Adopting SSAE 18 for SOC 1 reports

Similar documents
Multi-factor authentication enrollment guide for Deloitte client or business partner user

ISAE 3402 and SSAE 16 (replacing SAS 70) Reinforcing confidence through demonstration of effective controls

MFA Enrollment Guide. Multi-Factor Authentication (MFA) Enrollment guide STAGE Environment

ISACA Cincinnati Chapter March Meeting

The New Healthcare Economy is rising up

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice

SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions

SOC Reporting / SSAE 18 Update July, 2017

A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS

Cyber Security is it a boardroom issue?

Transitioning from SAS 70 to SSAE 16

Retirement of SAS 70 and a new generation of Service Organization Control (SOC) Reports

#DeloitteInnovation: In-Time Uncover the Potential of SAP HANA

SAS 70 SOC 1 SOC 2 SOC 3. Type 1 Type 2

C22: SAS 70 Practices and Developments Todd Bishop, PricewaterhouseCoopers

Achieving third-party reporting proficiency with SOC 2+

Making trust evident Reporting on controls at Service Organizations

SSAE 18 & new SOC approach to compliance. Moderator Name: Patricio Garcia Managing Partner ControlCase Attestation Services

#DeloitteInnovation: In-Time How efficiently do you use your SAP HANA?

Real estate predictions 2017 What changes lie ahead?

International Auditing and Assurance Standards Board (IAASB) International Federation of Accountants 545 Fifth Avenue, 14 th Floor New York, NY 10017

Achieving effective risk management and continuous compliance with Deloitte and SAP

Mastering SOC-1 Attestation Reports Under SSAE 16: Auditing Service Organizations Controls in the Cloud

WHICH SOC REPORT IS RIGHT FOR YOUR CLIENT?

Audit Considerations Relating to an Entity Using a Service Organization

Creating your own payment card Joost Kremers MSc CEH

Error! No text of specified style in document.

From Dabbling to Doing The Age of the Intuitive Enterprise

SAS 70 & SSAE 16: Changes & Impact on Credit Unions. Agenda

Evaluating SOC Reports and NEW Reporting Requirements

SOC for cybersecurity

Protection of clients information in the age of IT ECBA Spring Conference Prague 2017 Jan Balatka, Analytic & Forensic Technology

The Future of IT Internal Controls Automation: A Game Changer. January Risk Advisory

Deloitte Discovery Caribbean & Bermuda Countries Guide

Spread your wings Professional qualifications and development at Deloitte. What impact will you make? careers.deloitte.com

Customer Breach Support A Deloitte managed service. Notifying, supporting and protecting your customers through a data breach

Preface. Operations within the EU. Serving the EU customers. Third parties operating in the EU

CFOs in a new global environment Sandy Cockrell, Deloitte

SOC Updates: Understanding SOC for Cybersecurity and SSAE 18. May 23, 2017

Are we breached? Deloitte's Cyber Threat Hunting

CSF to Support SOC 2 Repor(ng

Within our recommendations for editorial changes, additions are noted in bold underline and deletions in strike-through.

Emerging Technologies The risks they pose to your organisations

Cyber Espionage A proactive approach to cyber security

GDPR Privacy Webinar. Prioritizing Your Path towards GDPR Compliance Annika Sponselee and Nicole Vreeman 28 February 2018

Risk Advisory Academy Training Brochure

Service Organization Control (SOC) Reports: What they are and what to do with them MARCH 21, 2017

Autobot - IoT enabled security. For Private circulation only October Risk Advisory

SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY?

ADVANCED AUDIT AND ASSURANCE

SOC Reports The 2017 Update: What s new, What s not, and What you should be doing with the SOC Reports you receive! Presented by Jeff Pershing

Period from October 1, 2013 to September 30, 2014

Spiros Angelopoulos Principal Solutions Architect ForgeRock. Debi Mohanty Senior Manager Deloitte & Touche LLP

Vulnerability Management. June Risk Advisory

Headline Verdana Bold

Cybersecurity Fortification Initiative (CFI) infrastructure whitepaper

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

Deloitte Forensic Caribbean & Bermuda Countries Guide

Demonstrating data privacy for GDPR and beyond

Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators

The value of visibility. Cybersecurity risk management examination

IT Attestation in the Cloud Era

California ISO Audit Results for 2011 SSAE 16 & Looking Forward for 2012 December 15, 2011

Privacy and Data Protection Draft Personal Data Protection Bill 2018: A Summary. For Private Circulation Only August 2018.

Deloitte Foundation/FSA Faculty Consortium ASC 606 Implementation: SAB 74 Disclosures and First Quarter Adoption Rob Moynihan and Amy Park May 18,

Information for entity management. April 2018

Independent Accountant s Report

Addressing Cybersecurity Risk

The U.S. CPA License

ISACA Survey Results. 27 April Ms. Nancy M. Morris, Secretary Securities and Exchange Commission 100 F Street NE Washington, DC

Re: Exposure Draft Proposed ISAE 3402 on Assurance Reports on Controls at a Third Party Service Organization

Building and Testing an Effective Incident Response Plan

INTERNATIONAL STANDARD ON AUDITING 505 EXTERNAL CONFIRMATIONS CONTENTS

Anticipating the wider business impact of a cyber breach in the health care industry

Testers vs Writers: Pen tests Quality in Assurance Projects. 10 November Defcamp7

Global Mobile Consumer Survey, US Edition Overview of results

Institute of Certified Forensic Accountants. Certificate in Internal Auditing

Understanding and Evaluating Service Organization Controls (SOC) Reports

The impact of digital transformation on industries

CIPP/E CIPT. Data Protection Technologist (DPT) Training Bundle Official IAPP Training and Certification

HOMEPAGE. Start here to find content via search Login, register, or subscribe. Quick links to content

International Standard on Auditing (Ireland) 505 External Confirmations

26 February Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, NW Washington, DC

Hong Kong Institute of Certified Public Accountants Practising Certificate ("PC") Business Assurance

BENEFITS of MEMBERSHIP FOR YOUR INSTITUTION

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance

SAS 70 revised. ISAE 3402 will focus on financial reporting control procedures. Compact_ IT Advisory 41. Introduction

SOC Lessons Learned and Reporting Changes

Exploring Emerging Cyber Attest Requirements

COBIT 5 With COSO 2013

Deloitte Audit and Assurance Tools

International Standard on Auditing (UK) 505

Cyber Risk and Networked Medical Devices

Credit Union Service Organization Compliance

Issue for Consideration: Appropriateness of the Drafting of Paragraph A17

The Quest to Measure Strength of Function for Authenticators: SOFA, So Good

Cybersecurity and the role of internal audit An urgent call to action

MassMEDIC s 21st Annual Conference

ISO/IEC INTERNATIONAL STANDARD

13.f Toronto Catholic District School Board's IT Strategic Review - Draft Executive Summary (Refer 8b)

Transcription:

Adopting SSAE 18 for SOC 1 reports

Overview Since its adoption in 2011, service auditor reports issued in accordance with SSAE 16 have become increasingly common in the marketplace. In April 2016, the Auditing Standards Board issued SSAE No. 18, Attestation Standards: Clarification and Recodification, which seeks to clarify the requirements and provide application guidance for performing and reporting on examinations, reviews, and agreed-upon procedure engagements (attestation engagements). This document focuses on the impact of SSAE 18 on SOC 1 examinations and the re-codified attestation standards, specifically AT-C Section 105 and AT-C Section 205, which are common concepts across all attestation and examination engagements and AT-C Section 320, Reporting on an examination of controls at a service organization Relevant to User Entities Internal Control over Financial Reporting. The updated attestation standards emphasize the requirement for service organizations to understand, consider, and demonstrate oversight of service providers they use that are relevant to a user entity s financial reporting (subservice organizations). It highlights the importance for a service auditor to evaluate whether information provided by the service organization is sufficiently reliable for the service auditor s purposes; the requirement for service auditors to evaluate the relationship between risks of material misstatement and controls; and the requirement to design audit procedures in response to assessed level of risk of material misstatement. Monitoring the effectiveness of controls at subservice organizations The updated standards emphasizes that the service organization s description of the system and scope of services should include controls performed by management to monitor the effectiveness of controls at the subservice organizations. Oversight of subservice organizations relevant to the description of the system may be demonstrated through: Controls that monitor services provided by the subservice organizations, such as reviewing and reconciling output reports, periodic meetings, site visits, etc. Review of SOC 1 reports of the subservice organizations Direct testing of controls at the subservice organization Monitoring of external communications and customer complaints relevant to the service organization Impact: The description of the system should reflect the controls performed by management to demonstrate oversight over subservice organizations. Service auditors test procedures will test the effectiveness of such controls performed by management. Identifying complementary subservice organization controls SSAE 18 introduces the concept of Complementary Subservice Organization Controls (CSOCs) which represents controls that management of the service organization expects will be implemented by the subservice organizations and are necessary to achieve the control objectives stated in management s Description of the System, when the carve-out method of reporting has been used. Impact: When using the carve-out method to report on subservice organizations, the service auditor s scope and opinion will reflect that the control objectives specified by the service organization can be achieved only if the CSOCs assumed in the design of controls were suitably designed and operating effectively along with the related controls at the service organization. Similar considerations will be reflected in the written assertion by management and the management representation letter that the description does not extend to the controls and control objectives of subservice organizations. Changes are effective for service auditors reports dated on or after May 1, 2017. Early adoption is permitted. SOC 1 reports will be prepared in accordance with the American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification. These changes will be applicable to service auditor reports currently issued under SSAE 16 and reports issued under both SSAE 16 and ISAE 3402 standards. To meet these requirements, we anticipate that the description of the system will include a sub-section for CSOCs to provide transparency over the services provided by the subservice organizations. This will be relevant for users consideration in evaluating the effectiveness of the control objectives defined in the scope of the report. Clarification of complementary user entity control considerations Complementary user entity control considerations (CUECCs) within a SOC 1 report are controls and procedures that a user entity of the report should design, implement, and place in operation. The updated standards clarify that the CUECCs should only include those controls and procedures that are relevant to achieve the control objectives within the service organization s report. Impact: Service organizations should assess the CUECCs in the report to determine if they are relevant to the achievement of the control objectives described in the report. Service organizations could consider including a mapping of the CUECCs to the control objectives as a leading practice.

Evaluating reliability of information produced by the service organization The revised standard requires that the auditor evaluate whether the information provided by the service organization is sufficiently reliable for the service auditor s purposes. This implies that the service auditor will have to obtain evidence about the accuracy and completeness of the information received during the examination and will have to evaluate whether that information is sufficiently precise and detailed. Examples of information produced by the service organization that could be commonly used by the auditor include population lists, exceptions reports, transaction reconciliations, and user access lists. Re-codified AT-C sections applicable to SOC 1 reporting under SSAE 18 Impact: The auditor needs to establish accuracy and completeness and reliability of data through: Routine test procedures performed as part of the examination Testing of controls over the preparation and maintenance of such data Additional targeted procedures as determined by the service auditor The auditor s test of controls in the report will describe the procedures performed to confirm accuracy and completeness of the data. Assessing the risk of material misstatement SSAE 18 defines risk of material misstatement as the risk that the subject matter is not in accordance with (or based on) the criteria in all material respects, or that the assertion is not fairly stated in all material respects. The updated standards place emphasis on the service auditor to consider risks and likely sources of misstatement, including those related to fraud at planning or during the course of the examination. They should also consider the impact of any subsequent events to assess the risk of material misstatement. Impact: The service auditor will obtain internal audit and regulatory reports and work with management to understand the likelihood of material misstatement. Based on the assessed level of risk of material misstatement, the service auditor will design and perform procedures whose nature, timing, and extent are based on and responsive to the assessed level of risk of material misstatement. Next steps Your service auditor will be able to provide insights related to the impact of SSAE 18, and communication with them should be a key part of planning for your next examination. Prior relevant attestation standard section under SSAE 16 Relevant attestation sections under SSAE 18 and after recodification AT-C Section 105 Concepts common to all attestation engagements AT Section 801: Reporting on controls at a service organization AT-C Section 205 Examination engagements AT-C Section 320: Reporting on an examination of controls at a service organization relevant to user entities' internal control over financial reporting Contact us: Laurent Berliner Partner Risk Advisory Leader +352 45145 2328 lberliner@deloitte.lu Martin Flaunet Partner Banking Leader +352 451 452 334 mflaunet@deloitte.lu

Roland Bastin Partner Risk Advisory +352 451 452 213 rbastin@deloitte.lu Michael Blaise +352 45145 2562 mblaise@deloitte.lu Jerome Sosnoswki +352 45145 4353 jsosnowski@deloitte.lu Laurent de la Vaissiere +352 45145 2010 ldelavaissiere@deloitte.lu Arnaud Barosi Director Risk Advisory +352 45145 2875 abarosi@deloitte.lu Sophie Binninger Senior Manager Risk Advisory +352 45145 3463 sbinninger@deloitte.lu

Deloitte is a multidisciplinary service organization which is subject to certain regulatory and professional restrictions on the types of services we can provide to our clients, particularly where an audit relationship exists, as independence issues and other conflicts of interest may arise. Any services we commit to deliver to you will comply fully with applicable restrictions. This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the Deloitte network ) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication. About Deloitte Touche Tohmatsu Limited: Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ( DTTL ), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as Deloitte Global ) does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms. Deloitte provides audit, consulting, financial advisory, risk advisory, tax and related services to public and private clients spanning multiple industries. Deloitte serves four out of five Fortune Global 500 companies through a globally connected network of member firms in more than 150 countries bringing world-class capabilities, insights, and high-quality service to address clients most complex business challenges. To learn more about how Deloitte s approximately 245,000 professionals make an impact that matters, please connect with us on Facebook, LinkedIn, or Twitter. 2017. For information, contact Deloitte Touche Tohmatsu Limited

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback