Internal Control Certification – It’s Not Just an Accounting Thing (Credit Union Conference Presentation)
In this recorded 2012 NAFCU Technology & Security Conference session, you will learn about the internal control certification process and how it impacts more than just the accounting department. Discover the importance of becoming internal control certified, gain insight on the impact of recent regulation change from SAS70 to SSAE 16, and get a walkthrough of the process and audit reports (Type I & Type II) as well as discuss the involvement from the “technology side of the house,” including documentation of systems controls, disaster recovery and more!

Presented by Jeff Ziliani, CPA, Director of Finance and Administration, Burns-Fazzi, Brock

Burns-Fazzi, Brock is the NAFCU Services Preferred Partner for Executive Benefits and Compensation Consulting and Long Term Care Insurance.

More information at http://www.nafcu.org/bfb

Published in: Business

  1. Internal Control Certification – It’s Not Just an Accounting Thing. Presented by Jeff Ziliani, CPA, Burns-Fazzi, Brock & Associates
  2. Internal Controls in the News: “Corzine’s lack of internal controls at MF Global gets exposed with missing money” – Bloomberg News, November 2, 2011. “UBS says some internal controls were not effective” – Reuters, October 25, 2011
  3. Internal Controls in the News (cont.): “A Red Flag on G.M. Internal Controls” – New York Times, August 20, 2010. “Lack of internal controls could present problems for cattle industry” – Farm & Dairy, August 12, 2010
  4. Internal Controls in the News (cont.): “The ability to plan for the short- and long-term, determine product offerings, perform initial and ongoing due diligence over any third-party relationships and set appropriate limits through policies and procedures mitigates strategic risk.” – Debbie Matz, NCUA Chairman. Excerpt from Letter No.: 11-CU-16, Issued Oct. 2011
  5. IC Certification / Due Diligence. The Challenge: • Increasing reliance on the outsourcing of certain tasks or functions • Increasing dependency on external technology and information systems • Pressures of profitability, fraud and embezzlement at an all-time high
  6. IC Certification / Due Diligence (cont.) • Consumer confidence stressed – need for “peace of mind”. The Solution: • Building trust and confidence through a report issued by an independent Certified Public Accountant
  7. Examples of Services Within Scope
  8. Examples of Services Within Scope (cont.) • Financial Services Customer Accounting • Loan / Claims Management and Processing • Cloud Computing • Managed Security • Customer Support • Sales Force Automation • Enterprise IT Outsourcing Services
  9. Changing Standards: Statement of Auditing Standards (SAS) No. 70, Service Organizations. Effective – April 1992
  10. Changing Standards (cont.): Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. Effective – On or after June 15, 2011
  11. What Changed? 1. The name. 2. Now have 3 different Service Organization Controls (SOC) reports to meet specific user needs. 3. Management to provide a written assertion to be included in the auditor’s report.
  12. • Description of Service Organization’s System • CPA’s opinion on fairness of presentation of the description, suitability of design and, in a type 2 report, the operating effectiveness of controls • A type 2 report includes a description of the CPA’s tests of controls and results
  13. • Unaudited system description used to delineate the boundaries of the system • CPA’s opinion on whether the entity maintained effective controls over its system
  14. Walkthrough of the Process. Responsibilities of Management: • Determine the scope of engagement to be performed - What service / system / process are we looking to be included in this engagement? - Is this a Type 1 or 2 engagement?
  15. Walkthrough of the Process (cont.) Responsibilities of Management (cont.): • Prepare a written description of the system / controls within scope. • Provide a written assertion regarding the design, implementation and operation of the controls of the service organization’s system.
  16. Walkthrough of the Process (cont.) Identification of Control Objectives: • SOC 1 Engagements: - Control objectives determined and documented by Management. • SOC 2 & 3 Engagements: - Control objectives based on applicable Trust Services Principles and Criteria.
  17. Walkthrough of the Process (cont.) Trust Services Principles and Criteria: “Checklist” approach broken into the following areas: • Security • Availability • Processing Integrity • Confidentiality • Privacy. The engagement may cover one, multiple or all of the principles.
  18. Walkthrough of the Process (cont.) Additional Guidance: • Provide access to all information. • Be proactive in documenting changes in controls/systems. • Disclose any design or operating deficiencies.
  19. Walkthrough of the Process (cont.) Additional Guidance (cont.): • Provide evidence that a control is operating effectively. • For Type 2 engagements, the auditor will be testing to see if the control has been operating effectively over the period within scope, typically no shorter than a 6-month period.
  20. Walkthrough of the Process (cont.) Q. Does obtaining an SSAE16 report mean that the entire organization is now “SSAE16 certified”? A. No. The auditor’s report is limited in scope to the specific services or systems controls and does not encompass all controls and areas of the organization.
  21. Walkthrough of the Process (cont.) Q. Is this a one-time process? A. No. At least quarterly, it is a best practice to document any changes to controls. In addition, the report itself will need to be “kept current,” as the report tells the users that the controls addressed in the report existed and were operating effectively at or during a certain period of time.
  22. Due Diligence – What to Look For
  23. Due Diligence – What to Look For (cont.) • Are the service or specific system controls covered by the SSAE 16 report? • Which accounting firm performed the work? • What is the period of time covered by the report? • What type of report is it?
  24. Due Diligence – What to Look For (cont.) • Were there any exceptions or deficiencies noted in the auditor’s report? • Is there any other useful information about the vendor that is included in the report? (i.e., disaster recovery plan) • What are the next steps?
  25. Additional Resources: American Institute of Certified Public Accountants, www.AICPA.org. SSAE16 Information, FAQ, Latest News, etc., www.SSAE16.com. IT Governance Institute, www.ITGI.org
  26. “Internal Controls cannot make an institution successful, but the lack of controls or only partial controls can be and commonly is a cause of its failure.” – Gene Bucciarelli, CPA, BankersOnline.com
