FIRMA National Risk Management Training Conference – Orlando, FL Wednesday April 9, 2008 Third Party / SAS 70 Reports A Regulatory and Standards Update Francis P. Thomas The Glenmede Trust Co., N.A.
Background If you use an outside service organization to accomplish a task, you need to know something about that organization’s control structure. If clients hire your firm to make investment decisions for them, (especially employee benefit clients) they want to know about your controls.
Regulatory References FFIEC Outsourcing Technology Services IT Exam Handbook June 2004 FFIEC Supervision of Technology Service Providers Handbook March 2003 OCC Bulletin “Third Party Relationships” OCC Advisory Letter AL “Third Party Risk”
Board and Management Responsibilities Ensuring each outsourcing relationship supports the institution’s overall requirements and strategic plans Ensuring the institution has sufficient expertise to oversee and manage the relationship Evaluating prospective providers based on the scope and criticality of oursourced services
Board and Management Responsibilities (continued) Tailoring the enterprise-wide, service provider monitoring program based on initial and ongoing risk assessments of outsourced services; and Notifying the primary regulator regarding outsourced relationships when required (OTS needs 30 day notice before establishing a relationship with a foreign service provider)
Risk Management approach to Vendor Management Inventory all vendors – establish database to record information Establish initial due diligence criteria Identify “significant” vendors Establish annual due diligence criteria for significant vendors Vendor Management Com. oversight
What is a significant vendor? Someone with access to client or employee NPI High business impact if product or service not available from vendor High business impact due to vendor interaction with clients/prospects High business impact if vendor fails
Vendor Management Committee Duties Oversee the establishment of all practices and procedures Review exceptions to the program and recommend or implement responses Report up in the committee structure and escalate any security concerns Report any risk concerns to the Risk Management Committee
Using a vendor SAS-70 What type of report is supplied (Type I/A or Type II/B – with testing results)? Is the product or service you purchase specifically addressed in the report? Go to results and look for disclosures about the controls over your product or service. Are they acceptable?
Using a vendor SAS-70 cont. If control weaknesses were identified, do they have a management response. Are the situations deemed significant to you? If significant, do you have an action plan to discuss with the vendor? If vendor is unwilling to address your concerns, can you modify or exit the contract? If you are locked in, what alternate controls can be used?
Does your SAS-70 give away too much information? Don’t give flowcharts on how data moves and is controlled. Don’t identify the actual systems you use. Say “trust accounting system” or “trade order entry system” Don’t identify your strategic partners by name (telecommunications vendor, name brand routers and switches, etc.)
Questions / comments Thank you for attending this session and we hope you take home some good information to implement in your shops! Thank you for attending this session and we hope you take home some good information to implement in your shops! Have a safe trip home. Have a safe trip home.