Resources
COSO Internal Control Framework
- A fundamental element of the American Institute of Certified Public Accountants (AICPA) auditing standards in the United States; it eventually became the standard that enterprise external auditors apply when certifying that an enterprise's internal controls are adequate under the SOx rules.
- SOx does not mandate strict use of the COSO internal control framework; it only calls for its use in understanding and evaluating internal controls.
- The framework consists of 5 components and 17 principles of internal control.
- An internal audit tool for better understanding and evaluating the risks surrounding internal controls at all levels.
COBIT
- A more IT-oriented internal control framework. It has been in place since well before SOx, and many enterprises adopted COBIT when SOx became law as a preferred tool for complying with its Section 404 internal control procedures.
- Helps enterprises create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use.
- Based on two concepts:
  - Five Principles
    - Meeting stakeholder needs
    - Covering the enterprise end-to-end
    - Applying a single integrated framework
    - Enabling a holistic approach
    - Separating governance from management
  - Seven Enablers
    - Principles, policies and frameworks
    - Processes
    - Organisational structures
    - Culture, ethics and behaviour
    - Information
    - Services, infrastructure and applications
    - People, skills and competencies
ITIL
- A detailed framework of significant IT best practices, with comprehensive checklists, tasks, procedures and responsibilities designed to be tailored to any IT organization. By dividing key processes into those covering IT service delivery and those covering service support, ITIL has become the de facto standard for describing many fundamental IT service management processes, such as configuration management or change management.
SOx (Sarbanes-Oxley Act)
- U.S. law enacted in 2002 to improve financial reporting and audit processes and to correct a series of board of director, public accounting and other practices.
- Particularly relevant:
  - Section 404: Assessment of Internal Control. Internal audit, outside consultants or even the management team (but not the external auditors) are responsible for reviewing and assessing the effectiveness of the enterprise's internal controls; the external auditors then attest to the sufficiency of these internal control reviews, which are built and controlled by management.
  - AS5: Risk-based approach to auditing. A set of standards for the external auditors who review and certify published financial statements. These rules also matter to internal auditors and financial managers. AS5 introduces risk-based rules that emphasise the effectiveness of enterprise-level controls and are oriented more closely to the enterprise's own facts and circumstances.
- Relevant papers and resources:
ISO 9001:2015: Quality Management Systems
- Specifies requirements for a quality management system, intended to be applicable to any organization regardless of its type or size or the products and services it provides.
- ISO 9001:2015 Internal Audit explained.
- Internal Audit Checklist (https://www.iso-9001-checklist.co.uk/9.2-internal-audit.htm)
ISO 27000: Information Security Standards
ISO 27001: Information Security Management System
ISO 27017: Cloud Security
Because WAP provides ERP services to other companies, the Internal Control & Audit system that we designed is meant to be applied to those companies as well. Depending on the area and industry, WAP may need to comply with one or more of these standards.
HIPAA
A hosting provider needs to be HIPAA compliant in order to ensure that sensitive patient information is protected.
Mandated by the U.S. Department of Health and Human Services, the Health Insurance Portability and Accountability Act of 1996 specifies the legal requirements for securing protected health information (PHI), that is, patient health data such as medical records.
SAS 70
The Statement on Auditing Standards No. 70 was the original audit used to measure a data center's financial reporting and record-keeping controls. Developed by the AICPA (American Institute of CPAs), it has two types:
- Type 1 – Reports on a company's description of its operational controls
- Type 2 – Reports on an auditor's opinion of how effective these controls are over a specified period of time (six months)
Source: Onlinetech
SSAE 16
The Statement on Standards for Attestation Engagements No. 16 replaced SAS 70 in June 2011. An SSAE 16 audit measures the controls relevant to financial reporting. SSAE 16 itself was replaced by SSAE 18 on May 1, 2017.
- Type 1 – A data center's description and assertion of its controls, as reported by the company.
- Type 2 – Auditors test the accuracy of the described controls and the implementation and effectiveness of those controls over a specified period of time.
In addition to SSAE 16, three new reports have also been established as the framework for examining controls at a service organization, aptly named Service Organization Control (SOC) reports.
SOC 1
The first of the three new Service Organization Control reports developed by the AICPA, this report measures the controls of a data center as they relate to financial reporting. It is essentially the same as an SSAE 16 audit.
SOC 2
This report and audit are completely different from SOC 1. SOC 2 measures controls specifically related to IT and data center service providers. The five control categories (the trust services criteria) are security, availability, processing integrity (ensuring system accuracy, completeness and authorization), confidentiality and privacy. There are two types:
- Type 1 – A data center's system and the suitability of the design of its controls, as reported by the company.
- Type 2 – Includes everything in Type 1, with the addition of an auditor's verified opinion on the operating effectiveness of the controls.
SOC 3
This public-facing report includes the auditor's opinion on the SOC 2 components, with an additional seal of approval that can be displayed on websites and other documents. The report is less detailed and technical than a SOC 2 report.
Source: Onlinetech
SSAE 18
A series of enhancements aimed at increasing the usefulness and quality of SOC reports; it now supersedes SSAE 16. There are a couple of key changes that companies currently performing a SOC 1 or SOC 2 audit, or planning one in the near future, need to take into consideration this year and going forward:
- Service organizations will need to implement a formal Third Party Vendor Management Program
- Service organizations will need to implement a formal Annual Risk Assessment process