Dear Rashard,
Thank you for considering CAS Assurance, LLC for the audit of your Controlled Substance
Ordering and Prescription System (name TBD), located in Orlando, Florida. At CAS Assurance,
LLC, we are committed to delivering services that meet the specific needs of every client with
excellence. We fulfil this commitment through (1) a clear understanding of the client’s challenges
and needs, (2) competent and experienced personnel for engagement performance, and (3) a
quality-driven process for delivering our services.
With respect to the proposed audit, we bring the following expertise and value to the table to
provide you with an audit of the highest quality:
o Engagement personnel with a mix of relevant business and technical expertise, professional
certifications and educational background
o IT audit experience across a wide range of environments, including banking and government
o Membership of global professional associations that facilitates adherence to a high level of
quality service
The above-mentioned specifics and the additional details in the pages that follow are the reasons
we believe we are the right company to meet your project needs. We look forward to further
discussion with you.
Sincerely,
Extending Expectations of Excellent Service
About CAS Assurance, LLC
CAS Assurance, LLC is a dynamic certified public accountant (CPA) firm licensed and located
in the state of Florida, United States. We specialize in providing tax, accounting, assurance
(audit), and advisory services to small and mid-sized corporate entities. Our assurance service
offerings include financial statements review and audit, information technology and security
audit, including System and Organization Controls (SOC), compliance assessment for HIPAA and
GLBA, and examinations based on other unique criteria.
Our goal is to assist our clients to make the best use of their financial resources, fulfill their
compliance and financial reporting obligations, manage their business and technology risks
effectively, and operate resourcefully through efficient business processes and solutions. We
operate based on the core values of respect, excellence, leadership, integrity, and team.
Michael O. Bayere
CAS Assurance, LLC’s Principal Officer, Michael Bayere, will personally work on this proposed
audit engagement. He is a professional accountant and auditor with over 20 years of combined
experience in accounting, financial reporting, taxation, budgeting, auditing, business process
review, and information system security audit and management in both private and public
sectors. His work experience includes working as an accountant for a group of companies for
three years, as a bank auditor for more than six years, and as an internal and information
technology auditor for the largest county government in the state of Florida for more than
nine years.
Michael is a Certified Public Accountant (CPA) licensed both in the state of Florida and the
Commonwealth of Virginia. He also holds the following globally recognized certifications:
Certified Internal Auditor (CIA), Certified Information Systems Auditor (CISA), Certified
Information Systems Security Professional (CISSP), and the AICPA-issued Advanced SOC for
Service Organizations Certificate. Michael holds two master’s degrees – one in accounting and the
other in information technology (major in information security management), both from Nova
Southeastern University, Florida. Michael is an active member of the following professional
associations and industry groups:
o The American Institute of Certified Public Accountants (AICPA)
o The International Information System Security Certification Consortium (ISC)²
o The Institute of Internal Auditors (IIA)
o The Information Systems Audit and Control Association (ISACA)
o Infragard, South Florida Chapter
Michael’s involvement with the above-listed organizations provides a forum for sharing ideas and
resources in order to provide benefits to our clients in a consistently superior manner. As part of
our firm’s association with these organizations, we receive a wide range of support that includes
education, training, contacts and resources to help us better serve our clients with the highest
degree of quality and competence.
Among other audit project types, Michael has performed and managed IT Audit engagements
covering:
o Software development lifecycle
o General IT and application controls
o Database security and controls
o Physical security
o Wireless network security
o ATM security and controls, including PIN and key management
o Network security and system patch management
o Web application security
To assure consistent quality services, we monitor our system of quality control continuously
throughout the year. Our audit and accounting policies and procedures are subject to an
independent outside review (referred to as a peer review) every three years as required by our
membership in the American Institute of Certified Public Accountants. CAS Assurance, LLC’s
system of quality control is based on the AICPA’s quality control standards.
Audit Objective: To perform an examination of your Controlled Substance Ordering System, which
is part of an ERP system, to verify your assertions about the system’s compliance with the relevant
requirements of Title 21 CFR Part 1305 - Orders for Schedule I & II Controlled Substances,
and Part 1311 - Requirements for Electronic Orders and Prescriptions.
More specifically, we will plan and perform audit procedures to obtain sufficient appropriate
evidence to express an opinion on your assertions concerning the system’s compliance with the
following requirements of the above-referenced regulations.
Part/Subpart Requirements
or bulk containers furnished on each item and the
date on which the supplier shipped the containers to
the purchaser. And that the linked record also include
any data on the original order that the supplier
completes
o Ensures that, in case of an order filled in part, no
order is valid more than 60 days after its execution by
the purchaser, except as specified in paragraph (h) of
section 1305.22
That the system enables the purchaser, upon the receipt of
shipment of controlled substance order, to create a record of
the quantity of each item received and the date received. And
that the record be electronically linked to the original order
and archived.
§1305.23 - Endorsing electronic orders
That the system does not allow a supplier to endorse an electronic order to another supplier to fill.
§1305.24 - Central processing of orders
If a supplier has more than one registered location and has a central processing computer on
which orders are stored, then for orders filled by more than one location, the system must
enable the supplier to:
o Create a record linked to the central file noting both which items a location filled and the
location identity.
o Ensure that no item is filled by more than one location.
o Maintain the original order with all linked records on the central computer system
§1305.25 - Unaccepted and defective electronic orders
That the system enables the supplier to ensure that no electronic order may be filled if:
o The required data fields have not been completed
o The order is not signed using a digital certificate issued by DEA
o The digital certificate used had expired or had been revoked prior to signature
o The purchaser's public key will not validate the digital signature
o The validation of the order shows that the order is invalid for any reason
When a purchaser receives an unaccepted electronic order from the supplier, the system enables
the purchaser to electronically link the statement of nonacceptance to the original order, and
to retain the original order and the statement in accordance with §1305.27.
That the system does not allow either a purchaser or a supplier to correct a defective order.
§1305.26 - Lost electronic orders
If a purchaser executes an order to replace a lost order, the system enables the purchaser to
electronically link an electronic record of the second order and a copy of a signed statement
with the record of the first order and retain them.
If the supplier to whom the order was directed subsequently receives the first order, the system
must enable the supplier to indicate that it is "Not Accepted" and return it to the purchaser.
The system must enable the purchaser to link the returned order to the record of that order and
the statement.
§1305.27 - Preservation of electronic orders
That the system allows both purchaser and supplier to retain each original order filled and the
linked records for two years.
§1305.28 - Canceling and voiding electronic orders
That the system allows the purchaser, if necessary, to void all or part of an electronic order
and return it to the purchaser.
§1305.29 - Reporting to DEA
That the system enables the supplier to send DEA an electronic report of each order filled, in a
format that DEA specifies.
The system must archive the digitally signed orders and any
other records required in part 1305, including any linked
data.
The system must create an order that includes all data fields
listed under Sec. 1305.21.
(c) A system used to receive, verify, and create linked records for orders signed with a CSOS
digital certificate
The cryptographic module must be FIPS 140-2, Level 1 validated.
The digital signature system and hash function must be compliant with FIPS 186-2 and FIPS 180-2.
The system must determine that an order has not been altered during transmission. The system
must invalidate any order that has been altered.
The system must check the validity of the certificate and the Certification Authority
certificate and invalidate any order that fails these validity checks.
The system must archive the order and associate with it the digital certificate received with
the order.
specified in Section 1311.125 or 1311.130. Except for
institutional practitioners, a practitioner authorized to sign
controlled substance prescriptions must approve logical
access control entries.
o The statement required under Section 1311.140(a)(3)
archive the digitally signed record.
that has been printed.
o Generate a log of all controlled substance
prescriptions issued by a practitioner during the
previous calendar month and provide the log to the
practitioner no later than seven calendar days after
that month.
o Be capable of generating a log of all controlled
substance prescriptions issued by a practitioner for a
period specified by the practitioner upon request.
Prescription information available from which to
generate the log must span at least the previous two
years.
o Archive all logs generated
o Ensure that all logs are easily readable or easily
rendered into a format that a person can read.
o Ensure that all logs are sortable by patient name, drug
name, and date of issuance of the prescription.
As part of the procedures for obtaining evidence concerning the processing integrity of the
system as required in the table above, we will examine the system’s control environment for
assuring its confidentiality, integrity, and availability as necessary.
Fieldwork
In this phase, we will perform the test procedures in our audit plan to obtain sufficient appropriate
evidence to enable us to express an opinion concerning the compliance of the system with the relevant
requirements specified in Title 21 CFR Parts 1305 and 1311. Our procedures will include a
combination of inquiry, inspection, observation, re-performance, recalculation, and confirmation.
Reporting
Our work in this phase will include discussing the results of our test procedures with you. We
will obtain written assertions and a description concerning the system from you, finalize our work,
and issue the audit report.
Time estimate
We estimate the following timing for the engagement phases. This is based on the expectation
that needed information and personnel will be readily available to facilitate our procedures.