Auditing Outsourcing with SAS70 (Prüfung von Outsourcing mit SAS70)
AGENDA
• Historical flashback
• Reasons for the standard
• Major contents
• Potential areas of SAS 70 application
• Audit approach and Responsibility
• Client and Service Provider benefits

Presented by Tamer Basman, CISA
August 2007 ISACA After Hours Seminar - Prüfung von Outsourcing mit SAS70 - Herr Tamer Basman

Historical flashback I
• As early as the 1960's the Auditing Standards Board recognized the need for service providers to report on their controls to their customers (the "users")
• Historically, a CPA's primary service was the audit of financial services
• "Generally Accepted Auditing Standards" (GAAS) was created to provide uniform standards for the profession
• GAAS was promulgated via "Statements on Auditing Standards" (or SAS) (pre-SOX)
• All SASs collectively have been codified in the AICPA literature in the "AU" (short for "audit") series of pronouncements
AICPA = American Institute of Certified Public Accountants

Historical flashback II
• The concept of "Internal Control" is fundamental to an audit of Financial Statements (F/S)
• SAS 55 first documented standards for the auditor's consideration of Internal Controls (I/C) in a F/S audit
• SAS 78 updated SAS 55 to incorporate the COSO framework
• SAS 94 updated SAS 55/78 to reflect the impact of current technologies on I/C
• These SASs are codified in Section AU 319
• SAS 70 is codified in GAAS as Section AU 324
COSO = Committee of Sponsoring Organizations of the Treadway Commission

Reasons for the standard I
[Diagram: relationship of a Service Organization to a User Organization. The service organization provides services; the user organization outsources them; the scope of a SAS 70 report covers the services provided.]

Reasons for the standard II
• The early service providers were computer service bureaus, offering single applications
• The F/S auditor of a user of a service provider is NOT relieved of their professional responsibilities under AU 319
• Internal controls at the service provider that relate to the financial statements of the user organization must still be considered

Reasons for the standard III
What is SAS 70?
• An audit conducted in accordance with Statement on Auditing Standards (SAS) No. 70 is a highly specialized audit of the design and operational effectiveness of a service organization's internal controls over processing transactions for user organizations.
  – A report issued by an independent auditor under Statement on Auditing Standards No. 70
  – Covers controls exercised by a service organization on behalf of its customers
  – Relates to the user organization's financial statement assertions
• SOX 404 audit relevance

Major contents I
Parties involved in SAS 70
[Diagram: Company A (Service Organization); Company A's Customers (User Organizations and Internal Auditors); CPA Firm (Service Auditor); CPA Firm (User Organization Third Party Auditor).]

Major contents II
Audit approach
• Control environment
• Risk assessment
• Information and communication systems
• Monitoring
• Control activities
• The COSO Framework is also adopted by PCAOB Standard No. 2 – refer to PCAOB p. A-11, paragraph 14
• SAS 70 recognizes the COSO Framework – refer to AICPA Audit Guide (May 2004) par. 2.17 and 2.28

Major contents III
Audit approach: COSO Framework
Control Environment—The control environment sets the tone of an organization, influencing the control consciousness of its people
Risk Assessment—Every entity faces a variety of risks from external and internal sources that must be assessed both at the entity and the activity level
Control Activities—These policies and procedures help ensure management directives are carried out
Information and Communication—Pertinent information must be identified, captured and communicated in a form and timeframe that supports all other control components
Monitoring—Internal control systems need to be monitored—a process that assesses the quality of the system's performance over time

Major contents IV
SAS 70 Report Components (Type I / Type II)
1. Independent service auditor's report (i.e. opinion) – Type I: Included; Type II: Included
2. Service organization's description of controls – Type I: Included; Type II: Included
3. Information provided by the independent service auditor; includes a description of the service auditor's tests of operating effectiveness and the results of those tests – Type I: Optional; Type II: Included
4. Other information provided by the service organization (e.g. glossary of terms) – Type I: Optional; Type II: Optional

Potential areas of SAS 70 application
• Application Service Providers
• Medical Claims Processing
• Employee Benefits Processing
• Banking Service Bureaus
• Credit Card Processing
• Internet Service Providers
• Trust Departments of banks and insurance companies
• Transfer agents, custodians or record-keepers for investment companies
• Mortgage services or depository institutions that service loans for others
• Regional Transmission Organizations

Responsibility I
Report Sections and Responsibility (Section – Responsibility)
I. Independent Service Auditors' Report – External Auditor (Service Provider)
II. Company A Description of Controls and Procedures – Service Provider
III. Tests of Operating Effectiveness – External Auditor (Service Provider)
IV. Other Information Provided by Company A (Optional) – Service Provider

Responsibility II
Refer to AICPA Audit Guide (May 2004) Sections 4.05 to 4.28
The Service Provider is responsible for:
  – Determining control objectives
  – Providing a description of internal controls
  – Determining the report type
  – Communicating significant changes to the environment
The Service Auditor is responsible for:
  – Being independent – first and foremost
  – Determining the appropriateness of control objectives
  – Examining the description of controls
  – Conducting appropriate tests of controls
  – Expressing an opinion

Client and Service Provider benefits
• To reduce disruption from multiple user audits
• To communicate information about the service provider's internal controls
• SAS 70 reports are for the benefit of our client, their customers and their customers' auditors only.

Questions and Answers
http://www.aicpa.org
http://www.itacs.ch/deutsch/pages/KU/KU_Kt_SAS_70.htm
Contact: Tamer Basman, 044.249.4780, [email protected]