Using DoD SSAE 16/18 Service Organization Control (SOC) Reports (to Support Your Audit and A-123 Compliance)

Transcription

1 Office of the Under Secretary of Defense (Comptroller) Office of the Deputy Chief Financial Officer Using DoD SSAE 16/18 Service Organization Control (SOC) Reports (to Support Your Audit and A-123 Compliance) American Society of Military Comptrollers (ASMC) PDI June 2, 2017 James Davila Accountant, FIAR Directorate, Office of the Deputy Chief Financial Officer, OUSD(C) Bradley Keith Director PwC Public Sector, LLP

2 Discussion Topics Using DoD SSAE 16/18 Service Organization Control (SOC) Reports 1) Service Organization Relationships Key Concepts End-to-End Process Relationships Service Organization Identification 2) Addressing Service Organization Controls Available Options Available SOC 1 Reports Relevant SOC 1 Reports 3) Using the Service Organization Controls Report Desired Outcomes SOC 1 Report Sections Areas for Consideration CUECs and CSOCs Reliability of Data (and Reports) Common Evaluation Pitfalls Reporting / User Entity Responsibilities 4) OUSD(C) FIAR Support and Available Resources 2

3 Service Organization Relationships Key Concepts

4 End to End Business Process Parts of audit relevant Reporting Entity business process are performed by one or more Third Parties. Reporting Entity Initiate / Execute Initiate / Execute Third Party Financial Statements The Reporting Entity is responsible for internal controls over financial reporting. 4

5 End to End Business Process It is critical to determine which Third Parties meet the definition of a Service Organization for A-123 and audit purposes (and which do not). Service Providers Vendors Third Parties Working Capital Funds Service Organizations Trading Partners What is the specific nature of the relationship (i.e., who does what)? 5

6 End to End Business Process AU-C 402: Audit Considerations Relating to an Entity Using a Service Organization.A7 The significance of the controls at the service organization to the user entity's internal control also depends on the degree of interaction between the service organization's activities and those of the user entity. The degree of interaction refers to the extent to which a user entity is able to and elects to implement effective controls over the processing performed by the service organization. For example, a high degree of interaction exists between the activities of the user entity and those at the service organization when the user entity authorizes transactions and the service organization processes and accounts for those transactions. In these circumstances, it may be practicable for the user entity to implement effective controls over those transactions. On the other hand, when the service organization initiates or initially records, processes, and accounts for the user entity's transactions, a lower degree of interaction exists between the two organizations. In these circumstances, the user entity may be unable to, or may elect not to, implement effective controls over these transactions at the user entity and may rely on controls at the service organization. Who Does What? Initiates Executes / Internally Records Accounting Processing? and? and? The Financial Statement Auditor will follow the Auditing Standards 6

7 End to End Business Process Why is this so important? If a Service Organization relationship / dependency exists. The Reporting Entity must address Service Organization (and Sub-service Organization) controls for OMB Circular A-123 (Appendix A) / ICOFR. Third Parties Service Providers Working Capital Funds Vendors Service Organizations The Reporting Entity financial statement auditor will also need to address the Service Organization (and Sub-service Organization) controls in financial statement audits and examinations. Trading Partners Service Organization Controls? You and / or your auditor can t ignore / assume what happens inside the Black Box. 7

8 End to End Business Process Reporting / User Entities User Auditors Service Organizations Sub-Service Organizations If a Service Organization relationship exists, all of the pieces need to fit. Roles and responsibilities must be aligned. 8

9 Addressing Service Organization Controls

10 Addressing Service Organization Controls How do I do this? There are a few options. Compliance with OMB Circular A-123 (Appendix A) / ICOFR Reporting Entity team documents and tests Service Organization controls. Reporting Entity obtains controls documentation and testing performed by Service Organization management and reviews for adequacy. Reporting Entity team or Service Organization management addresses gaps. Reporting Entity obtains / reviews Service Organization Controls (SOC 1) Reports on the design and operating effectiveness of internal controls over financial reporting at Service Organizations (and Sub-service Organizations). Service Organization Controls? Financial Statement Audit (must comply with audit independence requirements) Reporting Entity financial statement auditors (User Auditor) documents and tests Service Organization controls. Reporting Entity financial statement auditors (User Auditor) obtains / reviews Service Organization Controls (SOC 1) Reports on the design and operating effectiveness of internal controls over financial reporting at Service Organizations (and Sub-service Organizations). It is very inefficient for each / every Reporting Entity and their auditor to redundantly test Service Organization controls versus relying on the SOC 1 Reports. 10

11 Addressing Service Organization Controls How do I do this? What SOC 1 reports are available? 2018 U.S. Army GFEBS FY DFAS FBWT Treasury Reconciliation 2017 U.S. Army Conventional Munitions 2016 Compensation Benefit & Payment DFAS Vendor Pay (OWCP) Bill Processing 2016 Citigroup Technology Infrastructure (CTI) 2016 Treasury Admin Resource Center 2016 Treasury Invest & Borrowings Treasury Funds Management FY 2018 FY Total Systems Services Elavon, Inc Retail Payment Processing 2016 DFAS FBWT Treasury Distribution 2016 DLA SOIDC FY US Bank AXOL 2015 DISA (ATAAPS) 2015 DMDC DTS FY DFAS Contract Pay DCMA Contract Pay DFAS Financial Reporting DLA irapt DLA DAI FY DFAS Standard Disbursing DMDC DCPDS US Bank SYNCADA DFAS Military Pay 2013 DLA DAAS FY 2013 Legend 2012 AT&L / DLA DPAS DISA (EIS) DFAS Civilian Pay Unqualified / Unmodified Opinion Qualified / Modified Opinion TBD 0 FY 2012 FY 2005 Significant progress has been achieved but much remains to be done. 11

12 Addressing Service Organization Controls How do I do this? What SOC 1 reports are available? DoD SSAE 16/18s as of May 2017 SSAE 16/18 FY 2014 FY 2015 FY 2016 FY 2017 Service Provider Assessable Unit System(s) Included IPA Firm FY 14 Opinion Reporting Period IPA Firm FY 15 Opinion Reporting Period SSAE 16 for FY 16? IPA Firm FY 16 Opinion Reporting Period Report Issuance Date / Expected Issuance Date SSAE 16 for FY 17? IPA Firm FY 17 Opinion Projected Reporting Period for FY 17 Expected Report Issuance Date Civilian Pay DCPS KPMG Unmodified Oct Jun 2014 KPMG Unmodified Oct Jun 2015 Yes KPMG Unmodified Oct Jun 2016 Aug 12, 2016 Yes KPMG TBD Oct Jun 2017 Aug 15, 2017 Military Pay DJMS-AC, DJMS-RC, DMO (Web) KPMG Unmodified Oct Jun 2014 KPMG Modified Oct Jun 2015 Yes KPMG Modified Oct Jun 2016 Aug 17, 2016 Yes KPMG TBD Oct Jun 2017 Aug 17,2017 ADS, ADS IPAC MegaWizard 22 MicroApps: DFAS Standard Disbursing Service DD 2657 Statement of Accountability, State Tax Access Database, State Tax Microsoft Excel workbook, Post Certification Validation Tracking Workbook, GTN_Month_YR Excel Workbook, DJMSwkstmmyy excel workbook, Defense Civilian Payroll System (DCPS) Tracking Spreadsheet, 8522 IPAC Tracking Workbook (Excel), SSN 8522 ACH Spreadsheet, MMYYYY Batch Tracker, 6102 Voucher Workbook (Excel), Cleveland Consolidated Workbook (Excel), 2657 Workbook (Excel), E&C Reconciliation Workbook (Excel), DIT Tracker Workbook (Excel), IPAC Tracking Workbook (Excel), Kansas City Central Site IPAC Wizard (Access) KPMG Unmodified Oct Jun 2014 KPMG Unmodified Oct Jun 2015 Yes KPMG Unmodified Oct Jun 2016 Aug 15, 2016 Yes KPMG TBD Oct Jun 2017 Aug 15, 2017 Contract Pay Vendor Pay MOCAS, EAS, EUD (APVM / PPVM), SCRT, BAM ERMP OnePay, CAPS-W, CAPS-W Data Center, ODS, DCD/DCW, STARS, BAM, APVM GT Unmodified Nov Apr 2014 GT Unmodified Oct Jun 2015 Yes GT Unmodified Oct Jun 2016 Aug 15, 2016 Yes GT TBD Oct Jun 2017 Aug 15, 2017 NA NA NA NA NA NA No NA NA NA NA Yes GT TBD Feb Jul 2017 Sep 15, 2017 FBWT - Transaction Distribution DCAS, SAMS NA NA NA NA NA NA Yes KPMG Modified Mar Sep 2016 Nov 14, 2016 Yes KPMG TBD Oct Jun 2017 Aug 15, 2017 FBWT - Treasury Reconciliation DRRT, CMR NA NA NA NA NA NA No NA NA NA NA No NA NA NA NA DDRS (AFS, B, DCM), 8 MicroApps: Financial Reporting NWCF Trading Partner DB, Eliminator, MOCAS Data Call, Data Call Validation Tool, OMB Max Recon, Inventory Control, Employee Benefits, Buyer & Seller Side Elimations Kearney Modified Mar Nov 2014 Kearney Modified Dec Jul 2015 Yes Kearney Modified Oct Jul 2016 Sept 15, 2016 Yes Kearney TBD Oct Jul 2017 Sept 15, 2017 GT = Grant Thornton PwC - Price Waterhouse Coopers Kearney = Kearney & Company WACO= Williams Adley & Co. E&Y = Ernst & Young CBH = Cherry, Bekaert & Holland RMA = RMA Associates RESJ = Robins, Eskew, Smith & Jordan Multiple SOC 1s are underway or planned. 12

13 Addressing Service Organization Controls How do I do this? What SOC 1 reports are available? DoD SSAE 16/18s as of May 2017 SSAE 16/18 FY 2014 FY 2015 FY 2016 FY 2017 Service Provider Assessable Unit System(s) Included IPA Firm FY 14 Opinion Reporting Period IPA Firm FY 15 Opinion Reporting Period SSAE 16 for FY 16? IPA Firm FY 16 Opinion Reporting Period Report Issuance Date / Expected Issuance Date SSAE 16 for FY 17? IPA Firm FY 17 Opinion Projected Reporting Period for FY 17 Expected Report Issuance Date DMDC Defense Civilian Personnel Data System (DCPDS) DCPDS PwC Modified Oct Jun 2014 KPMG Unmodified Oct Jun 2015 Yes KPMG Unmodified Oct Jun 2016 Aug 15, 2016 Yes KPMG TBD Oct Jun 2017 Aug 15, 2017 Defense Travel System (DTS) DTS N/A N/A N/A WACO Modified Oct Jun 2015 Yes WACO Modified Oct Jun 2016 Sep 08, 2016 Yes KPMG TBD Oct Jun 2017 Aug 15, 2017 DCMA Contract Pay MOCAS, etools GT Modified Feb Oct 2014 GT Modified Feb Sept 2015 Yes GT Modified Jan June 2016 Aug 15, 2016 Yes GT TBD Oct Jun 2017 Aug 15,2017 Wide Area Work Flow - Invoices Receipt Acceptance and Property Transfer (WAWF - irapt) irapt RMA Modified Mar Aug 2014 WACO Modified Oct Jun 2015 Yes GT Modified Oct Jun 2016 Aug 15, 2016 Yes RMA TBD Oct Jun 2017 Aug 15, 2017 Defense Agency Initiative (DAI) DAI WACO Modified Jan Jun 2014 WACO Unmodified Oct Jun 2015 Yes GT Modified Oct Jun 2016 Aug 15, 2016 Yes RMA TBD Oct Jun 2017 Aug 15, 2017 DLA Defense Automatic Addressing System (DAAS) DAAS E&Y Modified Sep Feb 2014 WACO Modified Oct Jun 2015 Yes GT Modified Oct Jun 2016 Aug 15, 2016 Yes RMA TBD Oct Jun 2017 Aug 15, 2017 Service Owned Items in DLA Custody (SOIDC) DSS NA NA NA NA NA NA Yes Kearney Modified Jan Sept 2016 Apr 28, 2017 No NA NA NA NA Defense Property Accountability System (DPAS) DPAS CBH Unmodified Oct Jun 2014 CBH Unmodified Jul Jun 2015 Yes CBH Unmodified Oct Jun 2016 Aug 26, 2016 Yes CBH TBD Oct Jun 2017 Aug 15, 2017 Operations Center (FY Scope) Mechanicsburg, Ogden, Oklahoma City, Montgomery KPMG Unmodified Oct Jun 2014 E&Y Unmodified Oct Jun 2015 Yes E&Y Unmodified Oct Jun Aug-16 Yes E&Y TBD Oct Jun 2017 Aug 15, 2017 DISA Automated Time Attendance and Production System (ATAAPS) ATAAPS N/A N/A N/A E&Y Modified Oct Jun 2015 Yes E&Y Modified Oct Jun Aug-16 Yes E&Y TBD Oct Jun 2017 Aug 15, 2017 Conventional Ammunition LMP, WARS-NT, SAAS-MOD Yes KPMG TBD Oct Mar 2017 TBD U.S. Army General Fund Enetrprise Business System (GFEBS) GFEBS No NA NA NA NA Corporate Payment Systems (CPS) U.S. Bank Freight Payment Transaction Procerssing System Syncada E&Y Unmodified Oct Sept 2014 E&Y Unmodified Oct Sept 2015 Yes E&Y Unmodified Oct Jul 2016 Sept 19,2016 Yes E&Y TBD Aug Jul 2017 Sept 15, 2017 Total Systems Services (TSYS), Subservice Org to CPS, for credit management processing TS1 & TS2 Yes KPMG Unmodified Jan Sep 2016 Oct 31, 2016 Yes KPMG TBD Jan Sep 2017 Oct 2017 U.S. Bancorp Elavon, Inc., Subservice Org to CPS, for daily processing services related to carrier billing Merchant Processing System (MPS) Yes E&Y Unmodified Nov Oct 2016 Dec 19, 2016 Yes E&Y TBD Nov Oct 2017 Dec 2016 Retail Payment Processing (RPS), Subservice Org to CPS, for processing check, electronic payments & research payment discrepancies Integrated Card System, Triad, ACAPS, Falcon, SeQual, CASPER, CME, SAR, CA Web Viewer, IVR, ARMS Yes E&Y Unmodified Nov Oct 2016 Dec 19, 2016 Yes E&Y TBD Nov Oct 2017 Dec 2016 Commercial Card Transaction Processing System (ELAN) Access Online, SeQual, Corporate Payments Mgt Information System (CPMIS), Automated Credit Application Processing System (ACAPS) N/A N/A N/A E&Y Unmodified Nov Oct 2015 Yes E&Y Unmodified Nov Oct 2016 Dec 15, 2016 Yes E&Y TBD Nov Oct 2017 Dec 15, 2017 Multiple SOC 1s are underway or planned. 13

14 Addressing Service Organization Controls How do I do this? What SOC 1 reports are available? DoD SSAE 16/18s as of May 2017 SSAE 16/18 FY 2014 FY 2015 FY 2016 FY 2017 Service Provider Assessable Unit System(s) Included IPA Firm FY 14 Opinion Reporting Period IPA Firm FY 15 Opinion Reporting Period SSAE 16 for FY 16? IPA Firm FY 16 Opinion Reporting Period Report Issuance Date / Expected Issuance Date SSAE 16 for FY 17? IPA Firm FY 17 Opinion Projected Reporting Period for FY 17 Expected Report Issuance Date Compensation Benefit & Payment for Medical Services for Federal Civilian Employees U.S. Department of Labor Integrated Federal Employees' Compensation System (ifecs) Office of the Assistant Secretary for Administration and Management (OASAM) General Support System (GSS) Yes KPMG Unmodified Oct Jun 2016 Rec'd Oct Yes KPMG TBD Oct Jun 2016 Early Sept Office of Workers' Compensation Program (OWCP) Bill Processing / Central Bill Processing System Central Bill Processing System Yes RESJ Unmodified Oct Mar 2016 Rec'd Oct Yes RESJ TBD Oct Mar 2016 Early Sept Travel Card Mainframe Systems Include: IBM z/os, Unisys ClearPath Citi Citigroup Technology Infrastructure (CTI), Global Information Security (GIS), Global Identity Admin (GIDA) Midrange include: Stratus, Nonstop Tandem, & IBM series and various types of physical & virtual UNIX, Linux Windows operating systems) Yes KPMG Unmodified Jan Sep 2016 Rec'd Jan 26, 2017 Yes KPMG TBD Jan Sep 2017 Dec 2017 U.S. Treasury Oracle Federal Financials (Oracle) & Discoverer Admin Resource Accounting, Budgeting, Reporting, Travel, Procurement, Systems Support & Platform Services Feeder Systems: PRISM, IPP, CGE, movelinq & E- Payroll to Oracle Reporting (EOR). ARC provides Yes KPMG Unmodified Jul Jun 2016 Sep 1, 2016 Yes KPMG TBD Jul Jun 2017 Sep 2017 Center application admin of feeder systems. U.S. Treasury Federal Investment Transactions for Government Securities InvestOne Accounting System & FedInvest Subsystem Yes KPMG Unmodified Aug Jul 2016 Sep 23, 2016 Yes KPMG TBD Aug Jul 2017 Sep 2017 Investments & Borrowings U.S. Treasury Management & Accounting Services for Select Gov't Trust Funds, Treasury managed accounts, accounts Funds of Treasury's Office of the Asst Sec for Int'l Affairs Management InvestOne Accounting System & FedInvest Subsystem Yes KPMG Unmodified Aug Jul 2016 Sep 23, 2016 Yes KPMG TBD Aug Jul 2017 Sep 2017 Multiple SOC 1s are underway or planned. 14

15 Addressing Service Organization Controls How do I do this? Which SOC 1s do I need? Projected FY 2017 SSAE 18 Distribution List to DoD Components (Based on Components' Responses) As of Jan 27, 2017 DFAS - Service Provider DLA - Service Provider AT&L - Service Provider DoDHRA DMDC - Service Provider DCMA - Service Provider DISA - Service Provider Standard Disbursing Services Military Pay Financial Reporting Civilian Pay No. DoD Component Tier (ADS) (DJMS & DMO) (DDRS) (DCPS) Contract Pay Vendor Pay Fund Balance with Treasury - Wide Area Work Flow - Invoices Receipt Corporate Payment Systems - Freight (MOCAS, EAS, EUD (CAPSW, OnePay, ODS, Transaction Distribution Defense Automatic Addressing System Defense Agency Initiative Service Owned Items in DLA Custody - SOIDC Defense Property Accountability System Commercial Credit Card Processing System Defense Civilian Personnel Data System Defense Travel System Acceptance and Property Transfer Payments System (APVM/PPVM), SCRT, BAM- DCD/DCW, STARS, CAPSW Data Defesne Cash Accountability System (DAAS) (DAI) Distribution Standard System (DSS) (DPAS) (Access Online) (DCPDS) (DTS) (WAWF - irapt) (Syncada) ERMP) Center, BAM-ERMP, APVM) (DCAS) Contract Pay (MOCAS) Automated Time Attendance and Production System Enterprise Computing Service (ATAAPS) 1 Air Force GF 1 2 Air Force WCF 1 3 Army GF 1 4 Army WCF 1 5 Navy GF & WCF 1 6 USACE 1 7 USMC GF & WCF 1 8 DIA (Defense Intelligence Agency) 2 9 NGA (National Geospatial-Intelligence Agency) 2 10 NRO (National Reconnaissance Office) 2 11 NSA (National Security Agency) 2 See Note Below 12 DCAA 2 13 DeCA (GF & WCF) 2 14 DFAS (as reporting entity) 2 15 DHA-CRM 2 16 DHA (FOD, NCR, Comptroller) 2 17 SMA-Army 2 18 SMA-Navy 2 19 SMA-USAF 2 20 DISA (GF & WCF) 2 21 DLA (GF, WCF & Strategic Materials) 2 22 USSOCOM 2 23 USTRANSCOM 2 USTRANSCOM reviewing USTRANSCOM reviewing USTRANSCOM reviewing 24 USUHS 2 25 CBDP 3 26 DARPA 3 27 DCMA 3 28 DoDEA 3 29 DSCA 3 30 DTRA 3 31 MDA 3 32 Office of Chairman of JCS 3 33 WHS 3 34 DAU 4 35 DHRA 4 36 DLSA 4 37 DMA (Defense Media Activity) 4 38 DMEA (Defense Micro-Electronics Activity) 4 39 DoDIG 4 40 DPMO / DPAA (Def POW/MIA Accounting Agency) 4 41 DSS 4 42 DTIC 4 43 DTSA 4 44 NDU 4 45 OEA 4 46 AT&L DPAS (as a service provider) N/A 47 DCMA Contract Pay (as a service provider) N/A DFAS (Std Disb, Mil Pay, Fin Rpting, Civ Pay, Contract 48 N/A Pay, FBWT-DCAS (as a service provider) 49 DLA (irapt, DAI & DAAS) (as a service provider) N/A 50 DISA ATAAPS (as a service provider) N/A 51 DMDC DTS (as a service provider) N/A User Entities are responsible for report distribution within their organizations. 15

16 Addressing Service Organization Controls How do I do this? Which SOC 1s do I need? DISA Subservice Organizations Other (DoD) Other (Non-DoD) Service Organization - SOC 1 (expected FY 17) DISA Enterprise Services (ES) DISA Joint Interoperability Test Command (JITC) DFAS Accounting Operations Directorate Defense Finance and Accounting Service (DFAS) DFAS (ATAAPS) DFAS (DCPS) Defense Logistics Agency (DLA) Defense Contract Management Agency (DCMA) Defense Manpower Data Center (DMDC) Federal Retirement Thrift Investment Board (FRTIB) Total System Services, Inc. (TSYS) Elavon, Inc. Carpathia (Hosting Facility Contractor) Convergys Corporation U.S. Bank Retail Payment Solutions (RPS) U.S. Bank National Retail Lockbox Xerox Verizon First Federal Sprint and SunGard Edgeweb DFAS - Civilian Pay X X X DFAS - Military Pay X X X X DFAS - Standard Disbursing X X DFAS - Contract Pay X X X DFAS - Vendor Pay* DFAS FBWT - Transaction Distribution X X DFAS FBWT - Treasury Reconciliation* DFAS - Financial Reporting X DMDC - Defense Civilian Personnel Data System (DCPDS) DMDC - Defense Travel System (DTS) X DCMA - Contract Pay X DLA - Invoice Receipt Acceptance and Property Transfer (irapt) X X DLA - Defense Agency Initiative (DAI) X X DLA - Defense Automatic Addressing System (DAAS) DLA - Service Owned Items in DLA Custody (SOIDC) DLA - Defense Property Accountability System (DPAS) X X DISA - Enterprise Services (Hosting) DISA - Automated Time & Attendance Production System (ATAAPS) X X X U.S. Bancorp - Freight Payment Transaction Processing X X X U.S. Bancorp - Commercial Card Transaction Processing System X X X X U.S Department of Labor Integrated Federal Employees' Compensation System. X X X X X (Relates to Federal Employees' Compensation Act (FECA)) Expected FY 17 Subservice Organizations updates / changes are probable. 16

17 Addressing Service Organization Controls How do I do this? Which SOC 1s do I need? Civilian Pay SOC 1 Page 41 - DISA ES provides the physical hosting and administration of DCPS. Specific functions / responsibilities include: - Maintenance of the hardware and system software supporting DCPS. - Protection of computer platforms and resident software and data from unauthorized physical access and environmental hazards. - Administration of logical access to ACF 2. - Performance of certain computer operations activities for the mainframe platforms supporting DCPS, including monitoring of processing, and resolution of any deviations from the pre-defined processing schedule. - Administration of data transmission utilities and monitoring of data transmissions to and from the mainframe platforms supporting DCPS. - Performance of uptime monitoring and assistance with the resolution of availability issues related to DCPS. - System software, application, and data backup and recovery. Civilian Pay FY 16 SOC 1 Family DISA Enterprise Services Defense Civilian Personnel Data System (DCPDS) DAI / ATAAPS Time & Attendance DFAS Civilian Payroll (DCPS) DFAS Standardized Disbursing (ADS) DFAS FBWT Transaction Distribution (DCAS) Civilian Pay SOC 1 Page 41 - DCPDS is and HR information support system for maintaining civilian personnel data in the DoD. DCPDS is used to provide HR / personnel support such as applicant ratings, employee appointments, reassignments, and promotions. Civilian Pay SOC 1 Page 29 - Some user entities send their T&A data into DCPS using batch files generated from separate, userentity operated T&A systems. Civilian Pay SOC 1 Page 33 - The DD 592 file is sent to ADS for processing by Disbursing Operations and to the Defense Cash Accountability System (DCAS) for use in downstream reconciliations and financial reporting. - Check and EFT Payment Files: On a bi-weekly basis, DCPS produces check and EFT payment files interfaced to ADS for disbursement to user entity civilian employees. Note: The DLA DAAS SOC 1 may also be applicable for those entities routing interface files through this system. SOC 1 reports may point you / your auditor where to go. Follow the End-to-End Process. 17

18 Using the Service Organization Controls Report

19 How do I use the SOC 1 report? Desired Outcomes Reporting / User Entity What are we trying to achieve? Unqualified / Unmodified SOC 1 Opinions (performed under the examination standards SSAE 18, AT-C 105, AT-C 205, AT-C 320) Controls Reliance User Entities Place Reliance on the SOC 1 Reports (following A-123 Appendix A / ICOFR requirements) User Auditors Place Reliance on the SOC 1 Reports (as allowed by the auditing standards ex., AU-C 402) An Unqualified SOC 1 does not automatically result in User Auditor reliance. 19

20 How do I use the SOC 1 report? Desired Outcomes The User Auditor s ability to rely on internal controls directly affects audit and audit support costs Level of Controls Reliance Auditor Sample Sizes High Internal Controls Reliance Optimum for a large financial statement audit Minimum Sample Sizes Some Internal Controls Reliance Sufficient for a financial statement audit Reduced Sample Sizes No Internal Controls Reliance Inefficient and Unsustainable Maximum Sample Sizes 10s to 100s of thousands of sample items across DoD An Unqualified SOC 1 does not automatically result in User Auditor reliance. 20

21 How do I use the SOC 1 report? SOC 1 Report Structure A SOC 1 Report typically includes the following sections: Section 1 Independent Service Auditor s Report Section 2 Assertion Provided by Management of the Service Organization Section 3 Description of the Service Organization, including an overview of relevant operations and applications Complementary User Entity Controls (CUECs) Subservice Organizations and Complementary Subservice Organization Controls CSOCs Section 4 Service Organization s Control Objectives and Related Controls (Control Objectives, Controls, and Test of Operating Effectiveness) Section 5 Other Information Provided by Service Organization Management (UNAUDITED) Read the report and assess the impact on your risk of financial misstatement. 21

22 How do I use the SOC 1 report? Areas for Consideration 1 Service auditor competency 6 Evaluation of relevant controls 2 Scope exclusions 7 Reliability of data 3 Carve-outs 8 Results of tests CUECs 4 9 Opinion 5 CSOCs 10 Gap Periods Your auditor will consider these. So should you. 22

23 How do I use the SOC 1 report? What are CUECs and CSOCs Example DFAS Control Objective: Controls provide reasonable assurance that logical access to DCPS programs and data is restricted to authorized users. CSOCs (SSAE 18) DFAS controls were designed assuming certain controls were in place at the Subservice Organization (DISA). These assumptions will now be included in Management s Description for each Subservice Organization. Some basis is needed for the assumptions and DFAS is responsible for monitoring Sub-service providers. DFAS Controls Designed & Operating Effectively CUECs (SAS 70, SSAE 16, and SSAE 18) DFAS controls were designed assuming certain controls were in place at the customer (Reporting Entity). These assumptions have been and will continue to be included in Management s Description. Some basis is needed for the assumptions but DFAS is not responsible for monitoring customers. DISA Controls User Entity Controls Appropriate controls need to be in place at the Reporting Entity, Service Organization(s), and Sub-service Organization(s) to achieve the Control Objective. 23

24 How do I use the SOC 1 report? What are CUECs and CSOCs Reporting / User Entities Controls Controls CUECs (SSAE 16 & 18) DFAS controls were designed assuming certain controls were in place at the customer (Reporting Entity). CUECs DFAS Civilian Pay Service SOC 1 Controls Reporting Entity / User Auditors Controls CSOCs CUECs (SSAE 16 & 18) DISA controls were designed assuming certain controls were in place at the customer (DFAS). CSOCs (SSAE 18) DFAS controls were designed assuming certain controls were in place at the Subservice Organization (DISA). CUECs Controls DISA Hosting Services SOC 1 Appropriate controls need to be in place at the Reporting Entity, Service Organization(s), and Sub-service Organization(s) to achieve the Control Objective. 24

25 How do I use the SOC 1 report? Reliability of Data (and Reports) Background: The clarified standards require the service auditor to evaluate whether system generated information is sufficiently reliable for the service auditor s purposes by obtaining evidence about its accuracy and completeness and evaluating whether the information is sufficiently precise and detailed. They also require the service auditors and the service organization to validate system generated information and reports by detailing how they are generated, who prepares such reports and ensuring the requisite level of detail in such reports. Effectiveness of controls depends in part on the controls over the accuracy and completeness of the system-generated data or reports. Classes of system generated information: The following are the types of data that should be evaluated as part of the SOC 1 attestation: Information used in the execution of controls within the SOC 1 report. Information provided by the service organization to the service auditor to perform testing of controls. Information provided to the user entity. User Entities should understand what reports are being generated by the Service Organization and then confirm whether those reports are included in the SOC 1. 25

26 How do I use the SOC 1 report? Reliability of Data (and Reports) Translation: 1. Reports / data that are relied upon by the Service Organization to perform controls in their SOC 1 (e.g., user access list, reconciliation reports, spreadsheets, etc.) 2. Reports / data that are used by the Service Auditor to perform SOC 1 testing (e.g., user access listings, transaction populations). 3. Reports / data that are provided to the User Entity and are relied upon in your financial reporting (e.g., reporting package, external outputs). User Entities should understand what reports are being generated by the Service Organization and then confirm whether those reports are included in the SOC 1. 26

27 How do I use the SOC 1 report? Common Evaluation Pitfalls Certain applications, interface programs used by some user entities might not be included in the scope of the report and / or important IT controls may be scoped out. The report may be directed at only a limited number of user entities or the coverage is only for certain locations. Relevant reports from the Service Organization may not be included within the scope of the procedures performed by the Service Auditor. All exceptions (not just those within qualified objectives) are not considered for relevance and impact to the User Entity. Subservice Organization SOC 1 reports are not obtained and reviewed. Reporting / User Entities Service Organizations User Auditors Sub-Service Organizations Your auditor will consider these. So should you. 27

28 Reporting Entity Responsibilities for Service Organization Controls Establish MOUs that clearly identify who is responsible for what. 1. Identify all Service Organizations (Service Providers) that impact the Reporting Entity s internal controls over financial reporting. 2. Document an understanding of the Service Providers impact on the Reporting Entity s Financial Reporting and Associated Risks. 3. Document the Reporting Entity s Understanding of Service Provider Controls in Place to Mitigate Financial Reporting Risks. 4. Evaluate the Design and Operating Effectiveness of Service Provider Controls in Place to Mitigate Financial Reporting Risks. 5. Address Complementary User Entity Controls (CUECs) Identified by the Service Provider (i.e., implement effective controls within the Reporting Entity). D O C U M E M T 6. Establish Regular Communications with Service Providers to Monitor Performance and Identify Events that may Impact Internal Controls Over Financial Reporting. Attend and actively participate in the Service Provider Working Group meetings. 28

29 Reporting Entity Responsibilities for Service Organization Controls Other Important Responsibilities Update the FIAR System Database (FSD) to reflect changes. At a minimum, this should be completed to support the bi-annual FIAR Plan Status Report. Notify OUSD(C) FIAR of needed SOC 1s Notify OUSD(C) FIAR if points of contact for SOC 1 distribution have changed. Distribute SOC 1 reports within your own organization, in a timely manner, to all personnel who need them. Communication Protocols Must be Established and Maintained 29

30 OUSD(C) FIAR Support and Available Resources

31 OUSD(C) FIAR Support & Available Resources OUSD(C) FIAR Support Activities Service Provider Working Group Meetings (January, May, and August) Dates / timing requested by User Auditor s performing financial statement audits. Updates provided on SOC 1 scope changes, CUEC changes, status of NFRs, progress on current SOC 1s, etc. IPA Roundtable Meetings Periodic meetings with GAO, DOD IG, and IPA firms performing financial statement audits, audit readiness examinations, and SOC 1 engagements to solicit input on SOC 1 report usability and other audit relevant topics. CUEC Workshops Nine separate workshops were conducted covering audit relevant SOC 1 reports. Included participants from User/Reporting Entities and Service Organizations. MILSTRIP workshops with DLA and customer entities. Detailed walkthroughs of multiple MILSTRIP buy / sell scenarios. Focus on financial statement audit impacting roles and responsibilities. User / Reporting Entity participation is essential. 31

32 OUSD(C) FIAR Support & Available Resources Available Resources SOC 1 Improvement Policy Memo Deputy Chief Financial Officer Policy Memo Issued in February 2016 Identified Ten Required Changes to SOC 1 Reports 1. SOC 1 Reports to be Issued by August 15 th of each year. 2. Nine Month Attestation Period (October 1 June 30). 3. Bridge Letters to be Issued by October 8 th of each year. 4. CUECs to be Aligned to Control Objectives 5. Describe Service Provider Controls in Place to Monitor Subservice Providers and Identify Service Provider Controls in Place to Address Subservice Provider CUECs. 6. Establish an Interim Milestone of April 30 th to Obtain Service Auditor Feedback. 7. Identify Key Inputs and Management s Rationale / Approach. 8. Identify Edit Checks and Management s Rationale / Approach. 9. Identify Interfaces and Management s Rationale / Approach. 10. Identify Outputs and Management s Rationale / Approach. Action has been taken on IPA feedback and status updates provided. 32

33 OUSD(C) FIAR Support & Available Resources Available Resources SSAE 18 Policy Memo Memo was sent to Service Organizations for comment and addresses the following key points: 1. Service Organizations to meet with their IPA(s) to establish an understanding of SSAE 18 impact by January 13, Service Organization to validate the reliability of key output reports / data. 3. Service Organizations to document Complementary Subservice Organization Controls (CSOCs), their basis for assuming the CSOC is in place at the Subservice Organization, and the associated monitoring controls in place at the Service Organization. 4. Service Organizations to communicate of CSOCs to Subservice Organizations by January 23, Provides a deadline for Subservice Organizations to inform Service Organizations that they do not plan to have controls in place to address the CSOCs. 6. Provides a deadline for Subservice Organizations to provide corrective plans to Service Organizations for those instances where remediation is needed to put controls in place to address the CSOCs.. Input was solicited from IPAs performing financial statement audits and SOC 1 engagements. 33

34 OUSD(C) FIAR Support & Available Resources Available Resources FIAR Systems Database Home Page System Owner Data Entry System User Data Entry Important to make timely updates to support FIAR Plan Status Report and responses to ad-hoc requests. 34

35 OUSD(C) FIAR Support & Available Resources Available Resources CUECs OUSD(C) maintains and has distributed the following: An Excel file containing all CUECs from all relevant SOC 1 reports (with additions, deletions, changes from the prior year highlighted Baseline control descriptions that can be customized to address CUECs. Test plans for the Baseline controls. If you have questions or needs, please ask! 35

36 OUSD(C) FIAR Support & Available Resources Available Resources Service Organization Vs. Trading Partner Assessment & CSOCs Auditing Standards based Service Organization vs. Trading Partner Assessment Template Complementary Subservice Organization Controls (CSOCs) Identification Template If you have questions or needs, please ask! 36

37 OUSD(C) FIAR Support & Available Resources Available Resources Contact Information James Davila Accountant, FIAR Directorate, Office of the Deputy Chief Financial Officer, OUSD(C) (703) Bradley Keith Director, PwC Public Sector, LLP (571) (703) If you have questions or needs, please ask! 37

38 Questions