SAS 70 SOC 1 SOC 2 SOC 3. Type 1 Type 2


SAAABA. Changes in Reports on Service Organization Controls (formerly SAS 70). April 18, 2012. Duane M. Reyhl, CPA, Andrews Hooper Pavlik PLC

Terms Galore
- SAS 70
- SOC 1, SOC 2, SOC 3
- Type 1, Type 2

Objectives and Definitions
- Objectives: description, design, effectiveness
- Selected definitions
- Value

User Perspectives
- Builds trust and confidence
- Three types of reports: SOC 1, SOC 2, SOC 3

How to Choose the Right Report
- Standards
- Subject matter
- Purpose
- Components
- Users

Report Elements
- Comparisons
- Modifications
- Samples

SSAE 16 Overview
- Reporting on Controls at a Service Organization (AICPA Professional Standards, AT 801)
- Effective for periods ending after 6/15/11
- Moves guidance from SAS 70
- Based on the IAASB's ISAE No. 3402, Assurance Reports on Controls at a Service Organization

Changes from SAS No. 70
- Reports on a period rather than a date
- Obtain a written assertion from management about the subject matter:
  - Description
  - Suitability of design
  - Effective operation of controls (Type 2)

Changes from SAS No. 70 (cont.)
- Use suitable criteria to measure, present, and evaluate the subject matter
- No carryover of prior-period evidence
- Describe tests performed by internal auditors and the service auditor's procedures with respect to that work
- Report must contain specified elements

Requirements of the Standard
- General
- Assessing suitability of criteria
- Materiality
- Understanding the SO system
- Obtaining evidence regarding:
  - Description
  - Design
  - Effectiveness

Other Requirements
- Written representations
- Other information
- Subsequent events
- Documentation

SSAE Interpretations
- Interpretation No. 8 of AT Section 101, Attest Engagements: Reporting on Controls of Service Organizations, Including a Description of Tests of Controls or Other Procedures, and the Results Thereof, in an Examination Report
- Issued July 2010

System Description

Subject Matter
- Management's description of the system

Suitability of Criteria
- Benchmark
- Consistency
- Availability

Type 1 vs. Type 2: Assurance
- Both provide assurance about:
  - The description of the design and implementation of the system
  - The suitability of the design of controls
- Reports are different, but the intent is consistent with current practice

Type 1 vs. Type 2: Descriptions
- Both describe controls: controls that an SO implements to prevent, or detect and correct, errors or omissions in information it provides user entities.

Type 1 vs. Type 2
- Type 2 also provides assurance about the effectiveness of controls throughout a specified period

Type 1 vs. Type 2: Dates
- Type 1: as of a specified date
- Type 2: throughout a specified period

Complementary User Controls
- Controls that SO management assumes will be implemented by user entities
- If necessary to achieve the control objectives stated in the description of the SO's system, they are identified as such in that description.

SO Subsystems
- Carve-out method: identifies the nature of the subservices, but does not include the related control objectives and controls, nor does the auditor test the subservice component

SO Subsystems (cont.)
- Inclusive method: identifies the nature of the subservices and describes the subservice organization's related control objectives and controls

Evaluation of Reports
1. Types of services provided, including, as appropriate, the classes of transactions processed

Evaluation of Reports (cont.)
2. Automated and manual procedures by which services are provided, including the ways transactions are initiated, authorized, recorded, processed, corrected as necessary, and transferred to the reports and other information prepared for user entities.
3. Electronic or manual accounting records and supporting information used to initiate, authorize, record, process, and report transactions, including correction of incorrect information and how information is transferred to reports and other information prepared for user entities.

Evaluation of Reports (cont.)
4. How the system captures and addresses significant events and conditions other than transactions.
5. Process used to prepare reports and other information for user entities.

Evaluation of Reports (cont.)
6. Specified control objectives and controls designed to achieve those objectives, including complementary user entity controls contemplated in the design of the SO's controls.
7. Other aspects of the control environment, risk assessment process, information and communication systems (including the related business processes), control activities, and monitoring controls that are relevant to the services provided.

Evaluation of Reports (cont.)
8. For type 2 reports, evaluate whether the description includes relevant details of changes to the system during the period covered by the description.

Assess Effectiveness
- No evidence from prior periods (type 2)
- Inquire about changes in controls that might affect the description
- Need to test superseded controls or determine the effect on the report

Assess Effectiveness (cont.)
- Procedures in combination with inquiry:
  - How the control was applied
  - Consistency of application
  - By whom or how the control was applied
- Determine dependency on other controls
- Determine the method of selecting items; if applicable, refer to sampling guidance

Assess Effectiveness (cont.)
- Investigate the nature and cause of deviations
- Compare to expectations
- Will more tests support effectiveness?
- Do existing tests support ineffectiveness?
- Consider whether matters were intentional

Using the Work of IA
Five areas to consider:
1) Understanding of the IA function
2) Planning considerations
3) Using the work of IA
4) Effect of IA work on the report
5) Direct assistance

Using the Work of IA (cont.)
Evaluate and perform procedures to determine adequacy for SSAE 16 purposes:
a) Technical training and proficiency
b) Supervision, review, and documentation
c) Sufficient appropriate evidence obtained
d) Appropriate conclusions reached
e) Relevant exceptions are resolved

Evaluation of Specific IA Work
Procedures may include:
- Examination of items already examined by IA
- Examination of other similar items
- Observation of procedures performed by IA

Effect of IA Work on Report
Procedures may include:
- Examination of items already examined by IA
- Examination of other similar items
- Observation of procedures performed by IA

Questions?

SOC Reports and How to Choose the Right One [1]

Service Organization Controls (SOC) reports are designed to help service organizations (organizations that operate information systems and provide information system services to other entities) build trust and confidence in their service delivery processes and controls through a report by an independent Certified Public Accountant. Each type of SOC report is designed to help service organizations meet specific user needs.

SOC 1 Report: Report on Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting (SSAE 16)

These reports, prepared in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, are specifically intended to meet the needs of entities that use service organizations (user entities) and the CPAs that audit the user entities' financial statements (user auditors) in evaluating the effect of the controls at the service organization on the user entities' financial statements. User auditors use these reports to plan and perform audits of the user entities' financial statements. There are two types of reports for these engagements:

- Type 2: a report on the fairness of the presentation of management's description of the service organization's system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
- Type 1: a report on the fairness of the presentation of management's description of the service organization's system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.

Use of these reports is restricted to the management of the service organization, user entities, and user auditors.
SOC 2 Report: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy

These reports are intended to meet the needs of a broad range of users that need information and assurance about the controls at a service organization that affect the security, availability, and processing integrity of the systems the service organization uses to process users' data and the confidentiality and privacy of the information processed by these systems. Examples of stakeholders who may need these reports are management or those charged with governance of the user entities and of the service organization, customers of the service organization, regulators, business partners, suppliers, and others who have an understanding of the service organization and its controls. Use of these reports generally is restricted to parties that have this understanding. The AICPA Guide, Reports on Controls at a Service Organization over Security, Availability, Processing Integrity, Confidentiality, or Privacy (currently under development), provides guidance for performing these engagements. These reports can play an important role in:

- Oversight of the organization
- Vendor management programs
- Internal corporate governance and risk management processes
- Regulatory oversight

Similar to a SOC 1 report, there are two types of report: a type 2 report on management's description of a service organization's system and the suitability of the design and operating effectiveness of controls; and a type 1 report on management's description of a service organization's system and the suitability of the design of controls. Use of these reports is generally restricted.

SOC 3 Report: Trust Services Report for Service Organizations

These reports are designed to meet the needs of users who need assurance about the controls at a service organization that affect the security, availability, and processing integrity of the systems used by a service organization to process users' information, and the confidentiality or privacy of that information, but do not have the need for or the knowledge necessary to make effective use of a SOC 2 report. These reports are prepared using the AICPA/Canadian Institute of Chartered Accountants (CICA) Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy. Because they are general use reports, SOC 3 reports can be freely distributed or posted on a website as a SysTrust for Service Organizations seal.

[1] Source: ServiceOrganization%27sManagement.aspx, April 15,
For more information about the SysTrust for Service Organization seal program go to

Unlike a SOC 1 report, which is only an auditor-to-auditor communication, SOC 2 reports (generally restricted use reports, at the discretion of the auditor using the guidance in the standard) and SOC 3 reports (general use reports in all cases) enable the service organization to share a report that is relevant to current and prospective customers, or to use it as a marketing tool to demonstrate that it has appropriate controls in place to mitigate risks related to security, privacy, etc.

HOW TO IDENTIFY THE SOC REPORT THAT IS RIGHT FOR YOU

- Will the report be used by your customers and their auditors to plan and perform an audit or integrated audit of your customer's financial statements? Yes: SOC 1 Report
- Will the report be used by your customers as part of their compliance with the Sarbanes-Oxley Act or a similar law or regulation? Yes: SOC 1 Report
- Will the report be used by your customers or stakeholders to gain confidence and place trust in a service organization's systems? Yes: SOC 2 or SOC 3 Report

- Do you need to make the report generally available, or to display a seal? Yes: SOC 3 Report
- Do your customers have the need for and the ability to understand the details of the processing and controls at a service organization, the tests performed by the service auditor, and the results of those tests? Yes: SOC 2 Report. No: SOC 3 Report

New Requirement for Written Assertion

A new requirement in SSAE 16 that was not included in SAS 70 is the requirement for the service auditor to obtain a written assertion from management of the service organization about the fairness of the presentation of the description of the service organization's system and about the suitability of the design and, in a type 2 engagement, the operating effectiveness of the controls. That assertion will either accompany the service auditor's report or be included in the description of the service organization's system.


Comparison of SOC 1, SOC 2 and SOC 3 Reports [1]

Under what professional standard is the engagement performed?
- SOC 1: SSAE No. 16, Reporting on Controls at a Service Organization; AICPA Guide, Applying SSAE No. 16, Reporting on Controls at a Service Organization
- SOC 2: AT 101, Attestation Engagements; AICPA Guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy
- SOC 3: AT 101, Attestation Engagements; AICPA Technical Practice Aid, Trust Services Principles, Criteria, and Illustrations (TSP Section 100)

What is the subject matter of the engagement?
- SOC 1: Controls at a service organization relevant to user entities' internal control over financial reporting.
- SOC 2: Controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy. If the report addresses the privacy principle, the service organization's compliance with the commitments in its statement of privacy practices.
- SOC 3: Controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy. If the report addresses the privacy principle, the service organization's compliance with the commitments in its statement of privacy practices.

What is the purpose of the report?
- SOC 1: To provide information to the auditor of a user entity's financial statements about controls at a service organization that may be relevant to a user entity's internal control over financial reporting. It enables the user auditor to perform risk assessment procedures and, if a type 2 report is provided, to assess the risk of material misstatement of financial statement assertions affected by the service organization's processing.
- SOC 2: To provide management of a service organization, user entities and other specified parties with information and a CPA's opinion about controls at the service organization that may affect user entities' security, availability, processing integrity, confidentiality or privacy. A type 2 report that addresses the privacy principle also provides a CPA's opinion about the service organization's compliance with the commitments in its statement of privacy practices.
- SOC 3: To provide interested parties with a CPA's opinion about controls at the service organization that may affect user entities' security, availability, processing integrity, confidentiality, or privacy. A report that addresses the privacy principle also provides a CPA's opinion about the service organization's compliance with the commitments in its privacy notice.

What are the components of the report?
- SOC 1: A description of the service organization's system. A service auditor's report that contains an opinion on the fairness of the presentation of the description of the service organization's system, the suitability of the design of the controls, and, in a type 2 report, the operating effectiveness of the controls. In a type 2 report, a description of the service auditor's tests of the controls and the results of the tests.
- SOC 2: A description of the service organization's system. A service auditor's report that contains an opinion on the fairness of the presentation of the description of the service organization's system, the suitability of the design of the controls, and, in a type 2 report, the operating effectiveness of the controls. If the report addresses the privacy principle, the service auditor's opinion on whether the service organization complied with the commitments in its statement of privacy practices. In a type 2 report, a description of the service auditor's tests of controls and the results of the tests. In a type 2 report that addresses the privacy principle, a description of the service auditor's tests of the service organization's compliance with the commitments in its statement of privacy practices, and the results of those tests.
- SOC 3: A service auditor's report on whether the entity maintained effective controls over its system as it relates to the principle being reported on (i.e., security, availability, processing integrity, confidentiality, or privacy), based on the applicable trust services criteria. If the report addresses the privacy principle, the service auditor's opinion on whether the service organization complied with the commitments in its statement of privacy practices.

Who are the intended users of the report?
- SOC 1: Auditors of the user entity's financial statements, management of the user entities, and management of the service organization.
- SOC 2: Parties that are knowledgeable about: the nature of the service provided by the service organization; how the service organization's system interacts with user entities, subservice organizations, and other parties; internal control and its limitations; the criteria and how controls address those criteria.
- SOC 3: Anyone.

[1] Source: American Institute of Certified Public Accountants, Comparision%20of%20SOC%201-3.doc, April 15,

Understanding How Users Would Make Use of a SOC 2 Report
By Audrey Katcher, RubinBrown LLP, for the Trust/Data Integrity Task Force [1]

This document provides guidance to users of a SOC 2 report on the factors they should consider when evaluating the relationship of the controls being reported on in the SOC 2 report to their environment.

Definitions

- Service organization. An organization or segment of an organization that provides services to User Entities, which are likely to be relevant to those User Entities' controls over its system relevant to security, availability, processing integrity, confidentiality, or privacy.
- Service auditor. A practitioner who reports on controls over its system relevant to security, availability, processing integrity, confidentiality, or privacy at a service organization.
- SOC 2 report. A report on a service organization's controls over its system relevant to security, availability, processing integrity, confidentiality, or privacy.
- User entity. An entity that uses a service organization. This entity may be a user of the services provided by the service organization. Constituents in the User Entity include management such as those with finance, internal audit, compliance, IT or other security and privacy responsibilities. For example, an IT department within a user organization may rely on the service organization for system availability.

Introduction

A User Entity who relies on a service organization that processes, maintains, or stores information for the User Entity needs to understand and monitor the systems being relied upon for such services in order to:

- assess stewardship or accountability
- assess the entity's ability to comply with certain aspects of laws and regulations (for example, the Health Insurance Portability and Accountability Act (HIPAA)), contractual responsibilities, and commitments to stakeholders
- assess the integrity of the information provided
- assess the regulatory activities of the entity

[1] Source: American Institute of Certified Public Accountants, SOC2%20USER%20Document.doc, April 15,

User Entity Responsibility

Management of a User Entity is responsible for assessing and addressing the risks faced by the User Entity. When a User Entity engages a service organization to perform key processes or functions for it, the entity exposes itself to additional risks related to the service organization's system. Although management of a User Entity can delegate tasks or functions to a service organization, the responsibility for those tasks and for the services the service organization provides cannot be delegated. Management of the User Entity is usually held responsible by those charged with governance (for example, the board of directors), customers, shareholders, regulators and other affected parties for establishing effective internal control over outsourced functions.

To assess and address the risks associated with an outsourced service, management of the User Entity needs information about the service organization's controls over the system through which the services are delivered. Processing (performance of tasks or functions) at the service organization should enable operational integrity which is consistent with the User Entity's control environment. When assessing controls at a service organization that may be relevant to and affect the services provided to User Entities, management of a User Entity may ask the service organization for a SOC 2 report on the design and operating effectiveness of controls over the service organization's system that may be relevant to the security, availability, or processing integrity of the system, or the confidentiality or privacy of the information processed for User Entities. This report addresses risks and opportunities of IT-enabled systems and privacy programs beyond the controls necessary for financial reporting.

The User Entity Approach

A User Entity approach for evaluating the service organization's operational integrity and compliance and the use of a SOC 2 report typically should be as follows:

1. Assess the Risk
2. Understand the Service Organization
3. Understand the SOC 2 Report
4. Understand Complementary User Entity Controls

This approach is achieved through User Entity internal procedures and interaction with the service organization. After evaluating the service organization, the User Entity may decide to implement and monitor service level agreements, perform tests at the service organization, or rely on the testing performed by an independent party.

Assess Risk

The significance and relevancy of the operational and compliance reliance the User Entity has on the performance of tasks and functions at the service organization should be assessed. This assessment includes consideration of the types of services performed by the service organization, the nature of the service organization relationship, and the degree of interaction with the service organization. Other considerations relate to understanding what processing is happening at the following levels: application, data, management, networking, storage and physical.

Since the nature of relationships will vary (between service organization and User Entity), there is no uniform or one-size-fits-all approach to managing this risk or certifying the service organization. Taking a risk-based approach for the User Entity reliance is necessary. The types of services provided may vary widely, and the need to assess which gaps are applicable to the User Entity environment is a key first step. This should consider the core aspects of the processing that the User Entity needs controlled: security, availability, processing integrity, confidentiality, and/or privacy of the User Entity's information. Once the significance and relevancy of the services are determined, the User Entity should understand the Policies, Communications, Procedures and Monitoring being performed at the service organization to support the security, availability, processing integrity, confidentiality, and/or privacy of User Entity information.

Use of a third party (a service organization) not only expands the risk beyond the boundaries of the User Entity organization, it also requires a User Entity to consider how risks have changed due to outsourcing. Changing how the service is delivered (through a third party service organization rather than through an internal department) changes the characteristics of risk. Examples of such risks are:

- increased portability of information
- virtualization of the storage of information
- architecture that is more flexible (storage, processing, virtual networks)
- dynamic allocation of resources
- increased sharing of IT resources
- dependency on others for availability of information (for example, to support investigations)

An expansion of risk leads to an increased need for trust in the service organization's processing. When evaluating the risks which affect the trust, the following criteria are important: Security, Availability, Processing Integrity, Confidentiality, or Privacy. The following example questions (not an all-inclusive list) may help assess the operational and compliance risks a User Entity should consider:

- What risk is of concern as it relates to the service organization's services?
- Is there concern related to processing being adequately designed / operating effectively to achieve operational and compliance objectives?

- Is assurance needed regarding other internal controls and/or security of the outsourced operations?
- What data, application, or transaction processing is being performed by a service organization?
- What is the risk related to adherence to other performance/contractual expectations?
- How is information protected? What policies, procedures, communications and monitoring support the security, confidentiality and privacy of information being processed?
- How is information made available? What policies, procedures, communications and monitoring support the availability and processing integrity of information being processed?
- How do the operational and compliance controls at the service organization compare to existing User Entity controls?
- What documentation on how the environment and services are assessed for risk and controls is available to the User Entity?
- What is the separation of compliance responsibilities between the service organization and the User Entity?

Understand the Service Organization

The service organization may perform control processes relevant to the User Entity's controls which are intended to mitigate risks related to security, availability, processing integrity, confidentiality, and/or privacy, and are intended to assist management of a User Entity in carrying out its responsibility for monitoring the services it receives, including the operating effectiveness of a service organization's controls over those services. The User Entity should understand the reliance on services provided (including the nature of the relationships and degree of interaction).

Examples of services provided by service organizations:

- Cloud computing. Providing on-demand network access to a shared pool of configurable computing resources, for example, networks, servers, storage, applications, and services.
- Logical security management. Managing access to networks and computing systems for User Entities, for example, granting access to a system and preventing, or detecting and mitigating, system intrusion.
- Financial services customer accounting. Processing financial transactions on behalf of customers of a bank or investment company. Examples are processing customer securities transactions, maintaining customer account records, providing customer transaction confirmations and statements, and providing related customer services through the web.
- Contact center for customer service. Providing customers of User Entities with on-line or telephonic post-sales support and service management. Examples of these services are warranty inquiries and processing, troubleshooting, and responding to customer complaints.
- Sales force automation. Providing and maintaining software to automate business tasks for User Entities that have a sales force. Examples of such tasks are order processing, information sharing, order tracking, contact management, customer management, sales forecast analysis, and employee performance evaluation.

- Health care claims management and processing. Providing medical providers, employers, and insured parties of employers with systems that securely and confidentially support the processing of medical records and related health insurance claims.

Understand the Report

The User Entity should understand the SOC 2 report's coverage of the environment in support of User Entity processing. The User Entity should understand whether:

- the services relevant to the User Entity are included.
- there is a clear system description.
- the controls are relevant, with consideration of planned reliance on the operational and compliance controls, and the relationship to complementary User Entity activities.
- the report covers a period of time or a point in time, and whether that time period is relevant to the User Entity's coverage needs.
- there is contiguous coverage between reports.

There should also be consideration of the level of change and the cyclical nature of processing within the system, as well as historical information about the system. It is important to understand the delineated boundaries of the system under examination for the trust services principles and criteria of security, availability, processing integrity, confidentiality and/or privacy. Knowing these boundaries helps the user organization understand the control coverage over the processing relevant to their environment.

A reliable system is one that is capable of operating without material error, fault, or failure during a specified period in a specified environment. The SOC 2 report may provide a report on systems reliability that addresses the trust services principles and criteria of security, availability, processing integrity and/or privacy. These criteria are used to evaluate whether a system is reliable. If the weaknesses result in procedures the user cannot rely upon, the User Entity should determine the response to weaknesses identified in the SOC 2 report. The User Entity response may include performing tests of controls at the service organization or further identifying mitigating or complementary controls at the User Entity which are relevant.

Understand Complementary User Entity Controls

In many cases, the control objectives stated in the service organization's description of controls cannot be achieved by the service organization alone because their achievement requires that User Entities implement certain controls (complementary User Entity controls). The User Entity should evaluate the performance of their User Entity controls.

Report Use Restriction

The need for restriction on the use of a SOC 2 report may result from a number of circumstances, including the purpose of the report, the criteria used in preparation of the subject matter, the extent to which the procedures performed are known or understood, and the potential for the report to be misunderstood when taken out of the context in which it was intended to be used (per paragraph .79 of AT section 101).

SOC 2 reports have the potential to be misunderstood when taken out of the context in which they were intended to be used. Accordingly, the following paragraphs describe the knowledge a potential user of the report should have and identify the report users who are most likely to have such knowledge.

A report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy is intended to provide User Entities with information about the fairness of the presentation of management's description of the service organization's system, the suitability of the design and, in a type 2 report, the operating effectiveness of the controls included in the description. Because the report may be misunderstood when taken out of the context in which it was intended to be used, the service auditor should restrict the use of the report to parties that are knowledgeable about:

- the nature of the service provided by the service organization
- how the service organization's system interacts with User Entities, subservice organizations, and other parties
- internal control and its limitations
- control objectives, the risks that may threaten the achievement of control objectives, and how controls address those risks

Report users who are most likely to have such knowledge include management of the User Entities, practitioners evaluating or reporting on controls at a User Entity, independent auditors of the User Entities, regulators, and others performing services related to controls at the service organization, such as a service auditor reporting on controls at a User Entity that is also a service provider to other User Entities.

Other

This document is not intended to provide guidance to:

- management of a User Entity in assessing a service organization's controls that are likely to be relevant to a User Entity's internal control over financial reporting
- auditors of User Entities (user auditors) in planning and performing an audit of a User Entity's financial statements.

Document Display Page 33 of 45 10/26/2010

.A66 Examples of elements of modified service auditor's reports are presented in appendix B.

Other Communication Responsibilities (Ref: par. .58)

.A67 Actions that a service auditor may take when he or she becomes aware of noncompliance with laws and regulations, fraud, or uncorrected errors at the service organization (after giving additional consideration to instances in which the service organization has not appropriately communicated this information to affected user entities, and the service organization is unwilling to do so) include the following:

- Obtaining legal advice about the consequences of different courses of action
- Communicating with those charged with governance of the service organization
- Disclaiming an opinion, modifying the service auditor's opinion, or adding an emphasis paragraph
- Communicating with third parties, for example, a regulator, when required to do so
- Withdrawing from the engagement

Appendix A: Illustrative Service Auditor's Reports

.A68 The following illustrative reports are for guidance only and are not intended to be exhaustive or applicable to all situations.

Example 1: Type 2 Service Auditor's Report

Independent Service Auditor's Report on a Description of a Service Organization's System and the Suitability of the Design and Operating Effectiveness of Controls

To: XYZ Service Organization

Scope

We have examined XYZ Service Organization's description of its [type or name of] system for processing user entities' transactions [or identification of the function performed by the system] throughout the period [date] to [date] (description) and the suitability of the design and operating effectiveness of controls to achieve the related control objectives stated in the description.
Service organization's responsibilities

On page XX of the description, XYZ Service Organization has provided an assertion about the fairness of the presentation of the description and suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description. XYZ Service Organization is responsible for preparing the description and for the assertion, including the completeness, accuracy, and method of presentation of the description and the assertion, providing the services covered by the description, specifying the control objectives and stating them in the description, identifying the risks that threaten the achievement of the control objectives, selecting the criteria, and designing, implementing, and documenting controls to achieve the related control objectives stated in the description.

Service auditor's responsibilities

Our responsibility is to express an opinion on the fairness of the presentation of the description and on the suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description, based on our examination. We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, the description is fairly presented and the controls were suitably designed and operating effectively to achieve the related control objectives stated in the description throughout the period [date] to [date].

An examination of a description of a service organization's system and the suitability of the design and operating effectiveness of the service organization's controls to achieve the related control objectives stated in the description involves performing procedures to obtain evidence about the fairness of the presentation of the description and the suitability of the design and operating effectiveness of those controls to achieve the related control objectives stated in the description. Our procedures included assessing the risks that the description is not fairly presented and that the controls were not suitably designed or operating effectively to achieve the related control objectives stated in the description. Our procedures also included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the related control objectives stated in the description were achieved. An examination engagement of this type also includes evaluating the overall presentation of the description and the suitability of the control objectives stated therein, and the suitability of the criteria specified by the service organization and described at page [aa]. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

Inherent limitations

Because of their nature, controls at a service organization may not prevent, or detect and correct, all errors or omissions in processing or reporting transactions [or identification of the function performed by the system]. Also, the projection to the future of any evaluation of the fairness of the presentation of the description, or conclusions about the suitability of the design or operating effectiveness of the controls to achieve the related control objectives, is subject to the risk that controls at a service organization may become inadequate or fail.

Opinion

In our opinion, in all material respects, based on the criteria described in XYZ Service Organization's assertion on page [aa],

a. the description fairly presents the [type or name of] system that was designed and implemented throughout the period [date] to [date].
b. the controls related to the control objectives stated in the description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the period [date] to [date].
c. the controls tested, which were those necessary to provide reasonable assurance that the control objectives stated in the description were achieved, operated effectively throughout the period [date] to [date].

Description of tests of controls

The specific controls tested and the nature, timing, and results of those tests are listed on pages [yy zz].

Restricted use

This report, including the description of tests of controls and results thereof on pages [yy zz], is intended solely for the information and use of XYZ Service Organization, user entities of XYZ Service Organization's [type or name of] system during some or all of the period [date] to [date], and the independent auditors of such user entities, who have a sufficient understanding to consider it, along with other information including information about controls implemented by user entities themselves, when assessing the risks of material misstatements of user entities' financial statements. This report is not intended to be and should not be used by anyone other than these specified parties.

[Service auditor's signature]
[Date of the service auditor's report]

[Service auditor's city and state]

Following is a modification of the scope paragraph in a type 2 service auditor's report if the description refers to the need for complementary user entity controls. (New language is shown in boldface italics):

We have examined XYZ Service Organization's description of its [type or name of] system for processing user entities' transactions [or identification of the function performed by the system] throughout the period [date] to [date] (description) and the suitability of the design and operating effectiveness of controls to achieve the related control objectives stated in the description. The description indicates that certain control objectives specified in the description can be achieved only if complementary user entity controls contemplated in the design of XYZ Service Organization's controls are suitably designed and operating effectively, along with related controls at the service organization. We have not evaluated the suitability of the design or operating effectiveness of such complementary user entity controls.

Following is a modification of the applicable subparagraphs of the opinion paragraph of a type 2 service auditor's report if the application of complementary user entity controls is necessary to achieve the related control objectives stated in the description of the service organization's system. (New language is shown in boldface italics):

b. The controls related to the control objectives stated in the description were suitably designed to provide reasonable assurance that those control objectives would be achieved if the controls operated effectively throughout the period [date] to [date] and user entities applied the complementary user entity controls contemplated in the design of XYZ Service Organization's controls throughout the period [date] to [date].
c. The controls tested, which together with the complementary user entity controls referred to in the scope paragraph of this report, if operating effectively, were those necessary to provide reasonable assurance that the control objectives stated in the description were achieved, operated effectively throughout the period [date] to [date].

Following is a modification of the paragraph that describes the responsibilities of management of the service organization, for use in a type 2 service auditor's report when the control objectives have been specified by an outside party. (New language is shown in boldface italics):

On page XX of the description, XYZ Service Organization has provided an assertion about the fairness of the presentation of the description and suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description. XYZ Service Organization is responsible for preparing the description and for its assertion, including the completeness, accuracy, and method of presentation of the description and assertion, providing the services covered by the description, selecting the criteria, and designing, implementing, and documenting controls to achieve the related control objectives stated in the description. The control objectives have been specified by [name of party specifying the control objectives] and are stated on page [aa] of the description.

Example 2: Type 1 Service Auditor's Report

Independent Service Auditor's Report on a Description of a Service Organization's System and the Suitability of the Design of Controls

To: XYZ Service Organization

Scope

We have examined XYZ Service Organization's description of its [type or name of] system for processing user entities' transactions [or identification of the function performed by the system] as of [date], and the suitability of the design of controls to achieve the related control objectives stated in the description.

Service organization's responsibilities

On page XX of the description, XYZ Service Organization has provided an assertion about the fairness of the presentation of the description and suitability of the design of the controls to achieve the related control objectives stated in the description. XYZ Service Organization is responsible for preparing the description and for its assertion, including the completeness, accuracy, and method of presentation of the description and the assertion, providing the services covered by the description, specifying the control objectives and stating them in the description, identifying the risks that threaten the achievement of the control objectives, selecting the criteria, and designing, implementing, and documenting controls to achieve the related control objectives stated in the description.

Service auditor's responsibilities

Our responsibility is to express an opinion on the fairness of the presentation of the description and on the suitability of the design of the controls to achieve the related control objectives stated in the description, based on our examination. We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance, in all material respects, about whether the description is fairly presented and the controls were suitably designed to achieve the related control objectives stated in the description as of [date].

An examination of a description of a service organization's system and the suitability of the design of the service organization's controls to achieve the related control objectives stated in the description involves performing procedures to obtain evidence about the fairness of the presentation of the description of the system and the suitability of the design of the controls to achieve the related control objectives stated in the description. Our procedures included assessing the risks that the description is not fairly presented and that the controls were not suitably designed to achieve the related control objectives stated in the description. An examination engagement of this type also includes evaluating the overall presentation of the description and the suitability of the control objectives stated therein, and the suitability of the criteria specified by the service organization and described at page [aa]. We did not perform any procedures regarding the operating effectiveness of the controls stated in the description and, accordingly, do not express an opinion thereon. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

Inherent limitations

Because of their nature, controls at a service organization may not prevent, or detect and correct, all errors or omissions in processing or reporting transactions [or identification of the function performed by the system]. The projection to the future of any evaluation of the fairness of the presentation of the description, or any conclusions about the suitability of the design of the controls to achieve the related control objectives, is subject to the risk that controls at a service organization may become ineffective or fail.

Opinion

In our opinion, in all material respects, based on the criteria described in XYZ Service Organization's assertion,

a. the description fairly presents the [type or name of] system that was designed and implemented as of [date], and
b. the controls related to the control objectives stated in the description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively as of [date].


More information

Internal Audit Report. Electronic Bidding and Contract Letting TxDOT Office of Internal Audit

Internal Audit Report. Electronic Bidding and Contract Letting TxDOT Office of Internal Audit Internal Audit Report Electronic Bidding and Contract Letting TxDOT Office of Internal Audit Objective Review of process controls and service delivery of the TxDOT electronic bidding process. Opinion Based

More information

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance Russell L. Jones Partner Health Sciences Sector Deloitte & Touche LLP Security & Privacy IMLA 2013 Annual Conference San

More information

Webtrends Inc. Service Organization Controls (SOC) 3 SM Report on the SaaS Solutions Services System Relevant to Security

Webtrends Inc. Service Organization Controls (SOC) 3 SM Report on the SaaS Solutions Services System Relevant to Security Webtrends Inc. Service Organization Controls (SOC) 3 SM Report on the SaaS Solutions Services System Relevant to Security For the Period January 1, 2016 through June 30, 2016 SOC 3 SM SOC 3 is a service

More information

Application for Certification

Application for Certification Application for Certification Requirements to Become a Certified Information Security Manager To become a Certified Information Security Manager (CISM), an applicant must: 1. Score a passing grade on the

More information

Error! No text of specified style in document.

Error! No text of specified style in document. Error! No text of specified style in document. Error! Use the Home tab to apply Section title to the text that you want to appear here. CFD Independent Auditor Report on CFD Allocation Round 2 4 September

More information

AUTOTASK ENDPOINT BACKUP (AEB) SECURITY ARCHITECTURE GUIDE

AUTOTASK ENDPOINT BACKUP (AEB) SECURITY ARCHITECTURE GUIDE AUTOTASK ENDPOINT BACKUP (AEB) SECURITY ARCHITECTURE GUIDE Table of Contents Dedicated Geo-Redundant Data Center Infrastructure 02 SSAE 16 / SAS 70 and SOC2 Audits 03 Logical Access Security 03 Dedicated

More information

COBIT 5 With COSO 2013

COBIT 5 With COSO 2013 Integrating COBIT 5 With COSO 2013 Stephen Head Senior Manager, IT Risk Advisory Services 1 Our Time This Evening Importance of Governance COBIT 5 Overview COSO Overview Mapping These Frameworks Stakeholder

More information

The value of visibility. Cybersecurity risk management examination

The value of visibility. Cybersecurity risk management examination The value of visibility Cybersecurity risk management examination Welcome to the "new normal" Cyberattacks are inevitable. In fact, it s no longer a question of if a breach will occur but when. Cybercriminals

More information

Independent Accountant s Report

Independent Accountant s Report Tel: 314-889-1100 Fax: 314-889-1101 www.bdo.com 101 South Hanley Road, Suite 800 St. Louis, MO 63105 Independent Accountant s Report To the Management of Visa U.S.A. Inc. ( Visa ): We have examined Visa

More information

DATA PROCESSING TERMS

DATA PROCESSING TERMS DATA PROCESSING TERMS Safetica Technologies s.r.o. These Data Processing Terms (hereinafter the Terms ) govern the rights and obligations between the Software User (hereinafter the User ) and Safetica

More information

UWC International Data Protection Policy

UWC International Data Protection Policy UWC International Data Protection Policy 1. Introduction This policy sets out UWC International s organisational approach to data protection. UWC International is committed to protecting the privacy of

More information

Audit Report. The Prince s Trust. 27 September 2017

Audit Report. The Prince s Trust. 27 September 2017 Audit Report The Prince s Trust 27 September 2017 Contents 1 Background 1 1.1 Scope 1 1.2 Audit Report and Action Plan Timescales 2 1.3 Summary of Audit Issues and Recommendations 3 1.4 Risk Rating of

More information

SOC Lessons Learned and Reporting Changes

SOC Lessons Learned and Reporting Changes SOC Lessons Learned and Reporting Changes Dec. 16, 2014 Your Presenters Today Arshad Ahmed, CISA, CISSP, CPA Leader of SOC and Technology Risk Services for Crowe Rod Smith, CISA, CPA Thought Leader for

More information

HITRUST CSF: One Framework

HITRUST CSF: One Framework HITRUST CSF: One Framework Leveraging the HITRUST CSF to Support ISO, HIPAA, & NIST Implementation and Compliance, and SSAE 16 SOC Reporting Dr. Bryan Cline, CISSP-ISSEP, CISM, CISA, CCSFP, HCISPP Senior

More information

Learning Objectives. External confirmations procedures as per SA330 and SA 500 requirements

Learning Objectives. External confirmations procedures as per SA330 and SA 500 requirements CA. Sudhir Sharma 1 Learning Objectives 1 2 3 4 External confirmations procedures as per SA330 and SA 500 requirements Management s refusal to allow auditor to send confirmation requests Results of the

More information

Checklist According to ISO IEC 17065:2012 for bodies certifying products, process and services

Checklist According to ISO IEC 17065:2012 for bodies certifying products, process and services Name of Certifying Body Address of Certifying Body Case number Date of assessment With several locations Yes No Assessed locations: (Name)/Address: (Name)/Address: (Name)/Address: Assessed area (technical

More information

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information The HITRUST CSF A Revolutionary Way to Protect Electronic Health Information June 2015 The HITRUST CSF 2 Organizations in the healthcare industry are under immense pressure to improve quality, reduce complexity,

More information

Credit Union Service Organization Compliance

Credit Union Service Organization Compliance Credit Union Service Organization Compliance How do SOC reporting and PCI requirements affect your overall compliance strategy? May 15 2012 Your Speakers Dennis Lavin Credit Union Assurance Partner Moderator

More information

SAS 70 revised. ISAE 3402 will focus on financial reporting control procedures. Compact_ IT Advisory 41. Introduction

SAS 70 revised. ISAE 3402 will focus on financial reporting control procedures. Compact_ IT Advisory 41. Introduction Compact_ IT Advisory 41 SAS 70 revised ISAE 3402 will focus on financial reporting control procedures Jaap van Beek and Marco Francken J.J. van Beek is a partner at KPMG IT Advisory. He has over twenty-years

More information

Submission to the International Integrated Reporting Council regarding the Consultation Draft of the International Integrated Reporting Framework

Submission to the International Integrated Reporting Council regarding the Consultation Draft of the International Integrated Reporting Framework Submission to the International Integrated Reporting Council regarding the Consultation Draft of the International Integrated Reporting Framework JULY 2013 Business Council of Australia July 2013 1 About

More information

REPORT OF INDEPENDENT CERTIFIED PUBLIC ACCOUNTANTS

REPORT OF INDEPENDENT CERTIFIED PUBLIC ACCOUNTANTS REPORT OF INDEPENDENT CERTIFIED PUBLIC ACCOUNTANTS To the Management of Internet Security Research Group: Scope We have examined the assertion by the management of the Internet Security Research Group

More information

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities

More information

Subject: Kier Group plc Data Protection Policy

Subject: Kier Group plc Data Protection Policy Kier Group plc Data Protection Policy Subject: Kier Group plc Data Protection Policy Author: Compliance Document type: Policy Authorised by: Kier General Counsel & Company Secretary Version 3 Effective

More information

IS Audit and Assurance Guideline 2001 Audit Charter

IS Audit and Assurance Guideline 2001 Audit Charter IS Audit and Assurance Guideline 2001 Audit Charter The specialised nature of information systems (IS) audit and assurance and the skills necessary to perform such engagements require standards that apply

More information

Data Processing Agreement for Oracle Cloud Services

Data Processing Agreement for Oracle Cloud Services Data Processing Agreement for Oracle Cloud Services Version January 12, 2018 1. Scope, Order of Precedence and Term 1.1 This data processing agreement (the Data Processing Agreement ) applies to Oracle

More information

HPE DATA PRIVACY AND SECURITY

HPE DATA PRIVACY AND SECURITY ARUBA, a Hewlett Packard Enterprise company, product services ( Services ) This Data Privacy and Security Agreement ("DPSA") Schedule governs the privacy and security of Personal Data by HPE in connection

More information

Office Properties Income Trust Privacy Notice Last Updated: February 1, 2019

Office Properties Income Trust Privacy Notice Last Updated: February 1, 2019 General Office Properties Income Trust Privacy Notice Last Updated: February 1, 2019 Office Properties Income Trust ( OPI ) is committed to your right to privacy and to keeping your personal information

More information

01.0 Policy Responsibilities and Oversight

01.0 Policy Responsibilities and Oversight Number 1.0 Policy Owner Information Security and Technology Policy Policy Responsibility & Oversight Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 1. Policy Responsibilities

More information

Workday s Robust Privacy Program

Workday s Robust Privacy Program Workday s Robust Privacy Program Workday s Robust Privacy Program Introduction Workday is a leading provider of enterprise cloud applications for human resources and finance. Founded in 2005 by Dave Duffield

More information

California ISO Audit Results for 2011 SSAE 16 & Looking Forward for 2012 December 15, 2011

California ISO Audit Results for 2011 SSAE 16 & Looking Forward for 2012 December 15, 2011 www.pwc.com California ISO Audit Results for 2011 SSAE 16 & Looking Forward for 2012 December 15, 2011 Agenda SSAE 16 Background Results of Audit Scope of Audit Looking Forward Closing Thoughts Slide 1

More information

1 Privacy Statement INDEX

1 Privacy Statement INDEX INDEX 1 Privacy Statement Mphasis is committed to protecting the personal information of its customers, employees, suppliers, contractors and business associates. Personal information includes data related

More information

UNCONTROLLED IF PRINTED

UNCONTROLLED IF PRINTED 161Thorn Hill Road Warrendale, PA 15086-7527 1. Scope 2. Definitions PROGRAM DOCUMENT PD 1000 Issue Date: 19-Apr-2015 Revision Date: 26-May-2015 INDUSTRY MANAGED ACCREDITATION PROGRAM DOCUMENT Table of

More information

Public vs private cloud for regulated entities

Public vs private cloud for regulated entities Public vs private cloud for regulated entities DC2: Restricted use The cloud is for everyone but not for everything 2 Opportunity enabler DC2: Restricted use Flexibility SAAS Public Accessibility Agility

More information

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy. I. OBJECTIVE ebay s goal is to apply uniform, adequate and global data protection

More information

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information Privacy Statement Introduction Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information about how IT Support (UK) Ltd handle personal information.

More information

Data Protection. Code of Conduct for Cloud Infrastructure Service Providers

Data Protection. Code of Conduct for Cloud Infrastructure Service Providers Data Protection Code of Conduct for Cloud Infrastructure Service Providers 27 JANUARY 2017 Introduction... 3 1 Structure of the Code... 5 2 Purpose... 6 3 Scope... 7 4 Data Protection Requirements... 9

More information

IS Audit and Assurance Guideline 2002 Organisational Independence

IS Audit and Assurance Guideline 2002 Organisational Independence IS Audit and Assurance Guideline 2002 Organisational Independence The specialised nature of information systems (IS) audit and assurance and the skills necessary to perform such engagements require standards

More information

GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE TRENDS BY FCPAK ERIC KIMANI

GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE TRENDS BY FCPAK ERIC KIMANI GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE TRENDS BY FCPAK ERIC KIMANI CONTENTS Overview Conceptual Definition Implementation of Strategic Risk Governance Success Factors Changing Internal Audit Roles

More information

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors Page 1 of 6 Applies to: faculty staff students student employees visitors contractors Effective Date of This Revision: June 1, 2018 Contact for More Information: HIPAA Privacy Officer Board Policy Administrative

More information

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Charting the Course... Certified Information Systems Auditor (CISA) Course Summary Course Summary Description In this course, you will perform evaluations of organizational policies, procedures, and processes to ensure that an organization's information systems align with overall business

More information

Introduction to AWS GoldBase

Introduction to AWS GoldBase Introduction to AWS GoldBase A Solution to Automate Security, Compliance, and Governance in AWS October 2015 2015, Amazon Web Services, Inc. or its affiliates. All rights reserved. Notices This document

More information

5. The technology risk evaluation need only be updated when significant changes or upgrades to systems are implemented.

5. The technology risk evaluation need only be updated when significant changes or upgrades to systems are implemented. Annex to the Financial Services Businesses Handbook Using Technology in the Customer Due Diligence Process A.1. Technology Risk Evaluation 1. A financial services business must, prior to deciding whether

More information

Privacy Policy... 1 EU-U.S. Privacy Shield Policy... 2

Privacy Policy... 1 EU-U.S. Privacy Shield Policy... 2 Privacy Policy... 1 EU-U.S. Privacy Shield Policy... 2 Privacy Policy knows that your privacy is important to you. Below is our privacy policy for collecting, using, securing, protecting and sharing your

More information

NASD NOTICE TO MEMBERS 97-58

NASD NOTICE TO MEMBERS 97-58 NASD NOTICE TO MEMBERS 97-58 NASD Regulation Requests Comment On Proposed Interpretive Material 1031 Regarding Cold Calling Activity; Comment Period Expires October 31, 1997 Suggested Routing Senior Management

More information

GENERAL PRIVACY POLICY

GENERAL PRIVACY POLICY GENERAL PRIVACY POLICY Introduction The Australian Association of Consultant Pharmacy Pty Ltd (ACN 057 706 064) (the AACP) is committed to protecting the privacy of your personal information. This privacy

More information

Google Cloud & the General Data Protection Regulation (GDPR)

Google Cloud & the General Data Protection Regulation (GDPR) Google Cloud & the General Data Protection Regulation (GDPR) INTRODUCTION General Data Protection Regulation (GDPR) On 25 May 2018, the most significant piece of European data protection legislation to

More information

Checklist According to ISO IEC 17024:2012 for Certification Bodies for person

Checklist According to ISO IEC 17024:2012 for Certification Bodies for person Name of Certifying Body Address of Certifying Body Case number Date of assessment With several locations Yes No Assessed locations: (Name)/Address: (Name)/Address: (Name)/Address: Assessed area (technical

More information

Citation for published version (APA): Berthing, H. H. (2014). Vision for IT Audit Abstract from Nordic ISACA Conference 2014, Oslo, Norway.

Citation for published version (APA): Berthing, H. H. (2014). Vision for IT Audit Abstract from Nordic ISACA Conference 2014, Oslo, Norway. Aalborg Universitet Vision for IT Audit 2020 Berthing, Hans Henrik Aabenhus Publication date: 2014 Document Version Early version, also known as pre-print Link to publication from Aalborg University Citation

More information

Addressing Cybersecurity Risk

Addressing Cybersecurity Risk The CPA s Role in Addressing Cybersecurity Risk How the Auditing Profession Promotes Cybersecurity Resilience MAY 2017 Contents 1. EXECUTIVE SUMMARY 1 2. THE LANDSCAPE OF CYBERSECURITY RISK 3 The Need

More information

INNOVENT LEASING LIMITED. Privacy Notice

INNOVENT LEASING LIMITED. Privacy Notice INNOVENT LEASING LIMITED Privacy Notice Table of Contents Topic Page number KEY SUMMARY 2 ABOUT US AND THIS NOTICE 3 USEFUL WORDS AND PHRASES 4 WHAT INFORMATION DO WE COLLECT? 4 WHY DO WE PROCESS YOUR

More information

GDPR: A QUICK OVERVIEW

GDPR: A QUICK OVERVIEW GDPR: A QUICK OVERVIEW 2018 Get ready now. 29 June 2017 Presenters Charles Barley Director, Risk Advisory Services Charles Barley, Jr. is responsible for the delivery of governance, risk and compliance

More information

Within the meanings of applicable data protection law (in particular EU Regulation 2016/679, the GDPR ):

Within the meanings of applicable data protection law (in particular EU Regulation 2016/679, the GDPR ): Privacy Policy Introduction Ikano S.A. ( Ikano ) respects your privacy and is committed to protect your Personal Data by being compliant with this privacy policy ( Policy ). In addition to Ikano, this

More information