In this recorded 2012 NAFCU Technology & Security Conference session, you will learn about the internal control certification process and how it affects more than just the accounting department. Discover why becoming internal control certified matters, gain insight into the impact of the recent change in standards from SAS 70 to SSAE 16, walk through the process and the audit reports (Type 1 and Type 2), and see what involvement is expected from the “technology side of the house,” including documentation of systems controls, disaster recovery and more.
Presented by Jeff Ziliani, CPA, Director of Finance and Administration, Burns-Fazzi, Brock
Burns-Fazzi, Brock is the NAFCU Services Preferred Partner for Executive Benefits and Compensation Consulting and Long Term Care Insurance.
More information at http://www.nafcu.org/bfb
Internal Control Certification – It’s Not Just an Accounting Thing (Credit Union Conference Presentation)
1. Internal Control Certification –
It’s Not Just an Accounting Thing
Presented by
Jeff Ziliani, CPA
Burns-Fazzi, Brock & Associates
2. Internal Controls in the News
“Corzine’s lack of internal controls at MF Global gets exposed with missing money”
– Bloomberg News, November 2, 2011
“UBS says some internal controls were not effective”
– Reuters, October 25, 2011
3. Internal Controls in the News (cont.)
“A Red Flag on G.M. Internal Controls”
– New York Times, August 20, 2010
“Lack of internal controls could present problems for cattle industry”
– Farm & Dairy, August 12, 2010
4. Internal Controls in the News (cont.)
“The ability to plan for the short- and long-term, determine product offerings, perform initial and ongoing due diligence over any third-party relationships and set appropriate limits through policies and procedures mitigates strategic risk.”
- Debbie Matz, NCUA Chairman
Excerpt from Letter No. 11-CU-16, issued October 2011
5. IC Certification / Due Diligence
The Challenge:
• Increasing reliance on the outsourcing of certain tasks or functions
• Increasing dependency on external technology and information systems
• Pressure on profitability; fraud and embezzlement at an all-time high
6. IC Certification / Due Diligence (cont.)
• Consumer confidence stressed – need for “peace of mind”
The Solution:
• Building trust and confidence through a report issued by an independent Certified Public Accountant
8. Examples of Services Within Scope (cont.)
• Financial Services Customer Accounting
• Loan / Claims Management and Processing
• Cloud Computing
• Managed Security
• Customer Support
• Sales Force Automation
• Enterprise IT Outsourcing Services
9. Changing Standards
Statement on Auditing Standards (SAS) No. 70, Service Organizations
Effective – April 1992
10. Changing Standards (cont.)
Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization
Effective – for periods ending on or after June 15, 2011
11. What Changed?
1. The name.
2. There are now 3 different Service Organization Controls (SOC) reports to meet specific user needs.
3. Management must provide a written assertion, which is included with the auditor’s report.
13. SOC 1 and SOC 2 Reports
• Description of the service organization’s system
• CPA’s opinion on the fairness of presentation of the description, the suitability of the design of the controls and, in a type 2 report, the operating effectiveness of the controls
• A type 2 report also includes a description of the CPA’s tests of controls and their results
14. SOC 3 Report
• Unaudited system description used to delineate the boundaries of the system
• CPA’s opinion on whether the entity maintained effective controls over its system
15. Walkthrough of the Process
Responsibilities of Management
• Determine the scope of the engagement to be performed
- What service / system / process do we want included in this engagement?
- Is this a Type 1 or Type 2 engagement?
16. Walkthrough of the Process (cont.)
Responsibilities of Management (cont.)
• Prepare a written description of the system / controls within scope.
• Provide a written assertion regarding the design, implementation and operation of the controls of the service organization’s system.
17. Walkthrough of the Process (cont.)
Identification of Control Objectives
• SOC 1 Engagements:
- Control objectives determined and documented by Management.
• SOC 2 & 3 Engagements:
- Control objectives based on the applicable Trust Services Principles and Criteria.
18. Walkthrough of the Process (cont.)
Trust Services Principles and Criteria
“Checklist” approach broken into the following areas:
• Security
• Availability
• Processing Integrity
• Confidentiality
• Privacy
The engagement may cover one, multiple or all of the principles.
19. Walkthrough of the Process (cont.)
Additional Guidance
• Provide access to all information.
• Be proactive in documenting changes in controls/systems.
• Disclose any design or operating deficiencies.
20. Walkthrough of the Process (cont.)
Additional Guidance (cont.)
• Provide evidence that a control is operating effectively.
• For Type 2 engagements, the auditor will test whether the control has been operating effectively over the period within scope, typically no shorter than a 6-month period.
21. Walkthrough of the Process (cont.)
Q. Does obtaining an SSAE 16 report mean that the entire organization is now “SSAE 16 certified”?
A. No. The auditor’s report is limited in scope to the specific services or system controls and does not encompass all controls and areas of the organization.
22. Walkthrough of the Process (cont.)
Q. Is this a one-time process?
A. No. At least quarterly, it is a best practice to document any changes to controls. In addition, the report itself will need to be “kept current,” because the report tells its users only that the controls it addresses existed and were operating effectively at, or during, a certain period of time.
24. Due Diligence- What to Look For (cont.)
• Is the service or the specific system controls you rely on covered by the SSAE 16 report?
• Which accounting firm performed the work?
• What period of time is covered by the report?
• What type of report is it?
25. Due Diligence- What to Look For (cont.)
• Were there any exceptions or deficiencies noted in the auditor’s report?
• Is there any other useful information about the vendor included in the report (e.g., a disaster recovery plan)?
• What are the next steps?
26. Additional Resources
American Institute of Certified Public Accountants
www.AICPA.org
SSAE16 Information, FAQ, Latest News, etc.
www.SSAE16.com
IT Governance Institute
www.ITGI.org
27. “Internal Controls cannot make an institution successful, but the lack of controls or only partial controls can be and commonly is a cause of its failure.”
- Gene Bucciarelli, CPA,
BankersOnline.com