Internal Control Certification – It’s Not Just an Accounting Thing. Presented by Jeff Ziliani, CPA, Burns-Fazzi, Brock & Associates

Internal Control Certification – It’s Not Just an Accounting Thing (Credit Union Conference Presentation)


DESCRIPTION

In this recorded 2012 NAFCU Technology & Security Conference session, you will learn about the internal control certification process and how it affects more than just the accounting department. Discover the importance of becoming internal control certified, gain insight into the impact of the recent regulatory change from SAS 70 to SSAE 16, and get a walkthrough of the process and audit reports (Type I and Type II), as well as a discussion of the involvement of the “technology side of the house,” including documentation of system controls, disaster recovery and more.

Presented by Jeff Ziliani, CPA, Director of Finance and Administration, Burns-Fazzi, Brock.

Burns-Fazzi, Brock is the NAFCU Services Preferred Partner for Executive Benefits and Compensation Consulting and Long Term Care Insurance. More information at http://www.nafcu.org/bfb


Page 1: Internal Control Certification – It’s Not Just an Accounting Thing (Credit Union Conference Presentation)

Internal Control Certification – It’s Not Just an Accounting Thing

Presented by Jeff Ziliani, CPA, Burns-Fazzi, Brock & Associates

Page 2

Internal Controls in the News

“Corzine’s lack of internal controls at MF Global gets exposed with missing money”
– Bloomberg News, November 2, 2011

“UBS says some internal controls were not effective”
– Reuters, October 25, 2011

Page 3

Internal Controls in the News (cont.)

“A Red Flag on G.M. Internal Controls”
– New York Times, August 20, 2010

“Lack of internal controls could present problems for cattle industry”
– Farm & Dairy, August 12, 2010

Page 4

Internal Controls in the News (cont.)

“The ability to plan for the short- and long-term, determine product offerings, perform initial and ongoing due diligence over any third-party relationships and set appropriate limits through policies and procedures mitigates strategic risk.”
– Debbie Matz, NCUA Chairman, excerpt from Letter No. 11-CU-16, issued Oct. 2011

Page 5

IC Certification / Due Diligence

The Challenge:

• Increasing reliance on the outsourcing of certain tasks or functions
• Increasing dependency on external technology and information systems
• Pressures of profitability, fraud and embezzlement at an all-time high

Page 6

IC Certification / Due Diligence (cont.)

• Consumer confidence stressed – need for “peace of mind”

The Solution:

• Building trust and confidence through a report issued by an independent Certified Public Accountant

Page 7

Examples of Services Within Scope

Page 8

Examples of Services Within Scope (cont.)

• Financial Services Customer Accounting

• Loan / Claims Management and Processing

• Cloud Computing

• Managed Security

• Customer Support

• Sales Force Automation

• Enterprise IT Outsourcing Services

Page 9

Changing Standards

Statement of Auditing Standards (SAS) No. 70, Service Organizations
Effective – April 1992

Page 10

Changing Standards (cont.)

Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization
Effective – On or after June 15, 2011

Page 11

What Changed?

1. The name.
2. Now have 3 different Service Organization Controls (SOC) reports to meet specific user needs.
3. Management to provide a written assertion to be included in the auditor’s report.

Page 12

Page 13

• Description of Service Organization’s System
• CPA’s opinion on fairness of presentation of the description, suitability of design and, in a type 2 report, the operating effectiveness of controls
• A type 2 report includes a description of the CPA’s tests of controls and results

Page 14

• Unaudited system description used to delineate the boundaries of the system
• CPA’s opinion on whether the entity maintained effective controls over its system

Page 15

Walkthrough of the Process

Responsibilities of Management

• Determine the scope of engagement to be performed
  - What service / system / process are we looking to be included in this engagement?
  - Is this a Type 1 or 2 engagement?

Page 16

Walkthrough of the Process (cont.)

Responsibilities of Management (cont.)

• Prepare a written description of the system / controls within scope.
• Provide a written assertion regarding the design, implementation and operation of the controls of the service organization’s system.

Page 17

Walkthrough of the Process (cont.)

Identification of Control Objectives

• SOC 1 Engagements:
  - Control objectives determined and documented by Management.
• SOC 2 & 3 Engagements:
  - Control objectives based on applicable Trust Services Principles and Criteria.

Page 18

Walkthrough of the Process (cont.)

Trust Services Principles and Criteria

“Checklist” approach broken into the following areas:

• Security
• Availability
• Processing Integrity
• Confidentiality
• Privacy

The engagement may cover one, multiple or all of the principles.

Page 19

Walkthrough of the Process (cont.)

Additional Guidance

• Provide access to all information.
• Be proactive in documenting changes in controls/systems.
• Disclose any design or operating deficiencies.

Page 20

Walkthrough of the Process (cont.)

Additional Guidance (cont.)

• Provide evidence that a control is operating effectively.
• For Type 2 engagements, the auditor will be testing to see if the control has been operating effectively over the period within scope, typically no shorter than a 6 month period.

Page 21

Walkthrough of the Process (cont.)

Q. Does obtaining a SSAE16 report mean that the entire organization is now “SSAE16 certified”?

A. No. The auditor’s report is limited in scope to the specific services or systems controls and does not encompass all controls and areas of the organization.

Page 22

Walkthrough of the Process (cont.)

Q. Is this a one-time process?

A. No. At least quarterly, it is a best practice to document any changes to controls. In addition, the report itself will need to be “kept current,” as the report tells the users that the controls addressed in the report existed and were operating effectively at or during a certain period of time.

Page 23

Due Diligence – What to Look For

Page 24

Due Diligence – What to Look For (cont.)

• Is the service or specific system controls covered by the SSAE 16 report?
• Which accounting firm performed the work?
• What is the period of time covered by the report?
• What type of report is it?

Page 25

Due Diligence – What to Look For (cont.)

• Were there any exceptions or deficiencies noted in the auditor’s report?
• Is there any other useful information about the vendor that is included in the report? (e.g., disaster recovery plan)
• What are the next steps?

Page 26

Additional Resources

American Institute of Certified Public Accountants – www.AICPA.org
SSAE16 Information, FAQ, Latest News, etc. – www.SSAE16.com
IT Governance Institute – www.ITGI.org

Page 27

“Internal Controls cannot make an institution successful, but the lack of controls or only partial controls can be and commonly is a cause of its failure.”
– Gene Bucciarelli, CPA, BankersOnline.com