This document discusses Statement on Auditing Standards (SAS) No. 70 and how it relates to Sarbanes-Oxley compliance for service organizations. It defines SAS 70 Type I and Type II reports, noting that Type II reports include testing of operational effectiveness over time. A SAS 70 Type II audit demonstrates that a service organization's controls were suitably designed and operating effectively to meet customer needs. Completing this audit provides assurance to customers that can help meet their Sarbanes-Oxley Section 404 requirements for internal controls reporting.
ISO 27001:2013, the Information Security Management Standard, is one of the fastest-growing standards right now, partly due to the ever-evolving digital landscape and the recent introduction of the GDPR.
Similarly to ISO 9001, ISO 27001 is the internationally recognized standard for information security management. It is the most widely used ISMS standard in the world, with over 35k certificates issued to organizations in 178 countries.
What do these standards have in common? And if you have one management system can you have the other?
From May 2017, NQA is able to carry out transition audits to the revised medical device standard as a part of your next assessment.
Every organization which wishes to maintain certification to this standard must undergo a transition audit before March 2019, including resolution of any and all non-conformances raised during the transition audit. To help get you started, the helpful annexes in the new standard have been expanded to give you more detail on where to focus your attention to understand and implement the required changes. The work required will of course depend on your products/services and the non-applicable clauses specific to your QMS.
An explanation of ISO 13485 (Quality Management System for Medical Devices), presented in a clarified and simplified way so that it is easy to understand. Your comments are appreciated.
This document provides an overview of the key changes between the 2005 and 2018 version of ISO 22000 – there are several new requirements in addition to changes to key definitions. You will need to prepare for these changes and adapt your food safety management system to meet the new requirements within the transition timeline.
PECB Webinar: Proposed changes for medical device quality management systems ... (PECB)
We will cover:
• Overview of proposed changes to ISO 13485:201X, MDSAP
• New EU regulations and unannounced audits
• New directions for QMS and regulatory audits
Presenter:
This webinar will be presented by Danny Kroo, the founder and principal consultant at Docusys Corporation.
How to effectively use ISO 27001 Certification and SOC 2 Reports (Salvi Jansen)
You are a service organization managing clients’ mission critical systems, storing and processing confidential client information for multiple clients.
ISO 22000:2018 has been released. Important changes include the HLS, expectations on the risk assessment, a higher level of involvement and commitment from management, application of the PDCA cycle, etc. The important changes are captured here; some further changes can be seen in the standard itself. ISO has decided on a three-year transition period, ending 19th June 2021.
Use of audit clauses in information technology and outsourcing agreements including implications for the Cloud, OSFI Memorandum of February 29, 2012, control audits and CSAE 3416 Audits (Richard Austin and Ken Silverman)
Internal Control Certification – It’s Not Just an Accounting Thing (Credit Un..., by NAFCU Services Corporation)
In this recorded 2012 NAFCU Technology & Security Conference session, you will learn about the internal control certification process and how it impacts more than just the accounting department. Discover the importance of becoming internal control certified, gain insight on the impact of recent regulation change from SAS70 to SSAE 16, and get a walkthrough of the process and audit reports (Type I & Type II) as well as discuss the involvement from the “technology side of the house,” including documentation of systems controls, disaster recovery and more!
Presented by Jeff Ziliani, CPA, Director of Finance and Administration, Burns-Fazzi, Brock
Burns-Fazzi, Brock is the NAFCU Services Preferred Partner for Executive Benefits and Compensation Consulting and Long Term Care Insurance.
More information at http://www.nafcu.org/bfb
SOC 2 attestation or ISO 27001 certification - Which is better for organization (VISTA InfoSec)
Organizations struggle with the decision between selecting the SOC 2 attestation or ISO 27001 Certification. It is important to understand which audit is required & suitable for your organization.
PECB Webinar: Service Catalog among frameworks and standards (PECB)
The webinar covers:
• Service Catalog in ITIL
• Service Catalog in ISO/IEC 20000
• Service Catalog in COBIT 5.0
• How to achieve the best situation for your IT organization
Presenter:
This session was presented by Yahia Al Anwar. He is a senior IT Services Management and Project Management consultant of EGYBYTE with more than 20 years of international experience in ITSM, systems management, security and infrastructure.
Link of the recorded session published on YouTube: https://youtu.be/0FJZ2qQFMRs
ControlCase covers the following:
- What does SOC stand for?
- What is SOC 2 compliance?
- What is SOC 2 certification?
- What is a SOC 2 report?
- Who can perform a SOC 2 audit?
- How do managed service providers comply with SOC 2?
- How to lower cost of SOC 2 audit?
- ControlCase methodology for SOC 2 compliance
A Beginner's Guide to SOC 2 Certification (ShyamMishra72)
Obtaining SOC 2 (System and Organization Controls 2) certification can demonstrate your organization's commitment to information security and privacy. SOC 2 is a widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). It focuses on the controls related to the security, availability, processing integrity, confidentiality, and privacy of customer data within service organizations.
A portion of an internal training session at EBSL Technologies Int'l.
Principles of IT Operations, including ISO 27001, COBIT, ITIL, IT Security and IT Frameworks.
1. EBSL Technologies Int'l – IT Operations
www.ebsltechnologies.com
Internal consultant training: SAS 70
Presented by Jon CRG Shende FBCS CITP, Director IT Services
2. SAS 70
Statement on Auditing Standards 70 (SAS 70) is an internationally recognized auditing standard developed and adopted as a standard in 1992 by the American Institute of Certified Public Accountants (AICPA).
Currently there are two types of SAS 70 reports, termed SAS 70 Type I and SAS 70 Type II.
3. SAS 70
SAS 70 is designated by the U.S. Securities and Exchange Commission (SEC) as an acceptable method for a user organization's management to obtain assurance about a service organization's internal controls without conducting separate assessments.
4. SAS 70 Type I
This report includes the service auditor's opinion. The opinion covers:
• the fairness of the presentation of the service organization's description of controls placed into operation, and
• the functionality of the controls to achieve the specified control objectives.
5. SAS 70 Type II
This report includes the information contained in a Type I service auditor's report, as well as the service auditor's opinion regarding the operational effectiveness of specific controls during the period under review.
Our focus in this session will be on the:
• SAS 70 Type II report
6. Importance of SAS 70
A SAS 70 audit, performed annually, independently verifies the validity and functionality of a data center's control activities and processes.
These control activities and processes are especially important to any entity that must validate the security of financial and sensitive information controls, e.g. healthcare, insurance and financial institutions and any publicly traded company.
7. SAS 70 & Sarbanes-Oxley 1
SOX 404 focuses on the processes comprising an organization's financial reporting process, where management documents and evaluates all controls.
Controls must be significant to the financial reporting processes.
Evaluations are conducted during an annual assessment of the effectiveness of internal controls.
8. SAS 70 & Sarbanes-Oxley 2
Service Providers/Vendors
For service providers that process transactions, host data, or provide other services, management may:
• evaluate the design, and
• test the operating effectiveness
of the service organization's controls.
9. SAS 70 & Sarbanes-Oxley 3
Conclusion
SAS No. 70 Type II meets the requirements of Section 404 of the Sarbanes-Oxley Act of 2002.
Regarding SOX 404, SAS 70 audit reports are important to the process of reporting on the effectiveness of internal control over financial reporting.
10. SAS 70 Type II Audit
This audit includes examination of controls implemented in operation and testing of their operating effectiveness.
Testing of controls covers a minimum period of at least 6 months.
Testing is conducted in predetermined time-frames during this period.
Testing is conducted in a manner that mitigates business interruption of any type.
11. SAS 70 Type II Audit
The designated test period is determined by:
• external auditor requirements, which may change the testing time, e.g. shortened to 4 months or increased to 10 months
• user organization demands
• service organization financial and operational concerns
12. SAS 70 Type II Audit
Organizations can obtain Type II compliance by undergoing a Type I audit, then moving towards Type II compliance in following years.
However, specific factors may dictate an immediate move towards obtaining Type II compliance from the start.