The SAS 70 examination standard was established by the American Institute of Certified Public Accountants (AICPA) and is internationally recognized as an in-depth examination of a company's description of controls, their suitability of design, and their operating effectiveness, which generally include controls over information technology and processes. The Type II examination required the testing of Intercontinental's controls by Ernst & Young for the period of June 1, 2002 through December 31, 2002, and followed a Type I audit completed in July 2002. The Trust Services engagement evaluated Intercontinental's security processes and controls with respect to established security evaluation criteria specified by the AICPA/CICA. The Trust Services engagement was supplemented with custom assertions developed by Intercontinental's management to provide additional assurances that are not covered by established criteria.
"These examinations provide independent assurance of the operational controls and security of the ICE platform," said Jerry Perullo, Director of Information Security. "These positive results demonstrate the sound infrastructure and internal controls upon which Intercontinental continues to build its business. Intercontinental's ability to effectively deploy and manage technology plays a central role in reliably serving the needs of our participants."
The SAS 70 Type II Examination required testing of Intercontinental's controls to provide reasonable assurance that system security and other stated control objectives were satisfied. Intercontinental's system and software controls were the subject of examination, including: computer equipment, storage media, internal documentation, physical and environmental protection measures, and access to systems and data. In addition to reviewing physical and logical security, the examination covered critical management functions and procedures. The SAS 70 is a limited distribution report intended for participants, their auditors, and regulatory agencies, and can be requested through Intercontinental.
The Trust Services attestation found that Intercontinental systems maintained effective controls against unauthorized physical or logical access according to AICPA/CICA evaluation criteria. Additionally, custom criteria added by Intercontinental were used to attest to management's assertions regarding stated exchange guidelines and index calculation procedures. The Trust Services certification is available for public disclosure and can be viewed under the "Security" link of www.theice.com.