
Address: 3600 S. State Road 7, Ste 48, Miramar, FL 33023


Phone: 954-362-7113 Website: www.casassurance.com

Date: August 2, 2019


Rashard Dyess-Lane

Dear Rashard,

Subject: Information System Audit of a Controlled Substance Ordering and Prescription System

Thank you for considering CAS Assurance, LLC for the audit of your Controlled Substance
Ordering and Prescription System (name TBD), located in Orlando, Florida. At CAS Assurance,
LLC, we are committed to delivering services that meet the specific needs of every client with
excellence. We fulfill this commitment through (1) a clear understanding of the client's challenges
and needs, (2) competent and experienced personnel to perform the engagement, and (3) a
quality-driven process for delivering our services.

With respect to the proposed audit, we bring the following expertise and value to the table to
provide you with an audit of the highest quality:
 Engagement personnel with a mix of relevant business and technical expertise, professional
certifications and educational background
 IT audit experience across a wide range of environments, including banking and government
 Membership in global professional associations, which supports adherence to a high level of
service quality

The above-mentioned specifics and the additional details in the pages that follow are the reasons
we believe we are the right company to meet your project needs. We look forward to further
discussion with you.

Sincerely,

Michael O. Bayere, CIA, CISA, CISSP, CPA
Principal Officer

Extending Expectations of Excellent Service
About CAS Assurance, LLC
CAS Assurance, LLC is a dynamic certified public accountant (CPA) firm licensed and located
in the state of Florida, United States. We specialize in providing tax, accounting, assurance
(audit), and advisory services to small and mid-sized corporate entities. Our assurance service
offerings include financial statement review and audit, information technology and security
audit, including System and Organization Controls (SOC) reporting, compliance assessment for HIPAA
and GLBA, and examinations based on other unique criteria.

Our goal is to assist our clients to make the best use of their financial resources, fulfill their
compliance and financial reporting obligations, manage their business and technology risks
effectively, and operate resourcefully through efficient business processes and solutions. We
operate based on the core values of respect, excellence, leadership, integrity, and teamwork.

Engagement Personnel Experience and Qualifications

Michael O. Bayere
CAS Assurance, LLC's Principal Officer, Michael Bayere, will personally work on this proposed
audit engagement. He is a professional accountant and auditor with over 20 years of combined
experience in accounting, financial reporting, taxation, budgeting, auditing, business process
review, and information system security audit and management in both the private and public
sectors. His work experience includes working as an accountant for a group of companies for
three years, as a bank auditor for more than six years, and as an internal and information
technology auditor for the largest county government in the state of Florida for more than
nine years.

Michael is a Certified Public Accountant (CPA) licensed both in the state of Florida and the
Commonwealth of Virginia. He also holds the following globally recognized certifications:
Certified Internal Auditor (CIA), Certified Information Systems Auditor (CISA), Certified
Information Systems Security Professional (CISSP), and the AICPA issued Advanced SOC for
Service Organizations Certificate. Michael holds two master's degrees – one in accounting and the
other in information technology (major in information security management), both from Nova
Southeastern University, Florida. Michael is an active member of the following professional
associations and industry groups:
o The American Institute of Certified Public Accountants (AICPA)
o The International Information System Security Certification Consortium (ISC)2
o The Institute of Internal Auditors (IIA)
o The Information Systems Audit and Control Association (ISACA)
o Infragard, South Florida Chapter

Michael's involvement with the above-listed organizations provides a forum for sharing ideas and
resources so that we can serve our clients in a consistently superior manner. As part of
our firm's association with these organizations, we receive a wide range of support that includes
education, training, contacts and resources to help us better serve our clients with the highest
degree of quality and competence.

Among other audit project types, Michael has performed and managed IT Audit engagements
covering:
 Software development lifecycle
 General IT and application controls
 Database security and controls
 Physical security
 Wireless network security
 ATM security and controls, including PIN and key management
 Network security and system patch management
 Web application security

Our Commitment to Quality of Service


In performing our audit engagement, a critical step is to understand our client's operations,
environment, relevant systems, processes and people. We will develop a thorough understanding
of your products and/or services, business processes, and the system(s) relevant to this engagement.
We will use this information to plan and perform an efficient audit that delivers the needed value.

To assure consistently high-quality service, we monitor our system of quality control continuously
throughout the year. Our audit and accounting policies and procedures are subject to an
independent outside review (referred to as a peer review) every three years as required by our
membership in the American Institute of Certified Public Accountants. CAS Assurance, LLC's
system of quality control is based on the AICPA's quality control standards.

Our Understanding of the Scope and Nature of Work to be Performed


Based on our preliminary discussion with you and the documents we received from you, the
following details our understanding of the scope of the proposed audit and the nature of the work
we would perform, with a time estimate to achieve the audit objective.

Audit Objective: To perform an examination of your Controlled Substance Ordering System, which
is part of an ERP system, to verify your assertions about the system's compliance with the relevant
requirements of Title 21 CFR Part 1305 - Orders for Schedule I and II Controlled Substances,
and Part 1311 - Requirements for Electronic Orders and Prescriptions.

More specifically, we will plan and perform audit procedures to obtain sufficient appropriate
evidence to express an opinion on your assertions concerning the system's compliance with the
following requirements of the above-referenced regulations.

Part/Subpart: Requirements

1305 Subpart C – Electronic Orders


§1305.21 - Requirements for electronic orders
 That the system verifies that the purchaser of a Schedule I or II controlled substance
signed an electronic order with a digital signature issued to the purchaser or the
purchaser's agent by DEA before validating the order.
 That the system includes the following fields as required data fields for electronic
orders of Schedule I or II controlled substances:
o A unique number (in the required format) the purchaser assigns to track the order
o The purchaser's DEA registration number
o The name of the supplier
o The complete address of the supplier
o The supplier's DEA registration number
o The date the order is signed
o The name (including strength where appropriate) of the controlled substance product or
the National Drug Code (NDC) number
o The quantity in a single package or container
o The number of packages or containers of each item ordered
§1305.22 - Procedure for filling electronic orders
 That the system is compliant with part 1311 and enables the supplier to:
o Verify the integrity of the order and the purchaser's signature to validate the order
o Verify that the digital certificate has not expired
o Check the validity of the certificate holder's certificate by checking the Certificate
Revocation List
o Verify the registrant's eligibility to order the controlled substances by checking the
certificate extension data
o Retain an electronic record of every order and, linked to each order, a record of the
number of commercial or bulk containers furnished on each item and the date on which the
supplier shipped the containers to the purchaser; the linked record must also include any
data on the original order that the supplier completes
o Ensure that, in the case of an order filled in part, no order is valid more than 60 days
after its execution by the purchaser, except as specified in paragraph (h) of §1305.22
 That the system enables the purchaser, upon receipt of a shipment of a controlled
substance order, to create a record of the quantity of each item received and the date
received, and that the record is electronically linked to the original order and archived.
§1305.23 - Endorsing electronic orders
 That the system does not allow a supplier to endorse an electronic order to another
supplier to fill.
§1305.24 - Central processing of orders
 If a supplier has more than one registered location and a central processing computer
on which orders are stored, then for orders filled by more than one location the system
must enable the supplier to:
o Create a record linked to the central file noting both which items a location filled and
the location's identity
o Ensure that no item is filled by more than one location
o Maintain the original order with all linked records on the central computer system
§1305.25 - Unaccepted and defective electronic orders
 That the system enables the supplier to ensure that no electronic order may be filled if:
o The required data fields have not been completed
o The order is not signed using a digital certificate issued by DEA
o The digital certificate used had expired or had been revoked prior to signature
o The purchaser's public key will not validate the digital signature
o The validation of the order shows that the order is invalid for any reason
 When a purchaser receives an unaccepted electronic order from the supplier, the system
enables the purchaser to electronically link the statement of nonacceptance to the original
order, and to retain the original order and the statement in accordance with §1305.27.
 That the system does not allow either a purchaser or a supplier to correct a defective
order.
§1305.26 - Lost electronic orders
 If a purchaser executes an order to replace a lost order, the system enables the purchaser
to electronically link an electronic record of the second order and a copy of a signed
statement with the record of the first order and retain them.
 If the supplier to whom the order was directed subsequently receives the first order, the
system must enable the supplier to indicate that it is "Not Accepted" and return it to the
purchaser.
 The system must enable the purchaser to link the returned order to the record of that
order and the statement.
§1305.27 - Preservation of electronic orders
 That the system allows both purchaser and supplier to retain each original order filled
and the linked records for two years.
§1305.28 - Canceling and voiding electronic orders
 That the system allows the supplier, if necessary, to void all or part of an electronic
order and return it to the purchaser.
§1305.29 - Reporting to DEA
 That the system enables the supplier to send DEA an electronic report of each order filled,
in a format that DEA specifies.

§1311.55 - Requirements for systems used to process digitally signed orders

(b) A system used to digitally sign Schedule I or II orders
 The system's cryptographic module must be FIPS 140-2, Level 1 validated.
 The system's digital signature system and hash function must be compliant with FIPS 186-2
and FIPS 180-2.
 The private key must be stored on a FIPS 140-2 Level 1 validated cryptographic module
using a FIPS-approved encryption algorithm.
 The system must use either a user identification and password combination or biometric
authentication to access the private key. Activation data must not be displayed as they are
entered.
 The system must set a 10-minute inactivity time period after which the certificate holder
must re-authenticate the password to access the private key.
 When the signing module is deactivated, the system must clear the plain text private key
from the system memory to prevent the unauthorized access to, or use of, the private key.
 The system must be able to digitally sign and transmit an order.
 The system must have a time system that is within five minutes of the official National
Institute of Standards and Technology time source.
 The system must archive the digitally signed orders and any other records required in
part 1305, including any linked data.
 The system must create an order that includes all data fields listed under §1305.21.
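The three §1311.55(b) controls an auditor would test together (password activation of the private key, the 10-minute inactivity re-authentication, and clearing the plaintext key from memory on deactivation) are easier to reason about in code. The following is an added illustration, not code from the proposal or from any CSOS product. Its stand-ins are assumptions: the key is wrapped by XOR with a PBKDF2-derived stream plus an HMAC tag rather than a FIPS-approved cipher on a FIPS 140-2 module, HMAC-SHA256 stands in for the FIPS 186 signature, and the clock is injectable so the timeout can be exercised without waiting ten minutes.

```python
"""Signing-key activation session modelled on 21 CFR 1311.55(b)(3)-(6).

Added example (not from the proposal). Stand-ins, all assumptions: XOR-with-PBKDF2
stream plus HMAC tag instead of a FIPS-approved key wrap, HMAC-SHA256 instead of a
FIPS 186 signature, and an injectable clock. CPython cannot guarantee no other copy
of the key exists, which is why a real system keeps it inside a FIPS 140-2 module.
"""
import hashlib
import hmac
import os
import time

INACTIVITY_LIMIT = 600  # seconds: the 10-minute window in §1311.55(b)(5)
_KDF_ITERS = 100_000


def _stream(password: str, salt: bytes, length: int) -> bytes:
    # Key-wrapping material derived from the activation password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _KDF_ITERS, dklen=length)


def wrap_private_key(private_key: bytes, password: str) -> dict:
    """At-rest form: the key is never stored in plaintext (§1311.55(b)(3))."""
    salt = os.urandom(16)
    wrapped = bytes(a ^ b for a, b in zip(private_key, _stream(password, salt, len(private_key))))
    tag = hmac.new(_stream(password, salt + b"tag", 32), wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


class SigningModule:
    def __init__(self, at_rest: dict, clock=time.monotonic):
        self._at_rest = at_rest
        self._clock = clock
        self._key = None        # plaintext key lives here only while activated
        self._last_use = None

    @property
    def active(self) -> bool:
        return self._key is not None

    def activate(self, password: str) -> None:
        """§1311.55(b)(4): activation data unlocks the key (read it with getpass, never echoed)."""
        r = self._at_rest
        expected = hmac.new(_stream(password, r["salt"] + b"tag", 32), r["wrapped"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, r["tag"]):
            raise PermissionError("activation failed")
        stream = _stream(password, r["salt"], len(r["wrapped"]))
        self._key = bytearray(a ^ b for a, b in zip(r["wrapped"], stream))
        self._last_use = self._clock()

    def sign(self, order: bytes) -> bytes:
        """Refuse to sign unless activated and used within the inactivity window."""
        if not self.active:
            raise PermissionError("signing module not activated")
        if self._clock() - self._last_use > INACTIVITY_LIMIT:
            self.deactivate()   # §1311.55(b)(5): idle too long, holder must re-authenticate
            raise PermissionError("inactivity limit exceeded; re-authentication required")
        self._last_use = self._clock()
        return hmac.new(self._key, order, hashlib.sha256).digest()

    def deactivate(self) -> None:
        """§1311.55(b)(6): overwrite the plaintext key in place before dropping it."""
        if self._key is not None:
            self._key[:] = bytes(len(self._key))
            self._key = None
        self._last_use = None


class FakeClock:
    """Constructed clock so the limit can be exercised without waiting."""
    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def rejects(action) -> bool:
    """True if the module refused the action with PermissionError."""
    try:
        action()
    except PermissionError:
        return True
    return False


def demo() -> tuple:
    """Wrong password rejected; sign; idle past the limit; key observed zeroed."""
    clock = FakeClock()
    module = SigningModule(wrap_private_key(os.urandom(32), "correct horse"), clock)
    wrong_rejected = rejects(lambda: module.activate("wrong password"))
    module.activate("correct horse")
    signature = module.sign(b"order 0001")
    buffer = module._key                    # keep a view to observe the overwrite
    clock.now += INACTIVITY_LIMIT + 1
    timed_out = rejects(lambda: module.sign(b"order 0002"))
    return wrong_rejected, len(signature), timed_out, module.active, bytes(buffer) == bytes(32)


if __name__ == "__main__":
    print(demo())
```

The check that matters for an audit is the one in `sign()`: the timeout is enforced at the point of use, not by a background timer that could be disabled, and the failure path deactivates before it raises, so the key is gone whether or not the caller handles the exception.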
(c) A system used to receive, verify, and create linked records for orders signed with a
CSOS digital certificate
 The cryptographic module must be FIPS 140-2, Level 1 validated.
 The digital signature system and hash function must be compliant with FIPS 186-2 and
FIPS 180-2.
 The system must determine that an order has not been altered during transmission. The
system must invalidate any order that has been altered.
 The system must validate the digital signature using the signer's public key. The system
must invalidate any order in which the digital signature cannot be validated.
 The system must validate that the DEA registration number contained in the body of the
order corresponds to the registration number associated with the specific certificate.
 The system must check the Certificate Revocation List automatically and invalidate any
order with a certificate listed on the Certificate Revocation List.
 The system must check the validity of the certificate and the Certification Authority
certificate and invalidate any order that fails these validity checks.
 The system must have a time system that is within five minutes of the official National
Institute of Standards and Technology time source.
 The system must check the substances ordered against the schedules that the registrant is
allowed to order and invalidate any order that includes substances the registrant is not
allowed to order.
 The system must ensure that an invalid finding cannot be bypassed or ignored and the
order filled.
 The system must archive the order and associate with it the digital certificate received
with the order.
 If a registrant sends reports on orders to DEA, the system must create a report in the
format DEA specifies.
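The supplier-side checks in §1305.25 and §1311.55(c) above form one fail-closed pipeline: every check runs, every failure is recorded, and filling is reachable only through the validator. The following added example (not code from the proposal or from any CSOS product) shows that pipeline end to end, including the DEA-number and schedule checks against certificate extension data and the 60-day limit from §1305.22. Assumptions: the order and certificate layouts, field names, and sample data are constructed; HMAC-SHA256 stands in for the FIPS 186 digital signature so the script runs with the standard library only, whereas a real system verifies the signature against the purchaser's DEA-issued CSOS certificate and validates the CA chain.

```python
"""Fail-closed validation of a CSOS electronic order, supplier side.

Added example (not from the proposal). HMAC-SHA256 is a stand-in for the FIPS 186
digital signature; layouts, field names and sample data are constructed.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import date, timedelta

# The §1305.21(b) data fields, under names chosen for this example.
REQUIRED_FIELDS = ("order_number", "purchaser_dea", "supplier_name",
                   "supplier_address", "supplier_dea", "date_signed", "items")
ITEM_FIELDS = ("name", "schedule", "package_quantity", "package_count")


@dataclass(frozen=True)
class Certificate:
    """The parts of a CSOS certificate this validator consults (constructed layout)."""
    serial: str
    registration_number: str   # DEA number carried in the certificate extension data
    schedules: frozenset       # schedules the registrant may order (extension data)
    not_before: date
    not_after: date
    key: bytes                 # HMAC secret standing in for the public key


@dataclass(frozen=True)
class Validation:
    findings: tuple            # empty tuple means the order is valid

    @property
    def valid(self) -> bool:
        return not self.findings


def canonical_bytes(order: dict) -> bytes:
    """Deterministic encoding so both sides hash exactly the same signed content."""
    body = {k: v for k, v in order.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_order(order: dict, cert: Certificate) -> dict:
    """Purchaser side: attach the (stand-in) digital signature."""
    sig = hmac.new(cert.key, canonical_bytes(order), hashlib.sha256).hexdigest()
    return {**order, "signature": sig}


def validate_order(order: dict, cert: Certificate, crl: set, today: date) -> Validation:
    """Run every check; any finding invalidates the order. Nothing short-circuits."""
    findings = []
    items = order.get("items") or []
    missing = [f for f in REQUIRED_FIELDS if not order.get(f)]
    missing += [f"items[{i}].{f}" for i, it in enumerate(items)
                for f in ITEM_FIELDS if it.get(f) in (None, "")]
    if missing:
        findings.append("required data fields not completed: " + ", ".join(missing))
    expected = hmac.new(cert.key, canonical_bytes(order), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(order.get("signature", ""))):
        findings.append("digital signature does not validate (altered in transit or wrong key)")
    try:
        signed = date.fromisoformat(str(order.get("date_signed", "")))
    except ValueError:
        signed = None
        findings.append("date_signed missing or unparsable")
    if signed and not (cert.not_before <= signed <= cert.not_after):
        findings.append("certificate expired or not yet valid on the signing date")
    if cert.serial in crl:
        findings.append("certificate appears on the Certificate Revocation List")
    if order.get("purchaser_dea") != cert.registration_number:
        findings.append("DEA number in order body does not match the certificate")
    not_allowed = [str(it.get("name")) for it in items if it.get("schedule") not in cert.schedules]
    if not_allowed:
        findings.append("registrant not permitted to order: " + ", ".join(not_allowed))
    if signed and today - signed > timedelta(days=60):
        findings.append("order executed more than 60 days ago (§1305.22(f))")
    return Validation(tuple(findings))


def fill_order(order: dict, cert: Certificate, crl: set, today: date) -> str:
    """The only path to filling: it re-runs validation, so findings cannot be skipped."""
    result = validate_order(order, cert, crl, today)
    if not result.valid:
        raise PermissionError("order not accepted: " + "; ".join(result.findings))
    return f"filled {order['order_number']}"


# Constructed sample data (not real registrants, products or DEA numbers).
CERT = Certificate(serial="4F3A9C", registration_number="XX0000000",
                   schedules=frozenset({"II", "III"}),
                   not_before=date(2019, 1, 1), not_after=date(2020, 12, 31),
                   key=b"purchaser-certificate-key-stand-in")
CRL = {"DEADBEEF"}
TODAY = date(2019, 8, 2)
ORDER = sign_order({
    "order_number": "XX0000000-190801-0001",
    "purchaser_dea": "XX0000000",
    "supplier_name": "Example Wholesale Drug Co.",
    "supplier_address": "1 Distribution Way, Orlando, FL 32801",
    "supplier_dea": "XX1111111",
    "date_signed": "2019-08-01",
    "items": [{"name": "Example opioid tablets 5 mg", "schedule": "II",
               "package_quantity": 100, "package_count": 2}],
}, CERT)

if __name__ == "__main__":
    print(fill_order(ORDER, CERT, CRL, TODAY))
    tampered = {**ORDER, "items": [{**ORDER["items"][0], "package_count": 20}]}
    print(validate_order(tampered, CERT, CRL, TODAY).findings)
```

Two design points are worth checking in a real implementation the same way: the validator never returns early, so a report lists every reason an order was rejected rather than just the first, and there is no function that fills an order from a caller-supplied "valid" flag, which is the usual way an invalid finding gets bypassed.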

§1311.120 - Electronic prescription application requirements

Electronic prescription application
 The system must link each registrant, by name, to at least one DEA registration number.
 The system must link each practitioner exempt from registration under Section 1301.22(c)
of this chapter to the institutional practitioner's DEA registration number and the specific
internal code number required under Section 1301.22(c)(5).
 The system must be capable of setting logical access controls to limit permissions for
the following functions:
o Indicating that a prescription is ready for signing and signing controlled substance
prescriptions
o Creating, updating, and executing the logical access controls for the functions specified
above
 Logical access controls must be set by individual user name or role.
 The application must require that the setting and changing of logical access controls
specified under paragraph (b)(2) of this section involve the actions of two individuals as
specified in Section 1311.125 or 1311.130. Except for institutional practitioners, a
practitioner authorized to sign controlled substance prescriptions must approve logical
access control entries.
 The application must accept two-factor authentication that meets the requirements of
Section 1311.115 and require its use for signing controlled substance prescriptions and for
approving data that set or change logical access controls related to reviewing and signing
controlled substance prescriptions.

 The application must be capable of recording all of the applicable information required
in part 1306 of this chapter for the controlled substance prescription.
 If a practitioner has more than one DEA registration number, the electronic prescription
application must require the practitioner or his agent to select the DEA registration
number to be included on the prescription.
 The application must have a time application that is within five minutes of the official
National Institute of Standards and Technology time source.
 The application must present for the practitioner's review and approval all of the
following data for each controlled substance prescription:
o The date of issuance
o The full name of the patient
o The drug name
o The dosage strength and form, quantity prescribed, and directions for use
o The number of refills authorized, if applicable, for prescriptions for Schedule III, IV,
and V controlled substances
o For prescriptions written in accordance with the requirements of Section 1306.12(b) of
this chapter, the earliest date on which a pharmacy may fill each prescription
o The name, address, and DEA registration number of the prescribing practitioner
o The statement required under Section 1311.140(a)(3)

 The application must require the prescribing practitioner to indicate that each controlled
substance prescription is ready for signing. The electronic prescription application must
not permit alteration of the DEA elements after the practitioner has indicated that a
controlled substance prescription is ready to be signed without requiring another review
and indication of readiness for signing. Any controlled substance prescription not
indicated as ready to be signed shall not be signed or transmitted.
 While the information required by paragraph (b)(9) of this section and the statement
required by Section 1311.140(a)(3) remain displayed, the electronic prescription
application must prompt the prescribing practitioner to authenticate to the application,
using two-factor authentication.
 The application must not permit a practitioner other than the prescribing practitioner
whose DEA number (or institutional practitioner DEA number and extension data for the
individual practitioner) is listed on the prescription as the prescribing practitioner and
who has indicated that the prescription is ready to be signed to sign the prescription.
 Where a practitioner seeks to prescribe more than one controlled substance at one time
for a particular patient, the application may allow the practitioner to sign multiple
prescriptions for a single patient at one time using a single invocation of the two-factor
authentication protocol, provided the following has occurred: the practitioner has
individually indicated that each controlled substance prescription is ready to be signed
while the information required by paragraph (b)(9) of this section for each such
prescription is displayed along with the statement required by Section 1311.140(a)(3).
 The application must time and date stamp the prescription when the signing function is
used.
 When the practitioner uses his two-factor authentication credential as specified in
Section 1311.140(a)(4), the application must digitally sign at least the information
required by part 1306 of this chapter and electronically archive the digitally signed
record.

 If the practitioner signs the prescription with his own private key, as provided in
Section 1311.145, the electronic prescription application must electronically archive a
copy of the digitally signed record, but need not apply the application's digital
signature to the record.
 The digital signature functionality must meet the following requirements:
o The cryptographic module used to digitally sign the data elements required by part 1306
of this chapter must be at least FIPS 140-2 Security Level 1 validated
o The digital signature application and hash function must comply with FIPS 186-3 and
FIPS 180-3
o The electronic prescription application's private key must be stored encrypted on a
FIPS 140-2 Security Level 1 or higher validated cryptographic module using a
FIPS-approved encryption algorithm
o When the signing module is deactivated, the application must clear the plain text
password from the application memory to prevent the unauthorized access to, or use of,
the private key
 Unless the digital signature created by an individual practitioner's private key is being
transmitted to the pharmacy with the prescription, the application must include in the
data file transmitted an indication that the prescription was signed by the prescribing
practitioner.
 The application must not transmit a controlled substance prescription unless the signing
function described in Section 1311.140(a)(4) has been used.
 The application must not allow alteration of any of the information required by part 1306
of this chapter after the prescription has been digitally signed. Any alteration of the
information required by part 1306 of this chapter after the prescription is digitally
signed must cancel the prescription.
 The application must not allow transmission of a prescription that has been printed.

 The application must allow printing of a prescription after transmission only if the
printed prescription is clearly labeled as a copy not for dispensing. The application may
allow printing of prescription information if clearly labeled as being for informational
purposes.
 If the transmission of an electronic prescription fails, the application may print the
prescription. The prescription must indicate that it was originally transmitted
electronically to, and provide the name of, a specific pharmacy, the date and time of
transmission, and that the electronic transmission failed.
 The application must maintain an audit trail of all actions related to the following:
o The creation, alteration, indication of readiness for signing, signing, transmission, or
deletion of a controlled substance prescription
o Any setting or changing of logical access control permissions related to the issuance of
controlled substance prescriptions
o Notification of a failed transmission
o Auditable events as specified in Section 1311.150
 The application must record within each audit record the following information:
o The date and time of the event
o The type of event
o The identity of the person taking the action, where applicable
o The outcome of the event (success or failure)
 The application must conduct internal audits and generate reports on any of the events
specified in Section 1311.150 in a format that is readable by the practitioner.
 The application must protect the stored audit records from unauthorized deletion. The
electronic prescription application shall prevent modifications to the audit records.
 The application must do the following:
o Generate a log of all controlled substance prescriptions issued by a practitioner during
the previous calendar month and provide the log to the practitioner no later than seven
calendar days after that month
o Be capable of generating a log of all controlled substance prescriptions issued by a
practitioner for a period specified by the practitioner upon request; prescription
information available from which to generate the log must span at least the previous two
years
o Archive all logs generated
o Ensure that all logs are easily readable or easily rendered into a format that a person
can read
o Ensure that all logs are sortable by patient name, drug name, and date of issuance of
the prescription
 Where the application is required by this part to archive or otherwise maintain records,
it must retain such records electronically for two years from the date of the record's
creation and comply with all other requirements of Section 1311.305.
§1311.150 - Additional requirements for internal application audits
 The application provider must establish and implement a list of auditable events.
Auditable events must, at a minimum, include the following:
o Attempted unauthorized access to the application, or successful unauthorized access where
the determination of such is feasible
o Attempted unauthorized modification or destruction of any information or records
required by this part, or successful unauthorized modification or destruction of any
information or records required by this part where the determination of such is feasible
o Interference with application operations of the prescription application
o Any setting of or change to logical access controls related to the issuance of
controlled substance prescriptions
o Attempted or successful interference with audit trail functions
o For application service providers, attempted or successful creation, modification, or
destruction of controlled substance prescriptions or logical access controls related to
controlled substance prescriptions by any agent or employee of the application service
provider
 The application must analyze the audit trail at least once every calendar day and
generate an incident report that identifies each auditable event.
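The audit-trail requirements in §1311.120(b)(22)-(25) and §1311.150 above (four fields per record, protection from deletion and modification, and a once-per-calendar-day analysis that identifies each auditable event) are the controls an auditor would exercise with constructed events. The following is an added example, not code from the proposal or from any prescription application: records are hash-chained so that deleting or editing a stored record is detectable, the store exposes no delete or update operation, and `daily_report()` is the daily analysis. The event-type names and the sample events are assumptions made for this illustration.

```python
"""Tamper-evident audit trail with the daily analysis required by 21 CFR 1311.150.

Added example (not from the proposal). Event-type names and sample events are
constructed; a production system would also write the chain head to a separate,
write-once location so a wholesale rewrite of the trail is detectable.
"""
import hashlib
import json
from datetime import date, datetime, timezone

# Event types §1311.150(b) says must be auditable (names are ours).
AUDITABLE_EVENTS = frozenset({
    "unauthorized_access_attempt",
    "unauthorized_record_modification_attempt",
    "application_interference",
    "access_control_change",
    "audit_trail_interference",
    "asp_staff_prescription_change",
})
GENESIS = "0" * 64


def _digest(record: dict) -> str:
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


class AuditTrail:
    """Append-only store: records leave as copies and there is no remove() or update()."""

    def __init__(self):
        self._records = []

    def record(self, at: datetime, event_type: str, actor: str, outcome: str, **detail) -> dict:
        """§1311.120(b)(23): date/time, type, identity and outcome, chained to the previous record."""
        prev = self._records[-1]["hash"] if self._records else GENESIS
        rec = {"seq": len(self._records), "time": at.astimezone(timezone.utc).isoformat(),
               "type": event_type, "actor": actor, "outcome": outcome,
               "detail": detail, "prev": prev}
        rec["hash"] = _digest(rec)
        self._records.append(rec)
        return dict(rec)

    def records(self) -> list:
        return [dict(r) for r in self._records]

    def verify(self, stored: list = None) -> int:
        """Return -1 if the chain is intact, else the index of the first bad record."""
        prev = GENESIS
        for i, rec in enumerate(self._records if stored is None else stored):
            if rec.get("prev") != prev or rec.get("seq") != i or _digest(rec) != rec.get("hash"):
                return i
            prev = rec["hash"]
        return -1

    def daily_report(self, day: date) -> list:
        """§1311.150(c): identify each auditable event recorded on the given calendar day (UTC)."""
        return [{"time": r["time"], "type": r["type"], "actor": r["actor"],
                 "outcome": r["outcome"], "detail": r["detail"]}
                for r in self._records
                if r["type"] in AUDITABLE_EVENTS
                and datetime.fromisoformat(r["time"]).date() == day]


def build_sample_trail() -> AuditTrail:
    """Constructed events for one day of a prescribing application (not real data)."""
    def at(day, hour, minute):
        return datetime(2019, 8, day, hour, minute, tzinfo=timezone.utc)
    t = AuditTrail()
    t.record(at(1, 8, 2), "prescription_created", "dr.example", "success", rx="RX-1001")
    t.record(at(1, 8, 5), "prescription_signed", "dr.example", "success", rx="RX-1001")
    t.record(at(1, 9, 17), "unauthorized_access_attempt", "unknown", "failure", source="10.0.0.9")
    t.record(at(1, 11, 40), "access_control_change", "admin.example", "success",
             approved_by="dr.example", grant="sign_csp", user="np.example")
    t.record(at(1, 13, 5), "unauthorized_record_modification_attempt", "np.example", "failure",
             rx="RX-1001")
    t.record(at(2, 0, 30), "prescription_transmitted", "dr.example", "success", rx="RX-1001")
    return t


if __name__ == "__main__":
    trail = build_sample_trail()
    print("chain intact:", trail.verify() == -1)
    for incident in trail.daily_report(date(2019, 8, 1)):
        print(incident["time"], incident["type"], incident["actor"], incident["outcome"])
```

Running `verify()` over an exported copy is the test to repeat during fieldwork: change any field of one record, or drop one record, and the first index that fails tells you where the trail was touched, which is what "prevent modifications to the audit records" has to mean for storage the application itself controls.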

As part of the procedures for obtaining evidence concerning the processing integrity of the
system as required in the table above, we will examine the system’s control environment for
assuring its confidentiality, integrity, and availability as necessary.

Our Procedures and Methodology


We will perform the audit engagement in compliance with AT-C Section 105 – Concepts Common
to All Attestation Engagements, and AT-C Section 205 – Examination Engagements, published by
the American Institute of Certified Public Accountants (AICPA). The engagement will consist of
the following three phases:

Planning and Risk Assessment


During this phase, we will obtain relevant information concerning the system and its
environment, including system and user manuals, platform, architecture, interfaces, data flow
diagrams, data dictionary, table listings, hardware, project management reports, security policies
and procedures, and other relevant information. We will hold planning meeting(s) with the
relevant personnel on your team. We will perform a risk assessment to guide the selection of
our test procedures for the fieldwork phase.

Fieldwork
In this phase, we will perform the test procedures in our audit plan to obtain sufficient appropriate
evidence to enable us to express an opinion concerning the compliance of the system with the relevant
requirements specified in Title 21 CFR Parts 1305 and 1311. Our procedures will include a
combination of inquiry, inspection, observation, re-performance, recalculation, and confirmation.

Reporting
Our work in this phase will include discussing the results of our test procedures with you. We
will obtain written assertions and a description of the system from you, finalize our work,
and issue the audit report.

Time estimate
We estimate the following timing for the engagement phases. This is based on the expectation
that needed information and personnel will be readily available to facilitate our procedures.

Phase                          Time Estimate
Planning and Risk Assessment   One Week
Fieldwork                      Two Weeks
Reporting                      One Week

Engagement Pricing and Billing


Our fees and billing for this engagement will be as follows:

Service                  Fees ($)
Audit engagement         15,200
Out-of-pocket expenses   Included
Discount (15%)           (2,300)
Total                    12,900

Timing of billing is as follows:

Timing                                                                % of Total Fees   Amount
Prior to the commencement of the Planning and Risk Assessment phase   25%               $3,225
At the end of the fieldwork phase                                     50%               $6,450
Upon the delivery of the audit report                                 25%               $3,225
