Automating Vendor Management


2 Automating Vendor Management
Tuesday 11:30 am – 12:30 pm Roger Chalkley Home Bank S B

3 Home Bank S B
Located in South Central Indiana
Three Branches
Established in February 1890
$230 Million in Assets
OCC Regulated
70 Employees

4 Governance Policy
Access Management
Incident Response
Asset Management
Business Continuity
Vendor Management
Security Standards
AUP
Risk Analysis

In late 2011, we decided to revamp our whole IT Governance Program and Policies. The consulting firm that helped us with our Risk Assessment, infotex, has actually mapped all of the FFIEC requirements to a policy set that they showed us how to migrate to, with one of the components being Vendor Management.

5 Where we started?
Accounts Payable Vendors
Created Spreadsheet
Eliminated all “Marketing Vendors”
  Charitable Donations
  Yearbook Ads
Assign Vendor Owners

6 Definitions
Vendor: A person or entity that provides a product or service to the bank
Risk Rating: We risk rate Vendors based on:
  The amount and sensitivity of customer information to which they have access
  The extent to which our business would be disrupted if Vendor relationship ends
  Amount of money spent annually

7 Definitions
Critical Vendors
  “Hosting” of customer information
  Access to large volume of customer information or highly sensitive customer information
  Terminated relationship would cause major disruption
  Annual payments from bank > $50K
Regulated Vendors
  Vendors who are legally required to comply with federal privacy laws by virtue of being regulated by a federal agency

8 Critical Vendor Documentation Need Components
SSAE 16
Financial Statements
Tracking/Reporting on Performance
Are they meeting SLAs
Reporting and follow up of issues with Vendor

9 NEW SSAE 16 Standard
Replaced old SAS 70 effective June 15, 2011
SOC-1 Financial Reporting Controls
  Includes written assertion from management on the fairness of the auditor’s presentation of the system description
  Type 1 also reports on the control design
  Type 2 reports on the control design AND effectiveness
  Clarifies that the user auditor evaluates the proper choice of controls
SOC-2 Operational Controls
  Reports on management’s description of a service organization’s system AND
  Type 1 also reports on suitability of design of controls
  Type 2 also reports on suitability of design and operating effectiveness of controls
SOC-3 Operational Controls
  Trust Service Report for Service Organizations
  CPA’s opinion
Most vendors issue SOC-1 type 1; Type 1 = Point in Time; Type 2 = Period of Time

10 FIS GOVERNANCE SITE INFO
If you do not have access credentials, send request to:
Subject Line: “Governance Website Access Request” and following info in body:
First Name:
Last Name:
Company Name:
Contact Phone:
Contact (must be a company address)
Desired User Name:
Please note: It can take up to 24 hours to process your registration once it is received. You will receive an your login credentials once your registration is processed.


17 Reviewing a SOC-1 or SOC-2 Report
Understand the scope of the review
Read the entire report
Pay attention to auditor’s opinion
Were all controls tested without exception (Type II)
If exceptions, are there sufficient controls
Review User Control Considerations
Document controls you have in place to address areas

18 Reviewing a SOC-1 or SOC-2 Report
Document your Review
Conclusion
“Based on our review of FIS Charlotte Service Center SOC-1 report for the period of February to October 31, 2011, the FIS controls upon which Home Bank relies were appropriately designed and operating effectively”

19 Software Automation
Gathering / Storage of Documentation
Vendor Owner Assessment
Annual Risk Assessment
Key Date Notifications
SSAE 16
Financial Review
Insurance
SLA & Performance

Wish list for software to automate Vendor Management process.


25 Automating Vendor Management
Roger Chalkley Home Bank S B
