Evaluating Vendor Risks - slides

1

Evaluating Vendor RisksDo you know if they have

Evaluating Vendor RisksDo you know if they have

May 5, 2010

controls?controls?

Introductions

• Relevant Participant Experiences

• Participant Objectives for this class

Page 2

Copyright 2010 Riebeeck Stevens Ltd

Course Objective

To educate participants regarding the nature of vendor risks and the mechanisms to effectively assess, manage and control those risks by providing a learning forum where individuals with greater audit and third party

Page 3


individuals with greater audit and third party assurance experience can share their knowledge with peers who are interested in learning about third party assurance and the different mechanisms and standards available to accomplish it.

2

Today’s Discussion Topics

• Overview of outsourcing arrangements• Rights to audit• Diversity of service organizations• Assessment mechanisms

o SAS 70

Page 4


o SAS 70o Shared Assessmentso ISAE 3402

• SAS 70 No More• Conducting an assessment engagement• Using a third party assessment• Project management considerations

Outsourcing Business Processes

Page 5


Background

• Many entities use outside service organizations to accomplish tasks that affect the entity’s management and information system

• In recent years, there has been an increase in the use of service organizations

Page 6


the use of service organizations

• Why do you think BPO (business process outsourcing) has increased so much?

• “Practical IT Auditing” Checklist to evaluate candidates for outsourcing

3

Typical Service Organizations

• Fund accounting agents/Fund administrators• Custodians/Trustees/Investment advisors• Transfer agents/Retirement plan record keepers• Claims processors• ASPs

Page 7


• ASPs• ISPs• Payroll processors• Network/Security management• Thoughts on Cloud Computing Providers?

Outsourcing Arrangements

• Total outsourcing – complete business or business function

• Production outsourcing – Call centers• Processing outsourcing – Payroll

Page 8


• Recordkeeping outsourcing – Transfer agent• Reporting outsourcing – FISERV and Crawford

Technologies• Physical Facilities outsourcing – Hosting/Co‐

location

Sample Outsourcing Agreements

• 2002: $4 billion / 7‐year utility based deal between American Express and IBM

• 1998: $3 billion application development and maintenance agreement between BellSouth and Andersen Consulting

Page 9


• 1998: $4 billion infrastructure outsourcing agreement between BellSouth and EDS

• 1996: $4.5 billion / 10 year outsourcing and strategic alliance agreements between Dupont and CSC and Andersen Consulting

• 1994: $3 billion / 10‐year IT services between Xerox and EDS

4

• Operational Risk

• Reputation Risk

• Strategic Risk

• Compliance Risk

Classification of Vendor Risks

Page 10


• Compliance Risk

• Financial Risk

• Support Risk


• Operational Risk ‐ Operational risk not only includes operations and transaction processing, but also areas such as customer service, Information Technology security and

Page 11


the protection of non‐public data, systems development and support programs, internal control processes, and capacity and contingency planning.


• Reputation Risk – Errors, delays, or omissions in outsourced services that become public knowledge or directly affect the company's customers can significantly affect reputation. For example a vendor's failure to maintain

Page 12


For example, a vendor s failure to maintain adequate service levels and contingencies for key items such as cash deliveries, network hardware devices or ATM servicing could disrupt the ability to deliver service to customers.

5


• Strategic Risk – Inadequate management experience and expertise can lead to a lack of understanding of key risks facing the industry today and into the future. Additionally,

Page 13


inaccurate information from vendors can cause the company's management and board of directors to make poor strategic decisions.


• Compliance Risk – Outsourced activities that fail to comply with legal or regulatory requirements can subject the company to legal sanctions. For example, inaccurate or

Page 14


untimely consumer compliance disclosures or unauthorized disclosure of confidential customer information could expose the company to civil money penalties or litigation.


• Financial Risk – financial strength of the vendor, cash position, credit rating, bankruptcy history, historical financial performance indicators – return on equity,

Page 15


return on investment, return on assets

6


• Support Risk – ability to perform according to service level agreements, professional diversity and capacity of staff, experienced of workers, staff rotation policy, operational

Page 16


performance in the market – are they losing customers, is their quality falling

Rights to Audit

• Contract clause allowing the user organization to audit or have access to audits of the services contracted

• Should be a standard part of every outsourcing contract

Page 17


outsourcing contract

• Use more frequently

• Demanding specific types of audits

• Make sure you are specific in terms of period of audits

Case Study

New York ‐ 30 Dec 2002: J.P. Morgan Chase & Co. today finalized with IBM a groundbreaking seven‐year outsourcing agreement, in excess of $5 billion, the largest of its kind. The agreement will enable JPMorgan Chase to transform its technology infrastructure through absolute costs savings, increased cost variability, access to the best research and innovation, and improved service levels. By moving from a traditional fixed‐cost approach to one with increased capacity and cost variability, JPMorgan Chase will be able to respond more quickly to changing market conditions

Page 18


able to respond more quickly to changing market conditions.

JPMorgan Chase will outsource a significant portion of its data processing technology infrastructure, including data centers, help desks, distributed computing, data networks and voice networks. The agreement includes the transfer of approximately 4,000 JPMorgan Chase employees and contractors as well as selected resources and systems to IBM in the first half of 2003. Application delivery and development, desktop support and other core competencies will largely be retained inside JPMorgan Chase.

7

Case Study ‐ Instructions

• Study the JPM/IBM press release

• Identify the key risks faced by JPM when transferring functions to IBM

• Discuss methods JPM can use to stay informed

Page 19


of controls at IBM to address those risks

• Discuss impact to security, audit and compliance

• Should JPM require IBM to include a right to audit clause in their contract? Why?

Summary

After completing this module, you should now:

• Understand the business drivers behind the outsourcing decision

• Understand the various types of outsourcing

Page 20


arrangements

• Understand the key classes of vendor risk

• Begin to understand the need to evaluate controls at service organizations

Assessment Mechanisms

Page 21


8

Definition of Key Players

Service Organization – The entity that provides services to a user organizationSubservice Organization – An entity that is a service organization of another service organization

Page 22


o ga at oService Auditor – Reports on the processing of transactions by a service organizationUser Organization – The entity that has engaged a service organizationUser Auditor – Auditor of a user organization

Key Players

Service AuditorUser Organization

Page 23


SubserviceOrganizationUser Auditor

Service Organization

Evaluating Internal Controlat Service Organizations

• How can a user of a service organization (and its internal/external auditor) obtain a sufficient level of comfort that there is an effective control environment at the service organization?

• How can user management ensure that

Page 24


• How can user management ensure that outsourced processes are managed following policies, procedures and practices that are aligned with those of his/her own company?

9

Assessment Mechanism: Traditional Approach

• User management submits an internal control questionnaire to service organization

• Service organization provides a self‐assessment report to clients

Page 25


• User organization management (internal audit) performs audit procedures at service organization

• User auditor performs audit procedures at service organizations

• One independent firm (third party) is brought in to issue an opinion as to whether management’s description of the control environment is presented

Assessment Mechanisms:Third Party Assurance Approach

Page 26


fairly.

• In many cases, the independent firm is also engaged to perform tests of specific controls and report on the result of those tests.

• Agreed‐Upon Procedures

• Shared Assessments

• Standard Compliance Audit

• SAS 70


Page 27


• SAS 70

• Attestation• Who can issue reports using these

mechanisms?

10

• Agreed‐Upon ProceduresIssued by independent CPA

• Shared AssessmentsIssued by independent CPA or assessment firm

• Standard Compliance Audit


Page 28


Standard Compliance AuditIssued by certified party – i.e. PCI and ISO

• SAS 70Issued by CPA or CA

• AttestationIssued by CPA or CA

Module Summary

After completing this module, you should now:• Understand the process to evaluate internal

controls at Service Organizations• Understand the basic concepts of Third Party

( )

After completing this module, you should now:• Understand the process to evaluate internal

controls at Service Organizations• Understand the basic concepts of Third Party

( )

Page 29


Assurance (TPA)• Identify different mechanisms for conducting

TPA engagements• Understand who can issue third party

assurance reports

Assurance (TPA)• Identify different mechanisms for conducting

TPA engagements• Understand who can issue third party

assurance reports

Agreed‐Upon Procedures

Page 30


11

What are Agreed Upon Procedures

• Section 201 of the AICPA Statements on Standards for Attestation Engagements (SSAE)

• An agreed‐upon procedures engagement is one in which a practitioner is engaged by a Responsible Party to issue a report of findings based on

Page 31


Party to issue a report of findings based on specific procedures performed on subject matter. The Responsible Party engages the practitioner to assist Specified Parties in evaluating subject matter or an assertion as a result of a need or needs of the Specified Parties.

What is an AUP Report

• An AUP Report is a report issued according to SSAE 10 Section 201

• An AUP Report contains the procedures agreed‐upon by the parties and the findings

Page 32


identified by the auditor

• An AUP Report does not contain an opinion from the auditor just the facts of the results

Who Uses a AUP report

• Agreed‐Upon procedures are used by the service organization, user management, external auditors and regulators

• Internal users include senior management,

Page 33


compliance, internal audit, security and risk management

• External users typically limited to external auditors and regulators

12

Distribution of the Report

• As an Attestation report, AUP reports have limited distribution

• The Service Organization and the specified parties can have access to the report

Page 34


• Other parties interested in the report need to agree as to the sufficiency of the procedures with respect to the subject matter or assertion prior to receiving the report

AUP Auditor’s Responsibilities

• Carry out the procedures

• Report the findings in accordance with the professional standards (general, fieldwork and reporting)

Page 35


• Adequately plan and supervise the audit and exercise due professional care in performing the procedures, determining the findings, and preparing the report

AUP Auditor’s Responsibilities

• Risk that misapplication of the procedures may result in inappropriate findings being reported

• Risk that appropriate findings may not be reported or may be reported inaccurately

• These risks are reduced by becoming

Page 36


• These risks are reduced by becoming knowledgeable about the subject matter and thoroughly planning and executing the work

• The AUP Auditor has no responsibility to determine completeness or adequacy of the agreed‐upon procedures

13

Layout of a Typical AUP Report

• A title that includes the word independent

• Identification of the specified parties

• Identification of the subject matter (or the written assertion related thereto) and the

Page 37


written assertion related thereto) and the character of the engagement

• Identification of the responsible party

• A statement that the subject matter is the responsibility of the responsible party

Extracted from “AICPA Attestation Standards Section 201”


• A statement that the procedures performed were those agreed to by the specified parties identified in the report

• A statement that the agreed‐upon procedures engagement was conducted in accordance with

Page 38


engagement was conducted in accordance with attestation standards established by the AICPA

• A statement that the sufficiency of the procedures is solely the responsibility of the specified parties and a disclaimer of responsibility for the sufficiency of those procedures



• A list of the procedures performed (or reference thereto) and related findings (The practitioner should not provide negative assurance

• Where applicable, a description of any agreed‐upon materiality limits

Page 39


materiality limits


14


• A statement that the practitioner was not engaged to and did not conduct an examination of the subject matter, the objective of which would be the expression of an opinion, a disclaimer of opinion on the subject matter, and a statement that if the

Page 40


the subject matter, and a statement that if the practitioner had performed additional procedures, other matters might have come to his or her attention that would have been reported



• A statement of restrictions on the use of the report because it is intended to be used solely by the specified parties

• Where applicable, reservations or restrictions concerning procedures or findings.

Page 41


• For an agreed‐upon procedures engagement on prospective financial information.

• Where applicable, a description of the nature of the assistance provided by a specialist.

• The manual or printed signature of the practitioner's firm

• The date of the report


Procedures to be Performed

• Can be as limited or as extensive as the specified parties desire

• Mere description of assertion or subject matter does not constitute a valid procedure

• There is flexibility in determining the procedures

Page 42


There is flexibility in determining the procedures• Changes to the procedures are acceptable as long

as the specified parties accept responsibility for the sufficiency of the procedures

• Matters that need to be agreed upon include the nature, timing and extent of the procedures

15

Procedures to be Performed

• Procedures should not be subjective and open to interpretations

• Terms of uncertain meaning (such as general review, limited review or check) should be

Page 43


avoided

• For each procedure, there should be evidential matter supporting the finding or findings

Let’s explore the Q‐Services report

Project Management Considerations

• Use Of a Specialist

• Internal Auditors and Other Personnel

• Findings

• Working Papers

Page 44


• Working Papers

AUP Sample Findings

• Procedure: Inspect the shipment dates for a sample (agreed‐upon) of specified shipping documents, and determine whether any such dates were subsequent to December 31, 20XX.

• Finding (Appropriate description): No shipment

Page 45


dates shown on the sample of shipping documents were subsequent to December 31, 20XX.

• Finding (Inappropriate description): Nothing came to my attention as a result of applying that procedure.

• Sample findings matrix from AT 201

16

AUP Auditor Considerations

• Validate that the Specified Parties have agree to the procedures

• Document the steps taken in performing the procedures

• Obtain and maintain appropriate evidence of the

Page 46


Obtain and maintain appropriate evidence of the work conducted

• Ensure all changes to the procedures are approved by the Specified Parties

• Obtain representations from management

Using a AUP Report

• A AUP Report contains the results of applying the procedures only – No Opinion

• Each procedure and related result must be evaluated by the user in the context of its

Page 47


entity’s internal control

• Be careful not to extrapolate the findings to systems or dates not related to the AUPs

AUP Exercise

• With the JPM/IBM agreement, multiple systems are being processed and supported at IBM

• You work for JPM and some of your clients (your team members) want to audit the system at IBM to evaluate the security controls at IBM

Page 48


• Identify and describe 5 audit procedures and discuss them in your group until everyone agrees they are sufficient to meet your objective

• Ensure the wording of the procedures is specific and avoid vague terms

• Draft the result of applying the procedure and share them with the group

17

Module Summary

After completing this module, you now have an understanding of:

• What Agreed‐Upon Procedures are

• What an AUP Report is

Page 49


• The content of AUPs

• The responsibilities of the AUP Auditor

• Key considerations of managing an AUP project

• The usability of AUP reports

Shared Assessments

Page 50


Shared Assessments

• Special application of the AICPA AUP standard

• Shared Assessments is a program created by BITS, a division of the Financial Services

Page 51


Roundtable

• Initially targeted the financial services industry, it is quickly expanding to other industries such as health care

• Program managed by the Santa Fe Group

18

Shared Assessments

• Standardized Information Gathering (SIG) Questionnaire

• Agreed‐Upon Procedures (AUP)

• Created under the principle of getting

Page 52


Created under the principle of getting everyone involved

• Sort of like Skype and IP telephony, when everyone is connected, there is no need to pay for phone service

Who uses a Shared Assessments Report?

• SIG is used by the Service Organization and the Outsourcer

• AUP report can be used by all related parties who approved the procedures

Page 53


• Limited distribution report – others can use it but need to agree to the sufficiency of the procedures to evaluate the related controls

Shared Assessments Risk Domains

• Information security policy• Organization of information security• Asset management• Human resources security• Physical and environmental security• Communications and operations management

Page 54


• Communications and operations management• Access control• Information systems acquisition, development and

maintenance• Information security incident management• Business continuity management• Compliance• Privacy

19

Shared Assessments Project

• Scoping questions – determine:• Service provider and its business model• Target systems and processes• Data that it collects, stores, uses, shares, transports,

retains, secures and/or deletes:

Page 55


retains, secures and/or deletes:o Target Datao Protected Target Datao Privacy Target Datao Protected Privacy Target Data

• Based on this information, identify hardware, software and procedures to be tested.

Shared Assessments Lite

• SIG v5 Level 1

• Contains 91 questions

• Intended for low risk scenarios

• Inquiry of Service Organization management

Page 56


• Inquiry of Service Organization management

• No testing is involved

SIG v5 L1 Questions

Shared Assessments AUP

• Full SIG v5 and management tools• AUP v5• 12 Risk Domains• Specific procedures to be executed by assessor• Each AUP control area contains:

o Objective(s): Statement(s) describing the business interest

Page 57


o Objec e(s) S a e e (s) desc b g e bus ess e esbehind assessing the Domain

o Control(s): Statement(s) about the controls service providers should have in place

o Procedure(s): The action or actions a practitioner will perform to test each control Area

o Industry Relevance: Reference(s) to other standards that apply to the same objective and control as the procedure

20

Shared Assessments Sample Procedure

F.5 Secure Workspace Access Reporting

Objective:

An organization should maintain access and incident reports.

Page 58


incident reports.

Control:

Access to Secure Workplace is logged and incident reports are maintained.

.

Extracted from the Shared Assessments AUP document

Procedures:a. Obtain the access and incident logs (physical or electronic) from the service provider for the Secure Workspace Perimeter, and inspect for evidence of the following attributes:Access Logs (Staff):

1. Name2 d i


Page 59


2. Date and time3. Point of access4. Date of last update

Access Logs (Visitor):1. Name2. Date and time3. Point of access


4. Company name5. Visiting6. Equipment7. Sign out and return of badge8. Date of last update

Incident Logs:


Page 60


1. Name2. Date and time3. Company name4. Incident type5. Date of last update

b. Report the attributes listed in step a not in evidence, the date the access logs and incident log was last updated, or the nonexistence of the access log or incident log.


21

Shared Assessments

Exercise

• Review the JPM/IBM outsourcing arrangement and based on the limited information provided, review the questions

Page 61


on Section C2.2 of SIG v5 and the corresponding procedures in Section C of Shared Assessments AUP v5

• Could this provide any comfort when performed by a trusted party?

Shared Assessments Report Layout

• The Shared Assessments report follows the AUP standard of the AICPA

• Description of scope• Domain area

Page 62


• Control objective• Control• Procedure• Results of applying the procedure

Using a Shared Assessments Report

• The Shared Assessments report does not provide assurance just attestation of the result

• Each user of the report must evaluate the results in the context of their own risk universe

• Some controls may be applicable others may

Page 63


• Some controls may be applicable others may not

• The absence of certain controls may not be relevant to the user’s environment

• Do not extrapolate in time and space

22

Using a Shared Assessments Report

• Limitations of the Shared Assessment Report

• Limited to Security, business continuity and privacy

• No third party opinion

C it b li d f f dit f

Page 64


• Can it be relied upon for purposes of an audit of financial statements? Only if issued by CPA? What about internal audit of the user organization?

• What about sub‐service organizations? What options are there to report on that relationship?

Module Summary

After completing this module, you should now understand:

• What are Shared Assessments• What is a Shared Assessments Report• The content of a Shared Assessments Report

Page 65


• The content of a Shared Assessments Report• The responsibilities of the Shared Assessments

Auditor• Key considerations of managing a Shared

Assessments project• The usability of Shared Assessments reports

SAS 70 Audits

Page 66


23

What is “SAS 70”?

• Statement on Auditing Standards (SAS) No. 70, Service Organizations, as amended

• Issued by the American Institute of Certified Public Accountants (AICPA)

Page 67


What is a “SAS 70” Report?

A report containing:

• Description of the control environment• Description of management’s control objectives• Description of specific controls, policies and

procedures

Page 68


procedures• Description of tests of those specific controls,

policies and procedures• Results of those tests• Independent auditor’s opinion• Supplemental information provided by the Service

Organization (optional)

Who uses the SAS 70 report?

Primary external users (outside of service organization)

• Clients of service organizations and their auditors

• Auditors of service organization

• Prospective clients of service organizations

Page 69


24


Benefits of the report to external users

• Enhanced understanding of the control environment

• Additional level of comfort

Page 70


Additional level of comfort

• Contained audit costs

• Ability to compare service organizations

• Reliance on controls


Primary internal users (within service organization)

• Management

• Internal Audit

• Legal and Compliance

Page 71


• Risk Management

• Marketing


Benefits of the report to internal users

• Independent evaluation of processes and controls

• Standard documentation of processes and controls for future evaluation of efficiencies

I d i k t

Page 72


• Improved risk management

• Potential reduction of coordination with your client’s auditors

• Marketing

25

Distribution of the Report

Controlled by service organization

Generally limited to:

• Service organization

• Clients of service organization

Page 73


• Auditors of clients of service organization

• Prospective clients of service organization

Types of Reports

• Type I – Report on Controls placed in Operation as of a specified date

• Type II – Report on Controls placed in

Page 74


Type II Report on Controls placed in Operation as of a specified date

AND

Results of Tests of Operating Effectiveness during a specified period

Service Auditor’s Responsibilities:Type I Engagement

• Determine whether the description of controls presents fairly the relevant aspects of the controls placed in operation as of the date of report

Page 75


• Determine whether the controls are suitably designed to achieve the specified control objectives

26

Service Auditor’s Responsibilities :Type II Engagement

• Same as in Type I Engagement

AND

• Determine whether the controls that were tested were operating with sufficient

Page 76


tested were operating with sufficient effectiveness to achieve control objectives for the specified period of the report

Sub‐Service Organizations: Carve‐out

• Exclude sub‐service organization’s relevant controls and control objectives from report and from auditor’s scope

• If Carve‐Out sub‐servicer, then: Modify scope paragraph in the auditor’s report for the controls of

the sub‐service organizationo Describe the functions and nature of processing performed by sub‐

i i ti

Page 77


service organizationo That the description of the controls includes only the controls and

related control objectives of the service organizationo That our examination does not extend to the controls at the sub‐service organization

Service Organization modifies description of controls to summarize the functions and nature of the processing performed by the sub‐service organization that are omitted from the report

• May be necessary to modify opinion paragraph in auditor’s report

• Include sub‐service organization’s relevant controls and control objectives in report and in auditor’s scope

• Ensure description of controls and control objective discussion in report clearly differentiates controls at service organization and at sub‐service organization, but includes both in reporting

• Modify auditor’s report throughout (scope opinion Company

Sub‐Service Organizations: Inclusive

Page 78


Modify auditor s report throughout (scope, opinion, Company references) to include sub‐service organization (and its related controls, etc.)

• Perform procedures at the sub‐servicer to determine whether: controls (functions/nature of processing and controls) are fairly

presented controls are suitably designed to achieve the related control objectives controls are operating with sufficient effectiveness (For Type II

engagements)

27

User Control Considerations

• Complementary Controls that may be required at the User Organization

• Include in report’s description of controls

Page 79


Include in report s description of controls

• Include in auditor’s report

• Sample UCC: User Organization should remove terminated employees when access no longer needed

Service Auditor’s Responsibilities

• Addressing the representations in the service auditor’s report

• Adhere to the AICPA general standards and

Page 80


Adhere to the AICPA general standards and with the relevant AICPA fieldwork and reporting standards

Layout of Typical SAS 70 Report

OpinionSection I – Information provided by the Service Organization Overview of the business Control Environment Applicability of Report D i ti f C t l

Page 81


Description of Controls

Section II – Information Provided by the Service Auditor

Section III – Controls, Control Objectives and Tests of Operating Effectiveness

Section IV – Other information provided by the Service Organization

28

Module Summary

After completing this module, you should now be able to:

• Understand the basic SAS 70‐related terms and definitions

Page 82


• Understand the basic overview of SAS 70

• Understand who uses SAS 70 reports and why

Project Management:

Useful information for the

Page 83


Useful information for the Service Auditor Engagement Team

Define and UnderstandEngagement/Report Scope

Collaborative process with the Client Scope should be driven by USER needs and

requirements

Page 84


o Include Core Areas

o Include desired Locations

29

Engagement Time Management

Time Management• Activity Definition

• Activity Sequencing

• Activity Duration Estimating

S h d l D l t

Page 85


• Schedule Development

• Schedule Control

Service Organization Involvement

• Project Sponsor (leader/owner) of the Process

• Project Coordinator (daily task management)

Page 86


management)• Internal Pre‐Assessment and Remediation• “Buy‐In” of Senior Management within all

functional departments/areas

Senior Management Buy‐In

• Assists in obtaining information timely• Ensures right personnel/contacts are met• Ensures personnel/contacts will provide all

necessary assistance

Page 87


• Ensures personnel/contacts know the importance of the project to their department leaders

30

Responsibilities

May impact:

• Timing

• Deadlines

• Budgets/fees

Page 88


• Budgets/fees

• Staffing mix

• Expectations set by client or by auditor

• Satisfaction with meeting expectations and

• The ability to manage expectations

Reporting Responsibilities

Generally, Client should draft most areas the Report

• Overview of Operations (Organization Definition)

• Description of Controls and Control Environment

• Control Objectives and Controls

• Other Information provided by the Service Organization

Page 89


• Other Information provided by the Service Organization

Generally, the Service Auditor should focus on:

• Opinion

• Information Provided by Service Auditor

• Testing of Controls and Results of Testing

Managing Expectations

• Expectations of Significant Changes During Report Period (mid‐year significant changes in controls/processes to consider)

• Presence of Exceptions in the Report

Page 90


• Multi‐location Considerations• Report is evolving

• Recommendations to be Provided to Client

• Regular Status Meetings with Project Champion andDay‐to‐Day Contact Person is important

31

Managing Expectations

• Timeline/Deadline for Stages of Engagement Setting project milestones minimizes time overages

• Detailed Project Plan by Control Objective Breaking down project plan to task level increases

Page 91


Breaking down project plan to task level increases accuracy of cost estimation and subsequent budgeting

• Monitor Timing/Fees (budget to actual) Enhanced cost control through frequent budget to actual

monitoring

Module Summary


• Understand key aspects of managing a SAS 70 project effectively and efficiently.

• Understand common pitfalls/challenges and


• Understand key aspects of managing a SAS 70 project effectively and efficiently.

• Understand common pitfalls/challenges and

Page 92


p / gsuccesses that we have encountered in our experience with SAS 70 engagements.

p / gsuccesses that we have encountered in our experience with SAS 70 engagements.

Service Auditor Considerations

Page 93


32

Service Auditor Considerations

• Workpaper documentation

• Design of Tests

• Types of tests

• Sampling

Page 94


p g

• Findings

• Testing strategies

Design of Tests

Control Test

Page 95


Types of Tests

• Inquiry

• Inspection

• Observation

• Re‐performance of the control

Page 96


p

33

Sample Sizes

• No definitive guidance

• Driven by four variables

Significance of control

Frequency

Page 97


q y

Past experience

Client expectation

Sample Sizes (continued)

• Frequently used numbers (influenced primarily by SOX developments):

Type of Control

Page 98


Type of Control

Primary Secondary Other

25 15 5

Findings

Findings should be classified into:

• Nominal

• Management Letter Comment (“MLC”)

Page 99


• Exceptions

34

Findings (continued)

• Quantitative materiality thresholds do not apply

• How to deal with exceptions

Identify compensating controls

Page 100


y p g

Redefine control objectives

Timely validation

Testing Strategies

• Report must be applicable to internal controls in place during the entire testing period.

• Narrative update can occur at six month

Page 101


point

• Controls can be tested at any time during the testing period

Module Summary


• Understand important items to consider when performing a SAS 70 engagement including sample sizes, testing strategies and addressing


• Understand important items to consider when performing a SAS 70 engagement including sample sizes, testing strategies and addressing

Page 102


findings.findings.

35

User Auditor Considerations:

Ho to Use a SAS 70 Report

Page 103


How to Use a SAS 70 Report

Is the SAS 70 Useful?

• Address the applications and/or locations used by the Service Organization that are relevant to financial statement assertions?

• Adequate to understand flow of transactions?

• Sufficient detail of controls that prevent or detect

Page 104


ppossible errors?

• Are there findings within control tests?

• Does opinion address any exceptions?

• Are any areas being carved‐out?

Procedures when using a SAS 70 Report

• Read report to:• Understand the flow of transactions and the controls

• Determine that controls were operating as intended

• Determine whether significant control deficiencies were noted

Page 105


• Inquire of client as to changes since date of SAS 70

• Consider whether additional procedures are necessary

36

Assessing User Control Considerations

• Read service auditor’s report to determine:

Whether the considerations are relevant to your client

o If relevant, ensure during your planning that the controls have been implemented by the client

Page 106


controls have been implemented by the client

Nature of complementary controls that should be in place at our client

Updating a SAS 70

When date of SAS 70 report is within the client’s fiscal year (and assessed controls as effective):

• Update through client discussions

When date of SAS 70 is outside of our client’s

Page 107


fiscal year (and anticipate assessing controls as effective):

• Can use the report as a starting point in gaining an understanding of the control environment

• You may not rely on this report as audit evidence

Using a SAS 70 Report

READ IT!

READ IT!

Page 108


READ IT!

READ IT!

37


• Make sure you understand which significant processes are covered

• Can you rely on the testing which was performed?

Page 109


• Determine the results of any testing that was performed


• If the report does not cover the entire period of the user organization’s fiscal year, gain an understanding for the period not covered.

Page 110


Module Summary


• Understand when you can rely on a SAS 70 report.

• Understand the documentation requirements


• Understand when you can rely on a SAS 70 report.

• Understand the documentation requirements

Page 111


qwhen leveraging a SAS 70 report.

• Understand how you can benefit from a SAS 70 report.

Discuss the SAS 70 Reliance Decision Tree

qwhen leveraging a SAS 70 report.

• Understand how you can benefit from a SAS 70 report.

Discuss the SAS 70 Reliance Decision Tree

38

Attest Engagement

Page 112


What is an Attest Engagement?

• Examination, audit or review of subject matter or management assertion

• Higher level of assurance

• Generally includes an opinion of the auditor

Page 113


Generally includes an opinion of the auditor

• Follows the Statement on Standards for Attestation Engagements of the AICPA

Why Do We Need Attest Reports?

• Many financial situations require an attest report

• In the controls space, they can cover areas that are not possible to cover in SAS 70 or

Page 114


other reports

• An example is business continuity planning and the availability principle

39

Who uses Attest Reports?

• Attest reports are limited distribution reports

• Can be used by external auditors for evaluating audit risk

• Can be used by the service organization

Page 115


Can be used by the service organization management

• Can be used by the user organization management

Attest Engagements

Definition and Underlying Concepts

• Subject matter

• Assertion

• Responsible party

Page 116


Attest Engagements

• Suitability of Criteria

Objectivity

Measurability

Completeness

Page 117


Relevance

• Availability of Criteria

40

Attest Auditor Responsibilities

• Training and proficiency

• Adequate knowledge of the subject matter

• Independence

• Due professional care

Page 118


• Due professional care

• If report issued according to the AICPA standard then auditor should be a CPA

Layout of Attest Report

• Differences in content for an Examination and a Review report

• Considerations as to whether opining on subject matter or management assertion

Page 119


• Statement that the work conducted supports the opinion provided

• Compliance with AICPA standards

Project Management Considerations

• Obtain clear management assertion

• Ensure there are suitable criteria

• Delineate an plan every activity

• Discuss and walkthrough every risk and area

Page 120


• Discuss and walkthrough every risk and area of control

• Establish a clearly defined timeline

• Obtain concurrence from management on all identified findings

41

Attest Auditor Considerations

• Planning and supervision

• Obtaining sufficient evidence

• Management representations

• Reporting

Page 121


• Reporting

• Analysis of other information presented by management

Using an Attest Report

• Ensure focus and scope are relevant

• Review criteria

• Evaluate findings

• Consider period of the attestation

Page 122


• Consider period of the attestation

• Determine whether subsequent events occurred

• Integrate controls in the report with risks in your organization

Module Summary

After completing this module, you should now be able to understand:

• What are Attest engagements

• What is an Attestation Report

Page 123


• The content of an Attestation Report

• The responsibilities of the Attest Auditor

• Key considerations of managing a Attest project

• The usability of Attest reports

42

Good Bye SAS 70

Page 124


SAS 70 No More

• Recent Developments

• International Demand

• IFAC ‐ ISAE 3402

• AICPA SSAE 16 – Reporting on Controls at a

Page 125


• AICPA SSAE 16 – Reporting on Controls at a Service Organization

• New SAS – Audit Considerations Relating to an Entity Using a Service Organization

SAS 70 No More

• New Standards do not affect inquiries of management

• New Standards do not affect AUP/Shared Assessments

Page 126


• New Standards do not affect the Attest Engagements

43

AICPA SSAE 16

• Separates Service Audit from existing SAS

• Falls under different family of standards

• Instead of an audit standard, it is an attest standard

Page 127


standard

• Requires a written management assertion

• And suitable criteria

• Does not consider the usability in a financial statement audit ONLY

SSAE 16 – Impact

• Management of the service organization required to provide the service auditor with a written assertion about1. The fairness of the presentation of the description of

the service organization’s system

Page 128


g y2. The suitability of the design of the controls to

achieve the related control objectives stated in the description, and, in a type 2 engagement

3. The operating effectiveness of those controls to achieve the related control objectives stated in the description.

SSAE 16 – Impact

• A service auditor is able to report on controls at a service organization other than controls that are relevant to user entities’ financial reporting, for example, controls related to

Page 129


user entities’ regulatory compliance, production, or quality control.

• This is probably the greatest benefit of all!

44

SSAE 16 – Impact

• In a type 2 report, the service auditor’s opinion on the fairness of the presentation of the description of the service organization’s system and on the suitability of the design of

Page 130


the controls is for a period of time rather than as of a specified date, as is the case in the current standard

SSAE 16 – Impact

• When obtaining an understanding of the service organization‘s system, the service auditor would be required to obtain information to identify risks that the

Page 131


description of the service organization’s system is not fairly presented or that the control objectives stated in the description were not achieved due to intentional acts by service organization personnel.

SSAE 16 – Impact

• Indicates that when assessing the operating effectiveness of controls in a type 2 engagement, evidence obtained in prior engagements about the satisfactory

Page 132


operation of controls in prior periods does not provide a basis for a reduction in testing, even if supplemented with evidence obtained during the current period.

45

SSAE 16 – Impact

• A service auditor’s type 2 report would identify the customers to whom use of the report is restricted as "customers of the service organization’s system during some or

Page 133


all of the period covered by the service auditor’s report,"and in a service auditor’s type 1 report, as, "customers as of the date of the service organization’s description covered by the report."

SSAE 16 – Key Considerations

• Effective date – the AICPA/ASB has proposed making the SSAE effective concurrently with the new ISAE 3402

• Management assertion – An assertion‐based

Page 134


engagement includes an explicit acknowledgement by management of its responsibility for the matters addressed in its assertion

• Convergence with International Standards

IFAC – ISAE 3402

• ISAE 3402 – Assurance Reports on Controls at a Service Organization

• Based on original structure of SAS 70 but very similar to the New SSAE

li ll i h C i

Page 135


• Applies to all countries where IFAC is recognized

• Scope – applies to engagements that convey reasonable assurance when the service organization is responsible for the suitable design of controls

46

ISAE 3402

• The standard deals with assurance engagements by professional accountants in public practice to provide a report for use by the user entities and their auditors on the

Page 136


controls at a service organization that provides a service to user entities that is likely to be relevant to user entities’ internal control, as it relates to financial reporting.

ISAE 3402

The standard does not deal with assurance engagements:

• To report on whether controls at a service organization operated as described, or

Page 137


• To report ONLY on controls at a service organization that are not related to a service that is likely to be relevant to user entities’ internal controls as it relates to financial reporting

Why is ISAE 3402 Important

• Impact at domestic and international levels• It updates/replaces (potentially)/complements:

• US ‐ Statement on Auditing Standards (SAS) No. 70• CA ‐ Canadian Institute of Chartered Accountants

(CICA) 5970

Page 138


• UK ‐ Audit and Assurance Faculty Standard (AAF) 01/06

• AU ‐ Guidance Statement (GS) 007• HK ‐ HKSA Statements – Auditing Practice Note 860.2• JP ‐ Audit Standards Committee Report No. 18• DE (Germany) ‐ IDW PS 951

47

IFAC – ISAE 3402

• Introduces the concept of materiality• Not with respect to the financial statements

but with respect to the system The concept of materiality takes into account that

the service auditor’s assurance report provides

Page 139


the service auditor’s assurance report provides information about the service organization’s system to meet the common information needs of a broad range of user entities and their auditors who have an understanding of the manner in which that system has been used.

IFAC – ISAE 3402

• Materiality with respect to the fair presentation of the service organization’s description of its system, and with respect to the design of controls, includes primarily the consideration of qualitative factors, for example: whether the description includes the

Page 140


for example: whether the description includes the significant aspects of processing significant transactions; whether the description omits or distorts relevant information; and the ability of controls, as designed, to provide reasonable assurance that control objectives would be achieved.

IFAC – ISAE 3402

• Materiality with respect to the service auditor’s opinion on the operating effectiveness of controls includes the consideration of both quantitative and

Page 141


qualitative factors, for example, the tolerable rate and observed rate of deviation (a quantitative matter), and the nature and cause of any observed deviation (a qualitative matter).

48

Critical Steps in Assurance Reporting Under ISAE 3402

• Assessing the Suitability of the Criteria

• Obtaining an Understanding of the Service Organization’s System

• Obtaining Evidence Regarding the i i

Page 142


Description

• Obtaining Evidence Regarding Design of Controls

• Obtaining Evidence Regarding the Operating Effectiveness of Controls

Critical Steps in Assurance Reporting Under ISAE 3402

• The Work of an Internal Audit Function

• Other Information

• Preparing the Service Auditor’s Assurance Report

Page 143


Report

• Other Communication Responsibilities

Topic Existing SAS 70 Standard ISAE 3402 / SSAE

Scope SAS 70 is limited to controls over the processing of financial transactions by aservice organization.

Report can be extended beyond financial reporting.

Opinion / The auditor provides an In addition to the

Comparison of SAS 70 with ISAE/SSAE

Page 144


pAssertion

popinion based directly on the subject matter with no formal management assertion.

auditor's opinion, management of the service organization provides a formal assertion affirming its responsibilities for the controls in the report.

Extracted from “Good‐bye SAS 70” by Fiona Gaskin

49


Disclosurerequirementsfor use of IA

Work performed by internal audit to support the service auditor's opinion is not disclosed.

Work performed by internal audit used in part to form the service auditor’s opinion shall include a description of the internal auditor’s work and of the service auditor’s procedures with respect to that work.


Page 145


Audit Guidance Guidance is provided in an annually updated Audit Guide, which includesillustrative control objectives for various types of service organizations.

Guidance for the service auditor will be solely contained in the ISAE itself and will not contain illustrative control objectives.The US will continue to provide audit guidance to support the SSAE/SAS 70standards.



Example ofTerminologyDifferences

Type I - report on the fairness of the description of controls and whether those controls were suitably designed

Type 1 - report on the fairness of the description of controls and whether those controls were suitably designed.


Page 146


designed.

Type II - report also includes an opinion on the operating effectiveness of the controls.

Type 2 - report also includes an opinion on the operating effectiveness of the controls.


ISAE 3402 Report

• Internal control is a process designed to provide reasonable assurance regarding the achievement of objectives related to the reliability of financial reporting, effectiveness and efficiency of operations and compliance with applicable laws and regulations.

Page 147


p pp g• Control objectives and controls at the User

Organizations• Control objectives and controls at the Service

Organization• Controls at the Service Organization that need to be

complemented at User Organizations

50

Module Summary

After completing this module, you should now be able to understand:• The latest developments in Third Party Assurance

Standards• The impact of new Standards

Page 148


p• The benefits of the new Standards• Key differences and similarities between domestic

and international standards• Key considerations and responsibilities of a

service auditor and the user of a third party assurance report

Wrap‐Up and Summary

Wrap-Up

Page 149


Using Third Party Reports

• A report is not relevant if it does not address your company’s risks

• Prepare your own ICQ or use a standard one as a pre‐audit tool

Page 150


• Use your company’s risk and control matrices as the basis to evaluate ICQ, AUP, SAS 70, ISAE and SSAE findings

• Starting point is your company’s risks not what is in the reports

51

Third Party Assurance – Final Comments

• Businesses will continue to look for opportunities to increase efficiency and effectiveness of business processes

• Globalization will not stop

• Cloud Computing will make this field more

Page 151


Cloud Computing will make this field more interesting and complex

• Third party assurance practice will continue to grow

• We will be either auditing or will be audited by a service auditor …

Contact

Felix Ramirez

(W) 646‐290‐8998

(C) 908‐230‐4562

Page 152


(C) 908‐230‐4562

(e) [email protected]

Date post:	18-May-2015
Category:	Education
Upload:	isaca-new-england
View:	1,801 times
Download:	3 times

Evaluating Vendor Risks - slides

Education