REGULATORY HOT TOPIC Third Party IT Vendor Management
Slide 1: REGULATORY HOT TOPIC: Third Party IT Vendor Management

Slide 2: Today's Outsourced Technology Services
- Core Processing
- Internet Banking
- Mobile Banking
- Managed Security Services
- Managed Data Center Services
- And more

Slide 3: Implementing a Comprehensive Vendor Management Program

Slide 4: Vendor Risk Management Program
- Risk Assessment
- Selection of the Service Provider
- Contracting with the Service Provider
- Monitoring
- Business Continuity

Slide 5: Vendor Management Responsibilities
- The Board and Senior Management retain the responsibility for the service.
- You must manage the service as if it were completed internally by the bank:
  - Maintain the same controls
  - Require the same information
  - Monitor the process

Slide 6: Standard Risk Management Process
- Identify the risks
- Report the risk status and updates
- Measure the risks
- Monitor the risks
- Mitigate the risks

Slide 7: Deciding to Outsource
- Have an approved vendor management policy in place before you outsource a service.
- Complete and DOCUMENT your due diligence.
- Understand what you need in the contract to protect the interests of the bank.
- Ensure board oversight of the vendor management program.

Slide 8: What the Board Should Know
- Updates for:
  - Service Level Agreements (SLAs)
  - Data Security
  - Audits and Attestations
  - Vendor Business Recovery and Continuity Testing Results
  - Financial Statements
- The degree of reporting should be increased based on the risk to the bank.
- Regulatory reports should be obtained if available.
- ANNUAL BOARD REPORTING IS REQUIRED by Appendix B to Part 364. Periodic reporting is also required during vendor due diligence.

Slide 9: Management Requirements
- Ensure the outsourced service provider is aligned with business and strategic plans and is appropriate for the size and complexity of the bank.
- Ensure the bank can properly oversee and manage the services.
- Ensure proper monitoring is in place based on the initial and current risk.
- Properly assign responsibilities for monitoring and reporting.

Slide 10: Vendor Management Components
- Risk Assessment
- Selection
- Contracts
- Monitoring
Slide 11: Implementing a Comprehensive Vendor Management Program: RISK ASSESSMENT

Slide 12: The Risk Assessment
- Identifies, and makes the board aware of, the inherent risk of the outsourced service, such as:
  - Fraud
  - Error
  - Inability to deliver services
- These are operational risks that the board should understand.
- Some of the risks can be mitigated by the service provider.
- Some of the risks have to be mitigated by the bank.

Slide 13: Other Risks to Consider
- Strategic Risk: poor planning for implementation or scalability for growth
- Compliance Risk: outsourcing to vendors that cannot provide the needed proof of compliance
- Reputational Risk: breaches, fraud, errors, service level
- Interest Rate Risk: errors that lead to inaccurate decisions
- Liquidity Risk: processing delays or errors
- Cyber Risk: disruption, malware

Slide 14: Quantifying the Risk: What to Consider
- Functional Risk Measurements: volume of transactions; sensitivity of the data involved; criticality of the service
- Provider Risk Measurements: financial stability; experience; location
- Technology Risk Measurements: security; reliability; scalability

Slide 15: Who Should Complete the Risk Assessment
- A team with the ability to assess the risk measurements.
- Consider carefully who has the expertise to assess the risk based on the services:
  - Internal personnel
  - Auditors
  - Subject matter experts: IT, Security, Recovery, Cyber Security

Slide 16: Risk Mitigations by the Service Provider
- Controls in place that have been independently tested for:
  - Security
  - Availability
  - Confidentiality
  - Processing Integrity
  - Privacy
  - Reporting

Slide 17: Risk Mitigation by the Bank
- What are the bank's responsibilities?
- How are they defined? In contracts? In SOC reports?
- Testing these requirements: internal testing; external testing
- Monitoring
Slide 18: Implementing a Comprehensive Vendor Management Program: SELECTION AND DUE DILIGENCE

Slide 19: Selection and Due Diligence
- Due diligence should be based on the level of risk to the bank:
  - High risk: very formalized
  - Low risk: minimal formalization
- Key points: financial stability; capabilities to scale; technology and infrastructure; internal controls and audits; use of subcontractors; qualifications and references; history of legal or regulatory issues; insurance; ability to recover; physical and environmental controls

Slide 20: Implementing a Comprehensive Vendor Management Program: CONTRACTS

Slide 21: Contracts
- Negotiating the contract: it must meet the bank's needs and requirements identified during the risk assessment process.
- Some common contract provisions:
  - Scope of services and activities
  - Implementation plan
  - Defined responsibilities
  - The service provider's controls and responsibility to:
    - Report incidents, including time frames to report (notification provisions must be aligned with Appendix B to Part 364)
    - Provide reports on security and confidentiality controls such as: cybersecurity; maintenance notifications
  - Notification provisions must be aligned with Appendix B Part

Slide 22: Key Contract Provisions (Cont.)
- Auditing:
  - Right to audit
  - Right to receive audits
  - Frequency of audits
  - Types of audits completed: financial; IT security; general controls; recovery; funds transfers

Slide 23: Key Contract Provisions (Cont.)
- Reporting: financial; service level; regulatory compliance
- Disaster recovery: maintenance and testing; availability of test results; bank participation
- Sub-contracting: be aware of ANY sub-contracted service (be careful of SOC insertion here); responsibility remains with the service provider
- Regulatory adherence
- Performance standards (SLAs): measurement and remedies

Slide 24: Notification of Service Organization Contract
- Banks shall notify their regulator within 30 days of entering the contract or of the performance of the services beginning, whichever occurs first.

Slide 25: A Word About SLAs
- SLAs can provide service level promises for: record keeping; security; confidentiality; availability; processing timeliness and accuracy (integrity of data); system changes and updates; independent testing; business continuity
Slide 26: Implementing a Comprehensive Vendor Management Program: VENDOR MONITORING

Slide 27: Vendor Monitoring
- Makes sure the vendor is meeting its obligations or has mitigated new risk.
- Reevaluate active service providers at least annually.
- Align monitoring with risk.
- Report monitoring information to the board.

Slide 28: What Should Be Monitored
- Similar to due diligence documentation.
- Audit reports: type, scope and frequency of audits; review of corrective actions
- Financial condition (at least annually)
- Compliance with SLAs
- GLBA and Incident Response Program: any incidents reflecting non-compliance with SLAs or other security standards should be reported to the board.
- Continuity plans and testing
- Some regulatory reports are available for service providers: the bank must be a client under contract; request them from the FDIC regional office.
- Ensure the right personnel are used to monitor the vendor.

Slide 29: Business Continuity for Vendors
- Disruptive events: cybersecurity attacks; environmental disasters
- Service providers MUST be included in the continuity plans, INCLUDING recovery time objectives.
- Management must review vendor continuity testing, including: connectivity; capacity or alternate facilities; transaction volume; interdependencies (internal and external)
- Revised Business Continuity Appendix J

Slide 30: Evaluating the Provider: Service Organization Controls (SOC) Report
- SOC 1 (formerly SAS 70): may not completely cover all controls; may not be the right report
- SOC 2: uses the Trust Services Principles. What's important to you? Security; availability; processing integrity; confidentiality; privacy
- SOC 3: used as a marketing tool

Slide 31: Reviewing an SOC Report
- Does the report fit the services provided? SOC 1 or SOC 2? Type 1 or Type 2?
- Does it address the correct services?
- Is it from a sub-service provider? (SOC insertion)
- What are the dates of the report? Type 1: "as of" a date; Type 2: "for the period of"
- Does the report cover the latest period?
- Is the opinion unqualified or qualified?
- What kind of exceptions are noted, and what are the management responses?
Slide 32: Example of a Qualified Opinion: Service Organization Controls (SOC)

Slide 33: Example of an Unqualified Opinion: Service Organization Controls (SOC)

Slide 34: Exceptions Review for an SOC

Slide 35: Reviewing an SOC Report
- What are the client control considerations? These are critical because they are YOUR responsibilities. Are you completing these items?

Slide 36: Example of User Control Considerations

Slide 37: Other Reports to Consider
- Agreed Upon Procedures: these can be custom tailored to the bank's needs; agreed to by the bank, the vendor, and the auditor
- Specialized reports: PCI (Payment Card Industry); TR-39 payment card processing

Slide 38: Other Areas to Consider
- Foreign-based relationships: unique risks can occur; all risks may be more difficult to measure; legal and regulatory (see Appendix C of the Outsourcing Booklet)

Slide 39: Presenters
- David Mills, MBA, CISA, CISSP, CGEIT, CRISC, MCSE, IT Audit and Assurance Partner, CRI Corporate Office
- Kathleen Zuniga, CPA, Audit and Assurance Partner, CRI New Orleans Office
US Business Continuity Safeguarding Your Business from a Disaster Juanita Hardin BMO Harris Bank Head TPS Risk and Compliance William Simmons BMO Harris Bank Vice President Business Continuity Management
More informationSecuring Intel s External Online Presence
IT@Intel White Paper Intel IT IT Best Practices Information Security May 2011 Securing Intel s External Online Presence Executive Overview Overall, the Intel Secure External Presence program has effectively
More informationSarbanes-Oxley Act of 2002 Can private businesses benefit from it?
Sarbanes-Oxley Act of 2002 Can private businesses benefit from it? As used in this document, Deloitte means Deloitte Tax LLP, which provides tax services; Deloitte & Touche LLP, which provides assurance
More informationAdvanced External Auditing [AU2] Examination Blueprint
Purpose Advanced External Auditing [AU2] Examination Blueprint 2014-2015 The Advanced External Auditing [AU2] examination has been constructed using an examination blueprint. The blueprint, also referred
More informationAICPA STANDARDS FOR PERFORMING AND REPORTING ON PEER REVIEWS
December 2017 PRP Section 1000 AICPA STANDARDS FOR PERFORMING AND REPORTING ON PEER REVIEWS Notice to Readers In order to be admitted to or retain their membership in the AICPA, members of the AICPA who
More informationJPMC S MINIMUM CONTROL REQUIREMENTS FOR CONTINGENT LABOR SUPPLIERS
JPMC S MINIMUM CONTROL REQUIREMENTS FOR CONTINGENT LABOR SUPPLIERS These Minimum Control Requirements ( Minimum Control Requirements ) are stated at a relatively high level, and JPMC recognizes that there
More informationEnhancing Audit Committee Excellences through Internal Audit. 21 November 2017
Enhancing Audit Committee Excellences through Internal Audit 21 November 2017 Sharpen and Strengthen Excellences of Audit Committee Recent Trends and Emerging Challenges Global and Emerging Trends Roles
More informationExtended Enterprise Risk Management
Extended Enterprise Risk Management Driving performance through the extended enterprise October 2015 A network within a network The Extended Enterprise is the concept that an organization does not operate
More informationRamifications of the New COSO Framework & Recent PCAOB Actions
Ramifications of the New COSO Framework & Recent PCAOB Actions Panelists Moderator Bob Meyer, Senior Vice President of Finance & Corporate Controller, American Tower Joann Cangelosi, Partner, Grant Thornton
More informationGOVERNANCE AES 2012 INFORMATION TECHNOLOGY GENERAL COMPUTING CONTROLS (ITGC) CATALOG. Aut. / Man. Control ID # Key SOX Control. Prev. / Det.
GOVERNANCE 8.A.1 - Objective: Information Technology strategies, plans, personnel and budgets are consistent with AES' business and strategic requirements and goals. Objective Risk Statement(s): - IT Projects,
More informationA Framework for the Regulatory use of Penetration Testing in the Financial Services Industry
A Framework for the Regulatory use of Penetration Testing in the Financial Services Industry March 2018 1 Table of Contents Disclaimer... 2 Executive Summary... 3 Contributing Organizations... 6 Introduction...
More informationImplementing and maintaining ISAE 3402
Implementing and maintaining ISAE 3402 2 Implementing and maintaining ISAE 3402 Contents Introduction 4 Purpose and background 5 Benefits to the service organization 7 How Ernst & Young helps 8 Successful
More information