SAS 70

We have successfully completed our SAS 70 Type II Examination (“Statement of Auditing Standards No. 70”) through a third-party auditor, Ernst & Young LLP, as of October 31, 2007. This examination resulted in an unqualified opinion.

Ernst & Young LLP assessed Aon RiskConsole on the following processes, activities, and operational control objectives:

• Program change management:  Operating system and application software development, maintenance, and configuration is authorized, tested, and approved prior to implementation into production.
• Physical security:  Physical access to the Aon RiskConsole data center, which houses computer and related IT equipment, is limited to authorized personnel.
• Logical access:  Logical access to programs, data, systems, security software, and job scheduling software is limited to properly authorized individuals.
• Internet access: Only authorized individuals have access to the RiskConsole client website and deviations from standard expected activity are identified, investigated, and resolved.
• Computer operations:  Processing is scheduled appropriately and deviations are identified, approved, and resolved.
• Backup:  Operating systems and related operations data that have been identified as requiring periodic backup, either for availability or data integrity purposes, are appropriately backed up as scheduled.

 

This examination provides customers transparency and reasonable, objective assurance that we have appropriate internal controls in place to help ensure the integrity and security of customer information.

The SAS 70 Type I Examination substantiates our dedication to provide quality service to our clients. More importantly, a SAS 70 Examination means that you can use our services with confidence and provides you reasonable assurance that we have achieved operational excellence with the highest levels of reliability and predictability for our system.