IT Governance and Compliance Management

Agenda
• Business Environment
• Compliance Requirements Overview
• Risk Management Programs
• Vendor & Service Provider Management
• What is SAS 70 & Indian Equivalent
• Opportunities
• Questions?
Critical Drivers
• More Regulatory Requirements
• Reduced Tolerance for Service Disruption
• Increasing Threats
IT Governance at a Glance
Timeline: 1970-1980 | 1980-1990 | 1990-2000 | 2000-Present
The Regulatory Environment Represents a New Enterprise Challenge
• Computer Security Act of 1987
• EU Data Protection
• HIPAA
• FDA 21 CFR Part 11
• C6-Canada
• GLBA
• COPPA
• USA Patriot Act 2001
• EC Data Privacy Directive
• CLERP 9
• CAN-SPAM Act
• FISMA
• Sarbanes Oxley (SOX)
• CIPA 2002
• Basel II
• NERC 1200 (2003)
• CISP
• Payment Card Industry (PCI)
• California Individual Privacy SB1386
• Other State Privacy Laws (38)
• Privacy Act of 1974
• Foreign Corrupt Practices Act of 1977
Compliance Trends
You are responsible for your vendors and service providers.

Responsibility
• Regulations assign data protection responsibility to the data owner
• Most regulations define provisions for data owners to provide oversight
• Law is more thoroughly defining data protection responsibilities

Are These Your Service Providers?
• Vendors and service providers introduce unique risks
• The current state of vendor data security is inconsistent
• Regulators have inserted vendor management as a key element for all significant data security programs
• Compliance by service providers with those regulations is in the early stages (i.e. don't expect much)
Common Theme
Demystifying certifications
"Business knowledge makes your decision making easier"

The certification obsession
• Almost a million organizations have obtained ISO 9001 certification
  – About 5,600 have obtained ISO 27001 certification
• India has over 40K organizations that are ISO 9001 certified
  – 369 Indian organizations have obtained ISO 27001 certification
  – India ranked #3 for ISO 27001 after Japan (3,790) and UK (487)
• ROI of certification – easier to establish when it's a competitive differentiator
• Assigning a Rupee (Dollar) value to the benefits of certification – hard to establish
Vendor Management Overview

Vendor Management Program
RISK
• Know your vendor
• Aligned expectations
• Effective controls
• Enforced

PROGRAM
• Due Diligence
• Contract Terms
• Joint Risk Assessment
• Defined Standards
• Defined Control Responsibility
• Vendor Reporting
• Periodic Audit
A History of Issues
• Poor Controls
  – A Fortune 500 company reports a lost server with sensitive data at a marketing firm
• Unsecure Applications
  – VISA reports that unsecured applications and services are the highest risk to cardholder data processing
• Weak NDA
  – Service provider sells sensitive data and gets $10 million
• Poor Staff Supervision
  – A careless firewall management firm leaves unsecured ports open to an organisation's network
Due Diligence
• Service provider capabilities aligned to business needs
• Financial stability
• Reference checks
• Formal review and approval process
• Maintain evidence of due diligence validation
Contract Terms
• Acknowledge access to sensitive data
• Agree to protect sensitive data
• Non-Disclosure and Confidentiality Agreement (NDA)
• Risk assessment and selection of controls
• Specify standards
• Define control responsibility
• Periodic reporting of control effectiveness
• Audit
• Notification of breach and support of incident investigation
Standards
Not all service providers are aware of industry or regulatory standards for data protection. The data owner must make service providers aware of standards, including:
• Regulatory requirements (GLBA, HIPAA, PCI)
• Industry best practices (COBIT, FFIEC, ISO 27001, NIST, ITIL)
• Company standards and policies
• Audit and reporting standards (PCI, SOX, SAS 70)
Risk Assessment and Control Selection
• Define system data flow
• Identify system responsibilities
• Perform risk assessment
• Select justified controls
• Identify control metrics
• Measure control effectiveness
• Identify a roadmap to jointly mitigate risks to sensitive data
Unified Compliance Programs
(Diagram: the compliance drivers PCI, SOX, HIPAA, GLBA, ISO 17799 and Privacy Laws all map onto a single set of Unified IT Controls: logging, penetration testing, firewall, IDS, code review, security architecture and design, access controls, training, security policy, NIDS/HIDS.)
SAS 70: What is it?
• The SAS 70 examination and its predecessor engagement have been in existence for more than 30 years.
• Commercial and government organizations are becoming increasingly reliant on shared services processing.
• An examination conducted in accordance with the AICPA's Statement on Auditing Standards (SAS) No. 70, "Service Organizations", is a highly specialized examination of the design and operational effectiveness of a service organization's internal controls over processing transactions for user organizations.
  – A report must be issued by an independent auditor (CPA).
  – Covers controls exercised by a service organization on behalf of its user organizations.
  – Control objectives are customizable based upon the service organization and the functions performed.
  – Relates to the user organization's financial statement assertions.
Misconceptions
• Misconception that a SAS 70 examination is some sort of "certification" process that is governed by established criteria.
  – Organizations have referred to their "SAS 70 Certification" on their Web sites.
  – SAS 70 is not a certification.
  – A SAS 70 examination is most closely aligned with an audit, as it is governed by audit standards established by the AICPA.
  – SAS 70 guidance was written to provide the auditor the flexibility to address varied control environments and control objectives.
  – The AICPA's SAS 70 is a framework for auditors to follow in providing an opinion over a given control environment.
  – Non-CPAs may attempt to issue – confusing websites.
Importance of a SAS 70
• Communication of information about the service provider's controls
  – The financial statement auditors of user organizations are required under professional standards to understand all aspects of transaction processing and control, including processing performed by a third-party service organization.
  – Clients of service organizations are beginning to demand service auditor reviews be performed on a regular basis over outsourced business processes.
• SAS 70 auditors can develop familiarity with the service organization's environment and leverage that knowledge for audit efficiencies across business offerings and platforms.
• What are the alternatives that a financial statement auditor has when faced with an external service provider?
  – Test the relevant controls at the service provider that support management's assertions on the financial statements
  – Identify and test controls at the user organization that would prevent, detect and correct any control failures for key controls at the service provider (not always a possibility)
  – Rely on the results of a SAS 70 examination (assuming appropriate scope, timing and results of testing)
The above are not mutually exclusive alternatives.
Parties Involved
• A service auditor is the auditor who reports on controls of a service organization that may be relevant to a user organization's internal control as it relates to an audit of financial statements.
• A service organization is the entity or segment of an entity that provides services to a user organization that are part of the user organization's information system.
• A user auditor is the auditor that reports on the financial statements of the user organization and relies on the report issued by the service auditor.
• A user organization is the entity that has engaged a service organization and whose financial statements are being audited.

What is a Service Organization?
Providing services that impact a customer organization's internal control:
• Organizations that host or support customer hardware and software
  – Data center providers
  – Application service providers (ASPs)
  – Managed information security services
  – Web-hosting or eCommerce infrastructure services
• Organizations that assist customers with initiating, authorizing, recording, or processing transactions
  – Transfer agents and custodians
  – Third-party administrators (TPAs)
  – Claims processing facilities
  – Data warehouses
  – Call center and customer service centers
Establishing the Terms of the Engagement
• Most audit firms require a signed engagement letter before beginning the work.
• Must be dated before field work starts
• Includes:
  – Scope – Type I or Type II report and period of review
  – Areas to be covered and control objectives to be reviewed
  – Management's responsibilities
  – Staff to be assigned to the engagement
  – Professional fees
SAS 70 Sample Approach
• Evaluate testing results and determine if additional testing is necessary
• Report results to management
• Develop report
• Obtain management representation letter
• Finalize and issue report
Content of a SAS 70 Report
• Independent Service Auditor's Report, provided by the audit organization
• Description of controls, provided by the service organization
  – Overview of operations
  – Relevant aspects of the control environment, risk assessment and monitoring
  – Information and communication
Management Representation Letters
• Communication from service organization management to the independent auditors
• Dated the last day of audit field work
• Key disclosures:
  – The service organization must disclose to the auditor all significant changes in controls that have occurred since the last examination, and must reflect such changes in its description of controls
  – The service organization must disclose to the auditor any illegal acts, fraud, or uncorrected errors attributable to management or employees that may affect one or more of the user organizations
  – Any design deficiencies in the controls must be disclosed for which the service organization believes the cost of corrective action may exceed the benefits
  – No subsequent events have occurred that would have a significant effect on user organizations that have not been disclosed to the auditor
  – The service organization has disclosed to the auditor all instances in which it is aware that controls have not operated with sufficient effectiveness to achieve the specified control objectives
Purpose of SAS 70 Report
• Reports on the processing of transactions performed by service organizations;
• Provides for reporting on a service organization's internal controls to clients, clients' auditors and other interested parties including prospective clients;
• Often referred to as a "service auditors' report".
Types of SAS 70 Reports

Type 1
• Reports on controls placed in operation (as of a point in time)
• Looks at the design of controls, not operating effectiveness
• Considered for information purposes only
• Not considered a significant use for purposes of reliance by user auditors/organizations
• Most often performed only in the first year a client has a SAS 70

Type 2
• Reports on controls placed in operation and tests of operating effectiveness (for a period of time, generally not less than 6 months)
• Differentiating factor: includes tests of operating effectiveness
• More comprehensive
• Requires more internal and external effort
• Identifies instances of non-compliance
• More emphasis on evidential matter
Report Structure
• Section One – Independent Service Auditors' Report (the auditors' opinion)
• Section Two – Description of Internal Controls and Control Objectives
  – Overview of the organization
  – Control environment elements
  – System description
  – Control objectives, control activities and user control considerations
• Section Three – Information Provided by the Independent Service Auditor
  – Type 1 includes the tests related to the design of the control environment
  – Type 2 also includes the tests of operating effectiveness, with results and exceptions
• Section Four – Information Provided by the Service Organization (optional)
The Value of the SAS 70 Examination
• Provides the user organization and their auditors with basic assurance around specified controls at the service organization
• Decreases interruptions from multiple user organization audits
• Increases consistency of information provided to user organizations
• Provides management within the service organization independent assurance of the design and operating effectiveness of key controls used to process user organizations' transactions
• Increases audit efficiencies for the user auditor and the service auditor

Key Benefit of a SAS 70
• Reduce disruption from multiple user organization audits
  – The SAS 70 review was designed by the AICPA to enable service organizations to obtain a single audit to accommodate all or most of their user organizations' audit requirements, substantially reducing audit support costs.
SAS 70 Assignment Execution
• SAS 70 and SA 402 (AAS 24), "Audit Considerations Relating to Entities Using Service Organizations" (1-4-2003)
• http://www.icai.org/resource_file/17343Link_20_402SA-AAS24_12oct09.pdf
• The Sarbanes-Oxley Act requires accounting firms to register with the PCAOB in order to prepare, issue, or participate in audit reports of issuers. Non-U.S. accounting firms that furnish, prepare, or play a substantial role in preparing an audit report for any issuer are also subject to PCAOB rules.
• Preparation of internal control documentation (SOP)
• Continuous assessment of the effectiveness of controls
• "What's in it for me?"
SAS 70 Drivers: Legislation
Legislation does not mandate the production of SAS 70s. However, the legislation has:
• Increased the awareness and scrutiny of internal controls
• Made obtaining a SAS 70 from external as well as internal service organizations a sound and prudent risk management practice
• Made CEOs and CFOs responsible for establishing, evaluating, and monitoring the effectiveness of internal controls over financial reporting and disclosure
Leveraging Existing Certification to SAS 70 Compliance
• The Initial Solution
  – Document requirements for SAS 70
  – Develop / redeploy controls
  – Maintain SAS 70 compliance
• The Pain
  – Separate initiatives for each compliance driver
  – Duplication of effort
  – Confused employees
• The Smart Solution
  – Leverage existing certifications
  – Combine ISO 9001 and ISO 27001 controls to meet SAS 70 requirements; have quality management maintain SAS 70 compliance
• Benefit:
  – SAS 70 compliance at no extra cost
  – Centralized records to address documentation requirements
  – Extension of this innovative deployment to other engagements
  – Site certification of SAS 70 – proactive demonstration of commitment
Prevention vs. Response
• A recent Gartner study showed that preventing an incident was typically less than 4% of the cost of the incident

Questions or Comments?