Business Process Audits | The Keiter Stephens Accounting Blog

Posts Tagged ‘Business Process Audits’

Real World ERM

Wednesday, June 10th, 2009

The Institute of Internal Auditors (IIA) released a great series of articles on Enterprise Risk Management (ERM), “Real-world ERM” and “12 Key ERM Challenges”, that convey the struggles of implementing ERM and some great insights on how to ‘make it real.’

A quote that stuck out to me was, “there is no shortage of guidance to explain what ERM is and how to implement it, though most of this information is written for risk and control specialists. To succeed, ERM efforts need to include people with other priorities.”

Getting buy-in from management is a top roadblock to successfully implementing an ERM program – or at least to implementing an ERM program that won’t fizzle out quickly. Fortunately, as noted above, there is a multitude of documentation on the concept and benefits of ERM…. and in a later post, I’ll identify the most relatable ways to talk about ERM with management.

Tags: Business Process Audits, Internal Audit Outsourcing, Internal Controls Reviews, IT Governance & Strategy, Regulatory Compliance, risk assessment
Posted in IT Audit, Internal Audit | 1 Comment »

What’s in a SAS 70?

Wednesday, June 10th, 2009

What is in a SAS 70 audit report depends on the type of report being obtained.

In a Type I report, the service auditor will express an opinion on (a) whether the service organization’s description of its controls was accurate and (b) whether the controls were suitably designed to achieve specified control objectives. The report will include sections 1 and 2 below, however sections 3 and 4 are optional.

In a Type II report, the service auditor will express an opinion on the same items noted above in a Type I report, and (c) whether the controls were operating effectively during the period. The report will include sections 1, 2, and 3 below, however section 4 is optional.
Section 1: Service Auditor’s Report – completed by the Auditor and describes the scope of the audit and the includes the opinion of the auditor.

Section 2: Description of Relevant Controls – completed by the company and describes the control environment, process, and systems being audited. Additionally, it includes the controls that the company is not responsible for and which the customer should ensure are in place in their organization.

Section 3: Information Provided by the Service Auditor – completed by the auditor and describes the results of control testing.

Section 4: Other Information Provided by the Service Organization – completed by the company and may include management responses to identified gaps, information on business continuity and disaster recovery, or a glossary of terms used in the audit report

See more posts on SAS 70

Tags: Business Process Audits, Change Control, Data Center and Network Operations, Information Security, Internal Controls Reviews
Posted in SAS 70 | 1 Comment »

Benefits of a SAS 70

Wednesday, June 10th, 2009

We’ve talked about SAS 70s in previous posts (What is SAS 70 and who needs it? and Types of SAS 70 Services), but where will your organization see a real benefit?

Efficiency and Cost Reduction – Your company can have one audit performed and provide one report to interested parties. This allows your company to focus on what it does best and reduces the time required to respond to audit inquiries.

Piece of Mind – It makes good business sense to make sure you have controls in place to prevent/detect unnecessary mistakes, unauthorized transactions, unauthorized modifications to data, and fraudulent activity. Having an independent party assess your processes and systems can provide a level of assurance that may be unattainable through self assessment.

Strengthen Existing Relationships – Customers value transparency and assurance that your processes and systems are sound.

Attract Customers – New customers want to know that they will be working with a company that has standards in place and has been reviewed by an independent party.

Differentiate from Competitors – If your company has a clean audit opinion and your competitors don’t or don’t have an audit opinion at all, you should stand out in the marketplace.

Compliance – There may be overlapping regulations that a SAS 70 may meet. The Sarbanes Oxley Act requires your customers to have controls over financially material processes and systems. The Graham Leach Bliley Act requires financial institutions to provide security over customer information to safeguard their privacy.

Are you interested in strengthening existing relationships, attracting new customers and differentiating your company from competitors?

Do you want to reduce the time and cost of audit inquiries?

Tags: Business Process Audits, Change Control, Compliance, Data Center and Network Operations, Data Privacy, Information Security, Internal Controls Reviews, sas 70 audit report, sas 70 virginia
Posted in SAS 70 | 1 Comment »

Posts Tagged ‘Business Process Audits’

Real World ERM

What’s in a SAS 70?

Benefits of a SAS 70

Recent Posts

Categories

Archives

Pages