SOC Reports The 2017 Update: What's new, What's not, and What you should be doing with the SOC Reports you receive! Presented by Jeff Pershing


Slide 1: SOC Reports The 2017 Update. What's new, What's not, and What you should be doing with the SOC Reports you receive!
Presented to Northeast Ohio ISACA, Thursday, April 20, 2017
Jeff Pershing, CISA, CISM, CISSP, Principal, Pershing Consulting, LLC

Slide 2: Introductions

Slide 3: Overview
- Brief history of reports on Service Organizations
- Overview of AT 101, SSAE 16/SOC 1, SOC 2, and SOC 3
- Attestation Standards Updates / SSAE 18 Overview
- What's new with SOC Reports
- Trust Services Principles Overview and Updates
- What's new with SOC 2
- User Auditor Requirements
- Lessons learned from the first years of SOC reporting

Slide 4: Brief history of reports on Service Organizations

Slide 5: SAS70
- In the beginning, the AICPA created the SAS70. The AICPA saw that the SAS70 was good, and it was so. And then the AICPA rested... for nearly 20 years.
- Okay, not quite... SAS78, SAS88, SAS94, ... until...
- "He's dead, Jim." (Leonard "Bones" McCoy)

Slide 6: Why the need for a SAS70 Report anyway?
- Computers give rise to EDP (Electronic Data Processing)
- Computers are very big and expensive (in the 60s, 70s, and 80s). Okay, they're still expensive now...
- Let's share their use to be more efficient! This sounds like a business opportunity! Let's create a company to provide processing to several companies at once who can't afford their own (can anyone say "cloud"?)
- Auditor: How do I know my financial calculations are correct and you have good internal controls?
- Service Provider: Trust us!
- Auditor: No, I will audit you. SAS55 says so. See you Monday. Here's my request list.
- Service Provider: Wait, I have hundreds of customers with auditors all saying the same thing!

Slide 7: Service Provider Audit Reports: A Short History
- AICPA = American Institute of Certified Public Accountants; SAS = Statement on Auditing Standards
- SAS 55, Consideration of the Internal Control Structure in a Financial Statement Audit: released in 1988; created "death by auditing" for service providers
- SAS70, Service Organizations: issued in 1992 as Reports on the Processing of Transactions by Service Organizations, effective for reports issued after March 31, 1993. One report to meet the needs of multiple user auditors. Amended by SAS 88 and renamed Service Organizations.

Slide 8: Service Provider Audit Reports: A Short History (cont)
- SAS70 was amended several times by subsequent SASs:
  - 1998, SAS78: Consideration of Internal Control in a Financial Statement Audit: An Amendment to Statement on Auditing Standards No. 55
  - SAS88: title changed to Service Organizations
  - 2002, SAS94: The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit
  - 2002, SAS98: Omnibus Statement on Auditing Standards-2002
  - Other minor adjustments ("conforming changes") in 2006 by SAS105 & SAS106, and in 2007 by SAS109 & SAS110
- SAS70 was superseded by three Service Organization Control (SOC) reports (SOC 1, SOC 2 and SOC 3) for reports issued on or after June 15, 2011
- SOC Reports were based on Attestation Standard 101 (AT 101)

Slide 9: Why Change?
- SAS70 was abused: intended for ICFR, but used for much more
  - To obtain assurance on controls regarding compliance and operations, e.g. hosted data centers providing no financial-reporting-relevant services. SysTrust or AT 101 should have been used instead.
- SAS70 grew in familiarity outside the auditing world (e.g. IT), but was not necessarily well understood: "Are you SAS70 Certified?"

Slide 10: Why Change? (cont)
- ISAE 3402 / SSAE 16 (SOC 1) for ICFR
  - International Standard on Assurance Engagements (ISAE) 3402 issued in December 2009
  - AICPA issued SSAE No. 16 shortly afterwards as a US standard in alignment with ISAE 3402; minor differences between the two
  - Drafted to help correct misuses of the SAS70
- SOC 2 for matters other than ICFR: specifically Security, Availability, Processing Integrity, Confidentiality, and Privacy
- SOC 3: similar to SOC 2, but a general use report
- All three based on AT 101 (SSAE 16 became AT 801)

Slide 11: Overview of AT 101, SSAE 16/SOC 1, SOC 2, and SOC 3

Slide 12: Attestation Standards Section 101
- The section provides a framework for attestation engagements completed by practitioners
- SOC 1, SOC 2 and SOC 3 reports are completed in accordance with AT Section 101
- The subject matter of an attest engagement may take many forms, for example:
  - Physical characteristics (e.g. narrative descriptions, square footage of facilities)
  - Historical events (e.g. the price of a market basket of goods on a certain date)
  - Systems and processes (e.g. internal control)
- Suitability and availability of criteria: the subject matter must be capable of evaluation against criteria that are suitable and available to users

Slide 13: Attestation Standards
- SSAE = Statement on Standards for Attestation Engagements
- SSAE 10, issued in 2001, established:
  - AT 101 Attest Engagements
  - AT 201 Agreed-Upon Procedures Engagements
  - AT 301 Financial Forecasts and Projections
  - AT 401 Reporting on Pro Forma Financial Information
  - AT 601 Compliance Attestation
  - AT 701 Management's Discussion and Analysis

Slide 14: Other SSAEs
- SSAE 11, Attest Documentation: updated AT 101, 201, and 301
- SSAE 12, Amendment to Statement on Standards for Attestation Engagements No. 10, Attestation Standards: Revision and Recodification: updated AT 101
- SSAE 13, Defining Professional Requirements in Statements on Standards for Attestation Engagements: created AT 20, Defining Professional Requirements for SSAE Engagements
- SSAE 14, SSAE Hierarchy: created AT 50, SSAE Hierarchy
- SSAE 15, An Examination of an Entity's Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements: created AT 501 (issued in 2008)
- SSAE 17, Reporting on Compiled Prospective Financial Statements When the Practitioner's Independence is Impaired: updated AT 301

Slide 15: NOTE: SAS 130 withdrew AT 501
- SAS 130, An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements (AICPA, Professional Standards, AU-C sec. 940), issued in October 2015
- The AICPA Auditing Standards Board (ASB) determined it is appropriate to move the content of AT section 501 from the attestation standards into generally accepted auditing standards (GAAS).
- The ASB will consider developing, at a later date, an attestation standard addressing examinations of internal control other than internal control over financial reporting that is integrated with an audit of financial statements.
- SAS No. 130 is effective for integrated audits for periods ending on or after December 15, 2016, at which time AT 501 is withdrawn.

Slide 16: What changed moving from SAS to AT?
- Attestation Standard vs. Auditing Standard
- Management Assertion: an assertion is any declaration or set of declarations about whether the subject matter is based on or in conformity with the criteria selected
- Description of System vs. Controls
- Use of suitable criteria
- Suitability of design opinion
- Materiality
- Period: SAS70 was a point in time; SSAE 16 (SOC 1)/SOC 2 cover the entire period
- Deviations (not "exceptions")
- Use of Internal Audit: testing by IA must be identified in the report
- Opinion format

Slide 17: What is a System?
TSP sec. 100 paragraph .01 defines a system as follows: A system is designed, implemented, and operated to achieve specific business objectives (for example, delivery of services, production of goods) in accordance with management-specified requirements. System components can be classified into the following five categories:
- Infrastructure. The physical structures, IT, and other hardware (for example, facilities, computers, equipment, mobile devices, and telecommunications networks).
- Software. The application programs and IT system software that supports application programs (operating systems, middleware, and utilities).
- People. The personnel involved in the governance, operation, and use of a system (developers, operators, entity users, vendor personnel, and managers).
- Processes. The automated and manual procedures. (NOTE: SOC 2 Guide, par. 1.26a(ii)(4) uses "Procedures" rather than "Processes".)
- Data. Transaction streams, files, databases, tables, and output used or processed by a system.

Slide 18: SSAE 16 / SOC 1
- SSAE 16, Reporting on Controls at a Service Organization: created AT 801; as an attestation standard, it is built upon AT 101
- Established requirements for attestation engagements to report on controls at organizations that provide services to user entities when those controls are likely to be relevant to user entities' internal control over financial reporting (ICFR)
- Effective for reports issued on or after June 15, 2011
- SOC 1 Audit Guide released May 2011, updated May 2013; a new update was just released in January 2017
- Two report types: SOC 1 Type I = SSAE 16 Type I Report; SOC 1 Type II = SSAE 16 Type II Report
- Branded by the AICPA as SOC 1 (Service Organization Control Report 1); the AICPA now prefers "SOC 1" over "SSAE 16"

Slide 19: SOC 2 Reports
- Reports on Controls at a Service Organization over Security, Availability, Processing Integrity, Confidentiality, or Privacy
- Can report on just one Principle, or any combination of the five
- SOC 2 Guide released May 2011, updated March 2012 and July 2015; a new update is expected soon
- Report format designed to match the SSAE 16: SOC 2 Type I and SOC 2 Type II
- Criteria are prescribed: must use the TSP (Trust Services Principles)

Slide 20: SOC 3 Reports
- Similar to a SOC 2; uses TSP 100, Trust Services Principles
- Primary differences:
  - Does not contain a description of the practitioner's tests of controls and the results of those tests
  - Is a general use report rather than a restricted use report
  - An unqualified opinion allows use of the SOC Seal ("SysTrust for Service Organizations") on the service provider's website, if the service auditor is licensed by CPA Canada (formerly CICA)
- The SOC 3 Guide was planned for release in Q4, but we're still waiting...

Slide 21: Reports Comparison (comparison table not reproduced in the transcription)

Slide 22: Attestation Standards Updates / SSAE 18 Overview

Slide 23: Attestation Clarity Project
- Designed to address concerns over the clarity, length, and complexity of the Attestation Standards
- Objective: to make AT sections easier to read, understand and apply
- Redrafted the standards utilizing clarity drafting conventions
- Resulted in SSAE 18, Attestation Standards: Clarification and Recodification
- Desire to converge with the standards of the International Auditing and Assurance Standards Board (IAASB): International Standard on Assurance Engagements (ISAE) 3000 (Revised), Assurance Engagements Other Than Audits or Reviews of Historical Financial Information, served as the foundation for the common concepts, examination, and review sections of SSAE 18

Slide 24: Clarity Drafting Conventions
SSAE 18 was drafted utilizing clarity drafting conventions, including:
- Establishing objectives for each AT-C section
- Including a definitions section, where relevant, in each AT-C section
- Separating requirements from application and other explanatory material
- Numbering application and other explanatory material paragraphs using an "A-" prefix and presenting them in a separate section that follows the requirements section
- Using formatting techniques, such as bulleted lists, to enhance readability
- Including, when appropriate, special considerations relevant to audits of smaller, less complex entities within the text of the AT-C section
- Including, when appropriate, special considerations relevant to examination, review, or agreed-upon procedures engagements for governmental entities within the text of the AT-C section
The identifier "AT-C" is used to differentiate the sections of the clarified attestation standards ("AT-C" sections) from the sections of the attestation standards that are superseded by SSAE 18 ("AT" sections).

Slide 25: SSAE 18
- Supersedes SSAEs 10-17, except:
  - SSAE 10, Chapter 7 (AT 701), Management's Discussion and Analysis: renamed AT-C 395
  - SSAE 15 (AT 501 and 9501), An Examination of an Entity's Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements, and related interpretation no. 1. However, SAS 130 withdrew AT 501 and the related interpretations for integrated audits for periods ending on or after December 15, 2016.
- Effective for reports dated on or after May 1, 2017

Slide 26: Contents of SSAE 18
- AT-C Preface
- AT-C Section 100, Common Concepts
  - AT-C Section 105, Concepts Common to All Attestation Engagements
- AT-C Section 200, Level of Service
  - AT-C Section 205, Examination Engagements
  - AT-C Section 210, Review Engagements
  - AT-C Section 215, Agreed-Upon Procedures Engagements
- AT-C Section 300, Subject Matter
  - AT-C Section 305, Prospective Financial Information
  - AT-C Section 310, Reporting on Pro Forma Financial Information
  - AT-C Section 315, Compliance Attestation
  - AT-C Section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting
  - AT-C Section 395, Management's Discussion and Analysis

Slide 27: What's New in SSAE 18?
- Separate discussion of review engagements (AT 101 combined the discussion of examinations and reviews)
- Required representation letters (AT 101 allowed, but did not require, representation letters)
- Risk assessment for examination engagements: requires obtaining a more in-depth understanding of the development of the subject matter than previously required, in order to better identify the risks of material misstatement in an examination engagement
- Incorporation of detailed requirements: similar to the SASs, specifies additional requirements (e.g. the need for an engagement letter, or the need to obtain written representations)
- Scope limitation imposed by the engaging party or the responsible party: now allows for a qualified opinion, not only disclaiming an opinion or withdrawing from the engagement

Slide 28: Mapping AT to AT-C (AT sections superseded by SSAE No. 18 -> AT-C sections designated by SSAE No. 18)
- AT 20, Defining Professional Requirements in Statements on Standards for Attestation Engagements -> AT-C 105, Concepts Common to All Attestation Engagements
- AT 50, SSAE Hierarchy -> AT-C 105, Concepts Common to All Attestation Engagements
- AT 101, Attest Engagements -> AT-C 105, Concepts Common to All Attestation Engagements; AT-C 205, Examination Engagements; AT-C 210, Review Engagements
- AT 201, Agreed-Upon Procedures Engagements -> AT-C 215, Agreed-Upon Procedures Engagements
- AT 301, Financial Forecasts and Projections -> AT-C 305, Prospective Financial Information
- AT 401, Reporting on Pro Forma Financial Information -> AT-C 310, Reporting on Pro Forma Financial Information
- AT 501, An Examination of an Entity's Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements -> none: Statement on Auditing Standards No. 130, An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements, withdraws AT section 501
- AT 601, Compliance Attestation -> AT-C 315, Compliance Attestation
- AT 701, Management's Discussion and Analysis -> AT-C 395, Management's Discussion and Analysis
- AT 801, Reporting on Controls at a Service Organization -> AT-C 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting

Slide 29: Mapping AT-C to AT (AT-C sections designated by SSAE No. 18 <- AT sections superseded by SSAE No. 18)
- Preface, Preface to the Attestation Standards <- Introduction, Attestation Standards Introduction
- 100, Common Concepts / 105, Concepts Common to All Attestation Engagements <- AT 20, Defining Professional Requirements in Statements on Standards for Attestation Engagements; AT 50, SSAE Hierarchy; AT 101, Attest Engagements
- 200, Level of Service / 205, Examination Engagements <- AT 101, Attest Engagements
- 210, Review Engagements <- AT 101, Attest Engagements
- 215, Agreed-Upon Procedures Engagements <- AT 201, Agreed-Upon Procedures Engagements
- 300, Subject Matter / 305, Prospective Financial Information <- AT 301, Financial Forecasts and Projections
- 310, Reporting on Pro Forma Financial Information <- AT 401, Reporting on Pro Forma Financial Information
- 315, Compliance Attestation <- AT 601, Compliance Attestation
- 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting <- AT 801, Reporting on Controls at a Service Organization
- 395, Management's Discussion and Analysis <- AT 701, Management's Discussion and Analysis

Slide 30: What's new with SOC Reports

Slide 31: SOC 2 + Additional Subject Matter
- Introduced in (approximately) 2015
- Allows for addressing additional criteria, additional subject matter using additional suitable criteria, or both. E.g. in addition to addressing the Security Principle, also address the HIPAA Security Rule.
- Mappings created from the 2014 version of the Trust Services Principles to: CSA Cloud Controls Matrix; HITRUST CSF; COBIT 5; COSO 2013; ISO 27001; NIST SP 800-53 R4

Slide 32: Underlying Standard has Changed
- SOC 1: old standard AT 801 (with attestation guidance provided by the SOC 1 Guide); new standards AT-C 105, AT-C 205, AT-C 320 (and a brand new SOC 1 Guide!)
- SOC 2 / SOC 3: old standard AT 101 (with attestation guidance provided by the SOC 2 Guide issued in July 2015); new standards AT-C 105, AT-C 205 (and the existing SOC 2 Guide)
- For all three SOC Reports, any dated on or after May 1, 2017 must follow the new AT-C standards (SSAE 18)

Slide 33: But that's not all!
- SOC Report = Service Organization Control Report? NO LONGER! SOC has been redefined to mean System and Organization Controls.
- According to the AICPA: "By redefining that acronym, the AICPA enables the introduction of new internal control examinations that may be performed (a) for other types of organizations, in addition to service organizations and (b) on either system-level or entity-level controls of such organizations."

Slide 34: SOC Suite of Services
- SOC 1: SOC for Service Organizations: ICFR. AT-C 320 (and AT-C 105 / AT-C 205) plus a new SOC 1 Guide
- SOC 2: SOC for Service Organizations: Trust Services Criteria. AT-C 205 (and AT-C 105) plus the existing SOC 2 Guide
- SOC 3: SOC for Service Organizations: Trust Services Criteria for General Use Report. AT-C 205 (and AT-C 105) plus the existing SOC 2 Guide
- SOC for Cybersecurity (coming soon!): AT-C 205 (and AT-C 105) plus the forthcoming guide, Reporting on an Entity's Cybersecurity Risk Management Program and Controls
- SOC for vendor supply chains (planned for 2018)

Slide 35: SOC for Cybersecurity
Called a Cybersecurity Examination, it will include:
- A description of the entity's cybersecurity risk management program
- An assessment of the effectiveness of the controls within that program to achieve the entity's cybersecurity objectives
Management is responsible for selecting both the description criteria and the control criteria to be used in the engagement:
- Proposed Description Criteria for Management's Description of the Entity's Cybersecurity Risk Management Program: issued 9/15/16; comment period closed 12/5/16; currently the only option for description criteria
- Proposed Revision of Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy: issued 9/15/16; comment period closed 12/5/16; includes updates to better address cybersecurity risks. Other cybersecurity control criteria may be used.

Slide 36: BREAK (?)

Slide 37: Trust Services Principles Overview and Updates

Slide 38: The Trust Services Principles
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy

Slide 39: Trust Services Principles (TSP) Revisions
- AICPA, Technical Practice Aids, TSP sec. 100: originally released in 2006, then updated in 2009
- Major revision to TSP sec. 100 in March/April 2014:
  - Removed significant redundancies in wording between the Principles
  - Reorganized into a set of Common Criteria applicable to all Principles, plus additional principle-specific criteria
  - Criteria Common to All [Security, Availability, Processing Integrity, and Confidentiality] Principles: 28 criteria statements
  - Availability: 3 more criteria statements
  - Processing Integrity: 6 more criteria statements
  - Confidentiality: 6 more criteria statements
  - Mandatory adoption for reporting periods ending on or after Dec. 15, 2014
  - Privacy was updated separately

Slide 40: 2016 Revisions to the Trust Services Principles
- New version released mid-year 2016
- Minor and clarifying updates to various criteria
- Two additional Confidentiality criteria were added to address the retention and disposal of confidential information (total of 8 criteria statements now)
- Incorporated new criteria for Privacy to bring it back into the TSP framework (removing the cross references to the Generally Accepted Privacy Principles)
- Early adoption permitted; mandatory use beginning with reports for periods ending on or after December 15, 2016

Slide 41: Even more Trust Services Revisions!
- Proposed Revision of Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy: issued 9/15/16; comment period closed 12/5/16
- The proposed revision indicates these are expected to become mandatory by 6/15/2018, with early adoption permitted. However, a final version has not yet been issued.
- Significant changes:
  - Renaming: "trust services principles and criteria" are now "trust services criteria"; the five principles (security, availability, processing integrity, confidentiality, and privacy) are now "trust services categories"
  - Aligns the Trust Services Criteria to the COSO 2013 Framework
  - Includes updates to better address cybersecurity risks
  - Adds points of focus to all criteria (in a similar manner as COSO 2013)

Slide 42: TSP Common Criteria
Criteria Common to All [Security, Availability, Processing Integrity, and Confidentiality] Principles:
- CC1.0 Common Criteria Related to Organization and Management
- CC2.0 Common Criteria Related to Communications
- CC3.0 Common Criteria Related to Risk Management and Design and Implementation of Controls
- CC4.0 Common Criteria Related to Monitoring of Controls
- CC5.0 Common Criteria Related to Logical and Physical Access Controls
- CC6.0 Common Criteria Related to System Operations
- CC7.0 Common Criteria Related to Change Management
Additional criteria apply when reporting on Availability, Processing Integrity, or Confidentiality.

Slide 43: What's new with SOC 2

Slide 44: Contents of a SOC 2 Report
- Auditor's Report. What does it cover: fairness of presentation of the description; suitability of design of the controls; operating effectiveness of controls (Type 2 only); the criteria related to the auditor's evaluation
- Tests of Controls and Results (Type 2 only)
- Whether the carve-out or inclusive method was used for subservice organizations
- Other Information from the Service Organization (unaudited)

Slide 45: SOC 2 Guide
- Updated SOC 2 Guide released July 1, 2015
- Provides how-to guidance for service auditors performing examinations under AT section 101
- Incorporates the TSP sec. 100 updates from 2014
- Updated guide expected in 2017 (?)
- Other updates fall into two major categories: scoping updates, which drive changes to the examination process, and language updates, which will be reflected in reporting deliverables

Slide 46: Scoping Updates
- Non-continuous exam periods: recommendation to either expand the period to cover the gap period or evaluate the potential effect of the excluded time period on users of the report [ref. par. 2.26]
- If addressing Confidentiality or Privacy, the system boundary must include the information life cycle: collection, use, retention, disclosure, and disposal or anonymization of personal information [ref. par. 3.05]
- Monitoring of subservice organizations: regardless of the subservice organization approach (carve-out or inclusive), controls to monitor services provided by third parties should be included in the description [ref. par. 1.26a(iv)(2) and 3.5]

Slide 47: Scoping Updates (cont)
- Complementary User Entity Controls (CUECs) and User Entity Responsibilities
  - CUECs are now emphasized as controls necessary to meet one or more criteria
  - Otherwise, the item is considered a User Entity Responsibility (a new concept introduced in the current guide)
  - User Entity Responsibilities are not required to be included in the system description [ref. par. up to 3.37]

Slide 48: Language Updates
- Representation letter: additional representations by management to the service auditor:
  - Communications from regulators and others have been disclosed
  - Management acknowledges responsibility for the subject matter
  - The effects of uncorrected misstatements are immaterial
- System description: additional guidance to the service auditor on evaluating what fair presentation is [ref. par. 3.02]

Slide 49: Language Updates (cont)
- Control activities: additional guidance to the service auditor on describing controls, including [ref. par. 3.07]:
  - What: the subject matter to which the control applies
  - Who: the party responsible for performing the control
  - How: the nature of the activity performed, including the sources of information used in performing the control
  - When: the frequency with which the control is performed, or the timing of its occurrence
- Control testing conclusions: example wording for greater clarity in particular situations:
  - Sample size, when there are deviations [ref. par. 4.09]
  - Controls with no activity during the period [ref. par. 4.50]

Slide 50: SOC 2 Guide: Other Useful Information
- Appendix C: Illustrative Management Assertion and Related Service Auditor's Report
- Appendix D: Illustrative Type 2 Service Organization Controls Report
- Appendix E: Information for Management of a Service Organization. Generally a restatement of management's responsibilities from various other portions of the guide, pulled together in one place in a more reader-friendly format and writing style.

Slide 51: SOC 2 Guide: Other Useful Information (cont)
- Appendix F: Service Auditor Considerations in Performing SOC 2 or SOC 3 Engagements for Cloud Service Organizations (CSOs). Provides an overview of CSOs, deployment models, and challenges unique to CSOs and their impact on performing a SOC 2 / SOC 3 engagement.
- Appendix H: Additional Considerations for the Service Auditor Regarding the Trust Services Criteria. Provides explanatory information on the seven Common Criteria categories and the additional criteria for Availability, Processing Integrity, and Confidentiality; adds context beyond the illustrative risks and controls provided in TSP sec. 100, Appendix B.

Slide 52: User Auditor Requirements

Slide 53: User Auditor Requirements
- Read the report!!!
- Does it cover the relevant services?
- Service auditor's opinion: Unqualified? (good). Qualified? (not as good, but can be okay). Adverse? (typically bad). Disclaimer of opinion? (typically very bad).
- Any deficiencies/deviations? If so, how do they affect the user entity?
- SAS 122 / AU-C Section 402, Audit Considerations Relating to an Entity Using a Service Organization: outlines various requirements for user auditors when evaluating attestation reports; particularly important when evaluating in support of ICFR

Slide 54: User Auditor Requirements (cont)
Understand the service organization / evaluate the appropriateness of the report in support of the user organization audit (ref. AU-C 402 par. .17):
- Service auditor's professional competence
- Adequacy of the standards utilized
- Time period covered
- Sufficiency and appropriateness of the evidence provided for the understanding of the user entity's internal control:
  - Is the description of the system sufficient and understandable?
  - Are the control objectives/criteria relevant, sufficient, understandable?
  - Are the controls relevant, sufficient, understandable?
- Sufficiency and appropriateness of the tests of controls performed by the service auditor
- Evaluate complementary user entity controls for relevance, design and implementation

Slide 55: User Auditor Requirements (cont)
- Complementary User Entity Controls, from AU-C 402, par. .08: "Controls that management of the service organization assumes, in the design of its service, will be implemented by user entities, and which, if necessary to achieve the control objectives stated in management's description of the service organization's system, are identified as such in that description."
- The user auditor should determine which are relevant to the user entity audit, then evaluate the user entity for the design and implementation of those controls
- One way is to map the Complementary User Entity Controls to User Entity Controls

Slide 56: User Auditor Requirements (cont)
What if the report is insufficient for the audit need?
- Contact the service organization, through the user entity, to obtain specific information
- Visit the service organization and perform procedures that will provide the necessary information about the relevant controls at the service organization
- Use another auditor to perform procedures that will provide the necessary information about the relevant controls at the service organization
- Refer to AU-C 402 par. .12 for additional information
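The checks on slides 53 through 56 (time period covered, type of opinion, services in scope, deviations, and mapping of CUECs to the user entity's own controls) are easy to skip when a dozen vendor reports land at year end. The script below is an added example written for this page, not material from the presentation or from the AICPA; it turns those checks into a repeatable triage over a report's key facts. The SocReport and UserAuditContext records, the sample report and the two thresholds (a 90-day window in which a bridge letter is treated as acceptable, and a 180-day minimum period for a Type 2 report) are assumptions for illustration, not figures from the slides or the standards.

```python
"""Triage of SOC reports received from service organizations.

Added example for this page; not code from the presentation or the AICPA.
Encodes the user-auditor checks: period covered vs. the user entity's audit
period, opinion type, services in scope, deviations, and whether every
complementary user entity control (CUEC) maps to a user entity control.
The 90-day bridge-letter window and 180-day minimum Type 2 period are
assumed thresholds, not values taken from the slides or the standards.
"""
from dataclasses import dataclass, field
from datetime import date

# Triage label per opinion type (assumed labels, following the slide's ranking).
OPINION_IMPACT = {
    "unqualified": "ok",
    "qualified": "review the qualification against the controls relied on",
    "adverse": "do not rely",
    "disclaimer": "do not rely",
}


@dataclass
class SocReport:
    service_org: str
    report_type: str            # e.g. "SOC 1 Type 2"
    period_start: date
    period_end: date
    opinion: str                # unqualified / qualified / adverse / disclaimer
    services_covered: set
    cuecs: dict                 # CUEC id -> control the service org assumes we operate
    deviations: list = field(default_factory=list)


@dataclass
class UserAuditContext:
    audit_start: date
    audit_end: date
    services_relied_on: set
    control_map: dict           # user entity control id -> set of CUEC ids it satisfies


def coverage_gaps(report, ctx):
    """Audit-period days before the report period starts and after it ends."""
    before = max(0, (report.period_start - ctx.audit_start).days)
    after = max(0, (ctx.audit_end - report.period_end).days)
    return before, after


def unmapped_cuecs(report, ctx):
    """CUECs in the report that no user entity control is mapped to."""
    mapped = set()
    for cuec_ids in ctx.control_map.values():
        mapped |= set(cuec_ids)
    return sorted(set(report.cuecs) - mapped)


def evaluate(report, ctx, bridge_letter_max_days=90, min_type2_days=180):
    """Return the findings a user auditor would raise and whether reliance is supported."""
    findings = []
    impact = OPINION_IMPACT.get(report.opinion.lower(), "unknown opinion type")
    if impact != "ok":
        findings.append(f"opinion is {report.opinion}: {impact}")

    missing_services = sorted(ctx.services_relied_on - report.services_covered)
    if missing_services:
        findings.append(f"services relied on but not in scope: {missing_services}")

    period_days = (report.period_end - report.period_start).days + 1
    if "type 2" in report.report_type.lower() and period_days < min_type2_days:
        findings.append(f"Type 2 period covers only {period_days} days")

    before, after = coverage_gaps(report, ctx)
    if before:
        findings.append(f"{before} audit days precede the report period: obtain the prior report")
    if 0 < after <= bridge_letter_max_days:
        findings.append(f"{after} audit days follow the report period: obtain a bridge letter")
    elif after > bridge_letter_max_days:
        findings.append(f"{after} audit days follow the report period: too long for a bridge letter")

    cuec_gaps = unmapped_cuecs(report, ctx)
    if cuec_gaps:
        findings.append(f"CUECs with no mapped user entity control: {cuec_gaps}")

    for dev in report.deviations:
        findings.append(f"deviation to assess for impact: {dev}")

    can_rely = (impact == "ok" and not missing_services and before == 0
                and after <= bridge_letter_max_days and not cuec_gaps)
    return {"service_org": report.service_org, "can_rely": can_rely,
            "gap_before_days": before, "gap_after_days": after,
            "unmapped_cuecs": cuec_gaps, "findings": findings}


# Constructed sample data for a calendar-2017 audit; not taken from any real report.
SAMPLE_REPORT = SocReport(
    service_org="ExamplePayroll LLC",
    report_type="SOC 1 Type 2",
    period_start=date(2016, 11, 1),
    period_end=date(2017, 10, 31),
    opinion="unqualified",
    services_covered={"payroll processing", "hosting"},
    cuecs={
        "CUEC-1": "User entity reviews payroll registers before release",
        "CUEC-2": "User entity restricts who may submit payroll changes",
        "CUEC-3": "User entity reconciles output files to its general ledger",
    },
    deviations=["Control objective 4: 2 of 25 terminated users not removed within 24 hours"],
)

SAMPLE_CONTEXT = UserAuditContext(
    audit_start=date(2017, 1, 1),
    audit_end=date(2017, 12, 31),
    services_relied_on={"payroll processing"},
    control_map={"PAY-07": {"CUEC-1"}, "ACC-03": {"CUEC-2"}},   # CUEC-3 is unmapped
)

if __name__ == "__main__":
    for line in evaluate(SAMPLE_REPORT, SAMPLE_CONTEXT)["findings"]:
        print("-", line)
```

For the sample data the result is two months of audit period after the report's end (a bridge letter request), one CUEC with no user entity control behind it, and one deviation to assess; reliance is not supported until the CUEC gap is closed. The period arithmetic is deliberately split out in coverage_gaps so the same function can drive a bridge-letter tracker across all vendors.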

Slide 57: Common Issues / Lessons Learned (SOC 1 and SOC 2)
- Control objectives included which are not relevant to ICFR
- System descriptions insufficient to understand the flow of transactions/processes
- Description of a control insufficient to understand the control activity
- Report only covers ITGCs, but the services provided include transaction or other information processing
- Description includes controls that have not been implemented
- Descriptions of processes and related controls are incomplete, and the user is unable to understand the processing flow through the system (who? what? where? when? how?)
- Applicable trust services criteria are intended to be met by controls at the subservice organization, but the description does not identify the controls expected to be implemented at a carved-out subservice organization

Slide 58: Questions?

Slide 59: References and Sources (URLs not preserved in the transcription)
- AICPA.org: links to all current SASs and SSAEs, including SSAE 18 (AT-C 105, AT-C 205, AT-C 320, etc.)
- AICPA SOC Reports home page
- AICPA Guides, Alerts (available in a variety of formats for purchase), and Information: SOC 1, SOC 2, SOC 2+
- Trust Services Principles and Criteria (2016) (download or online subscription)
- Proposed Trust Services Criteria Updates: exposure draft; mapping of the proposed criteria to the existing (2016) criteria
- Cloud Security Alliance Position Paper on AICPA SOC Reports
- Brief history of all SASs, with links to the full text for many
- AICPA Cybersecurity Resources: AICPA Cybersecurity Initiative; AICPA Cybersecurity Resource Center

Slide 60: Thank You!
Jeff Pershing, CISA, CISM, CISSP, Jeff@PershingConsulting.com


Mastering SOC-1 Attestation Reports Under SSAE 16: Auditing Service Organizations Controls in the Cloud FOR LIVE POGRAM ONLY Mastering SOC-1 Attestation Reports Under SSAE 16: Auditing Service Organizations Controls in the Cloud TUESDAY, AUGUST 9, 2016, 1:00-2:50 pm Eastern IMPORTANT INFORMATION FOR THE

More information

SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY?

SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY? WHITE PAPER SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY? JEFF COOK DIRECTOR CPA, CITP, CIPT, CISA North America Europe 877.224.8077 info@coalfire.com coalfire.com TABLE OF CONTENTS Summary...

More information

C22: SAS 70 Practices and Developments Todd Bishop, PricewaterhouseCoopers

C22: SAS 70 Practices and Developments Todd Bishop, PricewaterhouseCoopers C22: SAS 70 Practices and Developments Todd Bishop, PricewaterhouseCoopers SAS No. 70 Practices & Developments Todd Bishop Director, Risk Assurance Services, PricewaterhouseCoopers Agenda SAS 70 Background

More information

CSF to Support SOC 2 Repor(ng

CSF to Support SOC 2 Repor(ng CSF to Support SOC 2 Repor(ng Ken Vander Wal, CPA, CISA, HCISPP Chief Compliance Officer, HITRUST * ken.vanderwal@hitrustalliance.net Agenda Introduction to SOC Reporting SOC 2 and HITRUST CSF AICPA and

More information

Exploring Emerging Cyber Attest Requirements

Exploring Emerging Cyber Attest Requirements Exploring Emerging Cyber Attest Requirements With a focus on SOC for Cybersecurity ( Cyber Attest ) Introductions and Overview Audrey Katcher Partner, RubinBrown LLP AICPA volunteer: AICPA SOC2 Guide Working

More information

Service Organization Control (SOC) Reports: What they are and what to do with them MARCH 21, 2017

Service Organization Control (SOC) Reports: What they are and what to do with them MARCH 21, 2017 Service Organization Control (SOC) Reports: What they are and what to do with them MARCH 21, 2017 Presenter Colin Wallace, CPA/CFF, CFE, CIA, CISA Partner Colin has provided management consulting and internal

More information

SAS 70 & SSAE 16: Changes & Impact on Credit Unions. Agenda

SAS 70 & SSAE 16: Changes & Impact on Credit Unions. Agenda SAS 70 & SSAE 16: Changes & Impact on Credit Unions John Mason CISM, CISA, CGEIT, CFE SingerLewak LLP October 19, 2010 Agenda Statement on Auditing Standards (SAS) 70 background Background & purpose Types

More information

SOC Updates: Understanding SOC for Cybersecurity and SSAE 18. May 23, 2017

SOC Updates: Understanding SOC for Cybersecurity and SSAE 18. May 23, 2017 SOC Updates: Understanding SOC for Cybersecurity and SSAE 18 May 23, 2017 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.

More information

SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions

SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions DISCLAIMER: The contents of this publication do not necessarily reflect the position or opinion of the American

More information

Transitioning from SAS 70 to SSAE 16

Transitioning from SAS 70 to SSAE 16 Industry Webinar Series SAS 70 ENDS EXIT TO SSAE 16 Transitioning from SAS 70 to SSAE 16 How Does This Apply to Your Organization? Cindy Boyle, Partner Rodney Walsh, Director BKD IT Risk Services Agenda

More information

Audit Considerations Relating to an Entity Using a Service Organization

Audit Considerations Relating to an Entity Using a Service Organization An Entity Using a Service Organization 355 AU-C Section 402 Audit Considerations Relating to an Entity Using a Service Organization Source: SAS No. 122; SAS No. 128; SAS No. 130. Effective for audits of

More information

International Auditing and Assurance Standards Board (IAASB) International Federation of Accountants 545 Fifth Avenue, 14 th Floor New York, NY 10017

International Auditing and Assurance Standards Board (IAASB) International Federation of Accountants 545 Fifth Avenue, 14 th Floor New York, NY 10017 3701 Algonquin Road, Suite 1010 Telephone: 847.253.1545 Rolling Meadows, Illinois 60008, USA Facsimile: 847.253.1443 Web Sites: www.isaca.org and www.itgi.org 25 April 2008 International Auditing and Assurance

More information

IT Attestation in the Cloud Era

IT Attestation in the Cloud Era IT Attestation in the Cloud Era The need for increased assurance over outsourced operations/ controls April 2013 Symeon Kalamatianos M.Sc., CISA, CISM Senior Manager, IT Risk Consulting Contents Introduction

More information

SOC Lessons Learned and Reporting Changes

SOC Lessons Learned and Reporting Changes SOC Lessons Learned and Reporting Changes Dec. 16, 2014 Your Presenters Today Arshad Ahmed, CISA, CISSP, CPA Leader of SOC and Technology Risk Services for Crowe Rod Smith, CISA, CPA Thought Leader for

More information

Within our recommendations for editorial changes, additions are noted in bold underline and deletions in strike-through.

Within our recommendations for editorial changes, additions are noted in bold underline and deletions in strike-through. 1633 Broadway New York, NY 10019-6754 Mr. Jim Sylph Executive Director, Professional Standards International Federation of Accountants 545 Fifth Avenue, 14th Floor New York, NY 10017 Dear Mr. Sylph: We

More information

HITRUST CSF: One Framework

HITRUST CSF: One Framework HITRUST CSF: One Framework Leveraging the HITRUST CSF to Support ISO, HIPAA, & NIST Implementation and Compliance, and SSAE 16 SOC Reporting Dr. Bryan Cline, CISSP-ISSEP, CISM, CISA, CCSFP, HCISPP Senior

More information

Re: Exposure Draft Proposed ISAE 3402 on Assurance Reports on Controls at a Third Party Service Organization

Re: Exposure Draft Proposed ISAE 3402 on Assurance Reports on Controls at a Third Party Service Organization Date Le Président Fédération Avenue d Auderghem 22-28 des Experts 1040 Bruxelles 31 May 2008 Comptables Tél. 32 (0) 2 285 40 85 Européens Fax: 32 (0) 2 231 11 12 AISBL E-mail: secretariat@fee.be Mr. Jim

More information

Understanding and Evaluating Service Organization Controls (SOC) Reports

Understanding and Evaluating Service Organization Controls (SOC) Reports Understanding and Evaluating Service Organization Controls (SOC) Reports Kevin Sear, CPA, CIA, CISA, CFE, CGMA Agenda 1. Why are SOC reports important? 2. Understanding the new SOC-1, SOC-2, and SOC-3

More information

Adopting SSAE 18 for SOC 1 reports

Adopting SSAE 18 for SOC 1 reports Adopting SSAE 18 for SOC 1 reports Overview Since its adoption in 2011, service auditor reports issued in accordance with SSAE 16 have become increasingly common in the marketplace. In April 2016, the

More information

Information for entity management. April 2018

Information for entity management. April 2018 Information for entity management April 2018 Note to readers: The purpose of this document is to assist management with understanding the cybersecurity risk management examination that can be performed

More information

Making trust evident Reporting on controls at Service Organizations

Making trust evident Reporting on controls at Service Organizations www.pwc.com Making trust evident Reporting on controls at Service Organizations 1 Does this picture look familiar to you? User Entity A User Entity B User Entity C Introduction and background Many entities

More information

Hong Kong Institute of Certified Public Accountants Practising Certificate ("PC") Business Assurance

Hong Kong Institute of Certified Public Accountants Practising Certificate (PC) Business Assurance Hong Kong Institute of Certified Public Accountants Practising Certificate ("PC") Business Assurance Examinable Auditing Standards December 2017 Session and June 2018 session This document contains the

More information

The SOC 2 Compliance Handbook:

The SOC 2 Compliance Handbook: The SOC 2 Compliance Handbook: Your guide to SOC 2 Audit Success The SOC 2 Compliance Handbook Page 2 Table of Contents Abstract 3 Why am I being asked about SOC Compliance? 4 What s the difference between

More information

SOC for cybersecurity

SOC for cybersecurity April 2018 SOC for cybersecurity a backgrounder Acknowledgments Special thanks to Francette Bueno, Senior Manager, Advisory Services, Ernst & Young LLP and Chris K. Halterman, Executive Director, Advisory

More information

Issue for Consideration: Appropriateness of the Drafting of Paragraph A17

Issue for Consideration: Appropriateness of the Drafting of Paragraph A17 Deloitte & Touche LLP Ten Westport Road Wilton, CT 06897-0820 USA Tel: +1 203 761 3000 Fax: +1 203 761 3013 www.deloitte.com Sherry Hazel Audit and Attest Standards American Institute of Certified Public

More information

SAS70 Type II Reports Use and Interpretation for SOX

SAS70 Type II Reports Use and Interpretation for SOX SAS70 Type II Reports Use and Interpretation for SOX November 19, 2007 Presented by: Erin Erickson, Senior Manager Enterprise Governance and Brenda Karl, Director Technology Risk Management Agenda Background

More information

HITRUST CSF Roadmap for 2018 and Beyond HITRUST Alliance.

HITRUST CSF Roadmap for 2018 and Beyond HITRUST Alliance. HITRUST CSF Roadmap for 2018 and Beyond HITRUST CSF Roadmap 2017 HITRUST CSF v9 Update 21 CFR Part 11 (FDA electronic signatures) Add FFIEC IT Examination (InfoSec), FedRAMP, DHS Critical Resilience Review

More information

SAS 70 revised. ISAE 3402 will focus on financial reporting control procedures. Compact_ IT Advisory 41. Introduction

SAS 70 revised. ISAE 3402 will focus on financial reporting control procedures. Compact_ IT Advisory 41. Introduction Compact_ IT Advisory 41 SAS 70 revised ISAE 3402 will focus on financial reporting control procedures Jaap van Beek and Marco Francken J.J. van Beek is a partner at KPMG IT Advisory. He has over twenty-years

More information

Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators

Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators With increasing oversight and growing demands for industry regulations, third party assurance has never been under a keener

More information

26 February Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, NW Washington, DC

26 February Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, NW Washington, DC 3701 Algonquin Road, Suite 1010 Telephone: 847.253.1545 Rolling Meadows, Illinois 60008, USA Facsimile: 847.253.1443 Web Sites: www.isaca.org and www.itgi.org 26 February 2007 Office of the Secretary Public

More information

SOC 3 for Security and Availability

SOC 3 for Security and Availability SOC 3 for Security and Availability Independent Practioner s Trust Services Report For the Period October 1, 2015 through September 30, 2016 Independent SOC 3 Report for the Security and Availability Trust

More information

Opportunities to Integrate Technology Into the Classroom. Presented by:

Opportunities to Integrate Technology Into the Classroom. Presented by: Opportunities to Integrate Technology Into the Classroom Presented by: Mark Salamasick, CIA, CISA, CRMA, CSP Executive Director of Audit University of Texas System Discussion Topics Internal Audit Textbook

More information

Achieving third-party reporting proficiency with SOC 2+

Achieving third-party reporting proficiency with SOC 2+ Achieving third-party reporting proficiency with SOC 2+ Achieving third-party reporting proficiency with SOC 2+ Today s organizations do business within a broad ecosystem. Customers, partners, agents,

More information

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010 JAYACHANDRAN.B,CISA,CISM jb@esecurityaudit.com August 2010 SAS 70 Audit Concepts and Benefits Agenda Compliance requirements Overview Business Environment IT Governance and Compliance Management Vendor

More information

Internal Audit Report. Electronic Bidding and Contract Letting TxDOT Office of Internal Audit

Internal Audit Report. Electronic Bidding and Contract Letting TxDOT Office of Internal Audit Internal Audit Report Electronic Bidding and Contract Letting TxDOT Office of Internal Audit Objective Review of process controls and service delivery of the TxDOT electronic bidding process. Opinion Based

More information

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification 2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification Presenters Jared Hamilton CISSP CCSK, CCSFP, MCSE:S Healthcare Cybersecurity Leader, Crowe Horwath Erika Del Giudice CISA, CRISC,

More information

ADVANCED AUDIT AND ASSURANCE

ADVANCED AUDIT AND ASSURANCE ADVANCED AUDIT AND ASSURANCE CPA PROGRAM SUBJECT OUTLINE The Advanced Audit and Assurance subject provides a body of knowledge for you to understand the nature and diversity of audit and assurance engagements.

More information

ISA 800/805. Proposed changes to ISA 800/ 805 were limited in nature

ISA 800/805. Proposed changes to ISA 800/ 805 were limited in nature ISA 800/805 Prof. Annette Köhler, IAASB Member and Drafting Team Chair Agenda Item 4 New York, USA June 16, 2015 Page 1 Proprietary and Copyrighted Information Background and Introduction Proposed changes

More information

Assurance through the ISO27002 Standard and the US NIST Cybersecurity Framework. Keith Price Principal Consultant

Assurance through the ISO27002 Standard and the US NIST Cybersecurity Framework. Keith Price Principal Consultant Assurance through the ISO27002 Standard and the US NIST Cybersecurity Framework Keith Price Principal Consultant 1 About About me - Specialise in cybersecurity strategy, architecture, and assessment -

More information

Robert Brammer. Senior Advisor to the Internet2 CEO Internet2 NET+ Security Assessment Forum. 8 April 2014

Robert Brammer. Senior Advisor to the Internet2 CEO Internet2 NET+ Security Assessment Forum. 8 April 2014 Robert Brammer Senior Advisor to the Internet2 CEO rfbtech@internet2.edu Internet2 NET+ Security Assessment Forum 8 April 2014 INTERNET2 NET+ Security Initiative Primary objective -- develop guidance to

More information

Table of Contents. Preface xvii PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING

Table of Contents. Preface xvii PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING Table of Contents Preface xvii PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING Chapter 1: Significance of Internal Auditing in Enterprises Today: An Update 3 1.1 Internal Auditing History and Background

More information

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH 1 Speaker Bio Katie McIntosh, CISM, CRISC, CISA, CIA, CRMA, is the Cyber Security Specialist for Central Hudson Gas &

More information

California ISO Audit Results for 2011 SSAE 16 & Looking Forward for 2012 December 15, 2011

California ISO Audit Results for 2011 SSAE 16 & Looking Forward for 2012 December 15, 2011 www.pwc.com California ISO Audit Results for 2011 SSAE 16 & Looking Forward for 2012 December 15, 2011 Agenda SSAE 16 Background Results of Audit Scope of Audit Looking Forward Closing Thoughts Slide 1

More information

ISACA Survey Results. 27 April Ms. Nancy M. Morris, Secretary Securities and Exchange Commission 100 F Street NE Washington, DC

ISACA Survey Results. 27 April Ms. Nancy M. Morris, Secretary Securities and Exchange Commission 100 F Street NE Washington, DC 3701 Algonquin Road, Suite 1010 Telephone: 847.253.1545 Rolling Meadows, Illinois 60008, USA Facsimile: 847.253.1443 Web Sites: www.isaca.org and www.itgi.org 27 April 2006 Ms. Nancy M. Morris, Secretary

More information

Credit Union Service Organization Compliance

Credit Union Service Organization Compliance Credit Union Service Organization Compliance How do SOC reporting and PCI requirements affect your overall compliance strategy? May 15 2012 Your Speakers Dennis Lavin Credit Union Assurance Partner Moderator

More information

Request for Qualifications for Audit Services March 25, 2015

Request for Qualifications for Audit Services March 25, 2015 Request for Qualifications for Audit Services March 25, 2015 I. GENERAL INFORMATION A. Purpose This Request for Qualifications (RFQ) is to solicit a CPA firm with which to contract for a financial and

More information

ISA 540 (Revised): Update. May 2018 ASB meeting Dan Montgomery May 17, 2018

ISA 540 (Revised): Update. May 2018 ASB meeting Dan Montgomery May 17, 2018 ISA 540 (Revised): Update May 2018 ASB meeting Dan Montgomery May 17, 2018 Overview Update on March 2018 IAASB meeting and April 2018 board teleconference Significant revisions post-march Next steps Page

More information

Maryland Health Care Commission

Maryland Health Care Commission Special Review Maryland Health Care Commission Security Monitoring of Patient Information Maintained by the State-Designated Health Information Exchange September 2017 OFFICE OF LEGISLATIVE AUDITS DEPARTMENT

More information

Exposure Draft The Auditor s Responsibility to Consider Fraud in an Audit of Financial Statements

Exposure Draft The Auditor s Responsibility to Consider Fraud in an Audit of Financial Statements Chartered Accountants of Canada Comptables agréés du Canada The Canadian Institute of Chartered Accountants 277 Wellington Street West Toronto, Ontario Canada M5V 3H2 Tel: (416) 977-3222 Fax: (416) 977-8585

More information

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information The HITRUST CSF A Revolutionary Way to Protect Electronic Health Information June 2015 The HITRUST CSF 2 Organizations in the healthcare industry are under immense pressure to improve quality, reduce complexity,

More information

Vendor Management: SSAE 18. Presented by Joseph Kirkpatrick CISSP, CISA, CGEIT, CRISC, QSA Managing Partner

Vendor Management: SSAE 18. Presented by Joseph Kirkpatrick CISSP, CISA, CGEIT, CRISC, QSA Managing Partner Vendor Management: SSAE 18 Presented by Joseph Kirkpatrick CISSP, CISA, CGEIT, CRISC, QSA Managing Partner Audio Handouts Questions Welcome Joseph Kirkpatrick is the Managing Partner at KirkpatrickPrice

More information

Peer Collaboration The Next Best Practice for Third Party Risk Management

Peer Collaboration The Next Best Practice for Third Party Risk Management SESSION ID: GRM-F02 Peer Collaboration The Next Best Practice for Third Party Risk Management Robin M. Slade EVP & COO The Santa Fe Group & Shared Assessments Program Introduction Q: How do we achieve

More information

Guide To Internal Auditing Iatf Store

Guide To Internal Auditing Iatf Store GUIDE TO INTERNAL AUDITING IATF 16949 STORE PDF - Are you looking for guide to internal auditing iatf 16949 store Books? Now, you will be happy that at this time guide to internal auditing iatf 16949 store

More information

Auditing IT General Controls

Auditing IT General Controls Auditing IT General Controls Amanthi Pendegraft and Nadine Yassine September 27, 2017 Agenda Introduction and Objectives IT Audit Fundamentals IT General Controls Overview Access to Programs and Data Program

More information

Google Cloud & the General Data Protection Regulation (GDPR)

Google Cloud & the General Data Protection Regulation (GDPR) Google Cloud & the General Data Protection Regulation (GDPR) INTRODUCTION General Data Protection Regulation (GDPR) On 25 May 2018, the most significant piece of European data protection legislation to

More information

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

FedRAMP: Understanding Agency and Cloud Provider Responsibilities May 2013 Walter E. Washington Convention Center Washington, DC FedRAMP: Understanding Agency and Cloud Provider Responsibilities Matthew Goodrich, JD FedRAMP Program Manager US General Services Administration

More information

IS Audit and Assurance Guideline 2002 Organisational Independence

IS Audit and Assurance Guideline 2002 Organisational Independence IS Audit and Assurance Guideline 2002 Organisational Independence The specialised nature of information systems (IS) audit and assurance and the skills necessary to perform such engagements require standards

More information

Cybersecurity & Privacy Enhancements

Cybersecurity & Privacy Enhancements Business, Industry and Government Cybersecurity & Privacy Enhancements John Lainhart, Director, Grant Thornton The National Institute of Standards and Technology (NIST) is in the process of updating their

More information

Webtrends Inc. Service Organization Controls (SOC) 3 SM Report on the SaaS Solutions Services System Relevant to Security

Webtrends Inc. Service Organization Controls (SOC) 3 SM Report on the SaaS Solutions Services System Relevant to Security Webtrends Inc. Service Organization Controls (SOC) 3 SM Report on the SaaS Solutions Services System Relevant to Security For the Period January 1, 2016 through June 30, 2016 SOC 3 SM SOC 3 is a service

More information

Global Specification Protocol for Organisations Certifying to an ISO Standard related to Market, Opinion and Social Research.

Global Specification Protocol for Organisations Certifying to an ISO Standard related to Market, Opinion and Social Research. CONTENTS i. INTRODUCTION 3 ii. OVERVIEW SPECIFICATION PROTOCOL DOCUMENT DEVELOPMENT PROCESS 4 1. SCOPE 5 2. DEFINITIONS 5 3. REFERENCES 6 4. MANAGEMENT STANDARDS FOR APPROVED CERTIFICATION BODIES 6 4.1

More information

LIST OF SUBSTANTIVE CHANGES AND ADDITIONS. PPC's Guide to Audits of Local Governments. Thirty first Edition (February 2016)

LIST OF SUBSTANTIVE CHANGES AND ADDITIONS. PPC's Guide to Audits of Local Governments. Thirty first Edition (February 2016) Route To: Partners Managers Staff File LIST OF SUBSTANTIVE CHANGES AND ADDITIONS PPC's Guide to Audits of Local Governments Thirty first Edition (February 2016) Highlights of This Edition The following

More information

Iso Controls Checklist File Type S

Iso Controls Checklist File Type S ISO 27002 CONTROLS CHECKLIST FILE TYPE S PDF - Are you looking for iso 27002 controls checklist file type s Books? Now, you will be happy that at this time iso 27002 controls checklist file type s PDF

More information

CA/Browser Forum Meeting

CA/Browser Forum Meeting CA/Browser Forum Meeting WebTrust for CA Update June 21, 2017 Jeff Ward / Don Sheehy / Janet Treasure Current Status WebTrust for CA 2.1 As you are aware, based on ISO 21188 WebTrust criteria based on

More information

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved. How to implement NIST Cybersecurity Framework using ISO 27001 WHITE PAPER Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

More information

CLOUD COMPUTING APPLYING THIS NEW TECHNOLOGY TO YOUR PRACTICE

CLOUD COMPUTING APPLYING THIS NEW TECHNOLOGY TO YOUR PRACTICE CLOUD COMPUTING APPLYING THIS NEW TECHNOLOGY TO YOUR PRACTICE Douglas W. Barbin, CPA, CISSP, PCI QSA, CCSK BrightLine CPAs & Associates, Inc. November 4, 2011 Divorced after 72 Days AGENDA ANDOVERVIEW

More information

IS Audit and Assurance Guideline 2001 Audit Charter

IS Audit and Assurance Guideline 2001 Audit Charter IS Audit and Assurance Guideline 2001 Audit Charter The specialised nature of information systems (IS) audit and assurance and the skills necessary to perform such engagements require standards that apply

More information

Citation for published version (APA): Berthing, H. H. (2014). Vision for IT Audit Abstract from Nordic ISACA Conference 2014, Oslo, Norway.

Citation for published version (APA): Berthing, H. H. (2014). Vision for IT Audit Abstract from Nordic ISACA Conference 2014, Oslo, Norway. Aalborg Universitet Vision for IT Audit 2020 Berthing, Hans Henrik Aabenhus Publication date: 2014 Document Version Early version, also known as pre-print Link to publication from Aalborg University Citation

More information

Addressing Cybersecurity Risk

Addressing Cybersecurity Risk The CPA s Role in Addressing Cybersecurity Risk How the Auditing Profession Promotes Cybersecurity Resilience MAY 2017 Contents 1. EXECUTIVE SUMMARY 1 2. THE LANDSCAPE OF CYBERSECURITY RISK 3 The Need

More information

Model Approach to Efficient and Cost-Effective Third-Party Assurance

Model Approach to Efficient and Cost-Effective Third-Party Assurance Model Approach to Efficient and Cost-Effective Third-Party Assurance 1 CHALLENGES WITH THIRD-PARTY ASSURANCE 2 What s Driving Demand for Increased Assurance? Increasing risk posed by third parties Increasing

More information

Studio Guggino and Newtonpartner S.r.l. a team of professionals at the service of your Company

Studio Guggino and Newtonpartner S.r.l. a team of professionals at the service of your Company Studio Guggino and Newtonpartner S.r.l. a team of professionals at the service of your Company To get where the others fail, we have to achieve even higher goals www.sas70.it MISSION Our Mission consists

More information

IGNITING GROWTH. Why a SOC Report Makes All the Difference

IGNITING GROWTH. Why a SOC Report Makes All the Difference IGNITING GROWTH Why a SOC Report Makes All the Difference Many service organizations depend on the integrity of their control environment to protect their business as well as that of their customers. With

More information

CITP Examination Content Specification Outline

CITP Examination Content Specification Outline CITP Examination Content Specification Outline 2016 American Institute of CPAs. All rights reserved. DISCLAIMER: The contents of this publication do not necessarily reflect the position or opinion of the

More information

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA? Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA? A brief overview of security requirements for Federal government agencies applicable to contracted IT services,

More information

The Accreditation and Verification Regulation - Verification report

The Accreditation and Verification Regulation - Verification report EUROPEAN COMMISSION DIRECTORATE-GENERAL CLIMATE ACTION Directorate A - International and Climate Strategy CLIMA.A.3 - Monitoring, Reporting, Verification Guidance Document The Accreditation and Verification

More information

TRAINING SEMINAR COURSE OUTLINE October

TRAINING SEMINAR COURSE OUTLINE October TRAINING SEMINAR COURSE OUTLINE October 10-12 2016 FACILITATOR S BIOGRAPHY SHAWNA M FLANDERS CRISC, CISM, CISA, CSSGB, SSBB Shawna is the Founder and CEO of Business Technology Guidance Associates, LLC.,

More information

The value of visibility. Cybersecurity risk management examination

The value of visibility. Cybersecurity risk management examination The value of visibility Cybersecurity risk management examination Welcome to the "new normal" Cyberattacks are inevitable. In fact, it s no longer a question of if a breach will occur but when. Cybercriminals

More information

INTO THE CLOUD WHAT YOU NEED TO KNOW ABOUT ADOPTION AND ENSURING COMPLIANCE
