SOC Updates: Understanding SOC for Cybersecurity and SSAE 18. May 23, 2017

Transcription

1 SOC Updates: Understanding SOC for Cybersecurity and SSAE 18 May 23, 2017 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.

2 Agenda 01 Learning objectives 02 NEW SOC terminology 03 SOC for Cybersecurity Revised Trust Services Criteria SSAE 18 updates and execution Scoping and SOC 2+ 2 Baker Tilly Virchow Krause, LLP. All rights reserved.

3 Learning objectives 1 SOC for Cybersecurity: Understand the new cybersecurity guidelines including the description criteria for an organization s cybersecurity risk management program and the revisions to the Trust Services Criteria. 2 SSAE 18 updates and execution: SSAE 18 took effect on May 1, Understand the impact of SSAE 18 on SOC execution and reporting. 3 Scoping: Focus on key risk areas and incorporate industry trends to efficiently and effectively meet users vendor management requirements and reporting needs. Understand what SOC 2 + is and how it can aid your organization s regulatory requirements. 3 Baker Tilly Virchow Krause, LLP. All rights reserved.

4 4 New SOC terminology

5 New SOC terminology > SOC has been redefined Formerly Service Organization Controls Now System and Organization Controls > SOC reports now include: SOC 1 SOC for Service Organizations: ICFR SOC 2 SOC for Service Organizations: Trust Services Criteria and SOC 2+ SOC 3 SOC for Service Organizations: Trust Services Criteria SOC for Cybersecurity 5 Baker Tilly Virchow Krause, LLP. All rights reserved.

6 6 SOC for Cybersecurity

7 SOC for Cybersecurity Key elements of SOC for Cybersecurity Whether management s description of it s cybersecurity risk management program meets the Description Criteria for Management s Description of an Entity s Cybersecurity Risk Management Program Whether controls are effective to criteria for security, availability and confidentiality 2017 Trust Services Criteria 7 Baker Tilly Virchow Krause, LLP. All rights reserved.

8 SOC for Cybersecurity Nine categories are included in the Description Criteria for Management s Description of an Entity s Cybersecurity Risk Management Program 1 6 Nature of the business and operations Cybersecurity risk assessment process 2 7 Nature of information at risk Cybersecurity communications and quality of cybersecurity information 3 8 Cybersecurity risk management program objectives Monitoring the cybersecurity risk management program 4 9 Factors that have a significant effect on inherent risk related technology Cybersecurity control processes 5 Cybersecurity risk governance structure 8 Baker Tilly Virchow Krause, LLP. All rights reserved.

9 SOC for Cybersecurity Major Differences between SOC 2 and SOC for Cybersecurity Scoping Reporting formats SOC 2 Focused on the customer facing/supporting system Test procedures included SOC for Cybersecurity Typically focuses on the whole organization Test procedures not included 9 Baker Tilly Virchow Krause, LLP. All rights reserved.

10 SOC for Cybersecurity Key questions?» Who is the intended audience of a SOC for Cybersecurity?» Should I be switching from a SOC 2 to SOC for Cybersecurity?» What should I be doing now to prepare? 10 Baker Tilly Virchow Krause, LLP. All rights reserved.

11 Revised Trust Services Criteria 11

12 Revised Trust Services Criteria Revised Trust Services Criteria Can be used for SOC 2 or SOC for Cybersecurity Effective periods ending on or after Dec. 15, 2018 Transition guidance on making it clear which criteria are used? Didn t we just revise them effective Dec. 15, 2016? 12 Baker Tilly Virchow Krause, LLP. All rights reserved.

13 Revised Trust Services Criteria Major Difference Between 2016 and 2017 Trust Services Criteria - TSC 2017 now includes 17 criteria from COSO 2013 This may cause more governance controls to be incorporated - Many of the other criteria are similar, but may have more detailed elements that need to be evaluated 13 Baker Tilly Virchow Krause, LLP. All rights reserved.

14 Revised Trust Services Criteria Scenario SOC for Cybersecurity Existing SOC 2 that has already adopted 2016 TSC Existing SOC 2 that has not already adopted 2016 TSC New SOC 2 Which Trust Services Criteria (TSC) will an organization use for periods prior to December 15, 2018? (typical individual facts and circumstances may change) 2017 TSC Continue using 2016 for current year and begin readiness for adopting 2017 TSC in 2018 Most likely transition first to 2016 TSC and begin readiness for adopting 2017 TSC in TSC 14 Baker Tilly Virchow Krause, LLP. All rights reserved.

15 SSAE 18 updates and execution 15

16 SSAE 18 updates and execution SSAE 18 is effective for auditors reports on or after May 1, Superseded and replaced SSAE 16 - Applies to all SOC reports, and some other types of reports - SOC 1 guide incorporating SSAE 18 has been updated and released May 1, Baker Tilly Virchow Krause, LLP. All rights reserved.

17 SSAE 18 updates and execution Key changes that may be more significant to service organizations - Focus on Information Provided by the Entity (IPE) - Monitoring the Effectiveness of Controls at Subservice Organizations Other Key Changes for Service Auditors - Auditor report dating Limited impact, but may cause slight delays in report issuances - Updated engagement assertions and rep letters 17 Baker Tilly Virchow Krause, LLP. All rights reserved.

18 SSAE 18 updates and execution Types of IPE as defined in the SOC 1 guide Will this be audited differently than before? How will these procedures be disclosed What to do for SOC 2 absent the guide? Information provided by the service organization in response to ad hoc requests from the service auditor Probably not - the service auditor already likely performed procedures around this type of IPE. Probably not unless issues exist with verifying completeness of the populations Typically follow same approach as SOC 1 Information used in the execution of a control Maybe some controls the service auditor may identify additional tests to perform, for some the tests may be embedded already These specific test procedures may be listed in the SOC report test procedures Typically follow same approach as SOC 1 Information prepared for user entities, for example, a reporting package provided to user entities Maybe management should prepare this listing and discuss with the service auditor if additional procedures need to be performed to validate the IPE Typically these key reports would now be included as a listing in Section 3. Most likely do not adopt at this point these concepts are more relevant to ICFR 18 Baker Tilly Virchow Krause, LLP. All rights reserved.

19 SSAE 18 updates and execution Monitoring the Effectiveness of Controls at Subservice Organizations (under carve-out method) - Service organizations should have controls to monitor the controls of subservice organizations. - There are two typical approaches: Detailed monitoring and visits to the subservice to test controls are working Reviewing SOC reports from the subservice providers 19 Baker Tilly Virchow Krause, LLP. All rights reserved.

20 SSAE 18 updates and execution > When service organizations take the approach of reviewing SOC reports from subservice organizations, the service organization should map which complementary user entity control considerations also apply to the service organization and it s users > Judgment will apply! > Using the same process, service organizations should identify which complimentary subservice controls need to exist at the subservice organizations to meet the objectives in the service organizations control objectives. 20 Baker Tilly Virchow Krause, LLP. All rights reserved.

21 SSAE 18 updates and execution This subservice organization topic sounds confusing! Editorial comment - it s not as complex as it seems when first describing it, the guide has some fairly straightforward examples If that s all from the SOC 1 guide, what part of the subservice organization concepts applies to SOC 2? 21 Baker Tilly Virchow Krause, LLP. All rights reserved.

22 22 Scoping and SOC 2+

23 Scoping and SOC 2+ System boundaries challenges Definition of suitable criteria How do you incorporate other frameworks into SOC 2? What are some of the scoping challenges? What is SOC 2+? 23 Baker Tilly Virchow Krause, LLP. All rights reserved.

24 Required disclosure > The information provided here is of a general nature and is not intended to address the specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought. > Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International Baker Tilly Virchow Krause, LLP. 24 Baker Tilly Virchow Krause, LLP. All rights reserved.

25 Thank you! Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.