Archive for June, 2010

Update on SEC Custodial Audit Requirements

Back in December, we posted about a new SEC rule requiring that financial advisors with “custodial” access to funds undergo a controls audit to ensure that client data is being handled appropriately.  Specifically, a “Custodial Controls Review” was required to be performed by a PCAOB-approved CPA firm.

Recently, the SEC provided an update including several FAQs on the final ruling.  Of note are the following question and answer pairs.


Question I.7

Q: Rule 206(4)-2(a)(6) requires that an adviser or its related person that maintains client assets as a qualified custodian must obtain (or receive from the related person) a written internal control report (e.g., Type II SAS 70 report) regarding the adviser’s or its related person’s custodial practices. What is the compliance date for the internal control report?

A: The compliance date for obtaining an internal control report is September 12, 2010 for advisers subject to the requirement on March 12, 2010. Advisers that are newly subject to Rule 206(4)-2(a)(6) (e.g., newly maintaining, or having a related person maintaining, client assets as a qualified custodian after March 12, 2010) must obtain the internal control report within six months of becoming subject to the requirement.

Question I.8

Q: [With regards to the same requirement] Does the internal control report need to address the effectiveness of controls over custodial services prior to March 12, 2010, the effective date of the amended rule?

A: No, the internal control report does not need to address the effectiveness of controls over custodial services prior to March 12, 2010, the effective date of the amended rule, even if it results in a shortened examination period for the 2010 internal control report.

Question I.9

Q: Currently, qualified custodians often obtain custody-related SAS 70 reports prepared on a regular reporting cycle. If a qualified custodian obtained a SAS 70 report in 2009 and plans to obtain a SAS 70 report in 2010, is the qualified custodian expected to alter its reporting cycle to meet (or allow its related person investment adviser to meet) the initial September 12, 2010 compliance date?

A: No, a qualified custodian that obtained a custody-related SAS 70 report in 2009 is not expected to alter its reporting cycle in 2010.

In summary, the deadline to obtain a control report is either September 12th of this year or six months after being considered a custodial advisor under the requirements.  The only exception is if you are already on a schedule to perform SAS 70 audits.  Given the amount of time that most audits take from planning to report, if you haven’t spoken to your IT audit firm… you are very behind!


SAS 70 Resource Center Relaunched

SAS 70 Solutions has “relaunched” its resource center for SAS 70 audit information.  Here you will find the same rich content we have provided on the SAS 70 topic and more!  Included are preparedness questionnaires, RFP/vendor evaluation tools, terms, FAQs, and more.


More Details on DEA e-Prescription Requirements

On Monday, we posted an article announcing that the DEA had issued new regulations for “Electronic Prescriptions of Controlled Substances.”  Since then we have further reviewed the ruling and also spoken with many clients and prospects that have contacted us on the subject.

The following points provide additional context and background for any service provider (ASP, SaaS, etc.) that provides an application for generating and fulfilling prescriptions of controlled substances.

  • The primary goals of the ruling are to 1) maintain a protected “closed system” for prescription fulfillment, 2) reduce the risk of prescription forgery and diversion, and 3) promote the use of Electronic Health Records (EHR), building on the incentives and goals outlined in the Health Information Technology for Economic and Clinical Health (or HITECH) Act components within the American Recovery and Reinvestment Act of 2009 (a.k.a. the Recovery Act).
  • Controlled substances make up approximately 10% of all prescriptions.  That said, the classifications of controlled substances approved for medical use (schedules II through V) are carried by most major pharmacies.
  • The control requirements, highlighted below, as well as the third-party audit requirements are focused on electronic prescription applications, which can be installed on a standalone basis or hosted by an Application Service Provider (ASP).   A medical provider (i.e. doctor) or pharmacy is not required to undergo a third-party audit unless it develops the e-Prescriptions software itself.
  • It is also worth noting that the requirements for identity management and access control not only aim to protect access to data but also to restrict who can generate, approve, and fulfill a prescription, thus reducing the risk of unauthorized fulfillment of controlled substances (referred to as diversion).
  • e-Prescription technologies have been available for some time, and there are standards for the communication of prescription data between a medical provider and a pharmacy.   For instance, the SCRIPT standard (currently in version 10 release 6) specifies the data field requirements such that the data can be shared across different applications.
  • The DEA clearly noted that it has “not been able to identify any organization that sets standards for or certifies pharmacy applications for security issues.”


DEA Requires Third Party Audits of e-Prescription Applications

With the medical industry quickly moving towards electronic records and transactions, why wouldn’t pharmacies do the same?

When they are not taking down drug cartels and enforcing narcotics statutes, the Drug Enforcement Administration (DEA) plays a critical role in overseeing the handling of controlled narcotics.  The DEA regulates the wholesale and retail distribution of these controlled substances by pharmaceutical manufacturers, doctors, and pharmacies.  This includes oversight of communication between these parties.

The DEA recently issued “Electronic Prescriptions for Controlled Substances” (21 CFR Parts 1300, 1304, 1306, and 1311), which provides practitioners with the option of writing prescriptions for controlled substances electronically.  This rule will be effective June 1, 2010, assuming no changes to the effective date during congressional review.  The Federal Register summarizes the purpose and benefits of the new rule as follows:

The Drug Enforcement Administration (DEA) is revising its regulations to provide practitioners with the option of writing prescriptions for controlled substances electronically.  The regulations will also permit pharmacies to receive, dispense, and archive these electronic prescriptions.  These regulations are in addition to, not a replacement of, the existing rules.  The regulations provide pharmacies, hospitals, and practitioners with the ability to use modern technology for controlled substance prescriptions while maintaining the closed system of controls on controlled substances dispensing; additionally, the regulations will reduce paperwork for DEA registrants who dispense controlled substances and have the potential to reduce prescription forgery.  The regulations will also have the potential to reduce the number of prescription errors caused by illegible handwriting and misunderstood oral prescriptions.  Moreover, they will help both pharmacies and hospitals to integrate prescription records into other medical records more directly, which may increase efficiency, and potentially reduce the amount of time patients spend waiting to have their prescriptions filled.

One of the important mandates is found within section 1311.300, Application provider requirements—Third-party audits or certifications. This section requires that “both electronic prescription applications and the prescription processing module in pharmacy applications should be subject to a third-party audit that met the requirements of SysTrust or WebTrust audits (or for pharmacies, SAS 70).”  The rule goes on to require that the application provider have a SysTrust, WebTrust, or SAS 70 audit performed for processing integrity and physical security of the pharmacy application 1) before the application may be used to create, sign, transmit, or process controlled substance prescriptions and 2) whenever a functionality related to controlled substance prescription requirements is altered or every two years, whichever occurs first.

Only a certified public accounting firm can perform these services.  Organizations that are subject to this rule are encouraged to consult with SAS 70 Solutions, a major provider of SAS 70 audit services, as well as SysTrust and WebTrust certifications.   And of course, you can always obtain further guidance by e-mailing our team at consultation@sas70solutions.com.

Note:  The June 10th follow-up to this article with more detail about service provider implications and control requirements can be found here.


Hey Marketers… Try Talking About Security Features!

Another day and another set of Google Alerts on SAS 70.   Most links are press releases saying that a service provider has been SAS 70 certified, SAS 70 secured or some other mischaracterization of what SAS 70 was actually intended to do. Other links are blog posts blasting these same marketers (and indirectly the CPAs) about how a SAS 70 is insufficient and not prescriptive enough to be a basis for comparison of security controls.

For several years, I ran the product lines for one of the largest managed security service providers in the world.  I was ALWAYS being asked about security controls, whether it was before, during, or after the negotiation of a large global outsourcing contract.

So from my perspective, I would equate this dialogue to the following:

My wife: Doug have you had your H1N1 shot?
My response: I get an annual physical.

Sure, a physical is a good thing to have, but it didn’t answer her question. The same thing happens here when customers and prospects ask questions about what controls are in place, only to be provided with an answer that the controls (which aren’t stated) have been audited.  Another good thing to have done, but it does not answer the question.

So here’s a novel idea…. how about telling them?  Better yet, how about a white paper? Now before the security professionals start throwing tomatoes my way for suggesting more marketing involvement in security assurance, hear me out.

  • The problem is that most providers are not talking about what they are doing to protect their customers’ data.  Instead they are citing audit reports, which are generally restricted in nature to use by customers and their auditors.
  • In this day of cloud computing (and paranoia), security features are key product features.
  • Service providers, your audit reports should serve to validate what you are already telling people you do, not become your source of information sharing.  They should be your response when a customer says “prove it” not “show me.”

The following are some examples found online:

  • GotoMyPC.com – Paranoid about what GoToMyPC could do in the wrong hands?  Citrix published a 9-page white paper on all of the security features and also what the user’s responsibilities are.
  • WebEx Security – Cisco provides an overview of controls in place but also guidance on how WebEx users can be more careful.
  • Switch and Data – S&D provides a good listing of available security, physical, and environmental controls.
  • Rackspace – A concise but descriptive 1 page overview of security controls.  (Rackspace has many other whitepapers on security as well).

While I think these are a good start, it is clear that sharing information about security is not commonplace (and often taboo) for service providers.  This is not rocket science; it’s marketing 101, where you promote the features and functionality that your customers care about, and we know they care about security and reliability.  Despite what your CISO may say, you can actually share information about security controls without naming platforms, versions, IP addresses, and other data which could be put to use by the wrong persons.

So how about a mid-year resolution to tell your customers more about how you secure their data?

This is also why I am an active participant with Chris Hoff and the cloudaudit.org group.  We are not trying to create new standards but create an automated mechanism (via open APIs) to share security and control data with the people that need it to make decisions.  While the data doesn’t come from the audit firms, the providers certainly have the opportunity to prove what they are doing through SAS 70 audits, PCI validation, ISO certification, and other independent means.

In a world of “show me don’t tell me” a little tell me could go a long way here.
