acumen
insight
ideas
attention
reach
expertise
depth
agility
talent
SAS 70 – Readiness Kick-off
Presented by
Rod Walsh
SAS 70 Solutions Agenda
Definitions
What is it?
SAS 70 Report & Opinion
SAS 70 Services
Readiness Activities
Team Members & Process Owners
Samples & Documents
Timeline
Service Organizations
Service Organization – provider of services that may impact a user’s (client’s) financial statement
Such as:
data centers
transaction / claims processing centers
application service providers
bank processing centers
“Service auditor” issues an opinion on a service organization's description of controls
User Organizations
Users of the Service Organization – typically considered your members or clients
“User Auditor” (i.e. your client’s auditor) is auditing the financial statements of your client (the “user organization”) that obtains services from you (the “service organization”)
User auditors want to have assurance that adequate controls are in place such that they can rely on the service organization’s assertions and services that may affect their client’s financial statements
Other Common Phrases
Control Objective
Control Activity
User Controls
Testing
Supporting documentation
Narrative
What is it?
Statement on Auditing Standards (SAS) No. 70, Service Organizations, (AICPA)
Standardized report by an independent CPA ("service auditor") to issue an opinion on a service organization's description of controls
Attestation Examination – Not an Audit (i.e. we are attesting to the representations made by management of the service organization)
Not a “checklist” exercise
Types of Control Objectives
Management provides a Risk and Standards Based Description of Controls, and specific Control Objectives and Activities that typically include:
Organizational Controls / Control Environment
IT General Controls – Program Development and Program Change
IT General Controls – Computer Operations and Access to Programs and Data
Application Controls – Business Cycle
Report Components
Section | Activity | Type I | Type II
I | Our Opinion | X | X
II | Narrative Description of Controls (from you) | X | X
III | Control Objectives: Client Control Objectives & Activities; Testing Performed; Results | Optional | X
IV | Non Audited Information (Glossary / Disaster Rec.) | Optional | Optional
Meaning of a SAS 70 Opinion
Result: BKD Opinion on controls as stated by Service Organizations’ Management
Components of Type I & II Opinions
Description of Controls is a fair representation
Controls are Suitably Designed
Controls have been Placed in Operation
Tests of Controls indicate Controls are Operating Effectively*
*Component of a Type II opinion only
SAS 70 Services
Readiness Engagement
Preparatory Guidance
Gap Analysis
Type I SAS 70
Type II SAS 70
Readiness Activities
Organizational Review / Corporate organization
Review of organization and management structures
Identification and review of services / products to be examined
Identify Key Technologies / Software
Identify Key Third Parties
Readiness Activities
Review process flow
By service / product area
Between and within sub corporations for identified processes
Define process responsibilities
Client
Data Center
Key Third Parties
Readiness Activities
Define Control Objectives and Activities (Using Process Documents and Samples)
Organizational Controls / Control Environment
IT General Controls – Program Development and Program Change
IT General Controls – Computer Operations and Access to Programs and Data
Application Controls – Business Cycle
Process Documents Review
Sample Report
Description of Controls Outline
SAS 70 Overview
Master Control Objectives
Control Development / Process Owner Agenda
Control Obj. & Activity Development Grid
Process Documents Review
Sample User Controls
Sample policy / procedure resources
Testing examples
Readiness Activities
Gap Assessment
Remediation
Readiness Deliverables
BKD Deliverables
Client Training / Samples / Mentoring
Readiness Assessment
Recommendations for Improvement to above documents
Deliverables From Client
Description of Controls (Narrative)
Control Objectives & Activities
“Mapping” to Policy, Procedure & Documentation
User Considerations
SAS 70 Type I Activities
Provided by Client (PBC)
Description of Controls
Control Objectives & Activities
“Mapping” to Policy, Procedure & Documentation
BKD Deliverables
BKD staff according to IT / Process / Industry
Description of Controls is a fair representation
Controls Suitably Designed
Point in time sample testing for Existence
Report
SAS 70 Type II Activities
PBC
Description of Controls
Control Objectives & Activities
“Mapping” to Policy, Procedure & Documentation
BKD Deliverables
Type I Deliverables, plus -
Testing Design
Testing
Report
Timeline Discussion
Assessment or Management Review
Type I / II Activities
Target Report Date
Thank you