evaluating vendor risks - presentation

Evaluating Vendor RisksDo you know if they have

Evaluating Vendor RisksDo you know if they haveDo you know if they have

controls?Do you know if they have

controls?May 5, 2010

Introductions

• Relevant Participant Experiencesp p

• Participant Objectives for this class

Copyright 2010 Riebeeck Stevens Ltd

Course Objective

To educate participants regarding the nature f d i k d th h i tof vendor risks and the mechanisms to

effectively assess, manage and control those risks by providing a learning forum whererisks by providing a learning forum where individuals with greater audit and third party assurance experience can share theirassurance experience can share their knowledge with peers who are interested in learning about third party assurance and the different mechanisms and standards available to accomplish it.


Today’s Discussion Topics

• Overview of outsourcing arrangementsRi h di• Rights to audit

• Diversity of service organizations• Assessment mechanisms• Assessment mechanisms

o SAS 70o Shared Assessmentso ISAE 3402

• SAS 70 No MoreC d ti t t• Conducting an assessment engagement

• Using a third party assessment• Project management considerations


Project management considerations

Outsourcing Business Processes


Background

• Many entities use outside service organizations li h k h ff h i ’to accomplish tasks that affect the entity’s

management and information system

I t th h b i i• In recent years, there has been an increase in the use of service organizations

• Why do you think BPO (business process• Why do you think BPO (business process outsourcing) has increased so much?

• “Practical IT Auditing” Checklist to evaluate• Practical IT Auditing Checklist to evaluate candidates for outsourcing


Typical Service Organizations

• Fund accounting agents/Fund administrators• Custodians/Trustees/Investment advisors• Transfer agents/Retirement plan record keepers

Cl i• Claims processors• ASPs• ISPsISPs• Payroll processors• Network/Security management• Thoughts on Cloud Computing Providers?


Outsourcing Arrangements

• Total outsourcing – complete business or business function

• Production outsourcing – Call centers• Processing outsourcing – Payroll• Recordkeeping outsourcing – Transfer agent• Reporting outsourcing – FISERV and Crawford

Technologies• Physical Facilities outsourcing – Hosting/Co‐

location


Sample Outsourcing Agreements

• 2002: $4 billion / 7‐year utility based deal between American Express and IBMAmerican Express and IBM

• 1998: $3 billion application development and maintenance agreement between BellSouth and gAndersen Consulting

• 1998: $4 billion infrastructure outsourcing agreement b t B llS th d EDSbetween BellSouth and EDS

• 1996: $4.5 billion / 10 year outsourcing and strategic alliance agreements between Dupont and CSC and g pAndersen Consulting

• 1994: $3 billion / 10‐year IT services between Xerox and EDS


EDS

Classification of Vendor Risks

• Operational Risk

• Reputation Risk

• Strategic RiskStrategic Risk

• Compliance Risk

Fi i l Ri k• Financial Risk

• Support Risk



• Operational Risk ‐ Operational risk not only includes operations and transaction processing, but also areas such as customer service, Information Technology security and the protection of non‐public data, systems development and support programs, internal control processes, and capacity and contingency planning.



• Reputation Risk – Errors, delays, or omissions i t d i th t b bliin outsourced services that become public knowledge or directly affect the company's customers can significantly affect reputationcustomers can significantly affect reputation. For example, a vendor's failure to maintain adequate service levels and contingencies foradequate service levels and contingencies for key items such as cash deliveries, network hardware devices or ATM servicing could disrupt the ability to deliver service to customers.



• Strategic Risk – Inadequate management experience and expertise can lead to a lack of understanding of key risks facing the industry today and into the future. Additionally, inaccurate information from vendors can cause the company's management and board of directors to make poor strategic decisions.



• Compliance Risk – Outsourced activities that fail to comply with legal or regulatory requirements can subject the company to legal sanctions. For example, inaccurate or untimely consumer compliance disclosures or unauthorized disclosure of confidential customer information could expose the company to civil money penalties or litigation.



• Financial Risk – financial strength of the vendor, cash position, credit rating, bankruptcy history, historical financial performance indicators – return on equity, return on investment, return on assets



• Support Risk – ability to perform according to service level agreements, professional diversity and capacity of staff, experienced of workers, staff rotation policy, operational performance in the market – are they losing customers, is their quality falling


Rights to Audit

• Contract clause allowing the user i ti t dit h t ditorganization to audit or have access to audits

of the services contractedSh ld b t d d t f• Should be a standard part of every outsourcing contractU f tl• Use more frequently

• Demanding specific types of audits• Make sure you are specific in terms of period

of audits


Case StudyNew York ‐ 30 Dec 2002: J.P. Morgan Chase & Co. today finalized with IBM a groundbreaking seven‐year outsourcing agreement, in excess of $5 billion, the largest of its kind. The agreement will enable JPMorgan Chase , g g gto transform its technology infrastructure through absolute costs savings, increased cost variability, access to the best research and innovation, and improved service levels. By moving from a traditional fixed‐cost approach to one with increased capacity and cost variability, JPMorgan Chase will be able to respond more quickly to changing market conditions.

JPMorgan Chase will outsource a significant portion of its data processing technology infrastructure, including data centers, help desks, distributed computing, data networks and voice networks. The agreement includes the transfer of approximately 4,000 JPMorgan Chase employees and contractors as well as selected resources and systems to IBM in the first half of 2003. Application delivery and development, desktop support and


other core competencies will largely be retained inside JPMorgan Chase.

Case Study ‐ Instructions

• Study the JPM/IBM press release

• Identify the key risks faced by JPM when transferring functions to IBM

• Discuss methods JPM can use to stay informed of controls at IBM to address those risks

• Discuss impact to security, audit and compliance

• Should JPM require IBM to include a right to q gaudit clause in their contract? Why?


Summary

After completing this module, you should now:• Understand the business drivers behind the

outsourcing decision• Understand the various types of outsourcing

arrangements• Understand the key classes of vendor risk• Begin to understand the need to evaluate

controls at service organizations


Assessment Mechanisms


Definition of Key Players

Service Organization – The entity that provides i t i tiservices to a user organization

Subservice Organization – An entity that is a service organization of another serviceservice organization of another service organizationService Auditor – Reports on the processing of p p gtransactions by a service organizationUser Organization – The entity that has engaged

i i tia service organizationUser Auditor – Auditor of a user organization


Key Players

Service AuditorUser Organization

Service Organization

SubserviceOrganizationUser Auditor OrganizationUser Auditor


Evaluating Internal Controlat Service Organizations

• How can a user of a service organization (and its i l/ l di ) b i ffi iinternal/external auditor) obtain a sufficient level of comfort that there is an effective control environment at the service organization?environment at the service organization?

• How can user management ensure that outsourced processes are managed followingoutsourced processes are managed following policies, procedures and practices that are aligned with those of his/her own company?


Assessment Mechanism: Traditional Approach

• User management submits an internal control questionnaire to service organization

• Service organization provides a self‐assessment report to clients

• User organization management (internal audit) performs audit procedures at service organization

• User auditor performs audit procedures at service organizations


Assessment Mechanisms:Third Party Assurance Approach

• One independent firm (third party) is brought in to issue an opinion as to whether management’s description of the control environment is presented fairly.

• In many cases, the independent firm is also engaged to perform tests of specific g g p pcontrols and report on the result of those tests.



• Agreed‐Upon Procedures

• Shared Assessments

• Standard Compliance AuditStandard Compliance Audit

• SAS 70

Att t ti• Attestation• Who can issue reports using these

h i ?mechanisms?



• Agreed‐Upon ProceduresIssued by independent CPA

• Shared AssessmentsIssued by independent CPA or assessment firmIssued by independent CPA or assessment firm

• Standard Compliance AuditIssued by certified party – i.e. PCI and ISOy p y

• SAS 70Issued by CPA or CA

• AttestationIssued by CPA or CA


Module Summary

After completing this module, you should now:d d h l l

After completing this module, you should now:d d h l l• Understand the process to evaluate internal

controls at Service Organizationsd d h b i f hi d

• Understand the process to evaluate internal controls at Service Organizations

d d h b i f hi d• Understand the basic concepts of Third Party Assurance (TPA)d if diff h i f d i

• Understand the basic concepts of Third Party Assurance (TPA)d if diff h i f d i• Identify different mechanisms for conducting TPA engagementsU d d h i hi d

• Identify different mechanisms for conducting TPA engagementsU d d h i hi d• Understand who can issue third party assurance reports

• Understand who can issue third party assurance reports


Agreed‐Upon Procedures


What are Agreed Upon Procedures

• Section 201 of the AICPA Statements on Standards f A i E (SSAE)for Attestation Engagements (SSAE)

• An agreed‐upon procedures engagement is one in which a practitioner is engaged by a Responsiblewhich a practitioner is engaged by a Responsible Party to issue a report of findings based on specific procedures performed on subject matterspecific procedures performed on subject matter. The Responsible Party engages the practitioner to assist Specified Parties in evaluating subject p g jmatter or an assertion as a result of a need or needs of the Specified Parties.


What is an AUP Report

• An AUP Report is a report issued according to SSAE 10 Section 201

• An AUP Report contains the procedures agreed‐upon by the parties and the findings identified by the auditor

• An AUP Report does not contain an opinion from the auditor just the facts of the resultsfrom the auditor just the facts of the results


Who Uses a AUP report

• Agreed‐Upon procedures are used by the service organization, user management, external auditors and regulators

• Internal users include senior management, compliance, internal audit, security and risk management

• External users typically limited to externalExternal users typically limited to external auditors and regulators


Distribution of the Report

• As an Attestation report, AUP reports have limited distribution

• The Service Organization and the specified parties can have access to the report

• Other parties interested in the report needOther parties interested in the report need to agree as to the sufficiency of the procedures with respect to the subjectprocedures with respect to the subject matter or assertion prior to receiving the report


report

AUP Auditor’s Responsibilities

• Carry out the procedures

• Report the findings in accordance with the professional standards (general, fieldwork and reporting)

• Adequately plan and supervise the audit andAdequately plan and supervise the audit and exercise due professional care in performing the procedures, determining the findings,the procedures, determining the findings, and preparing the report


AUP Auditor’s Responsibilities

• Risk that misapplication of the procedures may l i i i fi di b i dresult in inappropriate findings being reported

• Risk that appropriate findings may not be reported or may be reported inaccuratelyreported or may be reported inaccurately

• These risks are reduced by becoming knowledgeable about the subject matter andknowledgeable about the subject matter and thoroughly planning and executing the work

• The AUP Auditor has no responsibility to p ydetermine completeness or adequacy of the agreed‐upon procedures


Layout of a Typical AUP Report

• A title that includes the word independent

• Identification of the specified parties

• Identification of the subject matter (or theIdentification of the subject matter (or the written assertion related thereto) and the character of the engagementcharacter of the engagement

• Identification of the responsible party

A t t t th t th bj t tt i th• A statement that the subject matter is the responsibility of the responsible party

Copyright 2010 Riebeeck Stevens LtdExtracted from “AICPA Attestation Standards Section 201”


• A statement that the procedures performed were h d b h ifi d i id ifi dthose agreed to by the specified parties identified in the report

• A statement that the agreed upon procedures• A statement that the agreed‐upon procedures engagement was conducted in accordance with attestation standards established by the AICPAattestation standards established by the AICPA

• A statement that the sufficiency of the procedures is solely the responsibility of the specified parties y p y p pand a disclaimer of responsibility for the sufficiency of those procedures



• A list of the procedures performed (or reference th t ) d l t d fi di (Th titithereto) and related findings (The practitioner should not provide negative assurance

• Where applicable a description of any agreed‐uponWhere applicable, a description of any agreed‐upon materiality limits



• A statement that the practitioner was not engaged t d did t d t i ti f thto and did not conduct an examination of the subject matter, the objective of which would be the expression of an opinion a disclaimer of opinion onexpression of an opinion, a disclaimer of opinion on the subject matter, and a statement that if the practitioner had performed additional procedures, p p p ,other matters might have come to his or her attention that would have been reported



• A statement of restrictions on the use of the report because it is intended to be used solely by the specifiedbecause it is intended to be used solely by the specified parties

• Where applicable, reservations or restrictions pp ,concerning procedures or findings.

• For an agreed‐upon procedures engagement on ti fi i l i f tiprospective financial information.

• Where applicable, a description of the nature of the assistance provided by a specialist.p y p

• The manual or printed signature of the practitioner's firmTh d f h


• The date of the report

Extracted from “AICPA Attestation Standards Section 201”

Procedures to be Performed

• Can be as limited or as extensive as the specified ti d iparties desire

• Mere description of assertion or subject matter does not constitute a valid proceduredoes not constitute a valid procedure

• There is flexibility in determining the procedures• Changes to the procedures are acceptable as long g p p g

as the specified parties accept responsibility for the sufficiency of the procedures

• Matters that need to be agreed upon include the nature, timing and extent of the procedures


Procedures to be Performed

• Procedures should not be subjective and open to interpretations

• Terms of uncertain meaning (such as general review, limited review or check) should be avoided

• For each procedure, there should be evidential matter supporting the finding orevidential matter supporting the finding or findings

Let’s explore the Q‐Services report


Let s explore the Q‐Services report

Project Management Considerations

• Use Of a Specialist

• Internal Auditors and Other Personnel

• FindingsFindings

• Working Papers


AUP Sample Findings

• Procedure: Inspect the shipment dates for a sample (agreed upon) of specified shippingsample (agreed‐upon) of specified shipping documents, and determine whether any such dates were subsequent to December 31, 20XX.q ,

• Finding (Appropriate description): No shipment dates shown on the sample of shipping doc ments ere s bseq ent to December 31documents were subsequent to December 31, 20XX.

• Finding (Inappropriate description): Nothing came g ( pp p p ) gto my attention as a result of applying that procedure.S l fi di t i f AT 201


• Sample findings matrix from AT 201

AUP Auditor Considerations

• Validate that the Specified Parties have agree to the dprocedures

• Document the steps taken in performing the proceduresprocedures

• Obtain and maintain appropriate evidence of the work conducted

• Ensure all changes to the procedures are approved by the Specified Parties

• Obtain representations from management


Using a AUP Report

• A AUP Report contains the results of applying the procedures only – No Opinion

• Each procedure and related result must be evaluated by the user in the context of its entity’s internal control

• Be careful not to extrapolate the findings to systems or dates not related to the AUPssystems or dates not related to the AUPs


AUP Exercise

• With the JPM/IBM agreement, multiple systems are being processed and supported at IBMbeing processed and supported at IBM

• You work for JPM and some of your clients (your team members) want to audit the system at IBM to evaluate ) ythe security controls at IBM

• Identify and describe 5 audit procedures and discuss th i til ththem in your group until everyone agrees they are sufficient to meet your objective

• Ensure the wording of the procedures is specific and g p pavoid vague terms

• Draft the result of applying the procedure and share h i h h


them with the group

Module Summary

After completing this module, you now have an understanding of:

• What Agreed‐Upon Procedures are• What an AUP Report is• The content of AUPs• The responsibilities of the AUP Auditor• Key considerations of managing an AUP

project• The usability of AUP reports


Shared Assessments


Shared Assessments

• Special application of the AICPA AUP standard

• Shared Assessments is a program created by BITS, a division of the Financial Services Roundtable

• Initially targeted the financial services industry, it is quickly expanding to otherindustry, it is quickly expanding to other industries such as health care

• Program managed by the Santa Fe Group


• Program managed by the Santa Fe Group

Shared Assessments

• Standardized Information Gathering (SIG) Questionnaire

• Agreed‐Upon Procedures (AUP)

• Created under the principle of getting everyone involvedeveryone involved

• Sort of like Skype and IP telephony, when everyone is connected there is no need toeveryone is connected, there is no need to pay for phone service


Who uses a Shared Assessments Report?

• SIG is used by the Service Organization and the Outsourcer

• AUP report can be used by all related parties who approved the procedures

• Limited distribution report – others can use itLimited distribution report others can use it but need to agree to the sufficiency of the procedures to evaluate the related controlsprocedures to evaluate the related controls


Shared Assessments Risk Domains

• Information security policy• Organization of information securityOrganization of information security• Asset management• Human resources security• Physical and environmental security• Communications and operations management• Access controlAccess control• Information systems acquisition, development and

maintenanceI f ti it i id t t• Information security incident management

• Business continuity management• Compliance


p• Privacy

Shared Assessments Project

• Scoping questions – determine:S i id d it b i d l• Service provider and its business model

• Target systems and processes• Data that it collects stores uses shares transportsData that it collects, stores, uses, shares, transports,

retains, secures and/or deletes:o Target Datao Protected Target Datao Privacy Target Datao Protected Privacy Target Datao Protected Privacy Target Data

• Based on this information, identify hardware, software and procedures to be tested


software and procedures to be tested.

Shared Assessments Lite

• SIG v5 Level 1

• Contains 91 questions

• Intended for low risk scenariosIntended for low risk scenarios

• Inquiry of Service Organization management

N t ti i i l d• No testing is involved

SIG v5 L1 Questions


Shared Assessments AUP

• Full SIG v5 and management tools• AUP v5AUP v5• 12 Risk Domains• Specific procedures to be executed by assessor

E h AUP t l t i• Each AUP control area contains:o Objective(s): Statement(s) describing the business interest

behind assessing the DomainC t l( ) St t t( ) b t th t l io Control(s): Statement(s) about the controls service providers should have in place

o Procedure(s): The action or actions a practitioner will perform to test each control Areaperform to test each control Area

o Industry Relevance: Reference(s) to other standards that apply to the same objective and control as the procedure


Shared Assessments Sample Procedure

F.5 Secure Workspace Access Reporting

Objective:

An organization should maintain access andAn organization should maintain access and incident reports.

Control:Control:

Access to Secure Workplace is logged and i id t t i t i dincident reports are maintained.


.

Extracted from the Shared Assessments AUP document


Procedures:a. Obtain the access and incident logs (physical or electronic) from the service provider for the Secure Workspace Perimeter, and inspect for evidence of the following attributes:Access Logs (Staff):

1. Name2. Date and time3 Point of access3. Point of access4. Date of last update

Access Logs (Visitor):1. Name2. Date and time3 Point of access


3. Point of access



4. Company name5. Visiting6. Equipment7. Sign out and return of badge8. Date of last update8. Date of last update

Incident Logs:1. Name2 D t d ti2. Date and time3. Company name4. Incident typeyp5. Date of last update

b. Report the attributes listed in step a not in evidence, the date the access logs and incident log was last updated or


date the access logs and incident log was last updated, or the nonexistence of the access log or incident log.


Shared Assessments

Exercise

• Review the JPM/IBM outsourcing arrangement and based on the limited information provided, review the questions on Section C2.2 of SIG v5 and the corresponding procedures in Section C of Shared Assessments AUP v5

• Could this provide any comfort when performed by a trusted party?


performed by a trusted party?

Shared Assessments Report Layout

• The Shared Assessments report follows the AUP standard of the AICPA

• Description of scope• Domain area• Control objective• Control• Procedure• Results of applying the procedure


Using a Shared Assessments Report

• The Shared Assessments report does not d f h lprovide assurance just attestation of the result

• Each user of the report must evaluate the lt i th t t f th i i k iresults in the context of their own risk universe

• Some controls may be applicable others may notnot

• The absence of certain controls may not be relevant to the user’s environmentrelevant to the user s environment

• Do not extrapolate in time and space


Using a Shared Assessments Report

• Limitations of the Shared Assessment Reportd b d• Limited to Security, business continuity and

privacyN thi d t i i• No third party opinion

• Can it be relied upon for purposes of an audit of financial statements? Only if issued by CPA?financial statements? Only if issued by CPA? What about internal audit of the user organization?g

• What about sub‐service organizations? What options are there to report on that relationship?


Module Summary

After completing this module, you should now d t dunderstand:

• What are Shared Assessments• What is a Shared Assessments Report• What is a Shared Assessments Report• The content of a Shared Assessments Report• The responsibilities of the Shared AssessmentsThe responsibilities of the Shared Assessments

Auditor• Key considerations of managing a Shared y g g

Assessments project• The usability of Shared Assessments reports


SAS 70 Audits


What is “SAS 70”?

• Statement on Auditing Standards (SAS) No. 70, S i O i i d dService Organizations, as amended

• Issued by the American Institute of Certified P bli A t t (AICPA)Public Accountants (AICPA)


What is a “SAS 70” Report?

A report containing:

• Description of the control environment• Description of management’s control objectives

f f l l d• Description of specific controls, policies and procedures

• Description of tests of those specific controls, p ppolicies and procedures

• Results of those tests• Independent auditor’s opinionIndependent auditor s opinion• Supplemental information provided by the Service

Organization (optional)


Who uses the SAS 70 report?

Primary external users (outside of service organization)

• Clients of service organizations and their auditors

• Auditors of service organization

• Prospective clients of service organizations



Benefits of the report to external users

• Enhanced understanding of the control environment

• Additional level of comfort

• Contained audit costs• Contained audit costs

• Ability to compare service organizations

• Reliance on controls



Primary internal users (within service organization)

• Management

• Internal Audit

• Legal and Compliance

• Risk Management

• Marketing



Benefits of the report to internal users• Independent evaluation of processes and controls

• Standard documentation of processes and controls for f l i f ffi i ifuture evaluation of efficiencies

• Improved risk management

P t ti l d ti f di ti ith li t’• Potential reduction of coordination with your client’s auditors

• MarketingMarketing


Distribution of the Report

Controlled by service organization

Generally limited to:

• Service organization

• Clients of service organization

• Auditors of clients of service organization

• Prospective clients of service organization


Types of Reports

• Type I – Report on Controls placed in Operation as of a specified date

• Type II – Report on Controls placed in Operation as of a specified dateOperation as of a specified date

AND

R lt f T t f O ti Eff tiResults of Tests of Operating Effectiveness during a specified period


Service Auditor’s Responsibilities:Type I Engagement

• Determine whether the description of controlsDetermine whether the description of controls presents fairly the relevant aspects of the controls placed in operation as of the date of report

h h h l bl• Determine whether the controls are suitably designed to achieve the specified control objectivesobjectives


Service Auditor’s Responsibilities :Type II Engagement

• Same as in Type I Engagement

AND

• Determine whether the controls that were• Determine whether the controls that were tested were operating with sufficient effectiveness to achieve control objectives for the specified period of the report


Sub‐Service Organizations: Carve‐out

• Exclude sub‐service organization’s relevant controls and control objectives from report and from auditor’s scopecontrol objectives from report and from auditor s scope

• If Carve‐Out sub‐servicer, then: Modify scope paragraph in the auditor’s report for the controls of

the sub‐service organizationthe sub service organizationo Describe the functions and nature of processing performed by sub‐

service organizationo That the description of the controls includes only the controls and

related control objectives of the service organizationo That our examination does not extend to the controls at the sub‐service organization

Service Organization modifies description of controls to summarize h f i d f h i f d b h bthe functions and nature of the processing performed by the sub‐service organization that are omitted from the report

• May be necessary to modify opinion paragraph in auditor’s


report

Sub‐Service Organizations: Inclusive

• Include sub‐service organization’s relevant controls and control objectives in report and in auditor’s scope

• Ensure description of controls and control objective discussion in report clearly differentiates controls at service organization and at sub‐service organization, but includes both in reporting

• Modify auditor’s report throughout (scope, opinion, Company references) to include sub‐service organization (and its related controls, etc.)

• Perform procedures at the sub‐servicer to determine whether: controls (functions/nature of processing and controls) are fairly

presented controls are suitably designed to achieve the related control objectives controls are operating with sufficient effectiveness (For Type II


controls are operating with sufficient effectiveness (For Type II engagements)

User Control Considerations

• Complementary Controls that may be required at the User Organization

• Include in report’s description of controls

• Include in auditor’s report• Include in auditor s report

• Sample UCC: User Organization should t i t d l hremove terminated employees when access

no longer needed


Service Auditor’s Responsibilities

• Addressing the representations in the service auditor’s reportp

• Adhere to the AICPA general standards and with the relevant AICPA fieldwork andwith the relevant AICPA fieldwork and reporting standards


Layout of Typical SAS 70 Report

OpinionSection I Information provided by the Service Organi ationSection I – Information provided by the Service Organization Overview of the business Control Environment Applicability of Report Description of ControlsSection II – Information Provided by the Service AuditorSection II Information Provided by the Service AuditorSection III – Controls, Control Objectives and Tests of

Operating EffectivenessSection IV – Other information provided by the Service

Organization


Module Summary

After completing this module, you should now be blable to:

• Understand the basic SAS 70‐related terms and definitions

• Understand the basic overview of SAS 70

• Understand who uses SAS 70 reports and why


Project Management: j gUseful information for the Service Auditor Engagement TeamService Auditor Engagement Team


Define and UnderstandEngagement/Report Scope

Collaborative process with the Client Scope should be driven by USER needs and

requirementso Include Core Areas

o Include desired Locations


Engagement Time Management

Time Management• Activity Definition

• Activity Sequencing

• Activity Duration Estimating

• Schedule Development

• Schedule Control• Schedule Control


Service Organization Involvement

• Project Sponsor (leader/owner) of the Process

• Project Coordinator (daily task j ( ymanagement)

• Internal Pre‐Assessment and RemediationInternal Pre Assessment and Remediation• “Buy‐In” of Senior Management within all

functional departments/areasfunctional departments/areas


Senior Management Buy‐In

• Assists in obtaining information timely• Ensures right personnel/contacts are met• Ensures personnel/contacts will provide all

necessary assistance • Ensures personnel/contacts know the

importance of the project to their department leaders


Responsibilities

May impact:May impact:• Timing

• Deadlines• Deadlines

• Budgets/fees

• Staffing mix• Staffing mix

• Expectations set by client or by auditor

S ti f ti ith ti t ti d• Satisfaction with meeting expectations and

• The ability to manage expectations


Reporting Responsibilities

Generally, Client should draft most areas the Report• Overview of Operations (Organization Definition)

• Description of Controls and Control Environment

• Control Objecti es and Controls• Control Objectives and Controls

• Other Information provided by the Service Organization

Generally the Service Auditor should focus on:Generally, the Service Auditor should focus on:• Opinion

• Information Provided by Service AuditorInformation Provided by Service Auditor

• Testing of Controls and Results of Testing


Managing Expectations

• Expectations of Significant Changes During Report Period (mid‐year significant changes in controls/processes to consider)

• Presence of Exceptions in the Report• Multi‐location Considerations

R i l i• Report is evolving

• Recommendations to be Provided to Client

• Regular Status Meetings with Project Champion andDay‐to‐Day Contact Person is important


Managing Expectations

• Timeline/Deadline for Stages of Engagement• Timeline/Deadline for Stages of Engagement Setting project milestones minimizes time overages

• Detailed Project Plan by Control Objective• Detailed Project Plan by Control Objective Breaking down project plan to task level increases

accuracy of cost estimation and subsequent budgetingy q g g

• Monitor Timing/Fees (budget to actual) Enhanced cost control through frequent budget to actual g q g

monitoring


Module Summary

After completing this module, you should now:After completing this module, you should now:

• Understand key aspects of managing a SAS 70 project effectively and efficiently.

• Understand key aspects of managing a SAS 70 project effectively and efficiently.

• Understand common pitfalls/challenges and successes that we have encountered in our

• Understand common pitfalls/challenges and successes that we have encountered in our experience with SAS 70 engagements. experience with SAS 70 engagements.


Service Auditor ConsiderationsService Auditor Considerations


Service Auditor Considerations

• Workpaper documentation

• Design of Tests

• Types of tests

• Sampling

• FindingsFindings

• Testing strategies


Design of Tests

Control TestControl Test


Types of Tests

• Inquiry

• Inspection

• Observation

• Re‐performance of the control


Sample Sizes

• No definitive guidance

• Driven by four variables Significance of controlg

Frequency

Past experience Past experience

Client expectation


Sample Sizes (continued)

• Frequently used numbers (influenced primarily by SOX developments):primarily by SOX developments):

Type of ControlPrimary Secondary OtherPrimary Secondary Other

25 15 5


Findings

Findings should be classified into:g• Nominal

M L C (“MLC”)• Management Letter Comment (“MLC”)

• Exceptionsp


Findings (continued)

• Quantitative materiality thresholds do not apply

• How to deal with exceptions Identify compensating controls

Redefine control objectivesj

Timely validation


Testing Strategies

• Report must be applicable to internal controls in place during the entire testing period.

• Narrative update can occur at six month point

• Controls can be tested at any time during the testing periodtesting period


Module Summary


• Understand important items to consider when performing a SAS 70 engagement including

• Understand important items to consider when performing a SAS 70 engagement including sample sizes, testing strategies and addressing findings.sample sizes, testing strategies and addressing findings.


User Auditor Considerations:User Auditor Considerations:How to Use a SAS 70 Report


Is the SAS 70 Useful?

• Address the applications and/or locations used by the Service Organization that are relevant tothe Service Organization that are relevant to financial statement assertions?

• Adequate to understand flow of transactions?Adequate to understand flow of transactions?• Sufficient detail of controls that prevent or detect

possible errors?• Are there findings within control tests?• Does opinion address any exceptions?• Are any areas being carved‐out?


Procedures when using a SAS 70 Report

• Read report to:U d t d th fl f t ti d th t l• Understand the flow of transactions and the controls

• Determine that controls were operating as intended• Determine whether significant control deficiencies• Determine whether significant control deficiencies

were noted• Inquire of client as to changes since date of SAS 70• Consider whether additional procedures are

necessary


Assessing User Control Considerations

• Read service auditor’s report to determine: Whether the considerations are relevant to your cliento If relevant, ensure during your planning that the

controls have been implemented by the client

Nature of complementary controls that should Nature of complementary controls that should be in place at our client


Updating a SAS 70

When date of SAS 70 report is within the client’s fiscal year (and assessed controls as effective):

• Update through client discussions

When date of SAS 70 is outside of our client’s fiscal year (and anticipate assessing controls as y ( p geffective):

• Can use the report as a starting point in gaining p g p g gan understanding of the control environment

• You may not rely on this report as audit evidence


y y p

Using a SAS 70 Report

READ IT!READ IT!

READ IT!

READ IT!!



• Make sure you understand which significant processes are covered

• Can you rely on the testing which was performed?

• Determine the results of any testing that wasDetermine the results of any testing that was performed



• If the report does not cover the entire period of the user organization’s fiscal year, gain an understanding for the period not covered.


Module Summary


• Understand when you can rely on a SAS 70 report.

• Understand when you can rely on a SAS 70 report.

• Understand the documentation requirements when leveraging a SAS 70 report.

• Understand the documentation requirements when leveraging a SAS 70 report.g g p

• Understand how you can benefit from a SAS 70 report

g g p

• Understand how you can benefit from a SAS 70 report70 report.

Discuss the SAS 70 Reliance Decision Tree

70 report.

Discuss the SAS 70 Reliance Decision Tree


Attest Engagement


What is an Attest Engagement?

• Examination, audit or review of subject matter or management assertion

• Higher level of assurance

• Generally includes an opinion of the auditor

• Follows the Statement on Standards for• Follows the Statement on Standards for Attestation Engagements of the AICPA


Why Do We Need Attest Reports?

• Many financial situations require an attest report

• In the controls space, they can cover areas that are not possible to cover in SAS 70 or other reports

• An example is business continuity planning and the availability principleand the availability principle


Who uses Attest Reports?

• Attest reports are limited distribution reports

• Can be used by external auditors for evaluating audit risk

• Can be used by the service organization managementmanagement

• Can be used by the user organization managementmanagement


Attest Engagements

Definition and Underlying Concepts• Subject matter

• Assertion

• Responsible party


Attest Engagements

• Suitability of Criteria Objectivity

Measurability

Completeness

Relevance

• Availability of Criteria


Attest Auditor Responsibilities

• Training and proficiency

• Adequate knowledge of the subject matter

• IndependenceIndependence

• Due professional care

If t i d di t th AICPA• If report issued according to the AICPA standard then auditor should be a CPA


Layout of Attest Report

• Differences in content for an Examination and a Review report

• Considerations as to whether opining on subject matter or management assertion

• Statement that the work conducted supportsStatement that the work conducted supports the opinion provided

• Compliance with AICPA standards• Compliance with AICPA standards


Project Management Considerations

• Obtain clear management assertion

• Ensure there are suitable criteria

• Delineate an plan every activityDelineate an plan every activity

• Discuss and walkthrough every risk and area of controlof control

• Establish a clearly defined timeline

• Obtain concurrence from management on all identified findings


Attest Auditor Considerations

• Planning and supervision

• Obtaining sufficient evidence

• Management representationsManagement representations

• Reporting

A l i f th i f ti t d b• Analysis of other information presented by management


Using an Attest Report

• Ensure focus and scope are relevant

• Review criteria

• Evaluate findingsEvaluate findings

• Consider period of the attestation

D t i h th b t t• Determine whether subsequent events occurred

• Integrate controls in the report with risks in your organization


Module Summary

After completing this module, you should now be able to understand:

• What are Attest engagements• What is an Attestation Report• The content of an Attestation Report• The responsibilities of the Attest Auditor• Key considerations of managing a Attest

project• The usability of Attest reports


Good Bye SAS 70


SAS 70 No More

• Recent Developments

• International Demand

• IFAC ‐ ISAE 3402IFAC ISAE 3402

• AICPA SSAE 16 – Reporting on Controls at a Service OrganizationService Organization

• New SAS – Audit Considerations Relating to E tit U i S i O i tian Entity Using a Service Organization


SAS 70 No More

• New Standards do not affect inquiries of management

• New Standards do not affect AUP/Shared Assessments

• New Standards do not affect the AttestNew Standards do not affect the Attest Engagements


AICPA SSAE 16

• Separates Service Audit from existing SAS

• Falls under different family of standards

• Instead of an audit standard, it is an attestInstead of an audit standard, it is an attest standard

• Requires a written management assertion• Requires a written management assertion

• And suitable criteria

• Does not consider the usability in a financial statement audit ONLY


SSAE 16 – Impact

• Management of the service organization required t id th i dit ith ittto provide the service auditor with a written assertion about1 The fairness of the presentation of the description of1. The fairness of the presentation of the description of

the service organization’s system2. The suitability of the design of the controls to

achieve the related control objectives stated in the description, and, in a type 2 engagement

3 The operating effectiveness of those controls to3. The operating effectiveness of those controls to achieve the related control objectives stated in the description.


SSAE 16 – Impact

• A service auditor is able to report on controls at a service organization other than controls that are relevant to user entities’ financial reporting, for example, controls related to user entities’ regulatory compliance, production, or quality control.

• This is probably the greatest benefit of all!


SSAE 16 – Impact

• In a type 2 report, the service auditor’s opinion on the fairness of the presentation of the description of the service organization’s system and on the suitability of the design of the controls is for a period of time rather than as of a specified date, as is the case in the current standard


SSAE 16 – Impact

• When obtaining an understanding of the service organization‘s system, the service auditor would be required to obtain information to identify risks that the description of the service organization’s system is not fairly presented or that the control objectives stated in the description were not achieved due to intentional acts by service organization personnel.


SSAE 16 – Impact

• Indicates that when assessing the operating effectiveness of controls in a type 2 engagement, evidence obtained in prior engagements about the satisfactory operation of controls in prior periods does not provide a basis for a reduction in testing, even if supplemented with evidence obtained during the current period.


SSAE 16 – Impact

• A service auditor’s type 2 report would identify the customers to whom use of the report is restricted as "customers of the service organization’s system during some or all of the period covered by the service auditor’s report,"and in a service auditor’s type 1 report, as, "customers as of the date of the service organization’s description covered by the report."


SSAE 16 – Key Considerations

• Effective date – the AICPA/ASB has proposed making the SSAE effective concurrently with the new ISAE 3402

• Management assertion – An assertion‐based engagement includes an explicit acknowledgement by management of its responsibility for the matters addressed in its assertion

• Convergence with International Standards


IFAC – ISAE 3402

• ISAE 3402 – Assurance Reports on Controls at a Service Organization

• Based on original structure of SAS 70 but very l hsimilar to the New SSAE

• Applies to all countries where IFAC is i drecognized

• Scope – applies to engagements that convey bl h th ireasonable assurance when the service

organization is responsible for the suitable design of controls


design of controls

ISAE 3402

• The standard deals with assurance engagements by professional accountants in public practice to provide a report for use by the user entities and their auditors on the controls at a service organization that provides a service to user entities that is likely to be relevant to user entities’ internal control, as it relates to financial reporting.


ISAE 3402

The standard does not deal with assurance engagements:

• To report on whether controls at a service organization operated as described, or

• To report ONLY on controls at a serviceTo report ONLY on controls at a service organization that are not related to a service that is likely to be relevant to user entities’that is likely to be relevant to user entities internal controls as it relates to financial reporting


reporting

Why is ISAE 3402 Important

• Impact at domestic and international levelsIt d t / l ( t ti ll )/ l t• It updates/replaces (potentially)/complements:• US ‐ Statement on Auditing Standards (SAS) No. 70• CA ‐ Canadian Institute of Chartered AccountantsCA Canadian Institute of Chartered Accountants

(CICA) 5970• UK ‐ Audit and Assurance Faculty Standard (AAF)

/01/06• AU ‐ Guidance Statement (GS) 007• HK ‐ HKSA Statements – Auditing Practice Note 860 2HK HKSA Statements Auditing Practice Note 860.2• JP ‐ Audit Standards Committee Report No. 18• DE (Germany) ‐ IDW PS 951


IFAC – ISAE 3402

• Introduces the concept of materiality• Not with respect to the financial statements

but with respect to the system The concept of materiality takes into account that

the service auditor’s assurance report provides information about the service organization’s systeminformation about the service organization s system to meet the common information needs of a broad range of user entities and their auditors who have an understanding of the manner in which that system has been used.


IFAC – ISAE 3402

• Materiality with respect to the fair presentation of th i i ti ’ d i ti f it tthe service organization’s description of its system, and with respect to the design of controls, includes primarily the consideration of qualitative factorsprimarily the consideration of qualitative factors, for example: whether the description includes the significant aspects of processing significant g p p g gtransactions; whether the description omits or distorts relevant information; and the ability of controls, as designed, to provide reasonable assurance that control objectives would be achieved


achieved.

IFAC – ISAE 3402

• Materiality with respect to the service auditor’s opinion on the operating effectiveness of controls includes the consideration of both quantitative and qualitative factors, for example, the tolerable rate and observed rate of deviation (a quantitative matter), and the nature and cause of any observed deviation (a qualitative matter).


Critical Steps in Assurance Reporting Under ISAE 3402

• Assessing the Suitability of the Criteria• Obtaining an Understanding of the Service

Organization’s System• Obtaining Evidence Regarding the

Description• Obtaining Evidence Regarding Design of

Controls• Obtaining Evidence Regarding the Operating

Effectiveness of Controls


Critical Steps in Assurance Reporting Under ISAE 3402

• The Work of an Internal Audit Function

• Other Information

• Preparing the Service Auditor’s AssurancePreparing the Service Auditor s Assurance Report

• Other Communication Responsibilities• Other Communication Responsibilities


/

Comparison of SAS 70 with ISAE/SSAE

Topic Existing SAS 70 Standard ISAE 3402 / SSAE

Scope SAS 70 is limited to controls over the processing of

Report can be extended beyond financial p g

financial transactions by aservice organization.

yreporting.

Opinion / Assertion

The auditor provides an opinion based directly on

In addition to the auditor's opinion,

fthe subject matter with no formal management assertion.

management of the service organization provides a formal passertion affirming its responsibilities for the controls in the report


controls in the report.

Extracted from “Good‐bye SAS 70” by Fiona Gaskin

/



Disclosurerequirementsf f IA

Work performed by internal audit to support the service

di ' i i i

Work performed by internal audit used in part to form the service

di ’ i i h ll i l dfor use of IA auditor's opinion is not disclosed.

auditor’s opinion shall include a description of the internal auditor’s work and of the service auditor’s procedures with respectauditor’s procedures with respect to that work.

Audit Guidance Guidance is provided in an d d d

Guidance for the service auditor dannually updated Audit

Guide, which includesillustrative control objectives for various types of service

will be solely contained in the ISAE itself and will not contain illustrative control objectives.The US will continue to providefor various types of service

organizations.The US will continue to provide audit guidance to support the SSAE/SAS 70standards


standards.




Example ofTerminology

Type I - report on the fairness of the

Type 1 - report on the fairness of the descriptionTerminology

Differencesfairness of the description of controls and whether those

fairness of the description of controls and whether those controls were suitably

controls were suitably designed.

designed.

Type II - report also includes an opinion on

Type 2 - report also includes an opinion on the operating

the operating effectiveness of the controls.

effectiveness of the controls.


controls.


ISAE 3402 Report

• Internal control is a process designed to provide bl di th hi t freasonable assurance regarding the achievement of

objectives related to the reliability of financial reporting, effectiveness and efficiency of operationsreporting, effectiveness and efficiency of operations and compliance with applicable laws and regulations.

• Control objectives and controls at the User Organizations

• Control objectives and controls at the Service OrganizationOrganization

• Controls at the Service Organization that need to be complemented at User Organizations


p g

Module Summary

After completing this module, you should now be able to understand:able to understand:• The latest developments in Third Party Assurance

StandardsSta da ds• The impact of new Standards• The benefits of the new Standards• Key differences and similarities between domestic

and international standardsK id ti d ibiliti f• Key considerations and responsibilities of a service auditor and the user of a third party assurance report


p

Wrap-Up

Wrap‐Up and SummaryWrap Up and Summary


Using Third Party Reports

• A report is not relevant if it does not address your ’ i kcompany’s risks

• Prepare your own ICQ or use a standard one as a di lpre‐audit tool

• Use your company’s risk and control matrices as h b i l ICQ AUP SAS 70 ISAE dthe basis to evaluate ICQ, AUP, SAS 70, ISAE and SSAE findings

St ti i t i ’ i k t h t i• Starting point is your company’s risks not what is in the reports


Third Party Assurance – Final Comments

• Businesses will continue to look for opportunities to increase efficiency and effectiveness ofto increase efficiency and effectiveness of business processes

• Globalization will not stopGlobalization will not stop• Cloud Computing will make this field more

interesting and complexg p• Third party assurance practice will continue to

grow• We will be either auditing or will be audited by a

service auditor …


Contact

Felix Ramirez

(W) 646‐290‐8998(W) 646 290 8998

(C) 908‐230‐4562

( ) f li i @ i b k t(e) [email protected]
