Date posted: 18-May-2015
Category: Education
Upload: isaca-new-england
Evaluating Vendor Risks
Do you know if they have controls?
May 5, 2010
Introductions
• Relevant Participant Experiences
• Participant Objectives for this class
Copyright 2010 Riebeeck Stevens Ltd
Course Objective
To educate participants regarding the nature of vendor risks and the mechanisms to effectively assess, manage and control those risks by providing a learning forum where individuals with greater audit and third party assurance experience can share their knowledge with peers who are interested in learning about third party assurance and the different mechanisms and standards available to accomplish it.
Today’s Discussion Topics
• Overview of outsourcing arrangements
• Rights to audit
• Diversity of service organizations
• Assessment mechanisms
o SAS 70
o Shared Assessments
o ISAE 3402
• SAS 70 No More
• Conducting an assessment engagement
• Using a third party assessment
• Project management considerations
Outsourcing Business Processes
Background
• Many entities use outside service organizations to accomplish tasks that affect the entity’s management and information system
• In recent years, there has been an increase in the use of service organizations
• Why do you think BPO (business process outsourcing) has increased so much?
• “Practical IT Auditing” Checklist to evaluate candidates for outsourcing
Typical Service Organizations
• Fund accounting agents/Fund administrators
• Custodians/Trustees/Investment advisors
• Transfer agents/Retirement plan record keepers
• Claims processors
• ASPs
• ISPs
• Payroll processors
• Network/Security management
• Thoughts on Cloud Computing Providers?
Outsourcing Arrangements
• Total outsourcing – complete business or business function
• Production outsourcing – Call centers
• Processing outsourcing – Payroll
• Recordkeeping outsourcing – Transfer agent
• Reporting outsourcing – FISERV and Crawford Technologies
• Physical Facilities outsourcing – Hosting/Co‐location
Sample Outsourcing Agreements
• 2002: $4 billion / 7‐year utility based deal between American Express and IBM
• 1998: $3 billion application development and maintenance agreement between BellSouth and Andersen Consulting
• 1998: $4 billion infrastructure outsourcing agreement between BellSouth and EDS
• 1996: $4.5 billion / 10 year outsourcing and strategic alliance agreements between Dupont and CSC and Andersen Consulting
• 1994: $3 billion / 10‐year IT services between Xerox and EDS
Classification of Vendor Risks
• Operational Risk
• Reputation Risk
• Strategic Risk
• Compliance Risk
• Financial Risk
• Support Risk
Classification of Vendor Risks
• Operational Risk – Operational risk not only includes operations and transaction processing, but also areas such as customer service, Information Technology security and the protection of non‐public data, systems development and support programs, internal control processes, and capacity and contingency planning.
Classification of Vendor Risks
• Reputation Risk – Errors, delays, or omissions in outsourced services that become public knowledge or directly affect the company's customers can significantly affect reputation. For example, a vendor's failure to maintain adequate service levels and contingencies for key items such as cash deliveries, network hardware devices or ATM servicing could disrupt the ability to deliver service to customers.
Classification of Vendor Risks
• Strategic Risk – Inadequate management experience and expertise can lead to a lack of understanding of key risks facing the industry today and into the future. Additionally, inaccurate information from vendors can cause the company's management and board of directors to make poor strategic decisions.
Classification of Vendor Risks
• Compliance Risk – Outsourced activities that fail to comply with legal or regulatory requirements can subject the company to legal sanctions. For example, inaccurate or untimely consumer compliance disclosures or unauthorized disclosure of confidential customer information could expose the company to civil money penalties or litigation.
Classification of Vendor Risks
• Financial Risk – financial strength of the vendor, cash position, credit rating, bankruptcy history, historical financial performance indicators – return on equity, return on investment, return on assets
Classification of Vendor Risks
• Support Risk – ability to perform according to service level agreements, professional diversity and capacity of staff, experience of workers, staff rotation policy, operational performance in the market – are they losing customers, is their quality falling
Rights to Audit
• Contract clause allowing the user organization to audit or have access to audits of the services contracted
• Should be a standard part of every outsourcing contract
• Use more frequently
• Demanding specific types of audits
• Make sure you are specific in terms of period of audits
Case Study
New York ‐ 30 Dec 2002: J.P. Morgan Chase & Co. today finalized with IBM a groundbreaking seven‐year outsourcing agreement, in excess of $5 billion, the largest of its kind. The agreement will enable JPMorgan Chase to transform its technology infrastructure through absolute costs savings, increased cost variability, access to the best research and innovation, and improved service levels. By moving from a traditional fixed‐cost approach to one with increased capacity and cost variability, JPMorgan Chase will be able to respond more quickly to changing market conditions.
JPMorgan Chase will outsource a significant portion of its data processing technology infrastructure, including data centers, help desks, distributed computing, data networks and voice networks. The agreement includes the transfer of approximately 4,000 JPMorgan Chase employees and contractors as well as selected resources and systems to IBM in the first half of 2003. Application delivery and development, desktop support and other core competencies will largely be retained inside JPMorgan Chase.
Case Study ‐ Instructions
• Study the JPM/IBM press release
• Identify the key risks faced by JPM when transferring functions to IBM
• Discuss methods JPM can use to stay informed of controls at IBM to address those risks
• Discuss impact to security, audit and compliance
• Should JPM require IBM to include a right to audit clause in their contract? Why?
Summary
After completing this module, you should now:
• Understand the business drivers behind the outsourcing decision
• Understand the various types of outsourcing arrangements
• Understand the key classes of vendor risk
• Begin to understand the need to evaluate controls at service organizations
Assessment Mechanisms
Definition of Key Players
Service Organization – The entity that provides services to a user organization
Subservice Organization – An entity that is a service organization of another service organization
Service Auditor – Reports on the processing of transactions by a service organization
User Organization – The entity that has engaged a service organization
User Auditor – Auditor of a user organization
Key Players
[Diagram: Service Auditor, User Organization, Subservice Organization, User Auditor, Service Organization]
Evaluating Internal Control at Service Organizations
• How can a user of a service organization (and its internal/external auditor) obtain a sufficient level of comfort that there is an effective control environment at the service organization?
• How can user management ensure that outsourced processes are managed following policies, procedures and practices that are aligned with those of his/her own company?
Assessment Mechanism: Traditional Approach
• User management submits an internal control questionnaire to service organization
• Service organization provides a self‐assessment report to clients
• User organization management (internal audit) performs audit procedures at service organization
• User auditor performs audit procedures at service organizations
Assessment Mechanisms: Third Party Assurance Approach
• One independent firm (third party) is brought in to issue an opinion as to whether management’s description of the control environment is presented fairly.
• In many cases, the independent firm is also engaged to perform tests of specific controls and report on the result of those tests.
Assessment Mechanisms: Third Party Assurance Approach
• Agreed‐Upon Procedures
• Shared Assessments
• Standard Compliance Audit
• SAS 70
• Attestation
• Who can issue reports using these mechanisms?
Assessment Mechanisms: Third Party Assurance Approach
• Agreed‐Upon Procedures: Issued by independent CPA
• Shared Assessments: Issued by independent CPA or assessment firm
• Standard Compliance Audit: Issued by certified party – i.e. PCI and ISO
• SAS 70: Issued by CPA or CA
• Attestation: Issued by CPA or CA
Module Summary
After completing this module, you should now:
• Understand the process to evaluate internal controls at Service Organizations
• Understand the basic concepts of Third Party Assurance (TPA)
• Identify different mechanisms for conducting TPA engagements
• Understand who can issue third party assurance reports
Agreed‐Upon Procedures
What are Agreed Upon Procedures
• Section 201 of the AICPA Statements on Standards for Attestation Engagements (SSAE)
• An agreed‐upon procedures engagement is one in which a practitioner is engaged by a Responsible Party to issue a report of findings based on specific procedures performed on subject matter. The Responsible Party engages the practitioner to assist Specified Parties in evaluating subject matter or an assertion as a result of a need or needs of the Specified Parties.
What is an AUP Report
• An AUP Report is a report issued according to SSAE 10 Section 201
• An AUP Report contains the procedures agreed‐upon by the parties and the findings identified by the auditor
• An AUP Report does not contain an opinion from the auditor, just the facts of the results
Who Uses an AUP Report
• Agreed‐Upon procedures are used by the service organization, user management, external auditors and regulators
• Internal users include senior management, compliance, internal audit, security and risk management
• External users typically limited to external auditors and regulators
Distribution of the Report
• As an Attestation report, AUP reports have limited distribution
• The Service Organization and the specified parties can have access to the report
• Other parties interested in the report need to agree as to the sufficiency of the procedures with respect to the subject matter or assertion prior to receiving the report
AUP Auditor’s Responsibilities
• Carry out the procedures
• Report the findings in accordance with the professional standards (general, fieldwork and reporting)
• Adequately plan and supervise the audit and exercise due professional care in performing the procedures, determining the findings, and preparing the report
AUP Auditor’s Responsibilities
• Risk that misapplication of the procedures may result in inappropriate findings being reported
• Risk that appropriate findings may not be reported or may be reported inaccurately
• These risks are reduced by becoming knowledgeable about the subject matter and thoroughly planning and executing the work
• The AUP Auditor has no responsibility to determine completeness or adequacy of the agreed‐upon procedures
Layout of a Typical AUP Report
• A title that includes the word independent
• Identification of the specified parties
• Identification of the subject matter (or the written assertion related thereto) and the character of the engagement
• Identification of the responsible party
• A statement that the subject matter is the responsibility of the responsible party
Extracted from “AICPA Attestation Standards Section 201”
Layout of a Typical AUP Report
• A statement that the procedures performed were those agreed to by the specified parties identified in the report
• A statement that the agreed‐upon procedures engagement was conducted in accordance with attestation standards established by the AICPA
• A statement that the sufficiency of the procedures is solely the responsibility of the specified parties and a disclaimer of responsibility for the sufficiency of those procedures
Extracted from “AICPA Attestation Standards Section 201”
Layout of a Typical AUP Report
• A list of the procedures performed (or reference thereto) and related findings (The practitioner should not provide negative assurance)
• Where applicable, a description of any agreed‐upon materiality limits
Extracted from “AICPA Attestation Standards Section 201”
Layout of a Typical AUP Report
• A statement that the practitioner was not engaged to and did not conduct an examination of the subject matter, the objective of which would be the expression of an opinion, a disclaimer of opinion on the subject matter, and a statement that if the practitioner had performed additional procedures, other matters might have come to his or her attention that would have been reported
Extracted from “AICPA Attestation Standards Section 201”
Layout of a Typical AUP Report
• A statement of restrictions on the use of the report because it is intended to be used solely by the specified parties
• Where applicable, reservations or restrictions concerning procedures or findings.
• For an agreed‐upon procedures engagement on prospective financial information.
• Where applicable, a description of the nature of the assistance provided by a specialist.
• The manual or printed signature of the practitioner's firm
• The date of the report
Extracted from “AICPA Attestation Standards Section 201”
Procedures to be Performed
• Can be as limited or as extensive as the specified parties desire
• Mere description of assertion or subject matter does not constitute a valid procedure
• There is flexibility in determining the procedures
• Changes to the procedures are acceptable as long as the specified parties accept responsibility for the sufficiency of the procedures
• Matters that need to be agreed upon include the nature, timing and extent of the procedures
Procedures to be Performed
• Procedures should not be subjective and open to interpretations
• Terms of uncertain meaning (such as general review, limited review or check) should be avoided
• For each procedure, there should be evidential matter supporting the finding or findings
Let’s explore the Q‐Services report
Project Management Considerations
• Use Of a Specialist
• Internal Auditors and Other Personnel
• Findings
• Working Papers
AUP Sample Findings
• Procedure: Inspect the shipment dates for a sample (agreed‐upon) of specified shipping documents, and determine whether any such dates were subsequent to December 31, 20XX.
• Finding (Appropriate description): No shipment dates shown on the sample of shipping documents were subsequent to December 31, 20XX.
• Finding (Inappropriate description): Nothing came to my attention as a result of applying that procedure.
• Sample findings matrix from AT 201
AUP Auditor Considerations
• Validate that the Specified Parties have agreed to the procedures
• Document the steps taken in performing the procedures
• Obtain and maintain appropriate evidence of the work conducted
• Ensure all changes to the procedures are approved by the Specified Parties
• Obtain representations from management
Using an AUP Report
• An AUP Report contains the results of applying the procedures only – No Opinion
• Each procedure and related result must be evaluated by the user in the context of its entity’s internal control
• Be careful not to extrapolate the findings to systems or dates not related to the AUPs
AUP Exercise
• With the JPM/IBM agreement, multiple systems are being processed and supported at IBM
• You work for JPM and some of your clients (your team members) want to audit the system at IBM to evaluate the security controls at IBM
• Identify and describe 5 audit procedures and discuss them in your group until everyone agrees they are sufficient to meet your objective
• Ensure the wording of the procedures is specific and avoid vague terms
• Draft the results of applying the procedures and share them with the group
Module Summary
After completing this module, you now have an understanding of:
• What Agreed‐Upon Procedures are
• What an AUP Report is
• The content of AUPs
• The responsibilities of the AUP Auditor
• Key considerations of managing an AUP project
• The usability of AUP reports
Shared Assessments
Shared Assessments
• Special application of the AICPA AUP standard
• Shared Assessments is a program created by BITS, a division of the Financial Services Roundtable
• Initially targeted at the financial services industry, it is quickly expanding to other industries such as health care
• Program managed by the Santa Fe Group
Shared Assessments
• Standardized Information Gathering (SIG) Questionnaire
• Agreed‐Upon Procedures (AUP)
• Created under the principle of getting everyone involved
• Sort of like Skype and IP telephony, when everyone is connected, there is no need to pay for phone service
Who uses a Shared Assessments Report?
• SIG is used by the Service Organization and the Outsourcer
• AUP report can be used by all related parties who approved the procedures
• Limited distribution report – others can use it but need to agree to the sufficiency of the procedures to evaluate the related controls
Shared Assessments Risk Domains
• Information security policy
• Organization of information security
• Asset management
• Human resources security
• Physical and environmental security
• Communications and operations management
• Access control
• Information systems acquisition, development and maintenance
• Information security incident management
• Business continuity management
• Compliance
• Privacy
Shared Assessments Project
• Scoping questions – determine:
• Service provider and its business model
• Target systems and processes
• Data that it collects, stores, uses, shares, transports, retains, secures and/or deletes:
o Target Data
o Protected Target Data
o Privacy Target Data
o Protected Privacy Target Data
• Based on this information, identify hardware, software and procedures to be tested.
Shared Assessments Lite
• SIG v5 Level 1
• Contains 91 questions
• Intended for low risk scenarios
• Inquiry of Service Organization management
• No testing is involved
SIG v5 L1 Questions
Shared Assessments AUP
• Full SIG v5 and management tools
• AUP v5
• 12 Risk Domains
• Specific procedures to be executed by assessor
• Each AUP control area contains:
o Objective(s): Statement(s) describing the business interest behind assessing the Domain
o Control(s): Statement(s) about the controls service providers should have in place
o Procedure(s): The action or actions a practitioner will perform to test each control Area
o Industry Relevance: Reference(s) to other standards that apply to the same objective and control as the procedure
Shared Assessments Sample Procedure
F.5 Secure Workspace Access Reporting
Objective:
An organization should maintain access and incident reports.
Control:
Access to Secure Workplace is logged and incident reports are maintained.
Procedures:
a. Obtain the access and incident logs (physical or electronic) from the service provider for the Secure Workspace Perimeter, and inspect for evidence of the following attributes:
Access Logs (Staff):
1. Name
2. Date and time
3. Point of access
4. Date of last update
Access Logs (Visitor):
1. Name
2. Date and time
3. Point of access
4. Company name
5. Visiting
6. Equipment
7. Sign out and return of badge
8. Date of last update
Incident Logs:
1. Name
2. Date and time
3. Company name
4. Incident type
5. Date of last update
b. Report the attributes listed in step a not in evidence, the date the access logs and incident log was last updated, or the nonexistence of the access log or incident log.
Extracted from the Shared Assessments AUP document
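The F.5 inspection above, applied to electronic log exports, as an added example that is not part of the original slides or of the Shared Assessments AUP document. The CSV layout, the snake_case column names and the sample rows are constructed assumptions; findings are worded as facts only, in line with the no-opinion form of AUP reporting.

```python
import csv
import io
from datetime import date

# Attributes listed in step a of F.5, per log type. The column names are an
# assumption about how a provider's electronic export might label them.
F5_ATTRIBUTES = {
    "Access Logs (Staff)": ["name", "date_time", "point_of_access", "last_update"],
    "Access Logs (Visitor)": ["name", "date_time", "point_of_access", "company_name",
                              "visiting", "equipment", "badge_sign_out_return",
                              "last_update"],
    "Incident Logs": ["name", "date_time", "company_name", "incident_type",
                      "last_update"],
}


def inspect_log(log_type, csv_text):
    """Step a: inspect one log export for evidence of each listed attribute."""
    required = F5_ATTRIBUTES[log_type]
    if csv_text is None:
        # Step b: the nonexistence of a log is itself a reportable result.
        return {"log": log_type, "exists": False, "rows": 0,
                "not_in_evidence": list(required), "partial": {},
                "last_updated": None}

    reader = csv.DictReader(io.StringIO(csv_text.strip()))
    reader.fieldnames = [h.strip().lower() for h in (reader.fieldnames or [])]
    rows = list(reader)

    # Count, per attribute, how many entries actually carry a value.
    filled = {a: sum(1 for r in rows if (r.get(a) or "").strip()) for a in required}
    not_in_evidence = [a for a in required if filled[a] == 0]
    partial = {a: len(rows) - n for a, n in filled.items() if 0 < n < len(rows)}

    dates = []
    for r in rows:
        try:
            dates.append(date.fromisoformat((r.get("last_update") or "").strip()))
        except ValueError:
            pass  # blank or unparseable value: no evidence of an update date
    return {"log": log_type, "exists": True, "rows": len(rows),
            "not_in_evidence": not_in_evidence, "partial": partial,
            "last_updated": max(dates).isoformat() if dates else None}


def f5_findings(logs):
    """Step b: word the results as findings of fact, one line per log."""
    findings = []
    for log_type in F5_ATTRIBUTES:
        r = inspect_log(log_type, logs.get(log_type))
        if not r["exists"]:
            findings.append(f"{log_type}: log does not exist.")
            continue
        if r["not_in_evidence"]:
            parts = ["attributes not in evidence: " + ", ".join(r["not_in_evidence"])]
        else:
            parts = ["all listed attributes in evidence"]
        for attr, blanks in r["partial"].items():
            parts.append(f"{attr} blank in {blanks} of {r['rows']} entries")
        parts.append("last updated " + (r["last_updated"] or "not in evidence"))
        findings.append(f"{log_type}: " + "; ".join(parts) + ".")
    return findings


# Constructed sample exports (not real data). The provider supplied no incident log.
STAFF_CSV = """name,date_time,point_of_access,last_update
A. Rivera,2010-04-27T08:02,Door 3,2010-04-27
B. Chen,2010-04-28T17:40,Door 1,2010-04-28
"""
VISITOR_CSV = """Name,Date_Time,Point_of_Access,Company_Name,Visiting,Last_Update
C. Osei,2010-04-26T10:15,Lobby,Acme Audit,A. Rivera,2010-04-26
D. Park,2010-04-28T14:05,Lobby,,B. Chen,2010-04-28
"""
SAMPLE_LOGS = {
    "Access Logs (Staff)": STAFF_CSV,
    "Access Logs (Visitor)": VISITOR_CSV,
    "Incident Logs": None,
}

if __name__ == "__main__":
    for line in f5_findings(SAMPLE_LOGS):
        print(line)
```
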
Shared Assessments
Exercise
• Review the JPM/IBM outsourcing arrangement and based on the limited information provided, review the questions on Section C2.2 of SIG v5 and the corresponding procedures in Section C of Shared Assessments AUP v5
• Could this provide any comfort when performed by a trusted party?
Shared Assessments Report Layout
• The Shared Assessments report follows the AUP standard of the AICPA
• Description of scope
• Domain area
• Control objective
• Control
• Procedure
• Results of applying the procedure
Using a Shared Assessments Report
• The Shared Assessments report does not provide assurance, just attestation of the result
• Each user of the report must evaluate the results in the context of their own risk universe
• Some controls may be applicable, others may not
• The absence of certain controls may not be relevant to the user’s environment
• Do not extrapolate in time and space
Using a Shared Assessments Report
• Limitations of the Shared Assessment Report
• Limited to Security, business continuity and privacy
• No third party opinion
• Can it be relied upon for purposes of an audit of financial statements? Only if issued by CPA? What about internal audit of the user organization?
• What about sub‐service organizations? What options are there to report on that relationship?
Module Summary
After completing this module, you should now understand:
• What are Shared Assessments
• What is a Shared Assessments Report
• The content of a Shared Assessments Report
• The responsibilities of the Shared Assessments Auditor
• Key considerations of managing a Shared Assessments project
• The usability of Shared Assessments reports
SAS 70 Audits
What is “SAS 70”?
• Statement on Auditing Standards (SAS) No. 70, Service Organizations, as amended
• Issued by the American Institute of Certified Public Accountants (AICPA)
What is a “SAS 70” Report?
A report containing:
• Description of the control environment
• Description of management’s control objectives
• Description of specific controls, policies and procedures
• Description of tests of those specific controls, policies and procedures
• Results of those tests
• Independent auditor’s opinion
• Supplemental information provided by the Service Organization (optional)
Who uses the SAS 70 report?
Primary external users (outside of service organization)
• Clients of service organizations and their auditors
• Auditors of service organization
• Prospective clients of service organizations
Who uses the SAS 70 report?
Benefits of the report to external users
• Enhanced understanding of the control environment
• Additional level of comfort
• Contained audit costs
• Ability to compare service organizations
• Reliance on controls
Who uses the SAS 70 report?
Primary internal users (within service organization)
• Management
• Internal Audit
• Legal and Compliance
• Risk Management
• Marketing
Who uses the SAS 70 report?
Benefits of the report to internal users
• Independent evaluation of processes and controls
• Standard documentation of processes and controls for future evaluation of efficiencies
• Improved risk management
• Potential reduction of coordination with your client’s auditors
• Marketing
Distribution of the Report
Controlled by service organization
Generally limited to:
• Service organization
• Clients of service organization
• Auditors of clients of service organization
• Prospective clients of service organization
Types of Reports
• Type I – Report on Controls placed in Operation as of a specified date
• Type II – Report on Controls placed in Operation as of a specified date
AND
Results of Tests of Operating Effectiveness during a specified period
Service Auditor’s Responsibilities: Type I Engagement
• Determine whether the description of controls presents fairly the relevant aspects of the controls placed in operation as of the date of report
• Determine whether the controls are suitably designed to achieve the specified control objectives
Service Auditor’s Responsibilities: Type II Engagement
• Same as in Type I Engagement
AND
• Determine whether the controls that were tested were operating with sufficient effectiveness to achieve control objectives for the specified period of the report
Sub‐Service Organizations: Carve‐out
• Exclude sub‐service organization’s relevant controls and control objectives from report and from auditor’s scope
• If Carve‐Out sub‐servicer, then:
o Modify scope paragraph in the auditor’s report for the controls of the sub‐service organization
   o Describe the functions and nature of processing performed by sub‐service organization
   o That the description of the controls includes only the controls and related control objectives of the service organization
   o That our examination does not extend to the controls at the sub‐service organization
o Service Organization modifies description of controls to summarize the functions and nature of the processing performed by the sub‐service organization that are omitted from the report
• May be necessary to modify opinion paragraph in auditor’s report
Sub‐Service Organizations: Inclusive
• Include sub‐service organization’s relevant controls and control objectives in report and in auditor’s scope
• Ensure description of controls and control objective discussion in report clearly differentiates controls at service organization and at sub‐service organization, but includes both in reporting
• Modify auditor’s report throughout (scope, opinion, Company references) to include sub‐service organization (and its related controls, etc.)
• Perform procedures at the sub‐servicer to determine whether:
o controls (functions/nature of processing and controls) are fairly presented
o controls are suitably designed to achieve the related control objectives
o controls are operating with sufficient effectiveness (For Type II engagements)
User Control Considerations
• Complementary Controls that may be required at the User Organization
• Include in report’s description of controls
• Include in auditor’s report
• Sample UCC: User Organization should remove terminated employees when access no longer needed
Service Auditor’s Responsibilities
• Addressing the representations in the service auditor’s report
• Adhere to the AICPA general standards and with the relevant AICPA fieldwork and reporting standards
Layout of Typical SAS 70 Report
Opinion
Section I – Information provided by the Service Organization
o Overview of the business
o Control Environment
o Applicability of Report
o Description of Controls
Section II – Information Provided by the Service Auditor
Section III – Controls, Control Objectives and Tests of Operating Effectiveness
Section IV – Other information provided by the Service Organization
28
Module Summary
After completing this module, you should now be able to:
• Understand the basic SAS 70‐related terms and definitions
• Understand the basic overview of SAS 70
• Understand who uses SAS 70 reports and why
Project Management:
Useful information for the Service Auditor Engagement Team
Define and Understand Engagement/Report Scope
• Collaborative process with the Client
• Scope should be driven by USER needs and requirements
  o Include Core Areas
  o Include desired Locations
Engagement Time Management
Time Management
• Activity Definition
• Activity Sequencing
• Activity Duration Estimating
• Schedule Development
• Schedule Control
Service Organization Involvement
• Project Sponsor (leader/owner) of the Process
• Project Coordinator (daily task management)
• Internal Pre‐Assessment and Remediation
• “Buy‐In” of Senior Management within all functional departments/areas
Senior Management Buy‐In
• Assists in obtaining information timely
• Ensures right personnel/contacts are met
• Ensures personnel/contacts will provide all necessary assistance
• Ensures personnel/contacts know the importance of the project to their department leaders
Responsibilities
May impact:
• Timing
• Deadlines
• Budgets/fees
• Staffing mix
• Expectations set by client or by auditor
• Satisfaction with meeting expectations and
• The ability to manage expectations
Reporting Responsibilities
Generally, the Client should draft most areas of the Report:
• Overview of Operations (Organization Definition)
• Description of Controls and Control Environment
• Control Objectives and Controls
• Other Information provided by the Service Organization
Generally, the Service Auditor should focus on:
• Opinion
• Information Provided by Service Auditor
• Testing of Controls and Results of Testing
Managing Expectations
• Expectations of Significant Changes During Report Period (mid‐year significant changes in controls/processes to consider)
• Presence of Exceptions in the Report
• Multi‐location Considerations
• Report is evolving
• Recommendations to be Provided to Client
• Regular Status Meetings with Project Champion and Day‐to‐Day Contact Person are important
Managing Expectations
• Timeline/Deadline for Stages of Engagement
  o Setting project milestones minimizes time overages
• Detailed Project Plan by Control Objective
  o Breaking down project plan to task level increases accuracy of cost estimation and subsequent budgeting
• Monitor Timing/Fees (budget to actual)
  o Enhanced cost control through frequent budget to actual monitoring
Module Summary
After completing this module, you should now:
• Understand key aspects of managing a SAS 70 project effectively and efficiently.
• Understand common pitfalls/challenges and successes that we have encountered in our experience with SAS 70 engagements.
Service Auditor Considerations
• Workpaper documentation
• Design of Tests
• Types of tests
• Sampling
• Findings
• Testing strategies
Design of Tests
Control Test
Types of Tests
• Inquiry
• Inspection
• Observation
• Re‐performance of the control
Sample Sizes
• No definitive guidance
• Driven by four variables
  o Significance of control
  o Frequency
  o Past experience
  o Client expectation
Sample Sizes (continued)
• Frequently used numbers (influenced primarily by SOX developments):
Type of Control    Primary    Secondary    Other
Sample Size        25         15           5
Findings
Findings should be classified into:
• Nominal
• Management Letter Comment (“MLC”)
• Exceptions
Findings (continued)
• Quantitative materiality thresholds do not apply
• How to deal with exceptions
  o Identify compensating controls
  o Redefine control objectives
  o Timely validation
Testing Strategies
• Report must be applicable to internal controls in place during the entire testing period.
• Narrative update can occur at six month point
• Controls can be tested at any time during the testing period
Module Summary
After completing this module, you should now:
• Understand important items to consider when performing a SAS 70 engagement including sample sizes, testing strategies and addressing findings.
User Auditor Considerations:
How to Use a SAS 70 Report
Is the SAS 70 Useful?
• Address the applications and/or locations used by the Service Organization that are relevant to financial statement assertions?
• Adequate to understand flow of transactions?
• Sufficient detail of controls that prevent or detect possible errors?
• Are there findings within control tests?
• Does opinion address any exceptions?
• Are any areas being carved‐out?
Procedures when using a SAS 70 Report
• Read report to:
  o Understand the flow of transactions and the controls
  o Determine that controls were operating as intended
  o Determine whether significant control deficiencies were noted
• Inquire of client as to changes since date of SAS 70
• Consider whether additional procedures are necessary
Assessing User Control Considerations
• Read service auditor’s report to determine:
  o Whether the considerations are relevant to your client
    - If relevant, ensure during your planning that the controls have been implemented by the client
  o Nature of complementary controls that should be in place at our client
Updating a SAS 70
When date of SAS 70 report is within the client’s fiscal year (and assessed controls as effective):
• Update through client discussions
When date of SAS 70 is outside of our client’s fiscal year (and anticipate assessing controls as effective):
• Can use the report as a starting point in gaining an understanding of the control environment
• You may not rely on this report as audit evidence
Using a SAS 70 Report
READ IT!
READ IT!
Using a SAS 70 Report
• Make sure you understand which significant processes are covered
• Can you rely on the testing which was performed?
• Determine the results of any testing that was performed
Using a SAS 70 Report
• If the report does not cover the entire period of the user organization’s fiscal year, gain an understanding for the period not covered.
Module Summary
After completing this module, you should now:
• Understand when you can rely on a SAS 70 report.
• Understand the documentation requirements when leveraging a SAS 70 report.
• Understand how you can benefit from a SAS 70 report.
Discuss the SAS 70 Reliance Decision Tree
Attest Engagement
What is an Attest Engagement?
• Examination, audit or review of subject matter or management assertion
• Higher level of assurance
• Generally includes an opinion of the auditor
• Follows the Statement on Standards for Attestation Engagements of the AICPA
Why Do We Need Attest Reports?
• Many financial situations require an attest report
• In the controls space, they can cover areas that are not possible to cover in SAS 70 or other reports
• An example is business continuity planning and the availability principle
Who uses Attest Reports?
• Attest reports are limited distribution reports
• Can be used by external auditors for evaluating audit risk
• Can be used by the service organization management
• Can be used by the user organization management
Attest Engagements
Definition and Underlying Concepts
• Subject matter
• Assertion
• Responsible party
Attest Engagements
• Suitability of Criteria
  o Objectivity
  o Measurability
  o Completeness
  o Relevance
• Availability of Criteria
Attest Auditor Responsibilities
• Training and proficiency
• Adequate knowledge of the subject matter
• Independence
• Due professional care
• If report issued according to the AICPA standard then auditor should be a CPA
Layout of Attest Report
• Differences in content for an Examination and a Review report
• Considerations as to whether opining on subject matter or management assertion
• Statement that the work conducted supports the opinion provided
• Compliance with AICPA standards
Project Management Considerations
• Obtain clear management assertion
• Ensure there are suitable criteria
• Delineate and plan every activity
• Discuss and walk through every risk and area of control
• Establish a clearly defined timeline
• Obtain concurrence from management on all identified findings
Attest Auditor Considerations
• Planning and supervision
• Obtaining sufficient evidence
• Management representations
• Reporting
• Analysis of other information presented by management
Using an Attest Report
• Ensure focus and scope are relevant
• Review criteria
• Evaluate findings
• Consider period of the attestation
• Determine whether subsequent events occurred
• Integrate controls in the report with risks in your organization
Module Summary
After completing this module, you should now be able to understand:
• What are Attest engagements
• What is an Attestation Report
• The content of an Attestation Report
• The responsibilities of the Attest Auditor
• Key considerations of managing an Attest project
• The usability of Attest reports
Good Bye SAS 70
SAS 70 No More
• Recent Developments
• International Demand
• IFAC ‐ ISAE 3402
• AICPA SSAE 16 – Reporting on Controls at a Service Organization
• New SAS – Audit Considerations Relating to an Entity Using a Service Organization
SAS 70 No More
• New Standards do not affect inquiries of management
• New Standards do not affect AUP/Shared Assessments
• New Standards do not affect the Attest Engagements
AICPA SSAE 16
• Separates Service Audit from existing SAS
• Falls under different family of standards
• Instead of an audit standard, it is an attest standard
• Requires a written management assertion
• And suitable criteria
• Does not consider the usability in a financial statement audit ONLY
SSAE 16 – Impact
• Management of the service organization is required to provide the service auditor with a written assertion about:
1. The fairness of the presentation of the description of the service organization’s system
2. The suitability of the design of the controls to achieve the related control objectives stated in the description, and, in a type 2 engagement
3. The operating effectiveness of those controls to achieve the related control objectives stated in the description.
SSAE 16 – Impact
• A service auditor is able to report on controls at a service organization other than controls that are relevant to user entities’ financial reporting, for example, controls related to user entities’ regulatory compliance, production, or quality control.
• This is probably the greatest benefit of all!
SSAE 16 – Impact
• In a type 2 report, the service auditor’s opinion on the fairness of the presentation of the description of the service organization’s system and on the suitability of the design of the controls is for a period of time rather than as of a specified date, as is the case in the current standard
SSAE 16 – Impact
• When obtaining an understanding of the service organization’s system, the service auditor would be required to obtain information to identify risks that the description of the service organization’s system is not fairly presented or that the control objectives stated in the description were not achieved due to intentional acts by service organization personnel.
SSAE 16 – Impact
• Indicates that when assessing the operating effectiveness of controls in a type 2 engagement, evidence obtained in prior engagements about the satisfactory operation of controls in prior periods does not provide a basis for a reduction in testing, even if supplemented with evidence obtained during the current period.
SSAE 16 – Impact
• A service auditor’s type 2 report would identify the customers to whom use of the report is restricted as "customers of the service organization’s system during some or all of the period covered by the service auditor’s report," and in a service auditor’s type 1 report, as, "customers as of the date of the service organization’s description covered by the report."
SSAE 16 – Key Considerations
• Effective date – the AICPA/ASB has proposed making the SSAE effective concurrently with the new ISAE 3402
• Management assertion – An assertion‐based engagement includes an explicit acknowledgement by management of its responsibility for the matters addressed in its assertion
• Convergence with International Standards
IFAC – ISAE 3402
• ISAE 3402 – Assurance Reports on Controls at a Service Organization
• Based on original structure of SAS 70 but very similar to the New SSAE
• Applies to all countries where IFAC is recognized
• Scope – applies to engagements that convey reasonable assurance when the service organization is responsible for the suitable design of controls
ISAE 3402
• The standard deals with assurance engagements by professional accountants in public practice to provide a report for use by the user entities and their auditors on the controls at a service organization that provides a service to user entities that is likely to be relevant to user entities’ internal control, as it relates to financial reporting.
ISAE 3402
The standard does not deal with assurance engagements:
• To report on whether controls at a service organization operated as described, or
• To report ONLY on controls at a service organization that are not related to a service that is likely to be relevant to user entities’ internal controls as it relates to financial reporting
Why is ISAE 3402 Important
• Impact at domestic and international levels
• It updates/replaces (potentially)/complements:
  o US ‐ Statement on Auditing Standards (SAS) No. 70
  o CA ‐ Canadian Institute of Chartered Accountants (CICA) 5970
  o UK ‐ Audit and Assurance Faculty Standard (AAF) 01/06
  o AU ‐ Guidance Statement (GS) 007
  o HK ‐ HKSA Statements – Auditing Practice Note 860.2
  o JP ‐ Audit Standards Committee Report No. 18
  o DE (Germany) ‐ IDW PS 951
IFAC – ISAE 3402
• Introduces the concept of materiality
• Not with respect to the financial statements but with respect to the system
  o The concept of materiality takes into account that the service auditor’s assurance report provides information about the service organization’s system to meet the common information needs of a broad range of user entities and their auditors who have an understanding of the manner in which that system has been used.
IFAC – ISAE 3402
• Materiality with respect to the fair presentation of the service organization’s description of its system, and with respect to the design of controls, includes primarily the consideration of qualitative factors, for example: whether the description includes the significant aspects of processing significant transactions; whether the description omits or distorts relevant information; and the ability of controls, as designed, to provide reasonable assurance that control objectives would be achieved.
IFAC – ISAE 3402
• Materiality with respect to the service auditor’s opinion on the operating effectiveness of controls includes the consideration of both quantitative and qualitative factors, for example, the tolerable rate and observed rate of deviation (a quantitative matter), and the nature and cause of any observed deviation (a qualitative matter).
Critical Steps in Assurance Reporting Under ISAE 3402
• Assessing the Suitability of the Criteria
• Obtaining an Understanding of the Service Organization’s System
• Obtaining Evidence Regarding the Description
• Obtaining Evidence Regarding Design of Controls
• Obtaining Evidence Regarding the Operating Effectiveness of Controls
Critical Steps in Assurance Reporting Under ISAE 3402
• The Work of an Internal Audit Function
• Other Information
• Preparing the Service Auditor’s Assurance Report
• Other Communication Responsibilities
Comparison of SAS 70 with ISAE/SSAE

| Topic | Existing SAS 70 Standard | ISAE 3402 / SSAE |
| --- | --- | --- |
| Scope | SAS 70 is limited to controls over the processing of financial transactions by a service organization. | Report can be extended beyond financial reporting. |
| Opinion / Assertion | The auditor provides an opinion based directly on the subject matter with no formal management assertion. | In addition to the auditor's opinion, management of the service organization provides a formal assertion affirming its responsibilities for the controls in the report. |

Extracted from “Good‐bye SAS 70” by Fiona Gaskin
Comparison of SAS 70 with ISAE/SSAE

| Topic | Existing SAS 70 Standard | ISAE 3402 / SSAE |
| --- | --- | --- |
| Disclosure requirements for use of IA | Work performed by internal audit to support the service auditor's opinion is not disclosed. | Work performed by internal audit used in part to form the service auditor’s opinion shall include a description of the internal auditor’s work and of the service auditor’s procedures with respect to that work. |
| Audit Guidance | Guidance is provided in an annually updated Audit Guide, which includes illustrative control objectives for various types of service organizations. | Guidance for the service auditor will be solely contained in the ISAE itself and will not contain illustrative control objectives. The US will continue to provide audit guidance to support the SSAE/SAS 70 standards. |

Extracted from “Good‐bye SAS 70” by Fiona Gaskin
Comparison of SAS 70 with ISAE/SSAE

| Topic | Existing SAS 70 Standard | ISAE 3402 / SSAE |
| --- | --- | --- |
| Example of Terminology Differences | Type I - report on the fairness of the description of controls and whether those controls were suitably designed. | Type 1 - report on the fairness of the description of controls and whether those controls were suitably designed. |
| | Type II - report also includes an opinion on the operating effectiveness of the controls. | Type 2 - report also includes an opinion on the operating effectiveness of the controls. |

Extracted from “Good‐bye SAS 70” by Fiona Gaskin
ISAE 3402 Report
• Internal control is a process designed to provide reasonable assurance regarding the achievement of objectives related to the reliability of financial reporting, effectiveness and efficiency of operations and compliance with applicable laws and regulations.
• Control objectives and controls at the User Organizations
• Control objectives and controls at the Service Organization
• Controls at the Service Organization that need to be complemented at User Organizations
Module Summary
After completing this module, you should now be able to understand:
• The latest developments in Third Party Assurance Standards
• The impact of new Standards
• The benefits of the new Standards
• Key differences and similarities between domestic and international standards
• Key considerations and responsibilities of a service auditor and the user of a third party assurance report
Wrap‐Up and Summary
Using Third Party Reports
• A report is not relevant if it does not address your company’s risks
• Prepare your own ICQ or use a standard one as a pre‐audit tool
• Use your company’s risk and control matrices as the basis to evaluate ICQ, AUP, SAS 70, ISAE and SSAE findings
• Starting point is your company’s risks not what is in the reports
Third Party Assurance – Final Comments
• Businesses will continue to look for opportunities to increase efficiency and effectiveness of business processes
• Globalization will not stop
• Cloud Computing will make this field more interesting and complex
• Third party assurance practice will continue to grow
• We will be either auditing or will be audited by a service auditor …
Contact
Felix Ramirez
(W) 646‐290‐8998
(C) 908‐230‐4562