Regulatory Compliance, Governance and Security:

SAS 70

Jun 3 2009   6:34PM GMT

SAS 70 | Surprise Examination | Internal Control Report for Investment Advisers



Posted by: Charles Denyer
The investment Advisers Act of 1940, surprise examination, internal control report, charles denyer, SAS 70, sample sas 70 type II report, qualified custodian, client funds, securities, File No. S7-09-09

The SAS 70 auditing standard is sure to become a necessary element of the proposed changes for the Investment Advisers Act of 1940. The SEC released a draft of proposed changes regarding “Custody of Funds or Securities of Clients by Investment Advisers” (File No. S7-09-09). In short, this comprehensive document proposes the use of “surprise examinations” and an “internal control report” for entities that have custody of client funds or securities, or that instead serve as a qualified custodian for client funds or securities.

Currently the “surprise examination” is described as a “written report from an independent public accountant”, while the “internal control report” is described as a SAS 70. At this point, it is not completely clear what distinctions, if any, will be made between the auditing framework for the “surprise examination” and that for the “internal control report”. More than likely, the SAS 70 auditing standard will be utilized for both the “surprise examination” and the “internal control report”.

You can obtain a sample SAS 70 Type II Report and list of sample custodial control objectives by visiting the SAS 70 Resource Guide.

May 30 2009   8:26PM GMT

SAS 70 Control Objectives for Investment Advisers | Custodial Operations



Posted by: Charles Denyer
Custody of Funds or Securities of Clients by Investment Advisers, File No. S7-09-09, charles denyer, SAS 70, control objectives, investment advisors, custodial operations, client funds or securities along with performing custodial duties and operations, cash and security positions, net settlement procedures, securities income, market values of securities, sample sas 70 type II report, sas70.us.com, investment advisers

The SEC released a draft of proposed changes regarding “Custody of Funds or Securities of Clients by Investment Advisers” (File No. S7-09-09), calling for more oversight and controls over investment advisers or related persons who have custody of client funds or securities along with performing custodial duties and operations.

In short, the proposed changes will possibly require a “surprise examination” and an “internal control report” on these very entities that have custody of client funds or securities along with performing custodial duties and operations.

The proposed control objectives are as follows:

• Physical securities are safeguarded from loss or misappropriation;
• Cash and security positions are reconciled accurately and on a timely basis between the custodian and depositories, and between the custodian and accounting systems;
• Client-initiated trades are properly authorized and recorded completely and accurately in the client account;
• Securities income and corporate action transactions are processed to client accounts in an accurate and timely manner;
• Net settlement procedures for delivery and receive transactions are performed accurately;
• Documentation for the opening of accounts is received and authenticated, and established completely and accurately on the applicable system; and
• Market values of securities obtained from various outside pricing sources have been recorded accurately in client accounts.

If you want to learn more about these proposed changes and would like to receive a sample SAS 70 Type II report, then visit the official SAS 70 Resource Guide at sas70.us.com.


May 10 2009   2:59PM GMT

COSO | SAS 55 | SAS 70 | SAS 78 | Understanding the Relationship



Posted by: Charles Denyer
coso, sas 55, SAS 70, sas 78, charles denyer, SAS 70 Type I, type ii audit, internal controls, aicpa, american institute of certified public accountants, The Committee of Sponsoring Organizations of the Treadway Commission

COSO is a widely used and accepted internal control framework in today’s growing corporate governance initiatives. It also features heavily in Statement on Auditing Standards No. 70 (SAS 70) audits.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework essentially defines internal control as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the effectiveness and efficiency of operations, the reliability of financial reporting, and compliance with applicable laws and regulations. That definition rests on four key concepts:

1. Internal control is a process. It is a means to an end, not an end in itself.
2. Internal control is not merely documented by policy manuals and forms. Rather, it is put in place by people at every level of an organization.
3. Internal control can provide only reasonable assurance, not absolute assurance, to an entity’s management and board.
4. Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

What’s notable about the relationship between COSO and SAS 70 is COSO’s framework for internal control, which consists of the following five (5) broad-based themes:

1. Control Environment
2. Control Activities
3. Risk Assessment
4. Information and Communication
5. Monitoring

Many SAS 70 Type I and Type II audit reports discuss, in narrative form, these five areas, how they relate to the organization undergoing the SAS 70 audit, and what specific controls the organization has in place for each of them.

And let’s not forget the Statements on Auditing Standards (SAS pronouncements) that help bring these five internal control themes to light.

In 1988, the American Institute of Certified Public Accountants (AICPA) issued SAS 55, which describes internal control in terms of its three major components: control environment, accounting system, and control procedures. Shortly thereafter, the Committee of Sponsoring Organizations (COSO) released Internal Control: Integrated Framework, in which internal control was characterized as five components: control environment, control activities, risk assessment, information and communication, and monitoring.

Then, in 1995, the AICPA adopted COSO’s definition and its five components of internal control, issuing SAS No. 78 to amend SAS No. 55.

So, you should now be able to clearly see the relationship between SAS 70 and COSO, and the relationship between SAS 70 and other SAS pronouncements, specifically SAS 55 and SAS 78.

If you want to learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.


Apr 27 2009   11:18AM GMT

Virtualization and Cloud Computing | How and Why Auditing WILL change



Posted by: Charles Denyer
charles denyer, SAS 70, pci audits, cloud, Virtualization, cloud computing

The whole new wave of I.T. spreading through businesses today is that of virtualization, cloud computing, the “cloud”, or any other similar and broad-based terms or themes. Many people have hailed this new concept for obvious reasons, such as the reduction in overall hardware and the space it takes up, along with the ability to “virtualize” and share many common systems and applications via a centralized platform, just to name a few.

The challenge in this new I.T. arena is for auditors to truly understand what this new concept is and how they can apply new and improved auditing methods to ensure that many popular assessment and audit initiatives (SAS 70 and PCI, just to name a few) remain viable. For example, both SAS 70 audits and PCI assessments rely heavily on “sampling” for testing. Sampling in a virtual world, though doable, will require truly understanding a virtual/cloud platform and how one customer’s system or environment is logically isolated from another’s.

In short, the old world of auditing, in which a single service or function resides on a dedicated, stand-alone physical server box, is, well, going to the grave very quickly. It’s time to roll up our sleeves, embrace the “cloud”, and start to frame and shape improved audit procedures.


Apr 27 2009   2:06AM GMT

Sarbanes Oxley (SOX) and SAS 70 | What Does the Future Hold?



Posted by: Charles Denyer
Compliance, Sarbanes-Oxley, SAS 70, SOX, PCI, charles denyer, corporate governance

Sarbanes Oxley and SAS 70 audits have had a monumental impact on corporate governance and compliance. So much so, they almost invented a huge part of the pie. As a SAS 70 auditor, I’m often asked what the future holds for Sarbanes Oxley (SOX) compliance and also SAS 70.

Well, my friends, let’s take a look at the crystal ball and let me give you my thoughts on SOX and SAS 70.

First and foremost, compliance is NOT going away. Sure, there have been growing pains with the cost and time associated with SOX compliance, but those costs are starting to become greatly streamlined as organizations find ways to be more efficient with SOX compliance. In short, it’s here to stay, so consider it a part of life in the business world. With the rash of fraud that occurred on Wall Street, which almost toppled the capital markets overnight, there will no doubt be MORE compliance laws, regulations, and rules echoing out of the halls of Congress. I would not be worried and thinking too much about SOX, but rather about what else is in the witches’ brew that could be cooked up on Capitol Hill. Think I’m kidding? PCI compliance recently became codified into law in MN, with many other states following closely behind.

With SOX staying, you can rest assured that SAS 70 will be hanging around like a little brother. And why not? It’s been a hugely successful internal control auditing mechanism that has shed light on service organizations and how they conduct business.

Compliance is a way of life, as sure as death and taxes. The key is finding a way to meet compliance in a cost-effective and streamlined manner.


Mar 20 2009   6:20PM GMT

SAS 70 Compliance | Tips on Scoping a SAS 70 Audit



Posted by: Charles Denyer
sas 70 compliance, SAS 70, sas 70 type ii, audit, general controls audit, sas 70 resource guide, charles denyer, managed services sas 70

SAS 70 compliance is commonplace for many of today’s businesses. Unfortunately, one of the missing ingredients in understanding SAS 70 compliance is the scope of the audit. That’s right: the who, what, when, where, and why of the actual SAS 70 audit process. Most service organizations undergoing a SAS 70 audit think that they are all the same, that is, that one SAS 70 report should “look and feel” like another. This is incorrect, as different industries and companies alike have varying requirements on what needs to be covered for SAS 70 compliance.

Here are some things you need to know to help determine SAS 70 scope:

1. What is the test period (if a SAS 70 Type II audit is being conducted)?
2. Where are all the locations (physical offices, data centers) that will be included in the testing of the audit?
3. What is the audit actually COVERING? That is, is it a general controls audit, or are there certain business processes that are being included in the scope of the audit? (This is essentially one of the biggest scoping issues you need to understand and come to an agreement on.)

To learn more about SAS 70 compliance and scoping, visit the official SAS 70 Resource Guide.


Feb 18 2009   7:53PM GMT

PCI DSS and SAS 70 Audits | Audit Efficiencies? Maybe…just Maybe



Posted by: Charles Denyer
payment card industry data security standards (PCI DSS), qsa, PCI DSS, SAS 70, sas70, sas 70 audits, pci dss assessments

As a SAS 70 auditor and a PCI QSA, I’m often asked about the efficiencies of scale that can be achieved with SAS 70 audits and PCI DSS assessments. I have blogged about this a few times before, so let me be more clear and transparent about what I believe can actually be obtained in regards to audit efficiencies when conducting a SAS 70 audit and a PCI DSS assessment on an entity.

First and foremost, as an auditor, there should still be independence between the SAS 70 audit and the PCI DSS assessment. Independence how? Simple: do not treat them as one audit, because they are simply not that. Technically speaking, a PCI assessment is just that, an assessment, not an audit, which requires “attestation”. Moreover, there are significant differences between the audit and the assessment, which can be discussed at length (and will be) in a whole different blog.

I stress in the title of this blog that “maybe” there can be audit efficiencies; however, this often depends on the quality of the auditors, their expertise in conducting both a PCI assessment and a SAS 70 audit, and how much they are willing to rely on evidence from the PCI DSS assessment for the SAS 70 audit, and vice versa. Good auditors will find ways to create these efficiencies; other auditors might want to conduct a PCI DSS assessment and rubber stamp a SAS 70. This is a BIG NO NO.

Want to learn more about where these efficiencies of scale can be maximized? To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide, and to learn more about PCI DSS assessments, visit the PCI Resource Guide.


Jan 29 2009   1:09PM GMT

California Security Breach Information Act (SB-1386) | What You Need to Know.



Posted by: Charles Denyer
California SB-1386, MN plastic card security act, MN PCI DSS, SAS 70, California Security Breach Information Act (SB-1386), HIPAA, GLBA, Gramm Leach Bliley

In short, the California Security Breach Information Act (SB-1386) is a California state law requiring organizations that maintain personal information about individuals to inform those individuals if the security of their information has been breached or compromised. Thus, the Act stipulates that if there’s a security breach of a database containing personal data, the responsible entity must notify each and every individual for whom it maintained the information. The Act, which went into effect July 1, 2003, was created to help stem the alarming growth of identity theft, which has many consumers on edge and frightened concerning the protection of their personal data.

Here’s what’s important to grasp from a regulatory compliance aspect. California SB-1386 is part of a trend that is sweeping the nation and will only continue to grow as concerns for the security of confidential information become more paramount. Gov. Tim Pawlenty signed the MN Plastic Card Security Act, essentially codifying parts of the Payment Card Industry Data Security Standard (PCI DSS) into law.

Auditors need to be aware of these rules and regulations and the overall impact they can have on an audit, be it a SAS 70 audit, a HIPAA or GLBA audit, or even a PCI DSS assessment.


Jan 16 2009   3:46PM GMT

SAS 70 Audits & Data Centers | Tips on Preparing for the Audit



Posted by: Charles Denyer
SAS 70, sas70, payment card industry, PCI, PCI DSS, sas 70 data centers, co-locations, managed services sas 70, change management sas 70, incident management sas 70, physical security, environmental security, incident management

Today’s data centers and managed services providers are complex businesses, providing customers with a wide array of services. As such, SAS 70 audits have become the standard compliance audit for assessing internal controls for data centers and managed services. But buyer beware: not all SAS 70 audits are the same when conducted on data centers and managed service providers. So, what’s the scope, you say? Well, generally speaking, a good quality SAS 70 audit process and its subsequent report should include the following areas for consideration of controls:

1. Executive Management/Strategic Management Drivers
2. Human Resources
3. Quality Assurance Activities
4. Client Contract Processes
5. Technical Client Provisioning Processes and Activities
6. Change Management
7. Incident Management
8. Logical Security
9. Network Security
10. Shipping and Receiving Management
11. Physical Security
12. Environmental Security

Any SAS 70 audit conducted on data centers, managed services providers and co-location entities that encompasses the above-referenced areas can be considered a quality audit and report, at least in terms of scope. It’s then up to the CPA firm conducting the audit to actually perform testing for these areas, but that’s a whole other topic of discussion for a later date.

To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.
To learn more about PCI DSS assessments, visit the Payment Card Industry (PCI) Resource Guide.


Dec 31 2008   11:36PM GMT

SAS 70 Audit Reports | Learn About SAS 70 by Obtaining a Sample Report



Posted by: Charles Denyer
sas70, SAS 70, SAS 70 Type I, type ii audit

Many service organizations that have to undergo a SAS 70 Type I or Type II audit have never had the ability to see or read what a final report looks like after the audit has been completed. With a sample report now available, service organizations can gain a greater understanding of the auditing standard, while also having an expectation of what the final report should look and “feel” like.

It’s one of the elements that was missing in the compliance industry, so we thought it was necessary and helpful to put forth an excellent example of a SAS 70 Type II service auditor’s report. And remember, because of the looseness within the auditing standard, no two reports are going to look exactly alike. Sure, there are slight variations among SAS 70 reports, but they should encompass and include most of the elements contained within our sample SAS 70, available to all who wish to read on and learn more about Statement on Auditing Standards No. 70.

Please take time to educate yourself on this highly used auditing standard by visiting a number of other areas on the website, such as the white papers section, the industry news section, and the What is SAS 70 section.