5970 Audit

Have your auditors talked to you about a 5970 audit? Don’t fret. As your banking software vendor, we’re here to help. SIT’s process for handling this audit is relatively painless. We simply create a work request to cover our costs, and invite your auditors in to examine the controls we have in place.

At SIT we believe our approach is more prudent and conservative than simply having our own auditors state that we're 5970 compliant. Using your auditors gives you the satisfaction of knowing SIT's processes and controls meet your standards.

CICA 5970: What Is It?

Simply put, a Section 5970 engagement is a financial control audit.

In strict "audit-speak", SIT is considered a service organization and our customers are considered a user organization.

The theory of the 5970 audit is simple. A service organization (like SIT) that performs any work on the operating platform of a user organization inherently becomes part of that user organization's operating platform. Therefore, when an audit is conducted on the user organization, the service organization needs to be included.

CICA 5970: Canada’s Version of SAS 70

Developed by the Canadian Institute of Chartered Accountants (CICA) in 2004, the Section 5970 audit largely adopted its guidelines from an already established American equivalent—the American Institute of Certified Public Accountants Statement on Auditing Standards No. 70 (SAS 70). Both standards examine policies and procedures of organizations in the financial services industry.

These kinds of industry standards have taken on a particular importance since the Sarbanes-Oxley Act was passed in 2002. This United States federal law was created in response to major corporate accounting scandals, including those surrounding Enron. The 5970 is Canada’s response to these high profile cases.

5970 Audit: A Bit of History

  • 1987: the 5900 and 5130 standards are issued by the Canadian Institute of Chartered Accountants (CICA) to cover service organizations.
  • 2001: Enron goes bankrupt with investors losing billions due to accounting fraud.
  • 2002: Sarbanes-Oxley Act is passed in the United States, with Section 404 focused on stricter auditing of internal and external controls. As a result, the American Statement on Auditing Standards 70 (SAS 70) takes on increased importance.
  • 2004: CICA’s Auditing and Assurance Standards Board (AASB) is influenced by the revised SAS 70 controls in the USA, and creates a new standard to cover the audit of service organizations in Canada—Section 5970.

5970 Audit: An Example—Employee Termination

One example of a "control" that can be audited is employee termination. Certain processes must be in place to ensure an employee who has just been terminated gives up all access to any financial data, security systems, security cards, login information, or any access to financial information.

The following is an example of an "Employee Termination Process".

The list below is fictional and is by no means reflective of any actual list that exists at SIT or any of the financial institutions that we serve. It is meant for illustration and educational purposes only.

Termination Checklist Example

  • Create Termination Letter
    • Double check date of termination
    • "Pay in lieu" notice must be outlined
    • Any additional compensation needs to be outlined
    • A copy needs to be sent to all HR employees prior to issuance
  • Termination of Employee: Procedures
    • Have an HR employee clean out non-company items from the desk the night before the employee's termination
    • Book an office or training room for the morning of employee termination
    • Have the employee sign Termination Letter
      • If refused, the Termination Letter must state this and be signed by the representative assigned to undertake the termination
    • Provide a letter of termination to the employee, if requested
  • Arrange for the following:
    • Return of building and office entrance keys
    • Return of security cards
    • Return of company cell phone, if applicable
    • Return of company computer, if applicable
    • Return of desk and file keys, if applicable
    • Removal of the employee from emergency or after hours list, if applicable
    • Alarm code change (issue new code to staff non-electronically)
  • <this list is intentionally incomplete>

The above "list" is a small and incomplete example of a control that a 5970 auditor may want to analyze.

Futures: ISAE 3402 May Replace CICA Section 5970

A new standard has recently been proposed to amend Section 5970. The International Standard on Assurance Engagements, Assurance Reports on Controls at a Service Organization (ISAE 3402) could take effect as early as 2011 in Canada.

This standard is already set to affect the SAS 70 standard in the United States as of July 2011, when the American Institute of Certified Public Accountants (AICPA) implements a new SSAE No. 16 standard—a standard that will update the SAS 70, and comply with the ISAE 3402 global standard.

CICA, however, has yet to adopt the proposed standard.

WARNING: Major Breaches Occur Despite Industry Standard Compliance.

On November 10, 2010, The New York Times published an article by James Verini entitled "The Great Cyberheist". According to Verini, more than 500 banks were affected by the recent and widely publicized Heartland breach.

The mastermind behind the breach, Albert Gonzalez, a former CIA informant, cost Heartland and other companies "more than $400 million in reimbursements and forensic and legal fees".

And much of the damage remains unknown.

During the time of the breach, however, Heartland Payment Systems Inc. was PCI compliant. This is the Data Security Standard for the Payment Card Industry, a standard that most people believe is more stringent than the CICA 5970 standard.

"By the time Heartland realized something was wrong, the heist was too immense to be believed: data from over 130 million transactions had been exposed." (Verini, "The Great Cyberheist", New York Times.)

SIT recommends that you go beyond any written standard and develop your own security policies and procedures that can help guard sensitive data. SIT will be glad to help you develop and implement any proposed changes to help make your environment more secure.

SIT & Your Auditor

If you find yourself subject to a 5970 audit, you need to call your relationship manager at SIT. We'll be glad to accommodate your auditors on our premises to ensure our processes meet the latest industry standards!

Copyright © 1996-2010
Strategic Information Technology Ltd.
All Rights Reserved
This page was created and/or refreshed on May 14, 2012 @ 15:39:22
by Strategic Information Technology (SIT) Ltd., Stouffville, Ontario, Canada