WEBTRUST
ENGAGEMENTS
What is a WEBTRUST ENGAGEMENT?
• Security
The system is protected against unauthorized access (both physical and logical).
• Availability
The system is available for operation and use as committed or agreed.
• Processing Integrity
System processing is complete, accurate, timely, and authorized.
• Online Privacy
Personal information obtained as a result of e-commerce is collected, used, disclosed, and
retained as committed or agreed.
• Confidentiality
Information designated as confidential is protected as committed or agreed.
SYSTRUST
ENGAGEMENTS
What is a SYSTRUST ENGAGEMENT?
• Availability
The system is available for operation and use at times set forth in service-level statements or
agreements.
• Security
The system is protected against unauthorized physical and logical access.
• Integrity
System processing is complete, accurate, timely, and authorized.
FINANCIAL PROJECTIONS
Financial projections include financial
statement forecasts and pro forma financial
information. This analysis is often performed
in conjunction with seeking loans or issuing
stock. IT auditors are less involved with this
type of attest service. They are usually only
involved to the extent the auditor needs to
use special software to perform projections.
COMPLIANCE REVIEWS
Compliance reviews usually involve verifying a
company's compliance with business regulations.
Compliance reviews might use IT auditors, but
usually rely on them to the extent they are intended to
access the technology used by the client company.
For example, IT auditors may be involved in a PIN
(personal identification number) encryption
security review. A PIN encryption review is a
special type of AUP whereby the auditor tests the
integrity of the client's encryption process for
FINDINGS AND RECOMMENDATIONS
A findings and recommendations report includes most
reviews that would be considered consulting or advisory
services. Examples of engagements that fall under this
category include system implementations, including
enterprise resource planning (ERP) implementations
such as an SAP, Oracle or PeopleSoft implementation
engagement; security reviews; database application
reviews; IT infrastructure and improvements needed
engagements; project management; and IT internal audit
services.
A findings and recommendations report does not
produce an opinion. Rather, it is a summary of the work
SAS 70 AUDIT
Statement on Auditing Standards
Statement on Auditing Standards (SAS) No. 70, Service
Organizations, was a widely recognized auditing standard
developed by the American Institute of Certified Public
Accountants (AICPA). A service auditor's examination
performed in accordance with SAS No. 70 (also commonly
referred to as a "SAS 70 Audit") represents that a service
organization has been through an in-depth examination of
their control objectives and control activities, which often
include controls over information technology and related
processes. In today's global economy, service organizations
or service providers must demonstrate that they have
adequate controls and safeguards when they host or process
data belonging to their customers. In addition, the
requirements of Section 404 of the Sarbanes-Oxley Act of
2002 make SAS 70 audit reports even more important to the
process of reporting on the effectiveness of internal
SAS No. 70 provides guidance to enable an independent auditor ("service auditor") to
issue an opinion on a service organization's description of controls through a Service
Auditor's Report. SAS 70 does not specify a pre-determined set of control objectives
or control activities that service organizations must achieve. Service auditors are
required to follow the AICPA's standards for fieldwork, quality control, and reporting.
A SAS 70 Audit is not a "checklist" audit.
Service organizations receive significant benefits and value from having a SAS
70 audit performed. A Service Auditor's Report with an unqualified opinion that is
issued by an Independent Accounting Firm differentiates the service organization from
its peers by demonstrating the establishment of effectively designed control
objectives and control activities. A Service Auditor's Report also helps a service
organization build trust with its user organizations.
BENEFITS TO SERVICE ORGANIZATIONS
Without a current Service Auditor's Report in hand, a service organization may have
to entertain multiple audit requests from its customers and their respective auditors.
Multiple visits from user auditors can place a strain on the service organization's
resources. A Service Auditor's Report ensures that all user organizations and their
auditors have access to the same information, and in many cases this will satisfy the
user auditor's requirements. A Type II service auditor's report will also allow the user
organizations and the user auditors to possibly place reliance on the controls at the
service organization. This can be a significant component of the user auditor's control
evaluations and the user organization's own assessments of internal control over
financial reporting.
CASE STUDY