
Third Party/SAS 70 Reports: A Regulatory and Standards Update

Learn about the importance of understanding and managing outside service organizations' control structures and the regulations and standards that pertain to third-party relationships. Explore the responsibilities of boards and management in overseeing outsourcing relationships and discover risk management approaches to vendor management. Discover how to effectively use vendor SAS 70 reports to assess controls and address any weaknesses. Presented by Francis P. Thomas from The Glenmede Trust Co., N.A.



Presentation Transcript


  1. FIRMA National Risk Management Training Conference – Orlando, FL, Wednesday April 9, 2008. Third Party / SAS 70 Reports: A Regulatory and Standards Update. Francis P. Thomas, The Glenmede Trust Co., N.A.

  2. Background • If you use an outside service organization to accomplish a task, you need to know something about that organization’s control structure. • If clients hire your firm to make investment decisions for them, (especially employee benefit clients) they want to know about your controls.

  3. Regulatory References • FFIEC Outsourcing Technology Services IT Exam Handbook June 2004 • FFIEC Supervision of Technology Service Providers Handbook March 2003 • OCC Bulletin 2001-47 “Third Party Relationships” • OCC Advisory Letter AL 2000-9 “Third Party Risk”

  4. Board and Management Responsibilities • Ensuring each outsourcing relationship supports the institution’s overall requirements and strategic plans • Ensuring the institution has sufficient expertise to oversee and manage the relationship • Evaluating prospective providers based on the scope and criticality of outsourced services

  5. Board and Management Responsibilities (continued) • Tailoring the enterprise-wide, service provider monitoring program based on initial and ongoing risk assessments of outsourced services; and • Notifying the primary regulator regarding outsourced relationships when required (OTS needs 30 day notice before establishing a relationship with a foreign service provider)

  6. Risk Management approach to Vendor Management • Inventory all vendors – establish a database to record information • Establish initial due diligence criteria • Identify “significant” vendors • Establish annual due diligence criteria for significant vendors • Vendor Management Committee oversight

  7. What is a significant vendor? • Someone with access to client or employee NPI • High business impact if product or service not available from vendor • High business impact due to vendor interaction with clients/prospects • High business impact if vendor fails

  8. Vendor Management Committee Duties • Oversee the establishment of all practices and procedures • Review exceptions to the program and recommend or implement responses • Report up in the committee structure and escalate any security concerns • Report any risk concerns to the Risk Management Committee

  9. Using a vendor SAS-70 • What type of report is supplied (Type I/A or Type II/B – with testing results)? • Is the product or service you purchase specifically addressed in the report? • Go to results and look for disclosures about the controls over your product or service. Are they acceptable?

  10. Using a vendor SAS-70 (cont.) • If control weaknesses were identified, is there a management response? Are the situations deemed significant to you? • If significant, do you have an action plan to discuss with the vendor? • If the vendor is unwilling to address your concerns, can you modify or exit the contract? If you are locked in, what alternate controls can be used?

  11. Does your SAS-70 give away too much information? • Don’t give flowcharts on how data moves and is controlled. • Don’t identify the actual systems you use. Say “trust accounting system” or “trade order entry system” • Don’t identify your strategic partners by name (telecommunications vendor, name brand routers and switches, etc.)

  12. Questions / comments • Thank you for attending this session and we hope you take home some good information to implement in your shops! • Have a safe trip home.
