Automating Vendor Management

Presentation transcript:

Automating Vendor Management Tuesday 11:30 am – 12:30 pm Roger Chalkley Home Bank S B

Home Bank S B
- Located in South Central Indiana
- Three branches
- Established in February 1890
- $230 million in assets
- OCC regulated
- 70 employees

Governance Policy
- Access Management
- Incident Response
- Asset Management
- Business Continuity
- Vendor Management
- Security Standards
- AUP
- Risk Analysis
In late 2011, we decided to revamp our whole IT Governance Program and Policies. The consulting firm that helped us with our Risk Assessment, infotex, has mapped all of the FFIEC requirements to a policy set and showed us how to migrate to it, with one of the components being Vendor Management.

Where we started?
- Accounts Payable vendors
- Created a spreadsheet
- Eliminated all "marketing vendors" (charitable donations, yearbook ads)
- Assigned vendor owners

Definitions
Vendor: a person or entity that provides a product or service to the bank.
Risk Rating: we risk rate vendors based on:
- The amount and sensitivity of customer information to which they have access
- The extent to which our business would be disrupted if the vendor relationship ends
- The amount of money spent annually

Definitions
Critical Vendors:
- "Hosting" of customer information
- Access to a large volume of customer information or to highly sensitive customer information
- A terminated relationship would cause major disruption
- Annual payments from the bank > $50K
Regulated Vendors: vendors who are legally required to comply with federal privacy laws by virtue of being regulated by a federal agency.

Critical Vendor Documentation
Needed components:
- SSAE 16 report
- Financial statements
- Tracking/reporting on performance: are they meeting SLAs?
- Reporting and follow-up of issues with the vendor

NEW SSAE 16 Standard
Replaced the old SAS 70 effective June 15, 2011.
SOC-1: Financial Reporting Controls
- Includes a written assertion from management on the fairness of the auditor's presentation of the system description
- Type 1 also reports on the control design
- Type 2 reports on the control design AND effectiveness
- Clarifies that the user auditor evaluates the proper choice of controls
SOC-2: Operational Controls
- Reports on management's description of a service organization's system, AND
- Type 1 also reports on the suitability of the design of controls
- Type 2 also reports on the suitability of the design and operating effectiveness of controls
SOC-3: Operational Controls
- Trust Service Report for service organizations; CPA's opinion
Most vendors issue SOC-1 Type 1. Type 1 = point in time; Type 2 = period of time.

FIS Governance Site Info: HTTPS://GOVERNANCE.FNIS.COM
If you do not have access credentials, send a request to FIS.Security.Governance@fisglobal.com with the subject line "Governance Website Access Request" and the following info in the email body:
- First Name:
- Last Name:
- Company Name:
- Contact Phone:
- Contact E-mail: (must be a company e-mail address)
- Desired User Name:
Please note: it can take up to 24 hours to process your registration once it is received. You will receive an e-mail from FIS.Security.Governance@fnis.com with your login credentials once your registration is processed.

Reviewing a SOC-1 or SOC-2 Report
- Understand the scope of the review
- Read the entire report
- Pay attention to the auditor's opinion
- Were all controls tested without exception (Type II)? If there were exceptions, are there sufficient controls in place?
- Review the User Control Considerations
- Document the controls you have in place to address those areas

Reviewing a SOC-1 or SOC-2 Report
Document your review conclusion, for example: "Based on our review of the FIS Charlotte Service Center SOC-1 report for the period of February 1, 2011 to October 31, 2011, the FIS controls upon which Home Bank relies were appropriately designed and operating effectively."

Software Automation
Wish list for software to automate the Vendor Management process:
- Gathering/storage of documentation
- Vendor owner assessment
- Annual risk assessment
- Key date notifications: SSAE 16 report, financial review, insurance, SLA & performance
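As an added example (not Home Bank's or infotex's software), this Python sketch implements the risk-rating and critical-vendor criteria from the Definitions slides together with the key-date notifications from this wish list. The field names, the annual refresh cadence for the SOC report and financials, and the 60-day insurance lead time are assumptions.

```python
"""Vendor risk tagging and key-date notifications built from the slide criteria.
Constructed example: field names, the 365-day report/financials cadence and the
60-day insurance lead time are assumptions, not Home Bank's or infotex's tool."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set

CRITICAL_SPEND_USD = 50_000   # slide: annual payments from bank > $50K
REPORT_CYCLE_DAYS = 365       # assumed: SOC report and financials refreshed annually
INSURANCE_LEAD_DAYS = 60      # assumed: warn this long before the policy lapses

@dataclass
class Vendor:
    name: str
    owner: str                         # assigned vendor owner (slide: "Assign Vendor Owners")
    hosts_customer_info: bool          # "hosting" of customer information
    customer_info_volume: str          # "none", "limited", "large" or "highly_sensitive"
    termination_impact: str            # "minor" or "major" disruption if the relationship ends
    annual_spend_usd: float
    federally_regulated: bool = False  # regulated vendor per the slide definition
    soc_report_period_end: Optional[date] = None  # end of the latest SSAE 16 report period
    financials_reviewed: Optional[date] = None    # last financial statement review
    insurance_expires: Optional[date] = None

def risk_tags(v: Vendor) -> Set[str]:
    """Tags are not exclusive: a vendor can be both critical and regulated.
    Any single critical criterion is enough (assumption: the criteria are OR'ed)."""
    tags = set()
    if (v.hosts_customer_info
            or v.customer_info_volume in ("large", "highly_sensitive")
            or v.termination_impact == "major"
            or v.annual_spend_usd > CRITICAL_SPEND_USD):
        tags.add("critical")
    if v.federally_regulated:
        tags.add("regulated")
    return tags

def due_notifications(v: Vendor, today: date) -> List[str]:
    """Key-date notifications for the critical-vendor documentation package."""
    if "critical" not in risk_tags(v):
        return []  # slide: the documentation package is required for critical vendors
    cycle = timedelta(days=REPORT_CYCLE_DAYS)
    notes = []
    if v.soc_report_period_end is None or today - v.soc_report_period_end > cycle:
        notes.append(f"{v.owner}: obtain a current SSAE 16 (SOC) report for {v.name}")
    if v.financials_reviewed is None or today - v.financials_reviewed > cycle:
        notes.append(f"{v.owner}: annual financial statement review due for {v.name}")
    if v.insurance_expires is not None and (v.insurance_expires - today).days <= INSURANCE_LEAD_DAYS:
        notes.append(f"{v.owner}: insurance for {v.name} lapses {v.insurance_expires}")
    return notes
```

Running due_notifications over the whole vendor spreadsheet once a day gives the owner-addressed reminders the wish list asks for, with the SOC period from the review-conclusion slide as a natural input.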

Automating Vendor Management Roger Chalkley Home Bank S B