This document provides an overview of evaluating vendor risks at service organizations. It discusses assessing, managing, and controlling risks posed by third party vendors. The document outlines various assessment mechanisms for evaluating internal controls at service organizations, such as SAS 70, Shared Assessments, and ISAE 3402 reports. It also discusses how user organizations can obtain assurance about service organization controls through third party assurance engagements.
This document provides an overview of evaluating risks associated with outsourcing to vendor organizations. It discusses classifying vendor risks such as operational, reputation, strategic, compliance, financial, and support risks. It also covers rights to audit vendor organizations and mechanisms for assessing internal controls at service organizations, including SAS 70, Shared Assessments, and ISAE 3402 reports which are issued by independent auditors or assessment firms. The document uses a case study of JP Morgan's outsourcing agreement with IBM to illustrate key considerations around understanding controls at an outsourced vendor.
Rule Imc Records Management & Discovery Offering Q109 V2 (mikelines)
The document is a presentation by Rule Financial on electronic discovery best practices. It was prepared in Q1 2009. The presentation discusses the challenges of increasing litigation volumes and discovery obligations, as well as the fragmented software vendor landscape. It promotes adopting the Electronic Discovery Reference Model process and bringing discovery management in-house through strategic investment in people, processes, and technology.
The document discusses RightSourcing and Enterprise Iron's retirement services RightSourcing model. It defines RightSourcing as transferring functions to lower-cost domestic contractors to reduce costs while avoiding risks of offshore outsourcing. Enterprise Iron's model uses a South Dakota location with educated employees, security, and network capabilities. It discusses full, collaborative, and call center RightSourcing options and retirement services functions that can be RightSourced like operations, plan sponsor services, and treasury operations.
The document discusses managing security risks when information technology functions are outsourced to third parties. It covers planning for outsourcing contracts, including assessing security risks, requirements for vendors, and contract terms. It also discusses selecting vendors, administering contracts over time through reviews and audits, and ensuring proper termination of contracts and systems access. Managing security is key throughout the outsourcing lifecycle from initial planning through contract completion.
This document discusses key insurance coverages for entrepreneurial companies including property, product liability, cyber risk, intellectual property infringement, and international risks. It also outlines common risks that keep CFOs awake including financial, human capital, intellectual capital, operational risks, regulatory risks, and credit risks. The document then discusses building scalable insurance programs and the importance of management liability insurance including directors and officers liability, employment practices liability, fiduciary liability, and ERISA bonds. It concludes with an overview of privacy and cyber risks and coverages.
With information technology playing an increasingly substantive role in the running of captive entities, its application in law, claims management and e-billing is explored.
Technology Enabled Corporate Communications- Forum For Corporate Directors an... (Roger Cohen)
This document discusses technology trends in consumer and enterprise technology and how they can enable professional services and improve compliance processes. It summarizes Roger Cohen's expertise in designing technology solutions for legally intensive business processes. It also outlines challenges public companies face in managing information for regulatory filings, audits, and compliance. It proposes that technology-enabled professional services using tools like virtual data rooms and apps can help address these challenges by providing structure, automation and transparency. Finally, it discusses keys to successful enterprise IT projects, including implementing solutions incrementally from the bottom-up and focusing on user experience, change management and governance.
1) The nature of cyber attacks has changed; they now pose a serious threat because attackers are financially motivated and have access to powerful hacking tools, while law enforcement lacks the resources to respond properly.
2) Traditional incident response methods are ineffective as they are reactive and lack coordination between technical and business teams, often making mistakes.
3) The document argues that organizations need to implement an agile incident response program including a computer security incident response team (CSIRT) that takes a proactive and coordinated approach to security incident prevention and management.
This webinar discusses remote deposit capture (RDC) risk management and FFIEC compliance. It provides an overview of the key aspects of the FFIEC guidance on RDC risks, including the three pillars of responsibility, risks, and mitigation. It summarizes various RDC risks and how financial institutions should assess and manage risks related to technology, operations, vendors, customers and more. The webinar emphasizes that RDC implementation requires involvement from many areas of a financial institution and strong risk management practices.
3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence (Resilient Systems)
This document provides an overview of 3rd party risk due diligence best practices for privacy and security. It discusses using questionnaires and on-site reviews to assess 3rd party vendors. It also addresses considerations for evaluating foreign service providers, such as the scope of services, data sensitivity, geographic factors, business continuity, local laws, legal risks, and security controls. The document provides examples of key questions to include in a questionnaire and areas to focus on during an on-site review.
IT Outsourcing Risks In Financial Sector (UKNGroupLtd)
Presentation exploring the key risks of outsourcing IT in the banking and financial sectors. Understanding these risks will help your organisation mitigate them and ensure your IT outsourcing requirement is delivered with the minimum risk to business.
Real estate risk advisory brochure 2013 (Nidhi Gupta)
Riskpro India is a specialized Risk Management Consulting firm providing risk management advisory, risk trainings, internal audits, forensic accounting, investigations, fraud prevention, process reviews services etc.
Real estate services involve the purchase, ownership, management, rental and/or sale of real estate for profit. Improvement of realty property as part of a real estate investment strategy is generally considered to be a sub-specialty of real estate investing called real estate development. Real estate is an asset form with limited liquidity relative to other investments. Management and evaluation of risk is a major part of any successful real estate investment strategy: risk arises in many different ways at every stage of the investment process, from sale, purchase and tenancy to market and environmental conditions, and a prudent approach to mitigating it is needed for investors, buyers, sellers and vendors.
Against the above backdrop, we’re pleased to launch our comprehensive Real estate Risk advisory services in addition to our existing bouquet of Risk advisory, Consulting, Training & Human Capital Services. Our services are offered through our multi-location delivery centres in major metros, with a presence in 11 Indian cities.
“We are quoted in recent Economic Times news as among the fastest-growing risk consulting firms in India.”
Riskpro is an organization providing risk management consulting services across India through offices in major cities. It is managed by experienced professionals with over 200 years of cumulative experience. Riskpro aims to provide integrated risk management solutions to mid-large sized companies and financial institutions. It offers quality advisory services at affordable rates compared to large consulting firms. Riskpro's main focus and differentiators include risk management expertise, hybrid delivery model, and commitment to client service.
Real estate risk advisory brochure 2013 (Nidhi Gupta)
Riskpro is an organization of risk management consulting firms in India with over 200 years of cumulative experience. It provides integrated risk management services to mid-large corporations and financial institutions. Riskpro aims to be the preferred provider of governance, risk, and compliance solutions. It offers quality advisory services at affordable rates compared to large consulting firms. Riskpro has expertise in areas such as credit risk, market risk, operational risk, IT risk, and regulatory compliance.
Thinksoft provides specialized testing services for banking software to ensure quality, reduce risks, and accelerate time to market. As financial institutions handle vast amounts of money, any issues with new software could be severely costly. Thinksoft has deep expertise in testing major banking platforms across many countries. Their experienced team and customized methodologies help catch defects early and deliver cleaner system rollouts. Banks benefit from Thinksoft's testing through reduced costs, shorter schedules, and satisfied business users.
Identifying Your Agency's Vulnerabilities (Emily2014)
This document provides an overview of operational risks and how to identify vulnerabilities within an agency. It discusses the types of operational risks including people, processes, systems, and external events. An operational risk assessment can show where gaps have opened in existing programs related to human error, lack of procedures, system failures, and external dependencies. The document recommends not relying on historical data alone to predict future risks, and suggests improving communication and managing risks in real time. It also provides examples of how to assess risks from vendors and contractors through background checks, contract terms, and onsite reviews.
The document outlines the top 10 IT trends and priorities for 2014 that CIOs should focus on to maximize their impact, including: choosing the right technology partners, attracting and retaining skills, cybersecurity and governance, enabling BYOD and mobile apps, leveraging big data analytics, improving collaboration and interoperability, preparing for cloud adoption, rethinking IT spending to focus on growth, ensuring business relevance, and reducing time to service delivery. Focusing on these key areas will allow CIOs to position IT as a strategic business enabler rather than just a cost center.
Broadridge offers transfer agent solutions to help companies efficiently address business needs and achieve financial objectives. Their comprehensive suite of services includes record keeping, shareholder communications, proxy processing, and annual meeting expertise. Companies benefit from single-source simplicity, significant cost reductions, and superior service. Broadridge's unique shareholder communications model simplifies the management of shareholder relationships.
1) The document summarizes a presentation on benchmarking and exit clauses in IT outsourcing contracts.
2) Benchmarking involves comparing performance metrics like quality, time and cost to industry best practices in order to drive continuous improvement. Exit clauses aim to manage risks when terminating outsourcing services or transitioning to a new supplier.
3) Key elements of benchmarking and exit clauses include scope, participants, process, price adjustments, personnel issues, knowledge transfer, assistance periods and dispute resolution.
This document discusses key considerations for IT internal audits related to information security and business continuity management. It outlines several audits that an IT internal audit function can perform to evaluate an organization's information security strategy and program, including assessments of the information security program, the threat and vulnerability management program, and performing vulnerability assessments. It also discusses how business continuity has increased in importance given disruptions from events like natural disasters and infrastructure failures, and the need for organizations to have effective business continuity management. The document provides context around risks to information from both internal and external threats and how IT internal audit can help evaluate controls.
RESPA-TILA Integrated Disclosure: Are You Ready? (Infinitive)
New Consumer Financial Protection Bureau (CFPB) rules are game-changing for the financial and mortgage industries. Learn more about RESPA-TILA Integrated Disclosure requirements and how a dedicated program focusing on Intensity, Intimacy and Influence will ensure compliance.
Third-Party Risk Management: Implementing a Strategy (NICSA)
Two Part Series: Part I of II
Third-Party Risk Management: Implementing a Strategy
Sleep Better at Night: Learn techniques to manage risks associated with third-party relationships.
This document summarizes a presentation on managing risks when offshoring services, including experiences from India. The key points discussed include:
- Offshoring provides benefits like lower costs, access to skilled talent, and time zone advantages, but also poses operational, strategic, and compliance risks.
- Common risks include miscommunication due to language/cultural barriers, public resistance, security/data integrity issues, and wage inflation reducing cost benefits.
- Risks can be managed through measures like joint knowledge sharing, well-defined risk matrices, transition management, and monitoring offshored activities.
- India is a favored offshore destination for its skilled English-speaking workforce and quality standards, though economic downturn
“An ably led, well defined, pragmatic, measured, and adequately funded enterprise-wide Data Risk Management (DRM) program is not an executive prerogative; it is a tacit mandate from the shareholders for the very survival of a business in today’s data-driven economy.
How to Build a Module in Odoo 17 Using the Scaffold Method (Celine George)
Odoo provides an option for creating a module with a single command. Running this command generates the whole directory structure of a module, so a beginner can create a module easily without writing each file by hand. This slide shows how to create a module using the scaffold method.
How to Manage Your Lost Opportunities in Odoo 17 CRM (Celine George)
Odoo 17 CRM allows us to track why we lose sales opportunities with "Lost Reasons." This helps analyze our sales process and identify areas for improvement. Here's how to configure lost reasons in Odoo 17 CRM.
Executive Directors Chat Leveraging AI for Diversity, Equity, and Inclusion (TechSoup)
Let’s explore the intersection of technology and equity in the final session of our DEI series. Discover how AI tools, like ChatGPT, can be used to support and enhance your nonprofit's DEI initiatives. Participants will gain insights into practical AI applications and get tips for leveraging technology to advance their DEI goals.
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In... (Dr. Vinod Kumar Kanvaria)
Exploiting Artificial Intelligence for Empowering Researchers and Faculty,
International FDP on Fundamentals of Research in Social Sciences
at Integral University, Lucknow, 06.06.2024
By Dr. Vinod Kumar Kanvaria
Hindi alphabet PPT, hindi alphabet PPT presentation, hindi varnamala PPT, Hindi Varnamala pdf, Hindi vowels, Hindi consonants, learn the Hindi alphabet, dr. mulla adam ali, hindi language and literature, hindi alphabet with drawing, hindi alphabet pdf, hindi varnamala for children, hindi language, hindi varnamala practice for kids, https://www.drmullaadamali.com
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and... (PECB)
Denis is a dynamic and results-driven Chief Information Officer (CIO) with a distinguished career spanning information systems analysis and technical project management. With a proven track record of spearheading the design and delivery of cutting-edge Information Management solutions, he has consistently elevated business operations, streamlined reporting functions, and maximized process efficiency.
Certified as an ISO/IEC 27001: Information Security Management Systems (ISMS) Lead Implementer, Data Protection Officer, and Cyber Risks Analyst, Denis brings a heightened focus on data security, privacy, and cyber resilience to every endeavor.
His expertise extends across a diverse spectrum of reporting, database, and web development applications, underpinned by an exceptional grasp of data storage and virtualization technologies. His proficiency in application testing, database administration, and data cleansing ensures seamless execution of complex projects.
What sets Denis apart is his comprehensive understanding of Business and Systems Analysis technologies, honed through involvement in all phases of the Software Development Lifecycle (SDLC). From meticulous requirements gathering to precise analysis, innovative design, rigorous development, thorough testing, and successful implementation, he has consistently delivered exceptional results.
Throughout his career, he has taken on multifaceted roles, from leading technical project management teams to owning solutions that drive operational excellence. His conscientious and proactive approach is unwavering, whether he is working independently or collaboratively within a team. His ability to connect with colleagues on a personal level underscores his commitment to fostering a harmonious and productive workplace environment.
Date: May 29, 2024
Tags: Information Security, ISO/IEC 27001, ISO/IEC 42001, Artificial Intelligence, GDPR
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: ISO/IEC 27001 Information Security Management System - EN | PECB
ISO/IEC 42001 Artificial Intelligence Management System - EN | PECB
General Data Protection Regulation (GDPR) - Training Courses - EN | PECB
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
A workshop hosted by the South African Journal of Science aimed at postgraduate students and early career researchers with little or no experience in writing and publishing journal articles.
Strategies for Effective Upskilling is a presentation by Chinwendu Peace in a Your Skill Boost Masterclass organisation by the Excellence Foundation for South Sudan on 08th and 09th June 2024 from 1 PM to 3 PM on each day.
How to Make a Field Mandatory in Odoo 17Celine George
In Odoo, making a field required can be done through both Python code and XML views. When you set the required attribute to True in Python code, it makes the field required across all views where it's used. Conversely, when you set the required attribute in XML views, it makes the field required only in the context of that particular view.
Evaluating Vendor Risks
Do you know if they have controls?
May 5, 2010

Introductions
• Relevant Participant Experiences
• Participant Objectives for this class
Copyright 2010 Riebeeck Stevens Ltd
Page 2

Course Objective
To educate participants regarding the nature of vendor risks and the mechanisms to effectively assess, manage and control those risks, by providing a learning forum where individuals with greater audit and third party assurance experience can share their knowledge with peers who are interested in learning about third party assurance and the different mechanisms and standards available to accomplish it.
Today’s Discussion Topics
• Overview of outsourcing arrangements
• Rights to audit
• Diversity of service organizations
• Assessment mechanisms
  o SAS 70
  o Shared Assessments
  o ISAE 3402
• SAS 70 No More
• Conducting an assessment engagement
• Using a third party assessment
• Project management considerations

Outsourcing Business Processes

Background
• Many entities use outside service organizations to accomplish tasks that affect the entity’s management and information system
• In recent years, there has been an increase in the use of service organizations
• Why do you think BPO (business process outsourcing) has increased so much?
• “Practical IT Auditing” Checklist to evaluate candidates for outsourcing
Typical Service Organizations
• Fund accounting agents/Fund administrators
• Custodians/Trustees/Investment advisors
• Transfer agents/Retirement plan record keepers
• Claims processors
• ASPs
• ISPs
• Payroll processors
• Network/Security management
• Thoughts on Cloud Computing Providers?

Outsourcing Arrangements
• Total outsourcing – complete business or business function
• Production outsourcing – Call centers
• Processing outsourcing – Payroll
• Recordkeeping outsourcing – Transfer agent
• Reporting outsourcing – FISERV and Crawford Technologies
• Physical Facilities outsourcing – Hosting/Co-location

Sample Outsourcing Agreements
• 2002: $4 billion / 7-year utility based deal between American Express and IBM
• 1998: $3 billion application development and maintenance agreement between BellSouth and Andersen Consulting
• 1998: $4 billion infrastructure outsourcing agreement between BellSouth and EDS
• 1996: $4.5 billion / 10-year outsourcing and strategic alliance agreements between Dupont and CSC and Andersen Consulting
• 1994: $3 billion / 10-year IT services between Xerox and EDS
Classification of Vendor Risks
• Operational Risk
• Reputation Risk
• Strategic Risk
• Compliance Risk
• Financial Risk
• Support Risk

Classification of Vendor Risks
• Operational Risk – Operational risk not only includes operations and transaction processing, but also areas such as customer service, Information Technology security and the protection of non-public data, systems development and support programs, internal control processes, and capacity and contingency planning.

Classification of Vendor Risks
• Reputation Risk – Errors, delays, or omissions in outsourced services that become public knowledge or directly affect the company's customers can significantly affect reputation. For example, a vendor's failure to maintain adequate service levels and contingencies for key items such as cash deliveries, network hardware devices or ATM servicing could disrupt the ability to deliver service to customers.
Classification of Vendor Risks
• Strategic Risk – Inadequate management experience and expertise can lead to a lack of understanding of key risks facing the industry today and into the future. Additionally, inaccurate information from vendors can cause the company's management and board of directors to make poor strategic decisions.

Classification of Vendor Risks
• Compliance Risk – Outsourced activities that fail to comply with legal or regulatory requirements can subject the company to legal sanctions. For example, inaccurate or untimely consumer compliance disclosures or unauthorized disclosure of confidential customer information could expose the company to civil money penalties or litigation.

Classification of Vendor Risks
• Financial Risk – financial strength of the vendor, cash position, credit rating, bankruptcy history, historical financial performance indicators (return on equity, return on investment, return on assets)

Classification of Vendor Risks
• Support Risk – ability to perform according to service level agreements, professional diversity and capacity of staff, experience of workers, staff rotation policy, operational performance in the market (are they losing customers, is their quality falling?)
Rights to Audit
• Contract clause allowing the user organization to audit, or to have access to audits of, the services contracted
• Should be a standard part of every outsourcing contract
• Use it more frequently
• Demand specific types of audits
• Be specific about the period the audits cover

Case Study
New York - 30 Dec 2002: J.P. Morgan Chase & Co. today finalized with IBM a groundbreaking seven-year outsourcing agreement, in excess of $5 billion, the largest of its kind. The agreement will enable JPMorgan Chase to transform its technology infrastructure through absolute costs savings, increased cost variability, access to the best research and innovation, and improved service levels. By moving from a traditional fixed-cost approach to one with increased capacity and cost variability, JPMorgan Chase will be able to respond more quickly to changing market conditions.
JPMorgan Chase will outsource a significant portion of its data processing technology infrastructure, including data centers, help desks, distributed computing, data networks and voice networks. The agreement includes the transfer of approximately 4,000 JPMorgan Chase employees and contractors as well as selected resources and systems to IBM in the first half of 2003. Application delivery and development, desktop support and other core competencies will largely be retained inside JPMorgan Chase.
Case Study - Instructions
• Study the JPM/IBM press release
• Identify the key risks faced by JPM when transferring functions to IBM
• Discuss methods JPM can use to stay informed of controls at IBM to address those risks
• Discuss impact to security, audit and compliance
• Should JPM require IBM to include a right to audit clause in their contract? Why?

Summary
After completing this module, you should now:
• Understand the business drivers behind the outsourcing decision
• Understand the various types of outsourcing arrangements
• Understand the key classes of vendor risk
• Begin to understand the need to evaluate controls at service organizations

Assessment Mechanisms
Definition of Key Players
Service Organization – The entity that provides services to a user organization
Subservice Organization – An entity that is a service organization of another service organization
Service Auditor – Reports on the processing of transactions by a service organization
User Organization – The entity that has engaged a service organization
User Auditor – Auditor of a user organization

Key Players (diagram): User Organization, User Auditor, Service Organization, Service Auditor, Subservice Organization

Evaluating Internal Control at Service Organizations
• How can a user of a service organization (and its internal/external auditor) obtain a sufficient level of comfort that there is an effective control environment at the service organization?
• How can user management ensure that outsourced processes are managed following policies, procedures and practices that are aligned with those of his/her own company?
Assessment Mechanism: Traditional Approach
• User management submits an internal control questionnaire to the service organization
• Service organization provides a self-assessment report to clients
• User organization management (internal audit) performs audit procedures at the service organization
• User auditor performs audit procedures at service organizations

Assessment Mechanisms: Third Party Assurance Approach
• One independent firm (third party) is brought in to issue an opinion as to whether management’s description of the control environment is presented fairly.
• In many cases, the independent firm is also engaged to perform tests of specific controls and report on the result of those tests.

Assessment Mechanisms: Third Party Assurance Approach
• Agreed-Upon Procedures
• Shared Assessments
• Standard Compliance Audit
• SAS 70
• Attestation
• Who can issue reports using these mechanisms?
Assessment Mechanisms: Third Party Assurance Approach
• Agreed-Upon Procedures – Issued by independent CPA
• Shared Assessments – Issued by independent CPA or assessment firm
• Standard Compliance Audit – Issued by certified party, e.g. PCI and ISO
• SAS 70 – Issued by CPA or CA
• Attestation – Issued by CPA or CA

Module Summary
After completing this module, you should now:
• Understand the process to evaluate internal controls at Service Organizations
• Understand the basic concepts of Third Party Assurance (TPA)
• Identify different mechanisms for conducting TPA engagements
• Understand who can issue third party assurance reports

Agreed-Upon Procedures
What are Agreed-Upon Procedures?
• Section 201 of the AICPA Statements on Standards for Attestation Engagements (SSAE)
• An agreed-upon procedures engagement is one in which a practitioner is engaged by a Responsible Party to issue a report of findings based on specific procedures performed on subject matter. The Responsible Party engages the practitioner to assist Specified Parties in evaluating subject matter or an assertion as a result of a need or needs of the Specified Parties.

What is an AUP Report?
• An AUP Report is a report issued according to SSAE 10 Section 201
• An AUP Report contains the procedures agreed upon by the parties and the findings identified by the auditor
• An AUP Report does not contain an opinion from the auditor, just the facts of the results

Who Uses an AUP Report?
• Agreed-Upon Procedures are used by the service organization, user management, external auditors and regulators
• Internal users include senior management, compliance, internal audit, security and risk management
• External users are typically limited to external auditors and regulators
Distribution of the Report
• As an Attestation report, AUP reports have limited distribution
• The Service Organization and the specified parties can have access to the report
• Other parties interested in the report need to agree as to the sufficiency of the procedures with respect to the subject matter or assertion prior to receiving the report

AUP Auditor’s Responsibilities
• Carry out the procedures
• Report the findings in accordance with the professional standards (general, fieldwork and reporting)
• Adequately plan and supervise the audit and exercise due professional care in performing the procedures, determining the findings, and preparing the report

AUP Auditor’s Responsibilities
• Risk that misapplication of the procedures may result in inappropriate findings being reported
• Risk that appropriate findings may not be reported or may be reported inaccurately
• These risks are reduced by becoming knowledgeable about the subject matter and thoroughly planning and executing the work
• The AUP Auditor has no responsibility to determine the completeness or adequacy of the agreed-upon procedures
Layout of a Typical AUP Report
• A title that includes the word independent
• Identification of the specified parties
• Identification of the subject matter (or the written assertion related thereto) and the character of the engagement
• Identification of the responsible party
• A statement that the subject matter is the responsibility of the responsible party
Extracted from “AICPA Attestation Standards Section 201”

Layout of a Typical AUP Report
• A statement that the procedures performed were those agreed to by the specified parties identified in the report
• A statement that the agreed-upon procedures engagement was conducted in accordance with attestation standards established by the AICPA
• A statement that the sufficiency of the procedures is solely the responsibility of the specified parties and a disclaimer of responsibility for the sufficiency of those procedures

Layout of a Typical AUP Report
• A list of the procedures performed (or reference thereto) and related findings (the practitioner should not provide negative assurance)
• Where applicable, a description of any agreed-upon materiality limits
Layout of a Typical AUP Report
• A statement that the practitioner was not engaged to and did not conduct an examination of the subject matter, the objective of which would be the expression of an opinion, a disclaimer of opinion on the subject matter, and a statement that if the practitioner had performed additional procedures, other matters might have come to his or her attention that would have been reported

Layout of a Typical AUP Report
• A statement of restrictions on the use of the report because it is intended to be used solely by the specified parties
• Where applicable, reservations or restrictions concerning procedures or findings
• For an agreed-upon procedures engagement on prospective financial information.
• Where applicable, a description of the nature of the assistance provided by a specialist
• The manual or printed signature of the practitioner's firm
• The date of the report

Procedures to be Performed
• Can be as limited or as extensive as the specified parties desire
• Mere description of the assertion or subject matter does not constitute a valid procedure
• There is flexibility in determining the procedures
• Changes to the procedures are acceptable as long as the specified parties accept responsibility for the sufficiency of the procedures
• Matters that need to be agreed upon include the nature, timing and extent of the procedures
Procedures to be Performed
• Procedures should not be subjective and open to interpretation
• Terms of uncertain meaning (such as general review, limited review or check) should be avoided
• For each procedure, there should be evidential matter supporting the finding or findings
Let’s explore the Q-Services report

Project Management Considerations
• Use of a Specialist
• Internal Auditors and Other Personnel
• Findings
• Working Papers

AUP Sample Findings
• Procedure: Inspect the shipment dates for a sample (agreed-upon) of specified shipping documents, and determine whether any such dates were subsequent to December 31, 20XX.
• Finding (Appropriate description): No shipment dates shown on the sample of shipping documents were subsequent to December 31, 20XX.
• Finding (Inappropriate description): Nothing came to my attention as a result of applying that procedure.
• Sample findings matrix from AT 201
AUP Auditor Considerations
• Validate that the Specified Parties have agreed to the procedures
• Document the steps taken in performing the procedures
• Obtain and maintain appropriate evidence of the work conducted
• Ensure all changes to the procedures are approved by the Specified Parties
• Obtain representations from management

Using an AUP Report
• An AUP Report contains the results of applying the procedures only – No Opinion
• Each procedure and related result must be evaluated by the user in the context of its entity’s internal control
• Be careful not to extrapolate the findings to systems or dates not related to the AUPs

AUP Exercise
• With the JPM/IBM agreement, multiple systems are being processed and supported at IBM
• You work for JPM and some of your clients (your team members) want to audit the system at IBM to evaluate the security controls at IBM
• Identify and describe 5 audit procedures and discuss them in your group until everyone agrees they are sufficient to meet your objective
• Ensure the wording of the procedures is specific and avoid vague terms
• Draft the result of applying the procedures and share them with the group
Module Summary
After completing this module, you now have an understanding of:
• What Agreed-Upon Procedures are
• What an AUP Report is
• The content of AUPs
• The responsibilities of the AUP Auditor
• Key considerations of managing an AUP project
• The usability of AUP reports

Shared Assessments

Shared Assessments
• Special application of the AICPA AUP standard
• Shared Assessments is a program created by BITS, a division of the Financial Services Roundtable
• Initially targeted at the financial services industry, it is quickly expanding to other industries such as health care
• Program managed by the Santa Fe Group
Shared Assessments
• Standardized Information Gathering (SIG) Questionnaire
• Agreed-Upon Procedures (AUP)
• Created under the principle of getting everyone involved
• Sort of like Skype and IP telephony: when everyone is connected, there is no need to pay for phone service

Who uses a Shared Assessments Report?
• The SIG is used by the Service Organization and the Outsourcer
• The AUP report can be used by all related parties who approved the procedures
• Limited distribution report – others can use it but need to agree to the sufficiency of the procedures to evaluate the related controls

Shared Assessments Risk Domains
• Information security policy
• Organization of information security
• Asset management
• Human resources security
• Physical and environmental security
• Communications and operations management
• Access control
• Information systems acquisition, development and maintenance
• Information security incident management
• Business continuity management
• Compliance
• Privacy
Shared Assessments Project
• Scoping questions – determine:
  • Service provider and its business model
  • Target systems and processes
  • Data that it collects, stores, uses, shares, transports, retains, secures and/or deletes:
    o Target Data
    o Protected Target Data
    o Privacy Target Data
    o Protected Privacy Target Data
• Based on this information, identify hardware, software and procedures to be tested.

Shared Assessments Lite
• SIG v5 Level 1
• Contains 91 questions
• Intended for low risk scenarios
• Inquiry of Service Organization management
• No testing is involved
SIG v5 L1 Questions

Shared Assessments AUP
• Full SIG v5 and management tools
• AUP v5
• 12 Risk Domains
• Specific procedures to be executed by the assessor
• Each AUP control area contains:
  o Objective(s): Statement(s) describing the business interest behind assessing the Domain
  o Control(s): Statement(s) about the controls service providers should have in place
  o Procedure(s): The action or actions a practitioner will perform to test each control area
  o Industry Relevance: Reference(s) to other standards that apply to the same objective and control as the procedure
Shared Assessments Sample Procedure
F.5 Secure Workspace Access Reporting
Objective: An organization should maintain access and incident reports.
Control: Access to Secure Workplace is logged and incident reports are maintained.
Extracted from the Shared Assessments AUP document

Shared Assessments Sample Procedure
Procedures:
a. Obtain the access and incident logs (physical or electronic) from the service provider for the Secure Workspace Perimeter, and inspect for evidence of the following attributes:
Access Logs (Staff):
1. Name
2. Date and time
3. Point of access
4. Date of last update
Access Logs (Visitor):
1. Name
2. Date and time
3. Point of access
4. Company name
5. Visiting
6. Equipment
7. Sign out and return of badge
8. Date of last update
Incident Logs:
1. Name
2. Date and time
3. Company name
4. Incident type
5. Date of last update
b. Report the attributes listed in step a not in evidence, the date the access logs and incident log were last updated, or the nonexistence of the access log or incident log.
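Step b of F.5 carried out by a script, as an added example that is not from the Shared Assessments AUP document or the slides: it checks constructed staff, visitor and incident logs (hypothetical values) for the attributes listed above and phrases each result as a statement of fact, the way the AUP sample findings earlier in the deck recommend. The log names, attribute keys and record layout are assumptions made for the example.

```python
from typing import Dict, List, Optional

# Attributes each log must evidence, taken from the F.5 procedure text.
# "Date of last update" is a property of the log as a whole, so it is
# carried on the log container rather than on every entry.
REQUIRED_ATTRIBUTES: Dict[str, List[str]] = {
    "staff access log": ["name", "date and time", "point of access"],
    "visitor access log": ["name", "date and time", "point of access",
                           "company name", "visiting", "equipment",
                           "sign out and return of badge"],
    "incident log": ["name", "date and time", "company name", "incident type"],
}

# A log is None when the provider could not produce it, otherwise a dict with
# "last updated" (date string or None) and "entries" (attribute -> value dicts).
# This layout is an assumption of the example, not a Shared Assessments format.
Log = Optional[Dict[str, object]]


def inspect_log(log_type: str, log: Log) -> Dict[str, object]:
    """Apply F.5 step b to one log and return the facts to be reported:
    whether the log exists, which required attributes are not in evidence,
    and the date of last update (None if it is not recorded)."""
    required = REQUIRED_ATTRIBUTES[log_type]
    if log is None:
        return {"log": log_type, "exists": False,
                "missing_attributes": list(required) + ["date of last update"],
                "last_updated": None}
    entries = log.get("entries") or []
    missing = []
    for attr in required:
        # An attribute is evidenced only if every entry carries a non-empty
        # value for it; a blank column or an empty log is "not in evidence".
        if not entries or not all(str(e.get(attr, "")).strip() for e in entries):
            missing.append(attr)
    last_updated = log.get("last updated")
    if not last_updated:
        missing.append("date of last update")
    return {"log": log_type, "exists": True,
            "missing_attributes": missing, "last_updated": last_updated}


def inspect_all(logs: Dict[str, Log]) -> List[Dict[str, object]]:
    """Run the inspection for every log type named in the procedure, in order."""
    return [inspect_log(name, logs.get(name)) for name in REQUIRED_ATTRIBUTES]


def format_finding(finding: Dict[str, object]) -> str:
    """State a result as a fact (the 'appropriate description' style of the AUP
    sample findings), never as negative assurance such as 'nothing came to my
    attention'."""
    if not finding["exists"]:
        return f"{finding['log']}: not provided by the service provider."
    if finding["missing_attributes"]:
        body = "attributes not in evidence: " + ", ".join(finding["missing_attributes"])
    else:
        body = "all listed attributes in evidence"
    updated = finding["last_updated"] or "not recorded"
    return f"{finding['log']}: {body}; date of last update: {updated}."


# Constructed sample logs (hypothetical values, not from any real provider).
SAMPLE_LOGS: Dict[str, Log] = {
    "staff access log": {
        "last updated": "2010-04-30",
        "entries": [
            {"name": "A. Staff", "date and time": "2010-04-12 08:02",
             "point of access": "Door 1"},
            {"name": "B. Staff", "date and time": "2010-04-12 08:15",
             "point of access": "Door 2"},
        ],
    },
    "visitor access log": {
        "last updated": "2010-04-28",
        "entries": [
            {"name": "C. Visitor", "date and time": "2010-04-14 10:30",
             "point of access": "Lobby", "company name": "Example Co",
             "visiting": "A. Staff", "equipment": "laptop",
             "sign out and return of badge": ""},       # badge return not recorded
            {"name": "D. Visitor", "date and time": "2010-04-15 14:05",
             "point of access": "Lobby", "company name": "Example Co",
             "visiting": "B. Staff", "equipment": "",   # equipment not recorded
             "sign out and return of badge": "16:00, badge returned"},
        ],
    },
    "incident log": None,  # the provider could not produce an incident log
}

if __name__ == "__main__":
    for result in inspect_all(SAMPLE_LOGS):
        print(format_finding(result))
```

The output is only what the procedure asks the assessor to report; deciding whether a missing attribute matters is left to the specified parties, as the slides on using an AUP report explain.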
Shared Assessments Exercise
• Review the JPM/IBM outsourcing arrangement and, based on the limited information provided, review the questions in Section C2.2 of SIG v5 and the corresponding procedures in Section C of Shared Assessments AUP v5
• Could this provide any comfort when performed by a trusted party?

Shared Assessments Report Layout
• The Shared Assessments report follows the AUP standard of the AICPA
• Description of scope
• Domain area
• Control objective
• Control
• Procedure
• Results of applying the procedure

Using a Shared Assessments Report
• The Shared Assessments report does not provide assurance, just attestation of the result
• Each user of the report must evaluate the results in the context of their own risk universe
• Some controls may be applicable, others may not
• The absence of certain controls may not be relevant to the user’s environment
• Do not extrapolate in time and space
Using a Shared Assessments Report
• Limitations of the Shared Assessments Report
  • Limited to security, business continuity and privacy
  • No third party opinion
• Can it be relied upon for purposes of an audit of financial statements? Only if issued by a CPA? What about internal audit of the user organization?
• What about sub-service organizations? What options are there to report on that relationship?

Module Summary
After completing this module, you should now understand:
• What Shared Assessments are
• What a Shared Assessments Report is
• The content of a Shared Assessments Report
• The responsibilities of the Shared Assessments Auditor
• Key considerations of managing a Shared Assessments project
• The usability of Shared Assessments reports

SAS 70 Audits
What is “SAS 70”?
• Statement on Auditing Standards (SAS) No. 70, Service Organizations, as amended
• Issued by the American Institute of Certified Public Accountants (AICPA)

What is a “SAS 70” Report?
A report containing:
• Description of the control environment
• Description of management’s control objectives
• Description of specific controls, policies and procedures
• Description of tests of those specific controls, policies and procedures
• Results of those tests
• Independent auditor’s opinion
• Supplemental information provided by the Service Organization (optional)

Who uses the SAS 70 report?
Primary external users (outside of the service organization)
• Clients of service organizations and their auditors
• Auditors of the service organization
• Prospective clients of service organizations
Who uses the SAS 70 report?
Benefits of the report to external users
• Enhanced understanding of the control environment
• Additional level of comfort
• Contained audit costs
• Ability to compare service organizations
• Reliance on controls

Who uses the SAS 70 report?
Primary internal users (within the service organization)
• Management
• Internal Audit
• Legal and Compliance
• Risk Management
• Marketing

Who uses the SAS 70 report?
Benefits of the report to internal users
• Independent evaluation of processes and controls
• Standard documentation of processes and controls for future evaluation of efficiencies
• Improved risk management
• Potential reduction of coordination with your client’s auditors
• Marketing
Distribution of the Report
Controlled by the service organization
Generally limited to:
• Service organization
• Clients of service organization
• Auditors of clients of service organization
• Prospective clients of service organization

Types of Reports
• Type I – Report on Controls Placed in Operation as of a specified date
• Type II – Report on Controls Placed in Operation as of a specified date AND Results of Tests of Operating Effectiveness during a specified period

Service Auditor’s Responsibilities: Type I Engagement
• Determine whether the description of controls presents fairly the relevant aspects of the controls placed in operation as of the date of the report
• Determine whether the controls are suitably designed to achieve the specified control objectives
26. Service Auditor’s Responsibilities :
Type II Engagement
• Same as in Type I Engagement
AND
• Determine whether the controls that were
tested were operating with sufficient
tested were operating with sufficient
effectiveness to achieve control objectives
for the specified period of the report
Copyright 2010 Riebeeck Stevens Ltd
Page 76
Sub‐Service Organizations: Carve‐out
• Exclude sub‐service organization’s relevant controls and
control objectives from report and from auditor’s scope
• If Carve‐Out sub‐servicer, then:
Modify scope paragraph in the auditor’s report for the controls of
the sub‐service organization
o Describe the functions and nature of processing performed by sub‐
service organization
i i ti
o That the description of the controls includes only the controls and
related control objectives of the service organization
o That our examination does not extend to the controls at the sub‐service organization
Service Organization modifies description of controls to summarize
the functions and nature of the processing performed by the sub‐
service organization that are omitted from the report
• May be necessary to modify opinion paragraph in auditor’s
report
Copyright 2010 Riebeeck Stevens Ltd
Page 77
Sub‐Service Organizations: Inclusive
• Include sub‐service organization’s relevant controls and
control objectives in report and in auditor’s scope
• Ensure description of controls and control objective
discussion in report clearly differentiates controls at service
organization and at sub‐service organization, but includes
both in reporting
• Modify auditor’s report throughout (scope, opinion, Company
references) to include sub‐service organization (and its
related controls, etc.)
• Perform procedures at the sub‐servicer to determine
whether:
controls (functions/nature of processing and controls) are fairly
presented
controls are suitably designed to achieve the related control objectives
controls are operating with sufficient effectiveness (For Type II
engagements)
User Control Considerations
• Complementary Controls that may be
required at the User Organization
• Include in report’s description of controls
• Include in auditor’s report
• Sample UCC: User Organization should
remove terminated employees when access
no longer needed
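An added example (not part of the original slides) of how the sample UCC above can actually be tested: the user organization, or the user auditor checking that this complementary control is in place, reconciles an HR termination extract against the service organization's user-access listing and flags accounts still active after the employee left. The records, field names and grace period below are constructed for illustration; they are not from any real system or from the page.

```python
"""Added example: reconciliation test for the User Control Consideration
"remove terminated employees when access is no longer needed".
All data and field names here are constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed HR termination feed: employee id -> last working day.
TERMINATIONS = {
    "e1001": date(2010, 3, 31),
    "e1002": date(2010, 5, 14),
    "e1003": date(2010, 6, 1),
}

# Constructed access listing exported from the service organization's system:
# (employee id, account status, date the account was disabled, or None).
ACCESS_LISTING = [
    ("e1001", "ACTIVE", None),                 # still active long after leaving
    ("e1002", "DISABLED", date(2010, 5, 15)),  # disabled the next day: compliant
    ("e1003", "ACTIVE", None),                 # left recently, inside grace period
    ("e1004", "ACTIVE", None),                 # current employee, out of scope
]

# Date the test is performed (constructed).
AS_OF = date(2010, 6, 3)


@dataclass(frozen=True)
class AccessException:
    """One audit exception: an account that outlived its owner's employment."""
    employee_id: str
    days_after_termination: int


def stale_access(terminations, access_listing, as_of, grace_days=0):
    """Return exceptions for terminated employees whose account was still
    ACTIVE, or was DISABLED only after, the termination date plus grace_days.
    Employees not in the termination feed are out of scope for this UCC."""
    exceptions = []
    for employee_id, status, disabled_on in access_listing:
        term_date = terminations.get(employee_id)
        if term_date is None:
            continue
        deadline = term_date + timedelta(days=grace_days)
        if status == "ACTIVE":
            if as_of > deadline:
                exceptions.append(AccessException(employee_id, (as_of - term_date).days))
        elif disabled_on is not None and disabled_on > deadline:
            exceptions.append(AccessException(employee_id, (disabled_on - term_date).days))
    return exceptions


def deviation_rate(terminations, access_listing, as_of, grace_days=0):
    """Observed deviation rate over the population of terminated employees
    that appear in the access listing (the figure compared to a tolerable rate)."""
    population = [entry for entry in access_listing if entry[0] in terminations]
    if not population:
        return 0.0
    return len(stale_access(terminations, access_listing, as_of, grace_days)) / len(population)


if __name__ == "__main__":
    for exc in stale_access(TERMINATIONS, ACCESS_LISTING, AS_OF, grace_days=5):
        print(f"EXCEPTION {exc.employee_id}: access outlived termination by "
              f"{exc.days_after_termination} days")
    print(f"observed deviation rate: {deviation_rate(TERMINATIONS, ACCESS_LISTING, AS_OF, 5):.0%}")
```

The grace period is the organization's own policy parameter; with it set to zero the same data yields three exceptions instead of one, which is why the control objective and the tolerable removal window should be agreed before the test, not after the exceptions appear.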
Service Auditor’s Responsibilities
• Addressing the representations in the service
auditor’s report
• Adhering to the AICPA general standards and
to the relevant AICPA fieldwork and
reporting standards
Layout of Typical SAS 70 Report
Opinion
Section I – Information provided by the Service Organization
Overview of the business
Control Environment
Applicability of Report
Description of Controls
Section II – Information Provided by the Service Auditor
Section III – Controls, Control Objectives and Tests of
Operating Effectiveness
Section IV – Other information provided by the Service
Organization
Module Summary
After completing this module, you should now be
able to:
• Understand the basic SAS 70‐related terms and
definitions
• Understand the basic overview of SAS 70
• Understand who uses SAS 70 reports and why
Project Management:
Useful information for the
Service Auditor Engagement Team
Define and Understand
Engagement/Report Scope
Collaborative process with the Client
Scope should be driven by USER needs and
requirements
o Include Core Areas
o Include desired Locations
Engagement Time Management
• Activity Definition
• Activity Sequencing
• Activity Duration Estimating
• Schedule Development
• Schedule Control
Service Organization Involvement
• Project Sponsor (leader/owner) of the
Process
• Project Coordinator (daily task
management)
• Internal Pre‐Assessment and Remediation
• “Buy‐In” of Senior Management within all
functional departments/areas
Senior Management Buy‐In
• Assists in obtaining information timely
• Ensures right personnel/contacts are met
• Ensures personnel/contacts will provide all
necessary assistance
• Ensures personnel/contacts know the
importance of the project to their department
leaders
Responsibilities
May impact:
• Timing
• Deadlines
• Budgets/fees
• Staffing mix
• Expectations set by client or by auditor
• Satisfaction with meeting expectations and
• The ability to manage expectations
Reporting Responsibilities
Generally, the Client should draft most areas of the Report:
• Overview of Operations (Organization Definition)
• Description of Controls and Control Environment
• Control Objectives and Controls
• Other Information provided by the Service Organization
Generally, the Service Auditor should focus on:
• Opinion
• Information Provided by Service Auditor
• Testing of Controls and Results of Testing
Managing Expectations
• Expectations of Significant Changes During Report
Period (mid‐year significant changes in
controls/processes to consider)
• Presence of Exceptions in the Report
• Multi‐location Considerations
• Report is evolving
• Recommendations to be Provided to Client
• Regular Status Meetings with Project Champion and
Day‐to‐Day Contact Person is important
Managing Expectations (continued)
• Timeline/Deadline for Stages of Engagement
Setting project milestones minimizes time overages
• Detailed Project Plan by Control Objective
Breaking down project plan to task level increases
accuracy of cost estimation and subsequent budgeting
• Monitor Timing/Fees (budget to actual)
Enhanced cost control through frequent budget to actual
monitoring
Module Summary
After completing this module, you should now:
• Understand key aspects of managing a SAS 70
project effectively and efficiently.
• Understand common pitfalls/challenges and
successes that we have encountered in our
experience with SAS 70 engagements.
Service Auditor Considerations
Service Auditor Considerations
• Workpaper documentation
• Design of Tests
• Types of tests
• Sampling
• Findings
• Testing strategies
Design of Tests
Control Test
Types of Tests
• Inquiry
• Inspection
• Observation
• Re‐performance of the control
Sample Sizes
• No definitive guidance
• Driven by four variables:
Significance of control
Frequency
Past experience
Client expectation
Sample Sizes (continued)
• Frequently used numbers (influenced
primarily by SOX developments), by type of control:
Primary control: 25 items
Secondary control: 15 items
Other control: 5 items
Findings
Findings should be classified into:
• Nominal
• Management Letter Comment (“MLC”)
• Exceptions
Findings (continued)
• Quantitative materiality thresholds do not
apply
• How to deal with exceptions
Identify compensating controls
Redefine control objectives
Timely validation
Testing Strategies
• Report must be applicable to internal
controls in place during the entire testing
period.
• Narrative update can occur at six month
point
• Controls can be tested at any time during the
testing period
Module Summary
After completing this module, you should now:
• Understand important items to consider when
performing a SAS 70 engagement including
sample sizes, testing strategies and addressing
findings.
User Auditor Considerations:
How to Use a SAS 70 Report
Is the SAS 70 Useful?
• Does it address the applications and/or locations used by
the Service Organization that are relevant to
financial statement assertions?
• Is it adequate to understand the flow of transactions?
• Does it give sufficient detail of the controls that prevent or
detect possible errors?
• Are there findings within the control tests?
• Does the opinion address any exceptions?
• Are any areas being carved‐out?
Procedures when using a SAS 70 Report
• Read report to:
• Understand the flow of transactions and the controls
• Determine that controls were operating as intended
• Determine whether significant control deficiencies
were noted
• Inquire of client as to changes since date of SAS 70
• Consider whether additional procedures are
necessary
Assessing User Control Considerations
• Read service auditor’s report to determine:
Whether the considerations are relevant to your
client
o If relevant, ensure during your planning that the
controls have been implemented by the client
Nature of complementary controls that should
be in place at your client
Updating a SAS 70
When date of SAS 70 report is within the client’s
fiscal year (and assessed controls as effective):
• Update through client discussions
When date of SAS 70 is outside of our client’s
fiscal year (and anticipate assessing controls as
effective):
• Can use the report as a starting point in gaining
an understanding of the control environment
• You may not rely on this report as audit evidence
Using a SAS 70 Report
READ IT!
READ IT!
READ IT!
READ IT!
Using a SAS 70 Report
• Make sure you understand which significant
processes are covered
• Can you rely on the testing which was
performed?
• Determine the results of any testing that was
performed
Using a SAS 70 Report
• If the report does not cover the entire period
of the user organization’s fiscal year, gain an
understanding for the period not covered.
Module Summary
After completing this module, you should now:
• Understand when you can rely on a SAS 70
report.
• Understand the documentation requirements
when leveraging a SAS 70 report.
• Understand how you can benefit from a SAS
70 report.
Discuss the SAS 70 Reliance Decision Tree
Attest Engagement
What is an Attest Engagement?
• Examination, audit or review of subject
matter or management assertion
• Higher level of assurance
• Generally includes an opinion of the auditor
• Follows the Statement on Standards for
Attestation Engagements of the AICPA
Why Do We Need Attest Reports?
• Many financial situations require an attest
report
• In the controls space, they can cover areas
that are not possible to cover in SAS 70 or
other reports
• An example is business continuity planning
and the availability principle
Who uses Attest Reports?
• Attest reports are limited distribution reports
• Can be used by external auditors for
evaluating audit risk
• Can be used by the service organization
management
• Can be used by the user organization
management
Attest Engagements
Definition and Underlying Concepts
• Subject matter
• Assertion
• Responsible party
Attest Engagements
• Suitability of Criteria
Objectivity
Measurability
Completeness
Relevance
• Availability of Criteria
Attest Auditor Responsibilities
• Training and proficiency
• Adequate knowledge of the subject matter
• Independence
• Due professional care
• If report issued according to the AICPA
standard then auditor should be a CPA
Layout of Attest Report
• Differences in content for an Examination
and a Review report
• Considerations as to whether opining on
subject matter or management assertion
• Statement that the work conducted supports
the opinion provided
• Compliance with AICPA standards
Project Management Considerations
• Obtain clear management assertion
• Ensure there are suitable criteria
• Delineate and plan every activity
• Discuss and walk through every risk and area
of control
• Establish a clearly defined timeline
• Obtain concurrence from management on all
identified findings
Attest Auditor Considerations
• Planning and supervision
• Obtaining sufficient evidence
• Management representations
• Reporting
• Analysis of other information presented by
management
Using an Attest Report
• Ensure focus and scope are relevant
• Review criteria
• Evaluate findings
• Consider period of the attestation
Consider period of the attestation
• Determine whether subsequent events
occurred
• Integrate controls in the report with risks in
your organization
Module Summary
After completing this module, you should now be
able to understand:
• What are Attest engagements
• What is an Attestation Report
• The content of an Attestation Report
• The responsibilities of the Attest Auditor
• Key considerations of managing an Attest
project
• The usability of Attest reports
Good‐Bye SAS 70
SAS 70 No More
• Recent Developments
• International Demand
• IFAC ‐ ISAE 3402
• AICPA SSAE 16 – Reporting on Controls at a
Service Organization
• New SAS – Audit Considerations Relating to
an Entity Using a Service Organization
SAS 70 No More
• New Standards do not affect inquiries of
management
• New Standards do not affect AUP/Shared
Assessments
• New Standards do not affect the Attest
Engagements
AICPA SSAE 16
• Separates Service Audit from existing SAS
• Falls under different family of standards
• Instead of an audit standard, it is an attest
standard
• Requires a written management assertion
• And suitable criteria
• Is not limited to reports used ONLY in a financial
statement audit
SSAE 16 – Impact
• Management of the service organization required
to provide the service auditor with a written
assertion about
1. The fairness of the presentation of the description of
the service organization’s system
2. The suitability of the design of the controls to
achieve the related control objectives stated in the
description, and, in a type 2 engagement
3. The operating effectiveness of those controls to
achieve the related control objectives stated in the
description.
SSAE 16 – Impact
• A service auditor is able to report on controls
at a service organization other than controls
that are relevant to user entities’ financial
reporting, for example, controls related to
user entities’ regulatory compliance,
production, or quality control.
• This is probably the greatest benefit of all!
SSAE 16 – Impact
• In a type 2 report, the service auditor’s
opinion on the fairness of the presentation of
the description of the service organization’s
system and on the suitability of the design of
the controls is for a period of time rather
than as of a specified date, as is the case in
the current standard
SSAE 16 – Impact
• When obtaining an understanding of the
service organization‘s system, the service
auditor would be required to obtain
information to identify risks that the
description of the service organization’s
system is not fairly presented or that the
control objectives stated in the description
were not achieved due to intentional acts by
service organization personnel.
SSAE 16 – Impact
• Indicates that when assessing the operating
effectiveness of controls in a type 2
engagement, evidence obtained in prior
engagements about the satisfactory
operation of controls in prior periods does
not provide a basis for a reduction in testing,
even if supplemented with evidence
obtained during the current period.
SSAE 16 – Impact
• A service auditor’s type 2 report would
identify the customers to whom use of the
report is restricted as "customers of the
service organization’s system during some or
all of the period covered by the service
auditor’s report,"and in a service auditor’s
type 1 report, as, "customers as of the date
of the service organization’s description
covered by the report."
SSAE 16 – Key Considerations
• Effective date – the AICPA/ASB has proposed
making the SSAE effective concurrently with
the new ISAE 3402
• Management assertion – An assertion‐based
engagement includes an explicit
acknowledgement by management of its
responsibility for the matters addressed in its
assertion
• Convergence with International Standards
IFAC – ISAE 3402
• ISAE 3402 – Assurance Reports on Controls at
a Service Organization
• Based on original structure of SAS 70 but very
similar to the New SSAE
• Applies to all countries where IFAC is
recognized
• Scope – applies to engagements that convey
reasonable assurance when the service
organization is responsible for the suitable
design of controls
ISAE 3402
• The standard deals with assurance
engagements by professional accountants in
public practice to provide a report for use by
the user entities and their auditors on the
controls at a service organization that
provides a service to user entities that is
likely to be relevant to user entities’ internal
control, as it relates to financial reporting.
ISAE 3402
The standard does not deal with assurance
engagements:
• To report on whether controls at a service
organization operated as described, or
• To report ONLY on controls at a service
organization that are not related to a service
that is likely to be relevant to user entities’
internal controls as it relates to financial
reporting
Why is ISAE 3402 Important?
• Impact at domestic and international levels
• It updates/replaces (potentially)/complements:
• US ‐ Statement on Auditing Standards (SAS) No. 70
• CA ‐ Canadian Institute of Chartered Accountants
(CICA) 5970
• UK ‐ Audit and Assurance Faculty Standard (AAF)
01/06
• AU ‐ Guidance Statement (GS) 007
• HK ‐ HKSA Statements – Auditing Practice Note 860.2
• JP ‐ Audit Standards Committee Report No. 18
• DE (Germany) ‐ IDW PS 951
IFAC – ISAE 3402
• Introduces the concept of materiality
• Not with respect to the financial statements
but with respect to the system
The concept of materiality takes into account that
the service auditor’s assurance report provides
information about the service organization’s system
to meet the common information needs of a broad
range of user entities and their auditors who have an
understanding of the manner in which that system
has been used.
IFAC – ISAE 3402
• Materiality with respect to the fair presentation of
the service organization’s description of its system,
and with respect to the design of controls, includes
primarily the consideration of qualitative factors,
for example: whether the description includes the
significant aspects of processing significant
transactions; whether the description omits or
distorts relevant information; and the ability of
controls, as designed, to provide reasonable
assurance that control objectives would be
achieved.
IFAC – ISAE 3402
• Materiality with respect to the service
auditor’s opinion on the operating
effectiveness of controls includes the
consideration of both quantitative and
qualitative factors, for example, the tolerable
rate and observed rate of deviation (a
quantitative matter), and the nature and
cause of any observed deviation (a
qualitative matter).
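An added example (not from the original slides) working the quantitative side of this materiality judgment, and tying it back to the 25/15/5 sample sizes quoted on the Sample Sizes slide: given a sample size, the number of deviations observed and a tolerable deviation rate, it computes the observed rate and the one-sided binomial (Clopper-Pearson) upper bound on the population deviation rate at a chosen confidence level, which is the model behind published attribute-sampling tables. The 10% tolerable rate and the scenarios in the usage block are constructed inputs, not figures from the page.

```python
"""Added example: attribute-sampling evaluation of a control test.
Compares a tolerable deviation rate against the observed rate and its
binomial (Clopper-Pearson) upper bound. Inputs in __main__ are constructed."""
from math import comb


def binomial_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_deviation_rate(sample_size, deviations, confidence=0.95, tol=1e-7):
    """Smallest population deviation rate p such that seeing `deviations` or
    fewer in `sample_size` items has probability at most (1 - confidence).
    For zero deviations this is 1 - (1 - confidence) ** (1 / sample_size)."""
    if deviations >= sample_size:
        return 1.0
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if binomial_cdf(deviations, sample_size, mid) > 1 - confidence:
            lo = mid  # this few deviations is still too likely at p=mid: p must be larger
        else:
            hi = mid
    return hi


def evaluate_control(sample_size, deviations, tolerable_rate, confidence=0.95):
    """Return (observed_rate, upper_bound, supports_reliance).
    Reliance is supported only when the upper bound does not exceed the
    tolerable rate; the nature and cause of each deviation (the qualitative
    side of materiality) must still be assessed separately."""
    observed = deviations / sample_size
    upper = upper_deviation_rate(sample_size, deviations, confidence)
    return observed, upper, upper <= tolerable_rate


if __name__ == "__main__":
    # Constructed scenarios using the 25/15/5 sample sizes quoted on the slides
    # and an assumed 10% tolerable deviation rate at 95% confidence.
    for n, k in [(25, 0), (25, 1), (15, 0), (5, 0)]:
        observed, upper, ok = evaluate_control(n, k, tolerable_rate=0.10)
        print(f"n={n:2d} deviations={k}: observed={observed:.1%} "
              f"upper bound={upper:.1%} reliance={'yes' if ok else 'no'}")
```

Running it shows why the frequently used numbers are a starting point rather than a guarantee: a clean sample of 25 gives a 95% upper bound of about 11.3%, which does not reach a 10% tolerable rate, and a clean sample of 5 only bounds the population rate at about 45%. One deviation in 25 pushes the bound to roughly 17.6%, so the significance of the control and the tolerable rate agreed with the user organization decide the sample size, not the other way round.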
Critical Steps in Assurance Reporting
Under ISAE 3402
• Assessing the Suitability of the Criteria
• Obtaining an Understanding of the Service
Organization’s System
• Obtaining Evidence Regarding the
Description
• Obtaining Evidence Regarding Design of
Controls
• Obtaining Evidence Regarding the Operating
Effectiveness of Controls
Critical Steps in Assurance Reporting
Under ISAE 3402
• The Work of an Internal Audit Function
• Other Information
• Preparing the Service Auditor’s Assurance
Report
• Other Communication Responsibilities
Comparison of SAS 70 with ISAE/SSAE
Topic: Scope
Existing SAS 70 Standard: SAS 70 is limited to controls over the processing of financial transactions by a service organization.
ISAE 3402 / SSAE: Report can be extended beyond financial reporting.

Topic: Opinion / Assertion
Existing SAS 70 Standard: The auditor provides an opinion based directly on the subject matter with no formal management assertion.
ISAE 3402 / SSAE: In addition to the auditor's opinion, management of the service organization provides a formal assertion affirming its responsibilities for the controls in the report.
Extracted from “Good‐bye SAS 70” by Fiona Gaskin
Comparison of SAS 70 with ISAE/SSAE (continued)

Topic: Disclosure requirements for use of Internal Audit
Existing SAS 70 Standard: Work performed by internal audit to support the service auditor's opinion is not disclosed.
ISAE 3402 / SSAE: Work performed by internal audit used in part to form the service auditor’s opinion shall include a description of the internal auditor’s work and of the service auditor’s procedures with respect to that work.

Topic: Audit Guidance
Existing SAS 70 Standard: Guidance is provided in an annually updated Audit Guide, which includes illustrative control objectives for various types of service organizations.
ISAE 3402 / SSAE: Guidance for the service auditor will be solely contained in the ISAE itself and will not contain illustrative control objectives. The US will continue to provide audit guidance to support the SSAE/SAS 70 standards.
Extracted from “Good‐bye SAS 70” by Fiona Gaskin
Comparison of SAS 70 with ISAE/SSAE
Topic: Example of Terminology Differences
Existing SAS 70 Standard: Type I - report on the fairness of the description of controls and whether those controls were suitably designed. Type II - report also includes an opinion on the operating effectiveness of the controls.
ISAE 3402 / SSAE: Type 1 - report on the fairness of the description of controls and whether those controls were suitably designed. Type 2 - report also includes an opinion on the operating effectiveness of the controls.
Extracted from “Good‐bye SAS 70” by Fiona Gaskin
ISAE 3402 Report
• Internal control is a process designed to provide
reasonable assurance regarding the achievement of
objectives related to the reliability of financial
reporting, effectiveness and efficiency of operations
and compliance with applicable laws and regulations.
• Control objectives and controls at the User
Organizations
• Control objectives and controls at the Service
Organization
• Controls at the Service Organization that need to be
complemented at User Organizations
Module Summary
After completing this module, you should now be
able to understand:
• The latest developments in Third Party Assurance
Standards
• The impact of new Standards
• The benefits of the new Standards
• Key differences and similarities between domestic
and international standards
• Key considerations and responsibilities of a
service auditor and the user of a third party
assurance report
Wrap‐Up and Summary
Using Third Party Reports
• A report is not relevant if it does not address your
company’s risks
• Prepare your own ICQ or use a standard one as a
pre‐audit tool
• Use your company’s risk and control matrices as
the basis to evaluate ICQ, AUP, SAS 70, ISAE and
SSAE findings
• Starting point is your company’s risks not what is
in the reports
Third Party Assurance – Final Comments
• Businesses will continue to look for opportunities
to increase efficiency and effectiveness of
business processes
• Globalization will not stop
• Cloud Computing will make this field more
interesting and complex
• Third party assurance practice will continue to
grow
• We will be either auditing or will be audited by a
service auditor …
Contact
Felix Ramirez
(W) 646‐290‐8998
(C) 908‐230‐4562
(e) felix.ramirez@riebeeckstevens.com