![Page 1: Internal Control Certification – It’s Not Just an Accounting Thing (Credit Union Conference Presentation)](https://reader033.fdocuments.net/reader033/viewer/2022051513/547a72925906b502358b46a2/html5/thumbnails/1.jpg)
Internal Control Certification –
It’s Not Just an Accounting Thing
Presented by
Jeff Ziliani, CPA
Burns-Fazzi, Brock & Associates
![Page 2: Internal Control Certification – It’s Not Just an Accounting Thing (Credit Union Conference Presentation)](https://reader033.fdocuments.net/reader033/viewer/2022051513/547a72925906b502358b46a2/html5/thumbnails/2.jpg)
Internal Controls in the News
“Corzine’s lack of internal controls at MF Global
gets exposed with missing money”
– Bloomberg News, November 2, 2011
“UBS says some internal controls were not
effective”
– Reuters, October 25, 2011
![Page 3: Internal Control Certification – It’s Not Just an Accounting Thing (Credit Union Conference Presentation)](https://reader033.fdocuments.net/reader033/viewer/2022051513/547a72925906b502358b46a2/html5/thumbnails/3.jpg)
Internal Controls in the News (cont.)
“A Red Flag on G.M. Internal Controls”
– New York Times, August 20, 2010
“Lack of internal controls could present problems
for cattle industry”
– Farm & Dairy, August 12, 2010
![Page 4: Internal Control Certification – It’s Not Just an Accounting Thing (Credit Union Conference Presentation)](https://reader033.fdocuments.net/reader033/viewer/2022051513/547a72925906b502358b46a2/html5/thumbnails/4.jpg)
Internal Controls in the News (cont.)
“The ability to plan for the short- and long-term, determine product offerings, perform initial and ongoing due diligence over any third-party relationships and set appropriate limits through policies and procedures mitigates strategic risk.”
– Debbie Matz, NCUA Chairman
Excerpt from Letter No. 11-CU-16, issued Oct. 2011
![Page 5: Internal Control Certification – It’s Not Just an Accounting Thing (Credit Union Conference Presentation)](https://reader033.fdocuments.net/reader033/viewer/2022051513/547a72925906b502358b46a2/html5/thumbnails/5.jpg)
IC Certification / Due Diligence
The Challenge:
• Increasing reliance on the outsourcing of
certain tasks or functions
• Increasing dependency on external technology
and information systems
• Pressures of profitability, fraud and
embezzlement at an all-time high
![Page 6: Internal Control Certification – It’s Not Just an Accounting Thing (Credit Union Conference Presentation)](https://reader033.fdocuments.net/reader033/viewer/2022051513/547a72925906b502358b46a2/html5/thumbnails/6.jpg)
IC Certification / Due Diligence (cont.)
• Consumer confidence stressed – need for
“peace of mind”
The Solution:
• Building trust and confidence through a
report issued by an independent Certified
Public Accountant
![Page 7: Internal Control Certification – It’s Not Just an Accounting Thing (Credit Union Conference Presentation)](https://reader033.fdocuments.net/reader033/viewer/2022051513/547a72925906b502358b46a2/html5/thumbnails/7.jpg)
Examples of Services Within Scope
![Page 8: Internal Control Certification – It’s Not Just an Accounting Thing (Credit Union Conference Presentation)](https://reader033.fdocuments.net/reader033/viewer/2022051513/547a72925906b502358b46a2/html5/thumbnails/8.jpg)
Examples of Services Within Scope (cont.)
• Financial Services Customer Accounting
• Loan / Claims Management and Processing
• Cloud Computing
• Managed Security
• Customer Support
• Sales Force Automation
• Enterprise IT Outsourcing Services
![Page 9: Internal Control Certification – It’s Not Just an Accounting Thing (Credit Union Conference Presentation)](https://reader033.fdocuments.net/reader033/viewer/2022051513/547a72925906b502358b46a2/html5/thumbnails/9.jpg)
Changing Standards
Statement on Auditing Standards (SAS) No. 70, Service Organizations
Effective – April 1992
![Page 10: Internal Control Certification – It’s Not Just an Accounting Thing (Credit Union Conference Presentation)](https://reader033.fdocuments.net/reader033/viewer/2022051513/547a72925906b502358b46a2/html5/thumbnails/10.jpg)
Changing Standards (cont.)
Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization
Effective – On or after June 15, 2011
![Page 11: Internal Control Certification – It’s Not Just an Accounting Thing (Credit Union Conference Presentation)](https://reader033.fdocuments.net/reader033/viewer/2022051513/547a72925906b502358b46a2/html5/thumbnails/11.jpg)
What Changed?
1. The name.
2. Now have 3 different Service Organization Controls (SOC) reports to meet specific user needs.
3. Management to provide a written assertion to be included in the auditor’s report.
![Page 12: Internal Control Certification – It’s Not Just an Accounting Thing (Credit Union Conference Presentation)](https://reader033.fdocuments.net/reader033/viewer/2022051513/547a72925906b502358b46a2/html5/thumbnails/12.jpg)
![Page 13: Internal Control Certification – It’s Not Just an Accounting Thing (Credit Union Conference Presentation)](https://reader033.fdocuments.net/reader033/viewer/2022051513/547a72925906b502358b46a2/html5/thumbnails/13.jpg)
• Description of Service Organization’s System
• CPA’s opinion on fairness of presentation of the description, suitability of design and, in a Type 2 report, the operating effectiveness of controls
• A Type 2 report includes a description of the CPA’s tests of controls and results
![Page 14: Internal Control Certification – It’s Not Just an Accounting Thing (Credit Union Conference Presentation)](https://reader033.fdocuments.net/reader033/viewer/2022051513/547a72925906b502358b46a2/html5/thumbnails/14.jpg)
• Unaudited system description used to
delineate the boundaries of the system
• CPA’s opinion on whether the entity
maintained effective controls over its
system
![Page 15: Internal Control Certification – It’s Not Just an Accounting Thing (Credit Union Conference Presentation)](https://reader033.fdocuments.net/reader033/viewer/2022051513/547a72925906b502358b46a2/html5/thumbnails/15.jpg)
Walkthrough of the Process
Responsibilities of Management
• Determine the scope of engagement to be
performed
- What service / system / process are we
looking to be included in this
engagement?
- Is this a Type 1 or 2 engagement?
![Page 16: Internal Control Certification – It’s Not Just an Accounting Thing (Credit Union Conference Presentation)](https://reader033.fdocuments.net/reader033/viewer/2022051513/547a72925906b502358b46a2/html5/thumbnails/16.jpg)
Walkthrough of the Process (cont.)
Responsibilities of Management (cont.)
• Prepare a written description of the system /
controls within scope.
• Provide a written assertion regarding the
design, implementation and operation of the
controls of the service organization’s system.
![Page 17: Internal Control Certification – It’s Not Just an Accounting Thing (Credit Union Conference Presentation)](https://reader033.fdocuments.net/reader033/viewer/2022051513/547a72925906b502358b46a2/html5/thumbnails/17.jpg)
Walkthrough of the Process (cont.)
Identification of Control Objectives
• SOC 1 Engagements:
- Control objectives determined and
documented by Management.
• SOC 2 & 3 Engagements:
- Control objectives based on applicable
Trust Services Principles and Criteria.
![Page 18: Internal Control Certification – It’s Not Just an Accounting Thing (Credit Union Conference Presentation)](https://reader033.fdocuments.net/reader033/viewer/2022051513/547a72925906b502358b46a2/html5/thumbnails/18.jpg)
Walkthrough of the Process (cont.)
Trust Services Principles and Criteria
“Checklist” approach broken into the following
areas:
• Security
• Availability
• Processing Integrity
• Confidentiality
• Privacy
The engagement may cover one,
multiple or all of the principles.
![Page 19: Internal Control Certification – It’s Not Just an Accounting Thing (Credit Union Conference Presentation)](https://reader033.fdocuments.net/reader033/viewer/2022051513/547a72925906b502358b46a2/html5/thumbnails/19.jpg)
Walkthrough of the Process (cont.)
Additional Guidance
• Provide access to all information.
• Be proactive in documenting changes in
controls/systems.
• Disclose any design or operating
deficiencies.
![Page 20: Internal Control Certification – It’s Not Just an Accounting Thing (Credit Union Conference Presentation)](https://reader033.fdocuments.net/reader033/viewer/2022051513/547a72925906b502358b46a2/html5/thumbnails/20.jpg)
Walkthrough of the Process (cont.)
Additional Guidance (cont.)
• Provide evidence that a control is operating
effectively.
• For Type 2 engagements, the auditor will be testing to see if the control has been operating effectively over the period within scope (typically no shorter than a 6-month period).
![Page 21: Internal Control Certification – It’s Not Just an Accounting Thing (Credit Union Conference Presentation)](https://reader033.fdocuments.net/reader033/viewer/2022051513/547a72925906b502358b46a2/html5/thumbnails/21.jpg)
Walkthrough of the Process (cont.)
Q. Does obtaining an SSAE16 report mean that the entire organization is now “SSAE16 certified”?
A. No. The auditor’s report is limited in scope to the specific services or system controls and does not encompass all controls and areas of the organization.
![Page 22: Internal Control Certification – It’s Not Just an Accounting Thing (Credit Union Conference Presentation)](https://reader033.fdocuments.net/reader033/viewer/2022051513/547a72925906b502358b46a2/html5/thumbnails/22.jpg)
Walkthrough of the Process (cont.)
Q. Is this a one-time process?
A. No. At least quarterly, it is a best practice to document any changes to controls. In addition, the report itself will need to be “kept current” as the report tells the users that the controls addressed in the report existed and were operating effectively at or during a certain period of time.
![Page 23: Internal Control Certification – It’s Not Just an Accounting Thing (Credit Union Conference Presentation)](https://reader033.fdocuments.net/reader033/viewer/2022051513/547a72925906b502358b46a2/html5/thumbnails/23.jpg)
Due Diligence – What to Look For
![Page 24: Internal Control Certification – It’s Not Just an Accounting Thing (Credit Union Conference Presentation)](https://reader033.fdocuments.net/reader033/viewer/2022051513/547a72925906b502358b46a2/html5/thumbnails/24.jpg)
Due Diligence – What to Look For (cont.)
• Are the service or specific system controls covered by the SSAE 16 report?
• Which accounting firm performed the work?
• What is the period of time covered by the report?
• What type of report is it?
![Page 25: Internal Control Certification – It’s Not Just an Accounting Thing (Credit Union Conference Presentation)](https://reader033.fdocuments.net/reader033/viewer/2022051513/547a72925906b502358b46a2/html5/thumbnails/25.jpg)
Due Diligence – What to Look For (cont.)
• Were there any exceptions or deficiencies noted in the auditor’s report?
• Is there any other useful information about the vendor that is included in the report (e.g., disaster recovery plan)?
• What are the next steps?
![Page 26: Internal Control Certification – It’s Not Just an Accounting Thing (Credit Union Conference Presentation)](https://reader033.fdocuments.net/reader033/viewer/2022051513/547a72925906b502358b46a2/html5/thumbnails/26.jpg)
Additional Resources
American Institute of Certified Public Accountants
www.AICPA.org
SSAE16 Information, FAQ, Latest News, etc.
www.SSAE16.com
IT Governance Institute
www.ITGI.org
![Page 27: Internal Control Certification – It’s Not Just an Accounting Thing (Credit Union Conference Presentation)](https://reader033.fdocuments.net/reader033/viewer/2022051513/547a72925906b502358b46a2/html5/thumbnails/27.jpg)
“Internal Controls cannot make an institution successful, but the lack of controls or only partial controls can be and commonly is a cause of its failure.”
– Gene Bucciarelli, CPA, BankersOnline.com