Session 11 Other Assurance Services

Presentation transcript:

Session 11 Other Assurance Services
SysTrust
Payment Card Industry security standard compliance
EECS4482 2015 David Chan

SysTrust
A system assurance service developed by the American Institute of Certified Public Accountants (AICPA) and Chartered Professional Accountants Canada (CPA Canada).
Audits have been on new systems in an organization or on systems shared by a number of partner organizations.
High control assurance.

SysTrust Principles
The Availability Principle addresses accessibility to the defined system, products, or services as advertised or committed by contract, service-level, or other agreements.
The Security Principle requires an entity to meet high standards for the protection of the system components from unauthorized access, both logical and physical.

Main Trust Principles
The Processing Integrity Principle requires an entity to meet high standards for the completeness, accuracy, timeliness, and authorization of system processing, including the processing of electronic commerce transactions.
All three principles must be satisfied.

Optional Trust Principles
Confidentiality: no unauthorized viewing.
Privacy: confidentiality of personal information.

SysTrust Audit
The auditor has to be licensed by AICPA or CPA Canada specifically for SysTrust engagements.
The outcome of the audit consists of a report and an unqualified opinion on the internal controls that support the system.
High control assurance.

Control Criteria
The operating organization of the system selects criteria (objectives) from the list provided by CPA Canada or AICPA to satisfy each main principle and each selected optional principle.
Unless a criterion does not apply to the environment, it must be selected.
There is no wording change to criteria.
Each control criterion is supported by control activities (procedures), which can be manual or automated, developed by management.

Difference Between SysTrust and CSAE 3416
Each stated criterion in the report must be met by controls in order to get an unqualified SysTrust report.
A CSAE 3416 report has restricted distribution.
SysTrust addresses system reliability, whereas CSAE 3416 addresses financial statement assertions.
CSAE 3416 is more flexible, as it uses control objectives instead of principles prescribed by CPA Canada and AICPA.

SysTrust Users
Hosting organization
User organizations
Trading partners, e.g., automated vendor inventory replenishment
Financial statement auditors

SysTrust Report
An opinion on management's asserted controls.
The opinion does not cover the system description, although the system description is often included in the report. But if the auditor knows that the system description is misleading, s/he should not issue an opinion on the controls.
The opinion covers a reporting period of not more than one year.

Drivers for SysTrust Audit
The potential conflict of interest between the system operator and the system user or owner.
The complexity of systems, requiring expertise to conduct an audit that would provide a reasonable degree of assurance about their conformity with system reliability principles and criteria.

Drivers for SysTrust Audit
The remoteness of users from systems, requiring an independent objective representative to observe the system on their behalf.
The consequences of system unreliability.
The four conditions above may contribute individually to the need for assurance services related to the reliability of an entity's key information system(s), and they may also interact to increase the need for such assurance.

Process of a SysTrust Audit
System hosting organization decides to pursue a SysTrust audit.
System hosting organization hires an accounting firm.
System hosting organization selects optional principles as well as criteria for the mandatory and optional principles.
Management develops control activities for each criterion.

Process of a SysTrust Audit
Accounting firm assesses the adequacy of control criteria and procedures.
Accounting firm conducts testing.
Accounting firm provides report to system hosting organization.
System hosting organization shares report with user organizations.

Options to Address Control Deficiency
Fix the control if there is still time.
Replace the control with another existing control.
Remove an optional principle.
Cancel the engagement.

Payment Card Industry (PCI) Security Standard
Developed by the PCI Security Council, formed by major card issuers: Visa, MasterCard, American Express, Diners Club, JCB International and Discover Card.
All issuing financial institutions and merchants that take credit card transactions on the Internet have to comply.
Failure to comply may lead to financial penalty.

PCI Security Standard
Visa and MasterCard require major merchants and IT service organizations (over 1 million transactions annually or over 20,000 eTransactions annually) to have an annual external validation of compliance.

PCI Standards
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data, including encryption.
4. Encrypt transmission of cardholder data across the Internet.

PCI Standards
5. Use regularly updated anti-virus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business on a need-to-know basis.
8. Assign a unique ID to each person with computer access.

PCI Security Standard
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.

Conclusion
SysTrust engagements are increasing because of the increasing use of externally hosted systems.
PCI is gaining prominence because the PCI Council (the credit card companies) is now starting to enforce this standard.

Review Questions
1. Map the SysTrust principles to the control matrix we discussed in Chapter Six.
2. What are the management options to avoid a qualified SysTrust audit opinion when a control deficiency is identified by the auditor?
3. What parties can benefit from a SysTrust audit report?

Review Questions
4. What kinds of organizations are held to comply with the Payment Card Industry Security Standard?
5. What kinds of organizations are required to provide an annual external validation of compliance with the PCI Security Standard?

Review Questions
6. According to the PCI Security Standard, what kind of access has to be monitored?
7. How does the PCI Security Standard affect the financial statement audits of large retail merchants?
8. How does the PCI Security Standard affect the profit of large retail merchants?

MC Question
Which of the following is an optional SysTrust principle?
A. Confidentiality
B. Security
C. Processing integrity
D. Availability

MC Question
Who is the primary audience of a SysTrust report?
A. Service organization management
B. Shareholders' auditors of service organization
C. User organization(s) management
D. Shareholders' auditors of user organization(s)

MC Question
Who is responsible for developing control procedures in a SysTrust audit?
A. External auditors
B. Service organization management
C. Internal auditors
D. User organization management

MC Question
Which SysTrust principle addresses application controls?
A. Security
B. Confidentiality
C. Processing integrity
D. Availability

MC Question
What kind of access to cardholder data must be monitored by a bank?
A. All
B. Update
C. External
D. Create