RSM427H1 Lecture 10: 10-4
by OneClass292959, Winter 2018

Department: Rotman Commerce
Course Code: RSM427H1
Professor: Michael Khan
Lecture: 10

Lecture 10 Audit Considerations of Outsourcing
SysTrust/WebTrust
The SysTrust/WebTrust review encompasses a combination of the following principles:
o Security: the system is protected against unauthorized access (both physical and logical)
o Availability: the system is available for operation and use as committed or agreed
o Processing integrity: system processing is complete, accurate, timely, and authorized
o Confidentiality: information designated as confidential is protected as committed or agreed
SysTrust/WebTrust Users
o Management
o Customers
o Trading partners
o Financial statement auditors
SysTrust/WebTrust Report
o A opiio o aageet’s asserted otrols
Does not formally include the system description
o Opinion covers the reporting period of no more than 1 year
Drivers for SysTrust/WebTrust Review: the potential conflict of interest between the service organization and the user organization
o The complexity of systems
o Remoteness of users and user organizations
o Consequences of unreliability
o Frequent system failure
Process of a SysTrust/WebTrust Review
o Decision by system hosting organization to pursue a SysTrust Review
    - System hosting organization hires a qualified firm
o System hosting organization selects:
    - Optional principles
    - Criteria for the mandatory and optional principles
o Management develops control activities for each criterion
Process of a SysTrust Review
o Accounting firm assesses the adequacy of control criteria and procedures
o Accounting firm conducts testing
o Accounting firm provides report to system hosting organization
o System hosting organization shares report with user organizations
Trust Criteria
o Required: security
o Optional: confidentiality, privacy, availability, processing integrity
SysTrust/WebTrust Review
o Licensing
o Report
Difference Between SysTrust/WebTrust and CSAE 3416
o Each stated criterion in the report must be met by controls in order to get an unqualified SysTrust report
o CSAE 3416 report has restricted distribution
o Reliability vs. Financial Statement Assertions
o CSAE 3416 is more flexible
Differences Between SOC Reports
o A SOC 1 report documents a service organization's controls that may be relevant to financial reporting
o SOC 2 is a report based on the AICPA's existing Trust Services Principles and criteria (is based on the existing SysTrust and WebTrust). The purpose of the SOC 2 report is to evaluate an organization's information systems relevant to security, availability, processing integrity, and confidentiality or privacy
o SOC 3 is based on the existing SysTrust and WebTrust principles and is a publicly available report of controls over security, availability, and confidentiality
SSAE 18 Requirements for SOC 1
o Monitoring the effectiveness of controls at subservice organizations
o Identifying complementary subservice organization controls
o Clarification of complementary user entity control considerations
o Evaluating reliability of information produced by the servi