SAS 70 Audit Concepts and Benefits JAYACHANDRAN.B,CISA,CISM [email protected] August 2010

Upload: nguyenxuyen

Post on 03-Apr-2018


Page 1: SAS 70 Audit Concepts and Benefits

JAYACHANDRAN.B, CISA, CISM
[email protected]
August 2010

Page 2: Agenda

• Business Environment
• Compliance requirements overview
• IT Governance and Compliance Management
• Vendor & Service Provider Management
• What is SAS 70 & Indian Equivalent
• Opportunities
• Questions?

Page 3: IT Governance at a Glance

Risk Management Programs

Critical Drivers:
• More Regulatory Requirements
• Reduced Tolerance for Service Disruption
• Increasing Threats

Page 4: Compliance Trends

The Regulatory Environment Represents a New Enterprise Challenge

Timeline: 1970-1980 | 1980-1990 | 1990-2000 | 2000-Present

• Computer Security Act of 1987
• EU Data Protection
• HIPAA
• FDA 21 CFR Part 11
• C6-Canada
• GLBA
• COPPA
• USA Patriot Act 2001
• EC Data Privacy Directive
• CLERP 9
• CAN-SPAM Act
• FISMA
• Sarbanes Oxley (SOX)
• CIPA 2002
• Basel II
• NERC 1200 (2003)
• CISP
• Payment Card Industry (PCI)
• California Individual Privacy SB1386
• Other State Privacy Laws (38)
• Privacy Act of 1974
• Foreign Corrupt Practices Act of 1977

Page 5: Responsibility

You are responsible for your vendors and service providers.

• Regulations assign data protection responsibility to the data owner
• Most regulations define provisions for data owners to provide oversight
• Law is more thoroughly defining data protection responsibilities

Page 6: Are These Your Service Providers?

Page 7: Common Theme

• Vendors and service providers introduce unique risks
• The current state of vendor data security is inconsistent
• Regulators have inserted vendor management as a key element for all significant data security programs
• Compliance by service providers with those regulations is in the early stages (i.e. don’t expect much)

Page 8: Demystifying certifications

“Business knowledge makes your decision making easier”

Page 9: The certification obsession

• Almost a million organizations have obtained ISO 9001 certification
  – About 5,600 have obtained ISO 27001 certification
• India has over 40K organizations that are ISO 9001 certified
  – 369 Indian organizations have obtained ISO 27001 certification
  – India ranked #3 for ISO 27001 after Japan (3,790) and UK (487)
• ROI of certification – easier to establish when it’s a competitive differentiator
• Assigning a Rupee (Dollar) value to benefits of certification – hard to establish

Page 10: Vendor Management Overview

Page 11: Vendor Management Program

RISK
• Know your vendor
• Aligned expectations
• Effective controls
• Enforced

PROGRAM
• Due Diligence
• Contract Terms
• Joint Risk Assessment
• Defined Standards
• Defined Control Responsibility
• Vendor Reporting
• Periodic Audit

Page 12: A History of Issues

• Poor Controls – A Fortune 500 company reports a lost server with sensitive data at a marketing firm
• Unsecure Applications – VISA reports that unsecured applications and services are the highest risk to cardholder data processing
• Weak NDA – Service provider sells sensitive data and gets $10 million
• Poor Staff Supervision – A careless firewall management firm leaves unsecured ports open to an organisation’s network

Page 13: Due Diligence

• Service provider capabilities aligned to business needs
• Financial stability
• Reference checks
• Formal review and approval process
• Maintain evidence of due diligence validation

Page 14: Contract Terms

• Acknowledge access to sensitive data
• Agree to protect sensitive data
• Non-Disclosure and Confidentiality Agreement (NDA)
• Risk assessment and selection of controls
• Specify standards
• Define control responsibility
• Periodic reporting of control effectiveness
• Audit
• Notification of breach and support of incident investigation

Page 15: Standards

Not all service providers are aware of industry or regulatory standards for data protection. The data owner must make service providers aware of standards to include:

• Regulatory requirements (GLBA, HIPAA, PCI)
• Industry best practices (CoBIT, FFIEC, ISO 27001, NIST, ITIL)
• Company standards and policies
• Audit and reporting standards (PCI, SOX, SAS 70)

Page 16: Risk Assessment and Control Selection

• Define system data flow
• Identify system responsibilities
• Perform risk assessment
• Select justified controls
• Identify control metrics
• Measure control effectiveness
• Identify a roadmap to jointly mitigate risks to sensitive data

Page 17: Unified Compliance Programs

Compliance drivers: PCI, SOX, HIPAA, GLBA, ISO 17799, Privacy Laws

Unified IT Controls:
• Logging
• Penetration Testing
• Firewall
• IDS
• Code Review
• Security Arch. Design
• Access Controls
• Training
• Security Policy
• NIDS/HIDS

Page 18: SAS 70 : What is it?

• The SAS 70 examination and its predecessor engagement has been in existence for more than 30 years.
• Commercial and government organizations are becoming increasingly reliant on shared services processing.
• An examination conducted in accordance with the AICPA’s Statement on Auditing Standards (SAS) No. 70 “Service Organizations” is a highly specialized examination of the design and operational effectiveness of a service organization’s internal controls over processing transactions for user organizations.
  – A report must be issued by an independent auditor CPA.
  – Covers controls exercised by a service organization on behalf of its user organizations.
  – Control objectives are customizable based upon service organization and the functions performed.
  – Relates to the user organization’s financial statement assertions.

Page 19: Misconceptions

Misconception that a SAS 70 examination is some sort of “certification” process that is governed by established criteria.
  – Organizations have referred to their “SAS 70 Certification” on their Web sites.
  – SAS 70 is not a certification.
  – A SAS 70 examination is most closely aligned with an audit, as it is governed by audit standards established by the AICPA.
  – SAS 70 guidance was written to provide the auditor the flexibility to address varied control environments and control objectives.
  – The AICPA’s SAS 70 is a framework for auditors to follow in providing an opinion over a given control environment.
  – Non-CPAs may attempt to issue – confusing websites.

Page 20: Importance of a SAS 70

• Communication of information about the service provider’s controls
  – The financial statement auditors of user organizations are required under professional standards to understand all aspects of transaction processing and control, including processing performed by a third party service organization.
  – Clients of service organizations are beginning to demand service auditor reviews be performed on a regular basis over outsourced business processes.
• SAS 70 auditors can develop familiarity with the service organization’s environment and leverage that knowledge for audit efficiencies across business offerings and platforms

Page 21: Importance of a SAS 70

• What are the alternatives that a financial statement auditor has when faced with an external service provider?
  – Test the relevant controls at the service provider that support management’s assertions on the financial statements
  – Identify and test controls at the user organization that would prevent, detect and correct any control failures for key controls at the service provider (not always a possibility)
  – Rely on the results of a SAS 70 examination (assuming appropriate scope, timing and results of testing)

The above are not mutually exclusive alternatives.

Page 22: Parties Involved

• A service auditor is the auditor who reports on controls of a service organization that may be relevant to a user organization’s internal control as it relates to an audit of financial statements.
• A service organization is the entity or segment of an entity that provides services to a user organization that are part of the user organization’s information system.
• A user auditor is the auditor that reports on the financial statements of the user organization and relies on the report issued by the service auditor.
• A user organization is the entity that has engaged a service organization and whose financial statements are being audited.

Page 23: What is a Service Organization?

• Organizations that host or support customer hardware and software
  – Data center providers
  – Application service providers (ASPs)
  – Managed information security services
  – Web-hosting or eCommerce infrastructure services
• Organizations that assist customers with initiating, authorizing, recording, or processing transactions
  – Transfer agents and custodians
  – Third-party administrators (TPAs)
  – Claims processing facilities
  – Data warehouses
  – Call center and customer service centers

Providing services that impact a customer organization’s internal control

Page 24: Establishing the Terms of the Engagement

• Most audit firms require a signed engagement letter before beginning the work.
• Must be dated before field work starts
• Includes:
  – Scope – Type I or Type II report and period of review
  – Areas to be covered and control objectives to be reviewed
  – Management’s responsibilities
  – Staff to be assigned to the engagement
  – Professional fees

Page 25: SAS 70 Sample Approach

• Evaluate testing results and determine if additional testing is necessary
• Report results to management
• Develop report
• Obtain management representation letter
• Finalize and issue report

Page 26: Content of a SAS 70 Report

• Independent Service Auditor’s Report provided by (Audit Organization)
• Description of controls provided by the Service Organization
  – Overview of operations
  – Relevant aspects of a control environment, risk assessment and monitoring
  – Information and communication

Page 27: Management Representation Letters

• Communication from Service Organization management to Independent Auditors
• Dated last day of audit field work
• Key disclosures:
  – Service Organization must disclose to the auditor all significant changes in controls that have occurred since the last examination and they must reflect such changes in their description of controls
  – Service Organization must disclose to the auditor any illegal acts, fraud, or uncorrected errors attributable to management or employees that may affect one or more of the user organizations.

Page 28: Management Representation Letters

• Key disclosures:
  – Any design deficiencies in the controls must be disclosed for which the service organization believes the cost of corrective action may exceed benefits.
  – No subsequent events have occurred that would have a significant effect on user organizations that have not been disclosed to the auditor.
  – Service organization has disclosed to the auditor all instances in which they are aware that controls have not operated with sufficient effectiveness to achieve the specified control objectives.

Page 29: Purpose of SAS 70 Report

• Reports on the processing of transactions performed by service organizations;
• Provides for reporting on a service organization’s internal controls to clients, clients’ auditors and other interested parties including prospective clients;
• Often referred to as a “service auditors’ report”.

Page 30: Types of SAS 70 Reports

Type 1
• Reports on controls placed in operation (as of a point in time)
• Looks at the design of controls – not operating effectiveness
• Considered for information purposes only
• Not considered a significant use for purposes of reliance by user auditors/organizations
• Most often performed only in the first year a client has a SAS 70

Type 2
• Reports on controls placed in operation and tests of operating effectiveness (for a period of time, generally not less than 6 months)
• Differentiating factor: includes tests of operating effectiveness
• More comprehensive
• Requires more internal and external effort
• Identifies instances of non-compliance
• More emphasis on evidential matter

Page 31: Report Structure

• Section One – Independent Service Auditors’ Report (the auditors’ opinion)
• Section Two – Description of Internal Controls and Control Objectives
  – Overview of the organization
  – Control environment elements
  – System description
  – Control objectives, control activities and user control considerations

Page 32: Report Structure

• Section Three – Information Provided by the Independent Service Auditor
  – Type 1 includes the test related to the design of the control environment
  – Type 2 also includes the tests of operating effectiveness with results and exceptions
• Section Four – Information Provided by the Service Organization (Optional)

Page 33: The Value of the SAS 70 Examination

• Provides the User Organization and their auditors with basic assurance around specified controls at the Service Organization
• Decreases interruptions from multiple user organization audits
• Increases consistency of information provided to user organizations
• Provides management within the Service Organization independent assurance of the design and operating effectiveness of key controls used to process user organizations’ transactions
• Increases audit efficiencies for the User Auditor and the Service Auditor

Page 34: Key benefit of a SAS 70

• Reduce disruption from multiple user organization audits
  – The SAS 70 review was designed by the AICPA to enable service organizations to obtain a single audit to accommodate all or most of its user organizations’ audit requirements, substantially reducing its audit support costs.

Page 35: SAS 70 assignment execution

Page 36: "What's in it for me?"

• SAS 70 and SA 402 (AAS 24) “Audit Considerations Relating to Entities Using Service Organizations” (1-4-2003)
• http://www.icai.org/resource_file/17343Link_20_402SA-AAS24_12oct09.pdf
• The Sarbanes-Oxley Act requires accounting firms to register with the PCAOB in order to prepare, issue, or participate in audit reports of issuers. Non-U.S. accounting firms that furnish, prepare, or play a substantial role in preparing an audit report for any issuer are also subject to PCAOB rules.
• Preparation of internal control documentation (SOP)
• Continuous assessment of the effectiveness of controls

Page 37: SAS 70 assignment execution

Page 38: SAS 70 Drivers: Legislation

Legislation does not mandate the production of SAS 70s. However, the legislation has:

• Increased the awareness and scrutiny of internal controls
• Made obtaining a SAS 70 from external as well as internal service organizations a sound and prudent risk management practice
• Made CEOs and CFOs responsible for establishing, evaluating, and monitoring the effectiveness of internal controls over financial reporting and disclosure

Page 39: Leveraging existing certification to SAS 70 compliance

• The Initial Solution
  – Document requirements for SAS 70
  – Develop / redeploy controls
  – Maintain SAS 70 compliance
• The Pain
  – Separate initiatives for each compliance driver
  – Duplication of effort
  – Confused employees
• The Smart Solution
  – Leverage existing certifications
  – Combination of ISO 9001 and ISO 27001 controls to meet SAS 70 requirements; have quality management maintain SAS 70 compliance
• Benefit:
  – SAS 70 compliance at no extra cost
  – Centralized records to address documentation requirements
  – Extension of this innovative deployment to other engagements
  – Site certification of SAS 70 – proactive demonstration of commitment

Page 40: Prevention vs. Response

• A recent Gartner study showed that preventing an incident was typically less than 4% of the cost of the incident

Page 41: Questions or Comments?