PwC Internal Control Reports: Facts, Myths and Best Practices FIRMA National Risk Management Training Conference – San Francisco, CA Wednesday March 31,
Presentation transcript:

PwC Internal Control Reports: Facts, Myths and Best Practices FIRMA National Risk Management Training Conference – San Francisco, CA Wednesday March 31, 2010 Suzanne Faulkner, Partner PricewaterhouseCoopers LLP

Slide 2: Agenda
Background Information and Overview
Common SAS 70 Terminology
SAS 70 Report Overview
Evaluating a SAS 70 Report

Background Information and Overview

Slide 4: Significant Outsourced Operations
Increasingly, U.S. companies (User Organizations) outsource parts of their operations, such as payroll, custodial services, claims processing and data center operations, to other companies (Service Providers).
Although a process has been outsourced, the User Organization remains responsible for the accuracy and integrity of the financial data associated with the outsourced process.
The User Organization must understand the design and operating effectiveness of internal controls at the Service Provider and how those controls interact with its own.
A SAS 70 report can help reduce management's need to perform its own independent evaluation of the Service Provider's internal controls.

Slide 5: Statement on Auditing Standards (SAS) No. 70
Statement on Auditing Standards (SAS) No. 70, Service Organizations, is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA).
−SAS 70 defines the professional standards used by a Service Auditor to assess the internal controls of a Service Provider and issue a report.
A SAS 70 is a report prepared by an independent auditor on the internal controls at a Service Provider, for use by the customers of the Service Provider.

Slide 6: Statement on Auditing Standards (SAS) No. 70
A SAS 70 report answers one or both of the following questions:
−Are internal controls designed effectively?
−Are internal controls operating effectively for a specified period?
A SAS 70 report is tied to internal controls over financial reporting; it is not designed to provide assurance over other areas such as business continuity, privacy, or compliance with laws and regulations.

Slide 7: Benefits to User Organizations
SAS 70 reports have become common because they enable a Service Provider's customers to gain an understanding of the Service Provider's internal control environment efficiently.
As part of its assessment of controls for Sarbanes-Oxley Section 404, management can obtain and evaluate a Service Provider's SAS 70 report and significantly reduce the need to test the controls in place at the Service Provider (and reduce the costs of independently testing those controls).
In addition, the User Organization's external auditors (User Auditors) can use the report to gain an understanding of, and potentially place reliance on, the testing of internal controls at the Service Provider.
Management should consider requesting a SAS 70 report from third-party Service Providers that provide substantial services directly impacting internal controls over financial reporting.

Slide 8: Benefits to Service Organizations
A Service Auditor's Report with an unqualified opinion issued by an independent accounting firm differentiates the service organization from its peers by demonstrating that it has established effectively designed control objectives and control activities.
A Service Auditor's Report also helps a service organization build trust with its user organizations (i.e., customers).
A Service Auditor's Report ensures that all user organizations and their auditors have access to the same information; in many cases this will satisfy the user auditor's requirements.
A SAS 70 engagement allows a service organization to have its control policies and procedures evaluated and, in the case of a Type II engagement, tested by an independent party.

Common SAS 70 Terminology

Slide 10: Common SAS 70 Terminology
Service Organization/Service Provider: The entity (or segment of an entity) that provides services to the user organization.
User Organization: The entity that has engaged a Service Provider and whose financial statements are being audited.
Service Auditor: The independent audit firm performing the SAS 70 audit services.
User Auditor: The auditor who reports on the financial statements of the user organization.
Service Auditor's Report: The report issued by the service auditor expressing an opinion on whether the Service Provider's internal controls are designed and operating effectively as of a specific date.

Slide 11: Common SAS 70 Terminology
User Control Considerations (UCC): Controls the Service Provider expects User Organizations to be performing. It is the responsibility of the User Organization to design and implement these controls.
Coverage Period: Applies to a Type II SAS 70 and refers to the period of time during which the control objectives and related control activities were in place and tested for operating effectiveness (e.g., 10/1/05 to 9/30/06). Tests of controls are performed on a sample selected from the coverage period.
Gap Period: The difference between the "as of" or "period end" date of the SAS 70 Report and the year-end date of the User Organization's financial statements. For example, if a SAS 70 Report's "as of" or "period end" date is 9/30 and the User Organization's fiscal year end is 12/31, the Gap Period (the period not covered by the SAS 70 Report) is three months.

Slide 12: Common SAS 70 Terminology
Control Activities: The policies, procedures and practices put in place to ensure that business objectives are achieved and risk mitigation strategies are carried out. Control activities are developed to specifically address each control objective and mitigate the risks identified.

SAS 70 Report Overview

Slide 14: SAS 70 Reports – Type I
Type I SAS 70 Report: the purpose is to answer the following question: Are the internal controls designed effectively to meet the stated control objectives, and were the controls in place as of a specified date?
−Controls documented
−No testing involved

Slide 15: SAS 70 Reports – Type II
Type II SAS 70 Report: the purpose is to answer the following question: Are controls designed AND operating effectively over a period of at least six months?
−Controls documented
−Controls tested to determine whether they are operating as designed
−Testing period must be at least 6 months

Slide 16: Impact of Each Report
Type I SAS 70 Report: For informational use only, since no testing is performed. The User Auditor cannot rely on the report during audit fieldwork. The User Auditor is required to conduct their own tests of controls to gain assurance (i.e., visit the Service Organization).

Slide 17: Impact of Each Report
Type II SAS 70 Report: Provides evidence of the effectiveness of controls. The User Auditor can place reliance on the report during the planning and fieldwork phases of the audit. Additional testing by the User Auditor is not necessarily required.

Slide 18: SAS 70 Report Format and Content
Report of Independent Service Auditors – Contains the Service Auditor's opinion letter and states whether the opinion is qualified or unqualified (also referred to as a "clean" opinion).
Service Provider's Description of Controls – Prepared by the Service Provider; provides a narrative description of the processes and controls covered by the scope of the report.
Information Provided by the Service Auditor – Contains the Service Auditor's procedures and results (the auditor's control tests and results).
Other Information Provided by the Service Organization – Contains additional information not covered by the Service Auditor's opinion, often disaster recovery/business continuity planning information.

Slide 19: Report of Independent Service Auditors
Written solely by the independent Service Auditor ("letter" format, addressed to the Service Organization).
Contains standard language for:
−Specifying the scope of the SAS 70 review performed by the independent Service Auditor, including whether subservice organizations are included in the examination ("inclusive method") or excluded ("carve-out method");
−Indicating whether the internal control examination procedures extended to assessing design only (Type I) or included tests of operating effectiveness (Type II); and
−Concluding on the description, design and operating effectiveness of internal controls.
Qualified Opinion: One or more control objectives were not achieved.
Unqualified Opinion: "Clean" report. All control objectives were achieved.

Slide 20: Service Organization's Description of Controls
Written by the Service Provider (with input from the Service Auditor).
"Free format" (not standardized).
Typically includes wording to define the purpose and scope of the report.
The bulk of the section is for management to describe the control environment and to define control objectives (may include process flows and control narratives).
User Control Considerations (UCCs) are typically defined within this section; they describe the control activities that the Service Organization expects its User Organizations to have in place in addition to the Service Organization's controls defined within the report.

Slide 21: Information Provided by the Service Auditor
The "meat and potatoes" of the report.
Typically in a matrix format; identifies the following for each specified control objective:
−Control Activities: All in-scope control activities that, together, achieve the control objective (if designed and operating effectively);
−Test Procedures: Validation procedures performed by the Service Auditor to determine whether the control activities operated effectively throughout the SAS 70 audit period;
−Test Results: Results of testing (usually either "No Exceptions Noted" or "Exceptions Noted"); and
−Management Responses: May include management's responses to test exceptions.

Slide 22: Other Information Provided by the Service Organization
No requirements.
May contain any additional information that the Service Organization would like to disclose to its User Organizations.
Other information may include:
−The Service Organization's Disaster Recovery Plan
−Other certifications (PCI, HIPAA, etc.)

Slide 23: SAS 70 Report Types - Summary

Report Characteristics | Type I SAS 70 | Type II SAS 70
1. Independent Service Auditor's Opinion:
   o Whether the Service Provider's description of controls presents fairly, in all material respects, the relevant aspects of the Service Provider's controls that had been placed in operation as of a specific date. | Included | Included
   o Whether the controls were suitably designed to achieve specified control objectives. | Included | Included
   o Whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the period specified. | Not Included | Included
2. Service Organization's Description of Controls | Included | Included
3. Information provided by the Service Auditor (Service Auditor's testing, results of testing) | Optional | Included
4. Other Information provided by the Service Organization (Section 4) | Optional | Optional
5. Tests of operating effectiveness for a period of time (usual minimum is 6 months) | Not Included | Included

Slide 24: Report Responsibilities
The Service Organization typically sponsors and pays for the audit.
The Service Organization typically identifies:
−The type of report (I or II) to be issued
−The scope of the report
−The control objectives and control activities to be documented and/or tested
−The reporting period (6 months, 1 year)

Slide 25: Report Responsibilities
Service Auditors must agree on the control objectives and control activities.
User Organizations can request a SAS 70 report.
Service Organizations can initiate a report and use it as a marketing device to attract new customers (User Organizations).

Evaluating a SAS 70 Report

Slide 27: Key Components to Evaluating SAS 70 Reports
1. Assess Scope of Report
2. Evaluate Opinion and Exceptions
3. Map User Control Considerations
4. Address Gap Period
5. Document Management's Assessment

Slide 28: Assess Scope of Report
Management should outline all of the significant operations that the Service Provider performs, to help evaluate the sufficiency of the SAS 70 scope.
Management should evaluate the report to ensure all significant areas are examined.
If significant operations performed by the Service Provider are not included in the scope of the SAS 70 report, management must assess the impact and determine whether additional procedures are required.
Additional procedures may include engaging Corporate Audit or another risk management function to gain an understanding of, and test, key controls over significant operations not covered by the SAS 70 report.

Slide 29: Evaluate Opinion and Exceptions
If the SAS 70 opinion is qualified on one or more control objectives, management should evaluate the impact of the qualification and assess whether mitigating controls exist within the user organization's internal control environment to reduce the likelihood that a material error at the Service Provider would go undetected.
Although the Service Auditor may issue an unqualified opinion, exceptions in testing may still exist and have an impact on the user organization. It is the responsibility of management to consider the nature and extent of any exceptions in the SAS 70 report:
−Evaluate the implications of the exceptions and determine whether the exceptions relate to a key control for the User Organization; and
−Consider the effect of any complementary controls at the User Organization that might mitigate the effect of the exception.

Slide 30: Map User Control Considerations
Typically included in Section II of the SAS 70 Report, UCCs are controls that the Service Provider expects the User Organization to have in place.
Management should assess its actual controls against the UCCs identified by the Service Provider and identify any gaps.
Management should evaluate and map the UCCs to key controls documented and tested, to ensure the UCCs are adequately addressed by internal controls at the Company.

Example User Control Consideration | Example Key Control Mapping
Controls to provide reasonable assurance that application and script changes submitted to ABC Service Provider are authorized and approved. | Application and script change requests must be formally documented and approved by BU management before submission to ABC Service Provider. See control reference ISO.ABC.2.

Slide 31: Address Gap Period
The period between the "as of" date (Type I) or "period end" date (Type II) and the user organization's fiscal year end is the "Gap Period".
Generally, the Gap Period should be less than six months.
Management should determine whether additional procedures are required based on the Gap Period.
Management may consider obtaining a memo from the service provider to address the Gap Period.

Slide 32: Document Management's Assessment
Management's assessment of the significance of the operations outsourced to Service Providers, and its evaluation of and reliance on a SAS 70 report from a Service Provider, should be formally documented.
Key data to include in the assessment of the significance of outsourced operations: an inventory of the Service Provider relationships, the scope of services provided, and the availability and scope of a SAS 70 report.
Key considerations for evaluating a specific SAS 70 report: the scope assessment, understanding and mapping any UCCs to key controls within the Company, and evaluation of any exceptions in the SAS 70 report related to key controls management relies upon, whether or not the exceptions resulted in a qualified opinion.
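The five evaluation steps on slides 27 to 32 (assess scope, evaluate opinion and exceptions, map UCCs, address the gap period, document the assessment) can be run as a single repeatable check over a structured summary of a report. The following is an added example, not material from the presentation or from PwC; the report and user-organization records, the provider name, control objective identifiers and dates are constructed sample data, and the control reference ISO.ABC.2 is reused from the slide 30 example. It applies the thresholds the slides state: a Type I report is informational only, a Type II needs at least a six-month coverage period, and a gap period of six months or more calls for further procedures.

```python
"""Evaluate a SAS 70 report against a User Organization's own controls.

Added example (not part of the presentation). All data below is constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Sas70Report:
    provider: str
    report_type: int                      # 1 = design only, 2 = design + operating effectiveness
    scope: set[str]                       # operations the report covers
    opinion: str                          # "unqualified" or "qualified"
    qualified_objectives: set[str]        # control objectives the opinion is qualified on
    exceptions: dict[str, str]            # control objective -> test exception noted
    uccs: dict[str, str]                  # UCC id -> user control consideration text
    period_end: date                      # "as of" date (Type I) or period-end date (Type II)
    period_start: Optional[date] = None   # Type II coverage period start


@dataclass
class UserOrganization:
    fiscal_year_end: date
    outsourced_operations: set[str]       # significant operations performed by the provider
    key_control_objectives: set[str]      # provider objectives management relies on
    ucc_mapping: dict[str, str]           # UCC id -> internal key control reference
    mitigating_controls: dict[str, str]   # provider objective -> complementary internal control


def months_between(start: date, end: date) -> int:
    """Whole calendar months from start to end; 9/30 to 12/31 gives 3 (slide 11 example)."""
    return (end.year - start.year) * 12 + (end.month - start.month)


def evaluate_report(report: Sas70Report, org: UserOrganization) -> dict:
    """Return the documented assessment (step 5) built from steps 1 to 4."""
    a: dict = {"provider": report.provider, "report_type": report.report_type, "follow_up": []}

    # Step 1: scope. Significant outsourced operations the report does not cover need other procedures.
    a["scope_gaps"] = sorted(org.outsourced_operations - report.scope)
    if a["scope_gaps"]:
        a["follow_up"].append("Test key controls over uncovered operations: " + ", ".join(a["scope_gaps"]))

    # Reliance: Type I is informational only; Type II must cover at least six months.
    if report.report_type == 2 and report.period_start is not None:
        # Coverage is inclusive of both end dates, so 10/1 to 9/30 counts as 12 months.
        a["coverage_months"] = months_between(report.period_start, report.period_end + timedelta(days=1))
        a["reliance"] = "may rely" if a["coverage_months"] >= 6 else "coverage under six months"
    else:
        a["coverage_months"] = 0
        a["reliance"] = "informational only"

    # Step 2: opinion and exceptions, judged only against the objectives management relies on.
    a["findings"] = []
    for objective in sorted(org.key_control_objectives):
        if objective in report.qualified_objectives:
            severity = "qualified"
        elif objective in report.exceptions:
            severity = "exception"
        else:
            continue
        mitigating = org.mitigating_controls.get(objective)
        a["findings"].append({"objective": objective, "severity": severity,
                              "mitigating_control": mitigating, "mitigated": mitigating is not None})
        if mitigating is None:
            a["follow_up"].append(f"No mitigating control for {objective} ({severity})")

    # Step 3: every UCC must map to a documented and tested internal key control.
    a["unmapped_uccs"] = sorted(set(report.uccs) - set(org.ucc_mapping))
    if a["unmapped_uccs"]:
        a["follow_up"].append("Design or map controls for UCCs: " + ", ".join(a["unmapped_uccs"]))

    # Step 4: gap period between the report date and fiscal year end; generally under six months.
    a["gap_period_months"] = max(0, months_between(report.period_end, org.fiscal_year_end))
    if a["gap_period_months"] >= 6:
        a["follow_up"].append("Gap period of six months or more: obtain a gap memo or perform additional procedures")
    return a


# Constructed sample data (provider name, objective ids and dates are made up for this example).
SAMPLE_REPORT = Sas70Report(
    provider="ABC Service Provider", report_type=2,
    scope={"payroll processing", "data center operations"}, opinion="unqualified",
    qualified_objectives=set(),
    exceptions={"CO-3 change management": "1 of 25 sampled changes lacked documented approval"},
    uccs={"UCC-1": "Changes submitted to the provider are authorized and approved by user management",
          "UCC-2": "User reviews provider payroll output reports for accuracy"},
    period_start=date(2009, 10, 1), period_end=date(2010, 9, 30))

SAMPLE_ORG = UserOrganization(
    fiscal_year_end=date(2010, 12, 31),
    outsourced_operations={"payroll processing", "data center operations", "claims processing"},
    key_control_objectives={"CO-3 change management", "CO-5 payroll calculation"},
    ucc_mapping={"UCC-1": "ISO.ABC.2"},
    mitigating_controls={"CO-3 change management": "BU management approves change requests (ISO.ABC.2)"})

if __name__ == "__main__":
    print(json.dumps(evaluate_report(SAMPLE_REPORT, SAMPLE_ORG), indent=2, default=str))
```

With the sample data the assessment records one scope gap (claims processing), a twelve-month Type II coverage period that may be relied upon, one test exception on a relied-upon objective that is mitigated by the mapped internal control, one UCC with no mapping, and a three-month gap period that needs no further procedures. The `follow_up` list is what management would carry into the documented assessment on slide 32.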

Questions