3. Course Objective
To educate participants regarding the nature
of vendor risks and the mechanisms to
effectively assess, manage and control those
risks by providing a learning forum where
individuals with greater audit and third party
assurance experience can share their
knowledge with peers who are interested in
learning about third party assurance and the
different mechanisms and standards available
to accomplish it.
Copyright 2010 Riebeeck Stevens Ltd
4. Today’s Discussion Topics
• Overview of outsourcing arrangements
• Rights to audit
• Diversity of service organizations
• Assessment mechanisms
o SAS 70
o Shared Assessments
o ISAE 3402
• SAS 70 No More
• Conducting an assessment engagement
• Using a third party assessment
• Project management considerations
6. Background
• Many entities use outside service organizations
to accomplish tasks that affect the entity’s
management and information system
• In recent years, there has been an increase in
the use of service organizations
• Why do you think BPO (business process
outsourcing) has increased so much?
• “Practical IT Auditing” Checklist to evaluate
candidates for outsourcing
7. Typical Service Organizations
• Fund accounting agents/Fund administrators
• Custodians/Trustees/Investment advisors
• Transfer agents/Retirement plan record keepers
• Claims processors
• ASPs
• ISPs
• Payroll processors
• Network/Security management
• Thoughts on Cloud Computing Providers?
8. Outsourcing Arrangements
• Total outsourcing – complete business or
business function
• Production outsourcing – Call centers
• Processing outsourcing – Payroll
• Recordkeeping outsourcing – Transfer agent
• Reporting outsourcing – FISERV and Crawford
Technologies
• Physical Facilities outsourcing – Hosting/Co‐
location
9. Sample Outsourcing Agreements
• 2002: $4 billion / 7‐year utility based deal between
American Express and IBM
• 1998: $3 billion application development and
maintenance agreement between BellSouth and
Andersen Consulting
• 1998: $4 billion infrastructure outsourcing agreement
between BellSouth and EDS
• 1996: $4.5 billion / 10 year outsourcing and strategic
alliance agreements between Dupont and CSC and
Andersen Consulting
• 1994: $3 billion / 10‐year IT services between Xerox and
EDS
10. Classification of Vendor Risks
• Operational Risk
• Reputation Risk
• Strategic Risk
• Compliance Risk
• Financial Risk
• Support Risk
11. Classification of Vendor Risks
• Operational Risk ‐ Operational risk not only
includes operations and transaction
processing, but also areas such as customer
service, Information Technology security and
the protection of non‐public data, systems
development and support programs, internal
control processes, and capacity and
contingency planning.
12. Classification of Vendor Risks
• Reputation Risk – Errors, delays, or omissions
in outsourced services that become public
knowledge or directly affect the company's
customers can significantly affect reputation.
For example, a vendor's failure to maintain
adequate service levels and contingencies for
key items such as cash deliveries, network
hardware devices or ATM servicing could
disrupt the ability to deliver service to
customers.
13. Classification of Vendor Risks
• Strategic Risk – Inadequate management
experience and expertise can lead to a lack of
understanding of key risks facing the industry
today and into the future. Additionally,
inaccurate information from vendors can
cause the company's management and board
of directors to make poor strategic decisions.
14. Classification of Vendor Risks
• Compliance Risk – Outsourced activities that
fail to comply with legal or regulatory
requirements can subject the company to
legal sanctions. For example, inaccurate or
untimely consumer compliance disclosures
or unauthorized disclosure of confidential
customer information could expose the
company to civil money penalties or
litigation.
15. Classification of Vendor Risks
• Financial Risk – financial strength of the
vendor, cash position, credit rating,
bankruptcy history, historical financial
performance indicators – return on equity,
return on investment, return on assets
16. Classification of Vendor Risks
• Support Risk – ability to perform according to
service level agreements, professional
diversity and capacity of staff, experience of
workers, staff rotation policy, operational
performance in the market – are they losing
customers, is their quality falling
17. Rights to Audit
• Contract clause allowing the user
organization to audit or have access to audits
of the services contracted
• Should be a standard part of every
outsourcing contract
• Use more frequently
• Demanding specific types of audits
• Make sure you are specific in terms of period
of audits
18. Case Study
New York ‐ 30 Dec 2002: J.P. Morgan Chase & Co. today finalized with IBM
a groundbreaking seven‐year outsourcing agreement, in excess of $5
billion, the largest of its kind. The agreement will enable JPMorgan Chase
to transform its technology infrastructure through absolute costs savings,
increased cost variability, access to the best research and innovation, and
improved service levels. By moving from a traditional fixed‐cost approach
to one with increased capacity and cost variability, JPMorgan Chase will be
able to respond more quickly to changing market conditions.
JPMorgan Chase will outsource a significant portion of its data processing
technology infrastructure, including data centers, help desks, distributed
computing, data networks and voice networks. The agreement includes
the transfer of approximately 4,000 JPMorgan Chase employees and
contractors as well as selected resources and systems to IBM in the first
half of 2003. Application delivery and development, desktop support and
other core competencies will largely be retained inside JPMorgan Chase.
19. Case Study ‐ Instructions
• Study the JPM/IBM press release
• Identify the key risks faced by JPM when
transferring functions to IBM
• Discuss methods JPM can use to stay informed
of controls at IBM to address those risks
• Discuss impact to security, audit and compliance
• Should JPM require IBM to include a right to
audit clause in their contract? Why?
20. Summary
After completing this module, you should now:
• Understand the business drivers behind the
outsourcing decision
• Understand the various types of outsourcing
arrangements
• Understand the key classes of vendor risk
• Begin to understand the need to evaluate
controls at service organizations
22. Definition of Key Players
Service Organization – The entity that provides
services to a user organization
Subservice Organization – An entity that is a
service organization of another service
organization
Service Auditor – Reports on the processing of
transactions by a service organization
User Organization – The entity that has engaged
a service organization
User Auditor – Auditor of a user organization
23. Key Players
[Diagram: relationships among the User Organization, User Auditor, Service Organization, Service Auditor and Subservice Organization]
24. Evaluating Internal Control
at Service Organizations
• How can a user of a service organization (and its
internal/external auditor) obtain a sufficient
level of comfort that there is an effective control
environment at the service organization?
• How can user management ensure that
outsourced processes are managed following
policies, procedures and practices that are
aligned with those of his/her own company?
25. Assessment Mechanism:
Traditional Approach
• User management submits an internal
control questionnaire to service organization
• Service organization provides a self‐
assessment report to clients
• User organization management (internal
audit) performs audit procedures at service
organization
• User auditor performs audit procedures at
service organizations
26. Assessment Mechanisms:
Third Party Assurance Approach
• One independent firm (third party) is
brought in to issue an opinion as to
whether management’s description of
the control environment is presented
fairly.
• In many cases, the independent firm is
also engaged to perform tests of specific
controls and report on the result of
those tests.
27. Assessment Mechanisms:
Third Party Assurance Approach
• Agreed‐Upon Procedures
• Shared Assessments
• Standard Compliance Audit
• SAS 70
• Attestation
• Who can issue reports using these
mechanisms?
28. Assessment Mechanisms:
Third Party Assurance Approach
• Agreed‐Upon Procedures
Issued by independent CPA
• Shared Assessments
Issued by independent CPA or assessment firm
• Standard Compliance Audit
Issued by certified party – i.e. PCI and ISO
• SAS 70
Issued by CPA or CA
• Attestation
Issued by CPA or CA
29. Module Summary
After completing this module, you should now:
• Understand the process to evaluate internal
controls at Service Organizations
• Understand the basic concepts of Third Party
Assurance (TPA)
• Identify different mechanisms for conducting
TPA engagements
• Understand who can issue third party
assurance reports
31. What are Agreed Upon Procedures
• Section 201 of the AICPA Statements on Standards
for Attestation Engagements (SSAE)
• An agreed‐upon procedures engagement is one in
which a practitioner is engaged by a Responsible
Party to issue a report of findings based on
specific procedures performed on subject matter.
The Responsible Party engages the practitioner to
assist Specified Parties in evaluating subject
matter or an assertion as a result of a need or
needs of the Specified Parties.
32. What is an AUP Report
• An AUP Report is a report issued according to
SSAE 10 Section 201
• An AUP Report contains the procedures
agreed‐upon by the parties and the findings
identified by the auditor
• An AUP Report does not contain an opinion
from the auditor, just the facts of the results
33. Who Uses an AUP report
• Agreed‐Upon procedures are used by the
service organization, user management,
external auditors and regulators
• Internal users include senior management,
compliance, internal audit, security and risk
management
• External users typically limited to external
auditors and regulators
34. Distribution of the Report
• As an Attestation report, AUP reports have
limited distribution
• The Service Organization and the specified
parties can have access to the report
• Other parties interested in the report need
to agree as to the sufficiency of the
procedures with respect to the subject
matter or assertion prior to receiving the
report
35. AUP Auditor’s Responsibilities
• Carry out the procedures
• Report the findings in accordance with the
professional standards (general, fieldwork
and reporting)
• Adequately plan and supervise the audit and
exercise due professional care in performing
the procedures, determining the findings,
and preparing the report
36. AUP Auditor’s Responsibilities
• Risk that misapplication of the procedures may
result in inappropriate findings being reported
• Risk that appropriate findings may not be
reported or may be reported inaccurately
• These risks are reduced by becoming
knowledgeable about the subject matter and
thoroughly planning and executing the work
• The AUP Auditor has no responsibility to
determine completeness or adequacy of the
agreed‐upon procedures
37. Layout of a Typical AUP Report
• A title that includes the word independent
• Identification of the specified parties
• Identification of the subject matter (or the
written assertion related thereto) and the
character of the engagement
• Identification of the responsible party
• A statement that the subject matter is the
responsibility of the responsible party
Extracted from “AICPA Attestation Standards Section 201”
38. Layout of a Typical AUP Report
• A statement that the procedures performed were
those agreed to by the specified parties identified
in the report
• A statement that the agreed‐upon procedures
engagement was conducted in accordance with
attestation standards established by the AICPA
• A statement that the sufficiency of the procedures
is solely the responsibility of the specified parties
and a disclaimer of responsibility for the
sufficiency of those procedures
Extracted from “AICPA Attestation Standards Section 201”
39. Layout of a Typical AUP Report
• A list of the procedures performed (or reference
thereto) and related findings (The practitioner
should not provide negative assurance)
• Where applicable, a description of any agreed‐upon
materiality limits
Extracted from “AICPA Attestation Standards Section 201”
40. Layout of a Typical AUP Report
• A statement that the practitioner was not engaged
to and did not conduct an examination of the
subject matter, the objective of which would be the
expression of an opinion, a disclaimer of opinion on
the subject matter, and a statement that if the
practitioner had performed additional procedures,
other matters might have come to his or her
attention that would have been reported
Extracted from “AICPA Attestation Standards Section 201”
41. Layout of a Typical AUP Report
• A statement of restrictions on the use of the report
because it is intended to be used solely by the specified
parties
• Where applicable, reservations or restrictions
concerning procedures or findings.
• For an agreed‐upon procedures engagement on
prospective financial information.
• Where applicable, a description of the nature of the
assistance provided by a specialist.
• The manual or printed signature of the practitioner's
firm
• The date of the report
Extracted from “AICPA Attestation Standards Section 201”
42. Procedures to be Performed
• Can be as limited or as extensive as the specified
parties desire
• Mere description of assertion or subject matter
does not constitute a valid procedure
• There is flexibility in determining the procedures
• Changes to the procedures are acceptable as long
as the specified parties accept responsibility for the
sufficiency of the procedures
• Matters that need to be agreed upon include the
nature, timing and extent of the procedures
43. Procedures to be Performed
• Procedures should not be subjective and
open to interpretations
• Terms of uncertain meaning (such as general
review, limited review or check) should be
avoided
• For each procedure, there should be
evidential matter supporting the finding or
findings
Let’s explore the Q‐Services report
44. Project Management Considerations
• Use Of a Specialist
• Internal Auditors and Other Personnel
• Findings
• Working Papers
45. AUP Sample Findings
• Procedure: Inspect the shipment dates for a
sample (agreed‐upon) of specified shipping
documents, and determine whether any such
dates were subsequent to December 31, 20XX.
• Finding (Appropriate description): No shipment
dates shown on the sample of shipping
documents were subsequent to December 31,
20XX.
• Finding (Inappropriate description): Nothing came
to my attention as a result of applying that
procedure.
• Sample findings matrix from AT 201
46. AUP Auditor Considerations
• Validate that the Specified Parties have agreed to the
procedures
• Document the steps taken in performing the
procedures
• Obtain and maintain appropriate evidence of the
work conducted
• Ensure all changes to the procedures are approved
by the Specified Parties
• Obtain representations from management
47. Using an AUP Report
• An AUP Report contains the results of applying
the procedures only – No Opinion
• Each procedure and related result must be
evaluated by the user in the context of its
entity’s internal control
• Be careful not to extrapolate the findings to
systems or dates not related to the AUPs
48. AUP Exercise
• With the JPM/IBM agreement, multiple systems are
being processed and supported at IBM
• You work for JPM and some of your clients (your team
members) want to audit the system at IBM to evaluate
the security controls at IBM
• Identify and describe 5 audit procedures and discuss
them in your group until everyone agrees they are
sufficient to meet your objective
• Ensure the wording of the procedures is specific and
avoid vague terms
• Draft the result of applying the procedure and share
them with the group
49. Module Summary
After completing this module, you now have an
understanding of:
• What Agreed‐Upon Procedures are
• What an AUP Report is
• The content of AUPs
• The responsibilities of the AUP Auditor
• Key considerations of managing an AUP
project
• The usability of AUP reports
51. Shared Assessments
• Special application of the AICPA AUP
standard
• Shared Assessments is a program created by
BITS, a division of the Financial Services
Roundtable
• Initially targeted the financial services
industry, it is quickly expanding to other
industries such as health care
• Program managed by the Santa Fe Group
52. Shared Assessments
• Standardized Information Gathering (SIG)
Questionnaire
• Agreed‐Upon Procedures (AUP)
• Created under the principle of getting
everyone involved
• Sort of like Skype and IP telephony, when
everyone is connected, there is no need to
pay for phone service
53. Who uses a Shared Assessments Report?
• SIG is used by the Service Organization and
the Outsourcer
• AUP report can be used by all related parties
who approved the procedures
• Limited distribution report – others can use it
but need to agree to the sufficiency of the
procedures to evaluate the related controls
54. Shared Assessments Risk Domains
• Information security policy
• Organization of information security
• Asset management
• Human resources security
• Physical and environmental security
• Communications and operations management
• Access control
• Information systems acquisition, development and
maintenance
• Information security incident management
• Business continuity management
• Compliance
• Privacy
55. Shared Assessments Project
• Scoping questions – determine:
• Service provider and its business model
• Target systems and processes
• Data that it collects, stores, uses, shares, transports,
retains, secures and/or deletes:
o Target Data
o Protected Target Data
o Privacy Target Data
o Protected Privacy Target Data
• Based on this information, identify hardware,
software and procedures to be tested.
56. Shared Assessments Lite
• SIG v5 Level 1
• Contains 91 questions
• Intended for low risk scenarios
• Inquiry of Service Organization management
• No testing is involved
SIG v5 L1 Questions
57. Shared Assessments AUP
• Full SIG v5 and management tools
• AUP v5
• 12 Risk Domains
• Specific procedures to be executed by assessor
• Each AUP control area contains:
o Objective(s): Statement(s) describing the business interest
behind assessing the Domain
o Control(s): Statement(s) about the controls service
providers should have in place
o Procedure(s): The action or actions a practitioner will
perform to test each control Area
o Industry Relevance: Reference(s) to other standards that
apply to the same objective and control as the procedure
58. Shared Assessments Sample Procedure
F.5 Secure Workspace Access Reporting
Objective:
An organization should maintain access and
incident reports.
Control:
Access to Secure Workplace is logged and
incident reports are maintained.
Extracted from the Shared Assessments AUP document
60. Shared Assessments Sample Procedure
4. Company name
5. Visiting
6. Equipment
7. Sign out and return of badge
8. Date of last update
Incident Logs:
1. Name
2. Date and time
3. Company name
4. Incident type
5. Date of last update
b. Report the attributes listed in step a not in evidence, the
date the access logs and incident log was last updated, or
the nonexistence of the access log or incident log.
Extracted from the Shared Assessments AUP document
61. Shared Assessments
Exercise
• Review the JPM/IBM outsourcing
arrangement and based on the limited
information provided, review the questions
on Section C2.2 of SIG v5 and the
corresponding procedures in Section C of
Shared Assessments AUP v5
• Could this provide any comfort when
performed by a trusted party?
62. Shared Assessments Report Layout
• The Shared Assessments report follows the
AUP standard of the AICPA
• Description of scope
• Domain area
• Control objective
• Control
• Procedure
• Results of applying the procedure
63. Using a Shared Assessments Report
• The Shared Assessments report does not
provide assurance, just attestation of the result
• Each user of the report must evaluate the
results in the context of their own risk universe
• Some controls may be applicable, others may
not
• The absence of certain controls may not be
relevant to the user’s environment
• Do not extrapolate in time and space
64. Using a Shared Assessments Report
• Limitations of the Shared Assessment Report
• Limited to Security, business continuity and
privacy
• No third party opinion
• Can it be relied upon for purposes of an audit of
financial statements? Only if issued by CPA?
What about internal audit of the user
organization?
• What about sub‐service organizations? What
options are there to report on that relationship?
65. Module Summary
After completing this module, you should now
understand:
• What are Shared Assessments
• What is a Shared Assessments Report
• The content of a Shared Assessments Report
• The responsibilities of the Shared Assessments
Auditor
• Key considerations of managing a Shared
Assessments project
• The usability of Shared Assessments reports
67. What is “SAS 70”?
• Statement on Auditing Standards (SAS) No. 70,
Service Organizations, as amended
• Issued by the American Institute of Certified
Public Accountants (AICPA)
68. What is a “SAS 70” Report?
A report containing:
• Description of the control environment
• Description of management’s control objectives
• Description of specific controls, policies and
procedures
• Description of tests of those specific controls,
policies and procedures
• Results of those tests
• Independent auditor’s opinion
• Supplemental information provided by the Service
Organization (optional)
70. Who uses the SAS 70 report?
Benefits of the report to external users
• Enhanced understanding of the control
environment
• Additional level of comfort
• Contained audit costs
• Ability to compare service organizations
• Reliance on controls
72. Who uses the SAS 70 report?
Benefits of the report to internal users
• Independent evaluation of processes and controls
• Standard documentation of processes and controls for
future evaluation of efficiencies
• Improved risk management
• Potential reduction of coordination with your client’s
auditors
• Marketing
74. Types of Reports
• Type I – Report on Controls placed in
Operation as of a specified date
• Type II – Report on Controls placed in
Operation as of a specified date
AND
Results of Tests of Operating Effectiveness
during a specified period
75. Service Auditor’s Responsibilities:
Type I Engagement
• Determine whether the description of controls
presents fairly the relevant aspects of the
controls placed in operation as of the date of
report
• Determine whether the controls are suitably
designed to achieve the specified control
objectives
76. Service Auditor’s Responsibilities:
Type II Engagement
• Same as in Type I Engagement
AND
• Determine whether the controls that were
tested were operating with sufficient
effectiveness to achieve control objectives
for the specified period of the report
77. Sub‐Service Organizations: Carve‐out
• Exclude sub‐service organization’s relevant controls and
control objectives from report and from auditor’s scope
• If Carve‐Out sub‐servicer, then:
Modify scope paragraph in the auditor’s report for the controls of
the sub‐service organization
o Describe the functions and nature of processing performed by sub‐
service organization
o That the description of the controls includes only the controls and
related control objectives of the service organization
o That our examination does not extend to the controls at the sub‐service organization
Service Organization modifies description of controls to summarize
the functions and nature of the processing performed by the sub‐
service organization that are omitted from the report
• May be necessary to modify opinion paragraph in auditor’s
report
78. Sub‐Service Organizations: Inclusive
• Include sub‐service organization’s relevant controls and
control objectives in report and in auditor’s scope
• Ensure description of controls and control objective
discussion in report clearly differentiates controls at service
organization and at sub‐service organization, but includes
both in reporting
• Modify auditor’s report throughout (scope, opinion, Company
references) to include sub‐service organization (and its
related controls, etc.)
• Perform procedures at the sub‐servicer to determine
whether:
controls (functions/nature of processing and controls) are fairly
presented
controls are suitably designed to achieve the related control objectives
controls are operating with sufficient effectiveness (For Type II
engagements)
79. User Control Considerations
• Complementary Controls that may be
required at the User Organization
• Include in report’s description of controls
• Include in auditor’s report
• Sample UCC: User Organization should
remove terminated employees when access
no longer needed
80. Service Auditor’s Responsibilities
• Addressing the representations in the service
auditor’s report
• Adhere to the AICPA general standards and
with the relevant AICPA fieldwork and
reporting standards
81. Layout of Typical SAS 70 Report
Opinion
Section I – Information provided by the Service Organization
Overview of the business
Control Environment
Applicability of Report
Description of Controls
Section II – Information Provided by the Service Auditor
Section III – Controls, Control Objectives and Tests of
Operating Effectiveness
Section IV – Other information provided by the Service
Organization
83. Project Management:
Useful information for the
Service Auditor Engagement Team
85. Engagement Time Management
Time Management
• Activity Definition
• Activity Sequencing
• Activity Duration Estimating
• Schedule Development
• Schedule Control
86. Service Organization Involvement
• Project Sponsor (leader/owner) of the
Process
• Project Coordinator (daily task
management)
• Internal Pre‐Assessment and Remediation
• “Buy‐In” of Senior Management within all
functional departments/areas
87. Senior Management Buy‐In
• Assists in obtaining information timely
• Ensures right personnel/contacts are met
• Ensures personnel/contacts will provide all
necessary assistance
• Ensures personnel/contacts know the
importance of the project to their department
leaders
88. Responsibilities
May impact:
• Timing
• Deadlines
• Budgets/fees
• Staffing mix
• Expectations set by client or by auditor
• Satisfaction with meeting expectations and
• The ability to manage expectations
89. Reporting Responsibilities
Generally, Client should draft most areas of the Report
• Overview of Operations (Organization Definition)
• Description of Controls and Control Environment
• Control Objectives and Controls
• Other Information provided by the Service Organization
Generally, the Service Auditor should focus on:
• Opinion
• Information Provided by Service Auditor
• Testing of Controls and Results of Testing
90. Managing Expectations
• Expectations of Significant Changes During Report
Period (mid‐year significant changes in
controls/processes to consider)
• Presence of Exceptions in the Report
• Multi‐location Considerations
• Report is evolving
• Recommendations to be Provided to Client
• Regular Status Meetings with Project Champion and
Day‐to‐Day Contact Person are important
91. Managing Expectations
• Timeline/Deadline for Stages of Engagement
o Setting project milestones minimizes time overages
• Detailed Project Plan by Control Objective
o Breaking down project plan to task level increases
accuracy of cost estimation and subsequent budgeting
• Monitor Timing/Fees (budget to actual)
o Enhanced cost control through frequent budget to actual
monitoring
92. Module Summary
After completing this module, you should now:
• Understand key aspects of managing a SAS 70
project effectively and efficiently.
• Understand common pitfalls/challenges and
successes that we have encountered in our
experience with SAS 70 engagements.
96. Types of Tests
• Inquiry
• Inspection
• Observation
• Re‐performance of the control
97. Sample Sizes
• No definitive guidance
• Driven by four variables
o Significance of control
o Frequency
o Past experience
o Client expectation
101. Testing Strategies
• Report must be applicable to internal
controls in place during the entire testing
period.
• Narrative update can occur at six month
point
• Controls can be tested at any time during the
testing period
102. Module Summary
After completing this module, you should now:
• Understand important items to consider when
performing a SAS 70 engagement including
sample sizes, testing strategies and addressing
findings.
104. Is the SAS 70 Useful?
• Address the applications and/or locations used by
the Service Organization that are relevant to
financial statement assertions?
• Adequate to understand flow of transactions?
• Sufficient detail of controls that prevent or detect
possible errors?
• Are there findings within control tests?
• Does opinion address any exceptions?
• Are any areas being carved‐out?
105. Procedures when using a SAS 70 Report
• Read report to:
• Understand the flow of transactions and the controls
• Determine that controls were operating as intended
• Determine whether significant control deficiencies
were noted
• Inquire of client as to changes since date of SAS 70
• Consider whether additional procedures are
necessary
106. Assessing User Control Considerations
• Read service auditor’s report to determine:
Whether the considerations are relevant to your
client
o If relevant, ensure during your planning that the
controls have been implemented by the client
Nature of complementary controls that should
be in place at our client
107. Updating a SAS 70
When date of SAS 70 report is within the client’s
fiscal year (and assessed controls as effective):
• Update through client discussions
When date of SAS 70 is outside of our client’s
fiscal year (and anticipate assessing controls as
effective):
• Can use the report as a starting point in gaining
an understanding of the control environment
• You may not rely on this report as audit evidence
109. Using a SAS 70 Report
• Make sure you understand which significant
processes are covered
• Can you rely on the testing which was
performed?
• Determine the results of any testing that was
performed
111. Module Summary
After completing this module, you should now:
• Understand when you can rely on a SAS 70
report.
• Understand the documentation requirements
when leveraging a SAS 70 report.
• Understand how you can benefit from a SAS
70 report.
Discuss the SAS 70 Reliance Decision Tree
113. What is an Attest Engagement?
• Examination, audit or review of subject
matter or management assertion
• Higher level of assurance
• Generally includes an opinion of the auditor
• Follows the Statement on Standards for
Attestation Engagements of the AICPA
114. Why Do We Need Attest Reports?
• Many financial situations require an attest
report
• In the controls space, they can cover areas
that are not possible to cover in SAS 70 or
other reports
• An example is business continuity planning
and the availability principle
118. Attest Auditor Responsibilities
• Training and proficiency
• Adequate knowledge of the subject matter
• Independence
• Due professional care
• If report issued according to the AICPA
standard then auditor should be a CPA
119. Layout of Attest Report
• Differences in content for an Examination
and a Review report
• Considerations as to whether opining on
subject matter or management assertion
• Statement that the work conducted supports
the opinion provided
• Compliance with AICPA standards
120. Project Management Considerations
• Obtain clear management assertion
• Ensure there are suitable criteria
• Delineate and plan every activity
• Discuss and walk through every risk and area
of control
• Establish a clearly defined timeline
• Obtain concurrence from management on all
identified findings
121. Attest Auditor Considerations
• Planning and supervision
• Obtaining sufficient evidence
• Management representations
• Reporting
• Analysis of other information presented by
management
122. Using an Attest Report
• Ensure focus and scope are relevant
• Review criteria
• Evaluate findings
• Consider period of the attestation
• Determine whether subsequent events
occurred
• Integrate controls in the report with risks in
your organization
123. Module Summary
After completing this module, you should now be
able to understand:
• What are Attest engagements
• What is an Attestation Report
• The content of an Attestation Report
• The responsibilities of the Attest Auditor
• Key considerations of managing an Attest
project
• The usability of Attest reports
124. Good Bye SAS 70
125. SAS 70 No More
• Recent Developments
• International Demand
• IFAC ‐ ISAE 3402
• AICPA SSAE 16 – Reporting on Controls at a
Service Organization
• New SAS – Audit Considerations Relating to
an Entity Using a Service Organization
126. SAS 70 No More
• New Standards do not affect inquiries of
management
• New Standards do not affect AUP/Shared
Assessments
• New Standards do not affect the Attest
Engagements
127. AICPA SSAE 16
• Separates Service Audit from existing SAS
• Falls under different family of standards
• Instead of an audit standard, it is an attest
standard
• Requires a written management assertion
• And suitable criteria
• Does not consider the usability in a financial
statement audit ONLY
128. SSAE 16 – Impact
• Management of the service organization required
to provide the service auditor with a written
assertion about
1. The fairness of the presentation of the description of
the service organization’s system
2. The suitability of the design of the controls to
achieve the related control objectives stated in the
description, and, in a type 2 engagement
3. The operating effectiveness of those controls to
achieve the related control objectives stated in the
description.
129. SSAE 16 – Impact
• A service auditor is able to report on controls
at a service organization other than controls
that are relevant to user entities’ financial
reporting, for example, controls related to
user entities’ regulatory compliance,
production, or quality control.
• This is probably the greatest benefit of all!
130. SSAE 16 – Impact
• In a type 2 report, the service auditor’s
opinion on the fairness of the presentation of
the description of the service organization’s
system and on the suitability of the design of
the controls is for a period of time rather
than as of a specified date, as is the case in
the current standard
131. SSAE 16 – Impact
• When obtaining an understanding of the
service organization’s system, the service
auditor would be required to obtain
information to identify risks that the
description of the service organization’s
system is not fairly presented or that the
control objectives stated in the description
were not achieved due to intentional acts by
service organization personnel.
132. SSAE 16 – Impact
• Indicates that when assessing the operating
effectiveness of controls in a type 2
engagement, evidence obtained in prior
engagements about the satisfactory
operation of controls in prior periods does
not provide a basis for a reduction in testing,
even if supplemented with evidence
obtained during the current period.
133. SSAE 16 – Impact
• A service auditor’s type 2 report would
identify the customers to whom use of the
report is restricted as "customers of the
service organization’s system during some or
all of the period covered by the service
auditor’s report," and in a service auditor’s
type 1 report, as, "customers as of the date
of the service organization’s description
covered by the report."
134. SSAE 16 – Key Considerations
• Effective date – the AICPA/ASB has proposed
making the SSAE effective concurrently with
the new ISAE 3402
• Management assertion – An assertion‐based
engagement includes an explicit
acknowledgement by management of its
responsibility for the matters addressed in its
assertion
• Convergence with International Standards
135. IFAC – ISAE 3402
• ISAE 3402 – Assurance Reports on Controls at
a Service Organization
• Based on original structure of SAS 70 but very
similar to the New SSAE
• Applies to all countries where IFAC is
recognized
• Scope – applies to engagements that convey
reasonable assurance when the service
organization is responsible for the suitable
design of controls
136. ISAE 3402
• The standard deals with assurance
engagements by professional accountants in
public practice to provide a report for use by
the user entities and their auditors on the
controls at a service organization that
provides a service to user entities that is
likely to be relevant to user entities’ internal
control, as it relates to financial reporting.
137. ISAE 3402
The standard does not deal with assurance
engagements:
• To report on whether controls at a service
organization operated as described, or
• To report ONLY on controls at a service
organization that are not related to a service
that is likely to be relevant to user entities’
internal controls as it relates to financial
reporting
138. Why is ISAE 3402 Important
• Impact at domestic and international levels
• It updates/replaces (potentially)/complements:
• US ‐ Statement on Auditing Standards (SAS) No. 70
• CA ‐ Canadian Institute of Chartered Accountants
(CICA) 5970
• UK ‐ Audit and Assurance Faculty Standard (AAF)
01/06
• AU ‐ Guidance Statement (GS) 007
• HK ‐ HKSA Statements – Auditing Practice Note 860.2
• JP ‐ Audit Standards Committee Report No. 18
• DE (Germany) ‐ IDW PS 951
139. IFAC – ISAE 3402
• Introduces the concept of materiality
• Not with respect to the financial statements
but with respect to the system
The concept of materiality takes into account that
the service auditor’s assurance report provides
information about the service organization’s system
to meet the common information needs of a broad
range of user entities and their auditors who have an
understanding of the manner in which that system
has been used.
140. IFAC – ISAE 3402
• Materiality with respect to the fair presentation of
the service organization’s description of its system,
and with respect to the design of controls, includes
primarily the consideration of qualitative factors,
for example: whether the description includes the
significant aspects of processing significant
transactions; whether the description omits or
distorts relevant information; and the ability of
controls, as designed, to provide reasonable
assurance that control objectives would be
achieved.
141. IFAC – ISAE 3402
• Materiality with respect to the service
auditor’s opinion on the operating
effectiveness of controls includes the
consideration of both quantitative and
qualitative factors, for example, the tolerable
rate and observed rate of deviation (a
quantitative matter), and the nature and
cause of any observed deviation (a
qualitative matter).
142. Critical Steps in Assurance Reporting
Under ISAE 3402
• Assessing the Suitability of the Criteria
• Obtaining an Understanding of the Service
Organization’s System
• Obtaining Evidence Regarding the
Description
• Obtaining Evidence Regarding Design of
Controls
• Obtaining Evidence Regarding the Operating
Effectiveness of Controls
143. Critical Steps in Assurance Reporting
Under ISAE 3402
• The Work of an Internal Audit Function
• Other Information
• Preparing the Service Auditor’s Assurance
Report
• Other Communication Responsibilities
144. Comparison of SAS 70 with ISAE/SSAE
Topic: Scope
Existing SAS 70 Standard: SAS 70 is limited to controls over the processing of financial transactions by a service organization.
ISAE 3402 / SSAE: Report can be extended beyond financial reporting.
Topic: Opinion / Assertion
Existing SAS 70 Standard: The auditor provides an opinion based directly on the subject matter with no formal management assertion.
ISAE 3402 / SSAE: In addition to the auditor's opinion, management of the service organization provides a formal assertion affirming its responsibilities for the controls in the report.
Extracted from “Good‐bye SAS 70” by Fiona Gaskin
145. Comparison of SAS 70 with ISAE/SSAE
Topic: Disclosure requirements for use of IA
Existing SAS 70 Standard: Work performed by internal audit to support the service auditor's opinion is not disclosed.
ISAE 3402 / SSAE: Work performed by internal audit used in part to form the service auditor’s opinion shall include a description of the internal auditor’s work and of the service auditor’s procedures with respect to that work.
Topic: Audit Guidance
Existing SAS 70 Standard: Guidance is provided in an annually updated Audit Guide, which includes illustrative control objectives for various types of service organizations.
ISAE 3402 / SSAE: Guidance for the service auditor will be solely contained in the ISAE itself and will not contain illustrative control objectives. The US will continue to provide audit guidance to support the SSAE/SAS 70 standards.
Extracted from “Good‐bye SAS 70” by Fiona Gaskin
146. Comparison of SAS 70 with ISAE/SSAE
Topic: Example of Terminology Differences
Existing SAS 70 Standard: Type I - report on the fairness of the description of controls and whether those controls were suitably designed. Type II - report also includes an opinion on the operating effectiveness of the controls.
ISAE 3402 / SSAE: Type 1 - report on the fairness of the description of controls and whether those controls were suitably designed. Type 2 - report also includes an opinion on the operating effectiveness of the controls.
Extracted from “Good‐bye SAS 70” by Fiona Gaskin
147. ISAE 3402 Report
• Internal control is a process designed to provide
reasonable assurance regarding the achievement of
objectives related to the reliability of financial
reporting, effectiveness and efficiency of operations
and compliance with applicable laws and regulations.
• Control objectives and controls at the User
Organizations
• Control objectives and controls at the Service
Organization
• Controls at the Service Organization that need to be
complemented at User Organizations
148. Module Summary
After completing this module, you should now be
able to understand:
• The latest developments in Third Party Assurance
Standards
• The impact of new Standards
• The benefits of the new Standards
• Key differences and similarities between domestic
and international standards
• Key considerations and responsibilities of a
service auditor and the user of a third party
assurance report
150. Using Third Party Reports
• A report is not relevant if it does not address your
company’s risks
• Prepare your own ICQ or use a standard one as a
pre‐audit tool
• Use your company’s risk and control matrices as
the basis to evaluate ICQ, AUP, SAS 70, ISAE and
SSAE findings
• Starting point is your company’s risks not what is
in the reports
151. Third Party Assurance – Final Comments
• Businesses will continue to look for opportunities
to increase efficiency and effectiveness of
business processes
• Globalization will not stop
• Cloud Computing will make this field more
interesting and complex
• Third party assurance practice will continue to
grow
• We will be either auditing or will be audited by a
service auditor …
152. Contact
Felix Ramirez
(W) 646‐290‐8998
(C) 908‐230‐4562
(e) felix.ramirez@riebeeckstevens.com