Internal Control Certification – It’s Not Just an Accounting Thing (Credit Union Conference Presentation)

In this recorded 2012 NAFCU Technology & Security Conference session, you will learn about the internal control certification process and how it impacts more than just the accounting department. Discover the importance of becoming internal control certified, gain insight on the impact of recent regulation change from SAS70 to SSAE 16, and get a walkthrough of the process and audit reports (Type I & Type II) as well as discuss the involvement from the “technology side of the house,” including documentation of systems controls, disaster recovery and more!

Presented by Jeff Ziliani, CPA, Director of Finance and Administration, Burns-Fazzi, Brock

Burns-Fazzi, Brock is the NAFCU Services Preferred Partner for Executive Benefits and Compensation Consulting and Long Term Care Insurance.

More information at http://www.nafcu.org/bfb

Published in: Business

Transcript

  • 1. Internal Control Certification – It’s Not Just an Accounting Thing Presented by Jeff Ziliani, CPA Burns-Fazzi, Brock & Associates
  • 2. Internal Controls in the News “Corzine’s lack of internal controls at MF Global gets exposed with missing money” – Bloomberg News, November 2, 2011 “UBS says some internal controls were not effective” – Reuters, October 25, 2011
  • 3. Internal Controls in the News (cont.) “A Red Flag on G.M. Internal Controls” – New York Times, August 20, 2010 “Lack of internal controls could present problems for cattle industry” – Farm & Dairy, August 12, 2010
  • 4. Internal Controls in the News (cont.) “The ability to plan for the short- and long-term, determine product offerings, perform initial and ongoing due diligence over any third-party relationships and set appropriate limits through policies and procedures mitigates strategic risk.” - Debbie Matz, NCUA Chairman Excerpt from Letter No.: 11-CU-16 Issued Oct. 2011
  • 5. IC Certification / Due Diligence The Challenge: • Increasing reliance on the outsourcing of certain tasks or functions • Increasing dependency on external technology and information systems • Pressures of profitability, fraud and embezzlement at an all-time high
  • 6. IC Certification / Due Diligence (cont.) • Consumer confidence stressed – need for “peace of mind” The Solution: • Building trust and confidence through a report issued by an independent Certified Public Accountant
  • 7. Examples of Services Within Scope
  • 8. Examples of Services Within Scope (cont.) • Financial Services Customer Accounting • Loan / Claims Management and Processing • Cloud Computing • Managed Security • Customer Support • Sales Force Automation • Enterprise IT Outsourcing Services
  • 9. Changing Standards Statement of Auditing Standards (SAS) No. 70, Service Organizations Effective – April 1992
  • 10. Changing Standards (cont.) Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization Effective – On or after June 15, 2011
  • 11. What Changed? 1. The name. 2. Now have 3 different Service Organization Controls (SOC) reports to meet specific user needs. 3. Management to provide a written assertion to be included in the auditor’s report.
  • 12. • Description of Service Organization’s System • CPA’s opinion on fairness of presentation of the description, suitability of design and, in a type 2 report, the operating effectiveness of controls • A type 2 report includes a description of the CPA’s tests of controls and results
  • 13. • Unaudited system description used to delineate the boundaries of the system • CPA’s opinion on whether the entity maintained effective controls over its system
  • 14. Walkthrough of the Process Responsibilities of Management • Determine the scope of engagement to be performed - What service / system / process are we looking to be included in this engagement? - Is this a Type 1 or 2 engagement?
  • 15. Walkthrough of the Process (cont.) Responsibilities of Management (cont.) • Prepare a written description of the system / controls within scope. • Provide a written assertion regarding the design, implementation and operation of the controls of the service organization’s system.
  • 16. Walkthrough of the Process (cont.) Identification of Control Objectives • SOC 1 Engagements: - Control objectives determined and documented by Management. • SOC 2 & 3 Engagements: - Control objectives based on applicable Trust Services Principles and Criteria.
  • 17. Walkthrough of the Process (cont.) Trust Services Principles and Criteria “Checklist” approach broken into the following areas: • Security • Availability • Processing Integrity • Confidentiality • Privacy The engagement may cover one, multiple or all of the principles.
  • 18. Walkthrough of the Process (cont.) Additional Guidance • Provide access to all information. • Be proactive in documenting changes in controls/systems. • Disclose any design or operating deficiencies.
  • 19. Walkthrough of the Process (cont.) Additional Guidance (cont.) • Provide evidence that a control is operating effectively. • For Type 2 engagements, the auditor will be testing to see if the control has been operating effectively over the period within scope, typically no shorter than a 6-month period.
  • 20. Walkthrough of the Process (cont.) Q. Does obtaining a SSAE16 report mean that the entire organization is now “SSAE16 certified”? A. No. The auditor’s report is limited in scope to the specific services or systems controls and does not encompass all controls and areas of the organization.
  • 21. Walkthrough of the Process (cont.) Q. Is this a one-time process? A. No. At least quarterly, it is a best practice to document any changes to controls. In addition, the report itself will need to be “kept current” as the report tells the users that the controls addressed in the report existed and were operating effectively at or during a certain period of time.
  • 22. Due Diligence – What to Look For
  • 23. Due Diligence – What to Look For (cont.) • Are the service or specific system controls covered by the SSAE 16 report? • Which accounting firm performed the work? • What is the period of time covered by the report? • What type of report is it?
  • 24. Due Diligence – What to Look For (cont.) • Were there any exceptions or deficiencies noted in the auditor’s report? • Is there any other useful information about the vendor that is included in the report? (i.e., disaster recovery plan) • What are the next steps?
  • 25. Additional Resources • American Institute of Certified Public Accountants: www.AICPA.org • SSAE16 Information, FAQ, Latest News, etc.: www.SSAE16.com • IT Governance Institute: www.ITGI.org
  • 26. “Internal Controls cannot make an institution successful, but the lack of controls or only partial controls can be and commonly is a cause of its failure.” - Gene Bucciarelli, CPA, BankersOnline.com
