtained ISO 27001 certification
- India ranked #3 for ISO 27001 after Japan (3,790) and UK (487)
- ROI of certification is easier to establish when it's a competitive differentiator
- Assigning a Rupee (Dollar) value to the benefits of certification is hard to establish

Vendor Management Overview
RISK:
- Know your vendor
- Aligned expectations
- Effective controls
- Enforced vendor management program
PROGRAM:
- Due diligence
- Contract terms
- Joint risk assessment
- Defined standards
- Defined control responsibility
- Vendor reporting
- Periodic audit

A History of Issues
- Poor controls: a Fortune 500 company reports a lost server with sensitive data at a marketing firm
- Unsecure applications: VISA reports that unsecured applications and services are the highest risk to cardholder data processing
- Weak NDA: a service provider sells sensitive data and gets $10 million
- Poor staff supervision: a careless firewall management firm leaves unsecured ports open to an organisation's network

Due Diligence
- Service provider capabilities aligned to business needs
- Financial stability
- Reference checks
- Formal review and approval process
- Maintain evidence of due diligence validation

Contract Terms
- Acknowledge access to sensitive data
- Agree to protect sensitive data
- Non-Disclosure and Confidentiality Agreement (NDA)
- Risk assessment and selection of controls
- Specify standards
- Define control responsibility
- Periodic reporting of control effectiveness
- Audit
- Notification of breach and support of incident investigation

Standards
Not all service providers are aware of industry or regulatory standards for data protection. The data owner must make service providers aware of standards, to include:
- Regulatory requirements (GLBA, HIPAA, PCI)
- Industry best practices (COBIT, FFIEC, ISO 27001, NIST, ITIL)
- Company standards and policies
- Audit and reporting standards (PCI, SOX, SAS 70)

Risk Assessment and Control Selection
- Define system data flow
- Identify system responsibilities
- Perform risk assessment
- Select justified controls
- Identify control metrics
- Measure control effectiveness
- Identify a roadmap to jointly mitigate risks to sensitive data

Unified Compliance Programs
Compliance drivers: PCI, SOX, HIPAA, GLBA, ISO 17799, Privacy Laws
Unified IT controls: Training, Access Controls, Security Policy, Security Architecture Design, Code Review, Penetration Testing, NIDS/HIDS, IDS, Firewall, Logging

SAS 70: What is it?
- The SAS 70 examination and its predecessor engagement have been in existence for more than 30 years.
- Commercial and government organizations are becoming increasingly reliant on shared services processing.
- An examination conducted in accordance with the AICPA's Statement on Auditing Standards (SAS) No. 70, Service Organizations, is a highly specialized examination of the design and operational effectiveness of a service organization's internal controls over processing transactions for user organizations.
- A report must be issued by an independent auditor (CPA).
- Covers controls exercised by a service organization on behalf of its user organizations.
- Control objectives are customizable based upon the service organization and the functions performed.
- Relates to the user organization's financial statement assertions.

Misconceptions
- Misconception that a SAS 70 examination is some sort of certification process that is governed by established criteria. Organizations have referred to their "SAS 70 Certification" on their web sites.
- SAS 70 is not a certification. A SAS 70 examination is most closely aligned with an audit, as it is governed by audit standards established by the AICPA.
- SAS 70 guidance was written to provide the auditor the flexibility to address varied control environments and control objectives.
- The AICPA's SAS 70 is a framework for auditors to follow in providing an opinion over a given control environment.
- Non-CPAs may attempt to issue confusing websites.

Importance of a SAS 70
- Communication of information about the service provider's controls
- The financial statement auditors of user organizations are required under professional standards to understand all aspects of transaction processing and control, including processing performed by a third party service organization.
- Clients of service organizations are beginning to demand that service auditor reviews be performed on a regular basis over outsourced business processes.
- SAS 70 auditors can develop familiarity with the service organization's environment and leverage that knowledge for audit efficiencies across business offerings and platforms

Importance of a SAS 70
What are the alternatives that a financial statement auditor has when faced with an external service provider?
- Test the relevant controls at the service provider that support management's assertions on the financial statements
- Identify and test controls at the user organization that would prevent, detect and correct any control failures for key controls at the service provider (not always a possibility)
- Rely on the results of a SAS 70 examination (assuming appropriate scope, timing and results of testing)
The above are not mutually exclusive alternatives.

Parties Involved
- A service auditor is the auditor who reports on controls of a service organization that may be relevant to a user organization's internal control as it relates to an audit of financial statements.
- A service organization is the entity or segment of an entity that provides services to a user organization that are part of the user organization's information system.
- A user auditor is the auditor that reports on the financial statements of the user organization and relies on the report issued by the service auditor.
- A user organization is the entity that has engaged a service organization and whose financial statements are being audited.

What is a Service Organization?
Providing services that impact a customer organization's internal control.
Organizations that host or support customer hardware and software:
- Data center providers
- Application service providers (ASPs)
- Managed information security services
- Web-hosting or ecommerce infrastructure services
Organizations that assist customers with initiating, authorizing, recording, or processing transactions:
- Transfer agents and custodians
- Third-party administrators (TPAs)
- Claims processing facilities
- Data warehouses
- Call center and customer service centers

Establishing the Terms of the Engagement
Most audit firms require a signed engagement letter before beginning the work. It must be dated before field work starts. It includes:
- Scope: Type I or Type II report and period of review
- Areas to be covered and control objectives to be reviewed
- Management's responsibilities
- Staff to be assigned to the engagement
- Professional fees

SAS 70 Sample Approach
- Evaluate testing results and determine if additional testing is necessary
- Report results to management
- Develop report
- Obtain management representation letter
- Finalize and issue report

Content of a SAS 70 Report
- Independent Service Auditor's Report, provided by the audit organization
- Description of controls, provided by the service organization:
  - Overview of operations
  - Relevant aspects of the control environment, risk assessment and monitoring
  - Information and communication

Management Representation Letters
- Communication from service organization management to the independent auditors
- Dated the last day of audit field work
Key disclosures:
- The service organization must disclose to the auditor all significant changes in controls that have occurred since the last examination, and must reflect such changes in its description of controls
- The service organization must disclose to the auditor any illegal acts, fraud, or uncorrected errors attributable to management or employees that may affect one or more of the user organizations

Management Representation Letters
Key disclosures (continued):
- Any design deficiencies in the controls must be disclosed for which the service organization believes the cost of corrective action may exceed the benefits
- No subsequent events have occurred that would have a significant effect on user organizations that have not been disclosed to the auditor
- The service organization has disclosed to the auditor all instances in which it is aware that controls have not operated with sufficient effectiveness to achieve the specified control objectives

Purpose of a SAS 70 Report
- Reports on the processing of transactions performed by service organizations
- Provides for reporting on a service organization's internal controls to clients, clients' auditors and other interested parties, including prospective clients
- Often referred to as a service auditor's report

Types of SAS 70 Reports
Type 1:
- Reports on controls placed in operation (as of a point in time)
- Looks at the design of controls, not operating effectiveness
- Considered for information purposes only
- Not considered a significant use for purposes of reliance by user auditors/organizations
- Most often performed only in the first year a client has a SAS 70
Type 2:
- Reports on controls placed in operation and tests of operating effectiveness (for a period of time, generally not less than 6 months)
- Differentiating factor: includes tests of operating effectiveness
- More comprehensive
- Requires more internal and external effort
- Identifies instances of noncompliance
- More emphasis on evidential matter

Report Structure
Section One - Independent Service Auditor's Report (the auditor's opinion)
Section Two - Description of Internal Controls and Control Objectives:
- Overview of the organization
- Control environment elements
- System description
- Control objectives, control activities and user control considerations

Report Structure
Section Three - Information Provided by the Independent Service Auditor:
- Type 1 includes the tests related to the design of the control environment
- Type 2 also includes the tests of operating effectiveness, with results and exceptions
Section Four - Information Provided by the Service Organization (optional)

The Value of the SAS 70 Examination
- Provides the user organization and its auditors with basic assurance around specified controls at the service organization
- Decreases interruptions from multiple user organization audits
- Increases consistency of information provided to user organizations
- Provides management within the service organization independent assurance of the design and operating effectiveness of key controls used to process user organizations' transactions
- Increases audit efficiencies for the user auditor and the service auditor

Key Benefit of a SAS 70: Reduce Disruption from Multiple User Organization Audits
The SAS 70 review was designed by the AICPA to enable service organizations to obtain a single audit to accommodate all or most of their user organizations' audit requirements, substantially reducing their audit support costs.

SAS 70 assignment execution

"What's in it for me?"
- SAS 70 and SA 402 (AAS 24), Audit Considerations Relating to Entities Using Service Organizations (1-4-2003): http://www.icai.org/resource_file/17343link_20_402sa-aas24_12oct09.pdf
- The Sarbanes-Oxley Act requires accounting firms to register with the PCAOB in order to prepare, issue, or participate in audit reports of issuers. Non-U.S. accounting firms that furnish, prepare, or play a substantial role in preparing an audit report for any issuer are also subject to PCAOB rules.
- Preparation of internal control documentation (SOP)
- Continuous assessment of the effectiveness of controls

SAS 70 assignment execution

SAS 70 Drivers: Legislation
Legislation does not mandate the production of SAS 70s; however, the legislation has:
- Increased the awareness and scrutiny of internal controls
- Made obtaining a SAS 70 from external as well as internal service organizations a sound and prudent risk management practice
- Made CEOs and CFOs responsible for establishing, evaluating, and monitoring the effectiveness of internal controls over financial reporting and disclosure

Leveraging Existing Certification to SAS 70 Compliance
The initial solution:
- Document requirements for SAS 70
- Develop / redeploy controls
- Maintain SAS 70 compliance
The pain:
- Separate initiatives for each compliance driver
- Duplication of effort
- Confused employees
The smart solution:
- Leverage existing certifications: a combination of ISO 9001 and ISO 27001 controls to meet SAS 70 requirements
- Have quality management maintain SAS 70 compliance
Benefit:
- SAS 70 compliance at no extra cost
- Centralized records to address documentation requirements
- Extension of this innovative deployment to other engagements
- Site certification of SAS 70: proactive demonstration of commitment

Prevention vs. Response
A recent Gartner study showed that preventing an incident was typically less than 4% of the cost of the incident.

Questions or Comments?