SOC Reporting / SSAE 18 Update July, 2017

Similar documents
PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice

SSAE 18 & new SOC approach to compliance. Moderator Name: Patricio Garcia Managing Partner ControlCase Attestation Services

SOC Updates: Understanding SOC for Cybersecurity and SSAE 18. May 23, 2017

WHICH SOC REPORT IS RIGHT FOR YOUR CLIENT?

Transitioning from SAS 70 to SSAE 16

Retirement of SAS 70 and a new generation of Service Organization Control (SOC) Reports

Evaluating SOC Reports and NEW Reporting Requirements

SOC Reports The 2017 Update: What s new, What s not, and What you should be doing with the SOC Reports you receive! Presented by Jeff Pershing

ISACA Cincinnati Chapter March Meeting

SAS 70 & SSAE 16: Changes & Impact on Credit Unions. Agenda

C22: SAS 70 Practices and Developments Todd Bishop, PricewaterhouseCoopers

The SOC 2 Compliance Handbook:

A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS

SAS 70 SOC 1 SOC 2 SOC 3. Type 1 Type 2

Understanding and Evaluating Service Organization Controls (SOC) Reports

SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions

Making trust evident Reporting on controls at Service Organizations

Adopting SSAE 18 for SOC 1 reports

SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY?

IT Attestation in the Cloud Era

CSF to Support SOC 2 Repor(ng

Exploring Emerging Cyber Attest Requirements

Mastering SOC-1 Attestation Reports Under SSAE 16: Auditing Service Organizations Controls in the Cloud

Information for entity management. April 2018

SOC Lessons Learned and Reporting Changes

Service Organization Control (SOC) Reports: What they are and what to do with them MARCH 21, 2017

Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

NE HIMSS Vendor Risk. October 9, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS

Audit Considerations Relating to an Entity Using a Service Organization

SOC for cybersecurity

IGNITING GROWTH. Why a SOC Report Makes All the Difference

HITRUST CSF Roadmap for 2018 and Beyond HITRUST Alliance.

Auditing IT General Controls

SAS70 Type II Reports Use and Interpretation for SOX

Addressing Cybersecurity Risk

Table of Contents. Preface xvii PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING

International Auditing and Assurance Standards Board (IAASB) International Federation of Accountants 545 Fifth Avenue, 14 th Floor New York, NY 10017

Achieving third-party reporting proficiency with SOC 2+

Re: Exposure Draft Proposed ISAE 3402 on Assurance Reports on Controls at a Third Party Service Organization

Internal Audit Report. Electronic Bidding and Contract Letting TxDOT Office of Internal Audit

California ISO Audit Results for 2011 SSAE 16 & Looking Forward for 2012 December 15, 2011

ADVANCED AUDIT AND ASSURANCE

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Cybersecurity The Evolving Landscape

Studio Guggino and Newtonpartner S.r.l. a team of professionals at the service of your Company

26 February Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, NW Washington, DC

Within our recommendations for editorial changes, additions are noted in bold underline and deletions in strike-through.

SECURITY & PRIVACY DOCUMENTATION

Credit Union Service Organization Compliance

What are SSAE 16 Reports and How do I Use Them to Support my Audit and A-123 Compliance? Presentation to ASMC PDI May 29, 2015

ISAE 3402 and SSAE 16 (replacing SAS 70) Reinforcing confidence through demonstration of effective controls

SOC-2 Requirement Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD SOC-2

LBI Public Information. Please consider the impact to the environment before printing this.

Achilles System Certification (ASC) from GE Digital

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin

HITRUST CSF: One Framework

COBIT 5 With COSO 2013

QuickBooks Online Security White Paper July 2017

Approved 10/15/2015. IDEF Baseline Functional Requirements v1.0

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Illustrative cybersecurity risk management report. April 2018

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Information Technology General Control Review

POSTMARKET MANAGEMENT OF CYBERSECURITY IN MEDICAL DEVICES FINAL GUIDANCE MARCH 29, TH ANNUAL MEDICAL DEVICE QUALITY CONGRESS

Workday s Robust Privacy Program

The Common Controls Framework BY ADOBE

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

Period from October 1, 2013 to September 30, 2014

CITP Examination Content Specification Outline

ETNO Reflection Document on the EC Proposal for a Directive on Network and Information Security (NIS Directive)

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare

Chapter 8: SDLC Reviews and Audit Learning objectives Introduction Role of IS Auditor in SDLC

The value of visibility. Cybersecurity risk management examination

IT General Controls and Why We Need Them -Dennis McLaughlin, CISA (Cyber AIT) Dennis McLaughlin - Cyber AIT 1

HIPAA Compliance Assessment Module

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Checklist: Credit Union Information Security and Privacy Policies

Predstavenie štandardu ISO/IEC 27005

Aligning Your Organization s Business Units to Achieve a Cohesive Cybersecurity Strategy

Exam Requirements v4.1

ISA 800/805. Proposed changes to ISA 800/ 805 were limited in nature

PCI Compliance Assessment Module with Inspector

Independent Assurance Statement

Network Instruments white paper

_isms_27001_fnd_en_sample_set01_v2, Group A

ISACA CISA Review Course CHAPTER 1 THE IS AUDIT PROCESS

3/13/2015. COSO Revised: Implications for Compliance and Ethics Programs. Session Agenda. The COSO Framework

AUTHORITY FOR ELECTRICITY REGULATION

01.0 Policy Responsibilities and Oversight

Public Safety Canada. Audit of the Business Continuity Planning Program

Locking Down the Cloud Security is Not a Myth

EXAMINATION [The sum of points equals to 100]

Webtrends Inc. Service Organization Controls (SOC) 3 SM Report on the SaaS Solutions Services System Relevant to Security

Contents. Process flow diagrams and other documentation

SOC 3 for Security and Availability

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

REPORT OF INDEPENDENT CERTIFIED PUBLIC ACCOUNTANTS

Transcription:

SOC Reporting / SSAE 18 Update July, 2017

Agenda SOC Refresher Overview of SSAE 18 Changes to SOC 1 Changes to SOC 2 Quiz / Questions

Various Types of SOC Reports SOC for Service Organizations (http://www.aicpa.org/soc4so) SOC 1 SOC for Service Organizations: Internal Controls Over Financial Reporting (ICFR) SOC 2 SOC for Service Organizations: Trust Services Criteria (TSC) SOC 2+ for Service Organizations: TSC + Other Suitable Criteria SOC 3 SOC for Service Organizations: Trust Services Criteria (TSC) for General Use Report Type 1 (report of the design of controls as of a point in time) and Type 2 (report of the design and operational effectiveness over a period of time) formats remain unchanged.

Who are SOC reports intended for? SOC 1 reports Management of the service organization, user entities, and the auditors of the user entities financial statements or internal control over financial reporting SOC 2 / SOC 3 reports User entities and prospective user entities who have sufficient knowledge of the subject matter and services provided Coming soon: SOC for Cybersecurity SOC for Vendor Supply Chains

Which SOC Report is right for my Organization? Considerations when determining the relevant SOC for service organizations report The nature of the service organization, system(s), service(s) provided, and relationship with subservice organizations Relevance to user entities ICFR Fulfilling vendor management requests User entity service-level requirements Regulatory or industry compliance

Parts of a SOC Report Section I Auditor s Opinion Section II Service Organization Assertion Section III Narrative Description of the System / environment Section IV Matrix of controls, tests of controls, and results of testing Section V Other information provided by the Service Organization (additional services, responses to control exceptions, etc.). Unaudited.

SOC Report Types Upcoming Changes SOC 2 SSAE18 AT-C 320 (effective 5/1/17) Restricted Use Report (Type I or II report) Purpose: Report of a Service Organizations Controls relevant to the user s Internal Controls over Financial Reporting SSAE18 - AT-C 105 Aligns with COSO (effective 12/15/18) Generally a Restricted Use Report (Type I or II report) Purpose: Reports on controls related to compliance or operations Trust Services Principles & Criteria SSAE18 - AT-C 105 A Aligns with COSO (effective 12/15/18) General Use Report Purpose: Reports on controls related to compliance or operations

SOC for Service Organizations

SSAE 18 Overview SSAE = Statements on Standards for Attestation Engagements SSAE 18 supersedes all existing attestation standards (SSAEs 10-14, 16-17) Restructure the Attest Standards AT-C 105: Concepts for All Attestation Engagements AT-C 205: Examination Engagements AT-C 215: Agreed-Upon Procedures Engagements AT-C 320: Reporting on an Examination of Controls at a Service Organization Relevant to User Entities Internal Controls Over Financial Reporting SSAE 18 governs both SOC 1 and SOC 2 Reports

SSAE 18 Changes (applies to both SOC 1 and SOC 2 Reports) Changes are effective for all reports dated on or after May 1, 2017 Subservice Organizations (clarification of Vendor vs. Subservice organization): Requirement for the service organization to implement controls to monitor the effectiveness of internal controls at all subservice organizations Complementary subservice organization controls (CSOC) Auditor is required to obtain an understanding of the subject matter and identify and assess the risk of material misstatement AND perform procedures in response to identified risks A requirement for the Auditor to read the reports of the internal audit function and regulatory examinations that relate to the services provided to user entities and the scope of the engagement.

SSAE 18 Changes (applies to both SOC 1 and SOC 2 Reports) As part of collecting and assessing evidence, practitioners need to evaluate the reliability, completeness, and accuracy of information produced by the entity (IPE) Complementary user entity controls are limited to controls that are necessary to achieve the control objectives stated in management s description of the service organization s system. SOC 1 reports are called SOC 1 reports (not SSAE16 reports)

SSAE 18 Changes Changes are effective for all reports dated on or after May 1, 2017 Subservice Organizations (clarification of Vendor vs. Subservice organization): Requirement for the service organization to implement controls to monitor the effectiveness of internal controls at all subservice organizations Complementary subservice organization controls (CSOC) Auditor is required to obtain an understanding of the subject matter and identify and assess the risk of material misstatement AND perform procedures in response to identified risks A requirement for the Auditor to read the reports of the internal audit function and regulatory examinations that relate to the services provided to user entities and the scope of the engagement.

Subservice Organizations Differentiate between Vendor and Subservice Provider (all Subservice Providers are vendors, but not all vendors are Subservice Providers) Would the controls performed by the subservice organization be included if they were performed by the service organization? Are the controls relevant to achieving the controls objectives (SOC 1) or criteria (SOC 2)? AWS (Subservice Provider) Vendors Iron Mountain (Vendor) NetSuite (Subservice Provider)

Subservice Organizations New requirement for the service organization to implement controls to monitor the effectiveness of internal controls at all subservice organizations. This is more than just gathering SOC reports from your subservice providers, and giving them to your auditor as evidence. There needs to be a process to monitor the controls at the subservice organization. A SOC report would need to be reviewed and analyzed, and this review needs to be documented. Complementary subservice organization controls (CSOC) is a new term. Similar to CUEC s, the CSOC s should be explicitly identified and separately documented in the SOC report. Subservice providers can be treated in a SOC report using the Inclusive or Carve-out Method. Inclusive auditor tests the controls, and subservice organization provides an assertion, and signs a representation letter. Carve-out The subservice organization is excluded, but is still identified in the report. CSOC s are identified.

SSAE 18 Changes Changes are effective for all reports dated on or after May 1, 2017 Subservice Organizations (clarification of Vendor vs. Subservice organization): Requirement for the service organization to implement controls to monitor the effectiveness of internal controls at all subservice organizations Complementary subservice organization controls (CSOC) Auditor is required to obtain an understanding of the subject matter and identify and assess the risk of material misstatement AND perform procedures in response to identified risks A requirement for the Auditor to read the reports of the internal audit function and regulatory examinations that relate to the services provided to user entities and the scope of the engagement.

Risk Assessment / Materiality This is a step to be executed and documented by the Auditor (requiring information / evidence from the assessed entity). Questions that the Auditor will evaluate: Is the subject matter (description of the system) not fairly presented? Does it provide sufficient information? Are the controls suitably designed to achieve the control objectives (SOC 1) or criteria (SOC 2)? Was the correct SOC report type (SOC 1 or SOC 2) selected? Are the control objectives specified (SOC 1) or the categories and criteria selected (SOC 2) by the service organization management appropriate for the circumstances? Materiality in the context of a SOC report primarily relates to qualitative factors

SSAE 18 Changes As part of collecting and assessing evidence, practitioners need to evaluate the reliability, completeness, and accuracy of information produced by the entity (IPE) Complementary user entity controls are limited to controls that are necessary to achieve the control objectives stated in management s description of the service organization s system. SOC 1 reports are called SOC 1 reports (not SSAE16 reports)

IPE IPE = information produced by the entity. Could be populations, screenshots, reports, other evidence, etc. For those familiar with Sarbanes-Oxley (SOX), we are moving closer to that method of IPE / evidence validation. The auditor is now required to document how that validated IPE. Optionally can include this as test procedures in the SOC report. What are acceptable methods for meeting this new IPE requirement? Observe populations being created Re-validate that a population can be generated again with the same results. Observe screenshots being taken There is quite a bit of subjectivity here

SSAE 18 Changes As part of collecting and assessing evidence, practitioners need to evaluate the reliability, completeness, and accuracy of information produced by the entity (IPE) Complementary user entity controls are limited to controls that are necessary to achieve the control objectives stated in management s description of the service organization s system. SOC 1 reports are called SOC 1 reports (not SSAE16 reports)

Complementary User Entity Controls (CUEC s) CUEC s are listed separately in the SOC report. They list controls that the customer is responsible for. In some cases, these lists go far beyond the scope of the customer responsibility. CUEC s are now limited to controls that are necessary to achieve the controls stated in management s description of the service organization s system Examples of appropriate and inappropriate CUEC s: Appropriate Customer are responsible for creating new user accounts, and setting password parameters for new users in the XX Application. Inappropriate Customers are responsible for the accuracy of all payroll calculations.

Performed by the Service Organization Controls Performed by Customers (CUEC) Performed by Subservice Org (CSOC) Control Type Responsible Customer are responsible for creating new user accounts, and setting password parameters for new users in the XX Application. Application code changes are authorized and tested prior to migration to production. Production servers are physically protected from unauthorized access via badge readers. CUEC Standard CSOC Customer Service Organization Subservice Organization

SOC 2 Specific Changes Changes are effective for audit periods ending on or after December 15, 2018 Until then, service organizations can choose to early adopt, or continue with current TSP. Trust Services Principles & Criteria (TSP) being renamed to Trust Services Criteria (TSC). The Principles are being renamed to Categories. The Common Criteria (28) are being remapped to the COSO 2013 Framework plus some additional criteria for a total of 33 Common Criteria. The Additional Categories have been further reduced. The illustrative risks / controls have been replaced with points of focus. There is a proposed Cybersecurity Standard with 31 criteria (no current estimated release or effective date)

SOC2 Principles OLD A SOC2 Report is based upon the below five Trust Principles. A report must include the Security Principle (Common Criteria), and may include any or all of the additional principles. Each principle contains criteria which must be met as part of the SOC2 audit. Security Availability Confidentiality Processing Integrity Privacy The system is protected against unauthorized access, use, or modification. The system is available for operation and use as committed or agreed. Information designated as confidential is protected as committed or agreed. System processing is complete, valid, accurate, timely, and authorized This principle addresses the system s collection, use, retention, disclosure, and disposal of PII in accordance with commitments and system requirements. 28 required (common) criteria 3 additional criteria 8 additional criteria 6 additional criteria 20 additional criteria Common Criteria Framework

SOC2 Categories (Required for reports with audit periods ending after 12/15/2018) A SOC2 Report is based upon the below five Categories. A report must include the Security Category (Common Criteria), and may include any or all of the additional categories. Each category contains criteria which must be met as part of the SOC2 audit. Security Availability Confidentiality Processing Integrity Privacy The system is protected against unauthorized access, use, or modification. The system is available for operation and use as committed or agreed. Information designated as confidential is protected as committed or agreed. System processing is complete, valid, accurate, timely, and authorized This principle addresses the system s collection, use, retention, disclosure, and disposal of PII in accordance with commitments and system requirements. 33 required (common) criteria 3 additional criteria 2 additional criteria (was 8) 5 additional criteria (was 6) 18 additional criteria (was 20) Common Criteria Framework

SOC 2 New Common Criteria Adds eight new common criteria related to the alignment with COSO principles: CC1.2 Board oversight CC2.1 Use of information to support internal control CC3.1 Sufficiency and clarity of the entity s objectives CC3.4 Identification and assessment of changes CC5.3 Controls deployed through formal policies and procedures CC7.1 Procedures to identify new vulnerabilities CC9.1 Business disruption risk mitigation CC9.2 Vendor and business risk management

SOC 2 Modifications to Confidentiality Criteria Modifies confidentiality criteria to streamline into the relevant common criteria: Moves C1.1 (Protect information throughout system changes) to CC8.1 (Formal change management process) Moves C1.2 (Controls to protect against unauthorized access) to CC6.1 (Logical access and authentication controls) Moves C1.3 (Controls over access from outside the system boundary) to CC6.6 (Logical access controls to protect against external threats) Moves C1.4 and C1.5 (Third party and vendor confidentiality commitments) to CC9.2 (Vendor and business party management) Moves C1.6 (System changes are communicated to external users and third parties) to CC2.2 and CC2.3 (Communication to internal and external users)

SOC 2 Modifications to Privacy Criteria Modifies privacy criteria to streamline into the relevant common criteria: Moves P1.2 (Privacy commitment communications) to CC2.3 (Communication to external users) Moves P6.5 and P6.6 (Compliance with commitments periodically assessed) to CC9.2 (Risk mitigation and assessment)

Criteria Mapping TSP mapped to the new TSC (excel sheet)

New TSC Statistics Principle Number of Criteria Points of Focus Common Criteria 33 197 Availability 3 15 Processing Integrity 5 18 Confidentiality 2 8 Privacy (organized in eight categories) 18 59 How many controls does this equate to?? Total 61 297

Quiz Who is responsible for designing and implementing the controls? Who is responsible for validating that the controls are properly designed? Who is responsible in a SOC 2 scenario for mapping the criteria to the controls at the service organization? Who is responsible for the assertion? Who documents that IPE was accurately provided? Who is responsible for determining whether to use the inclusive or carve-out method for a subservice organization? Who is responsible for determining which report to pursue (SOC 1 or SOC 2)?

Quiz (continued) Can IT general controls (access, change management, etc.) be included in a SOC 1 report? Who is responsible to write the system description (section III of the SOC report)? Can availability controls be included in a SOC 1 report? Can transaction processing controls be included in a SOC 2 report? Is it possible to fail a SOC audit? What is a scope limitation? What is a SOC 2 + Report?

Questions?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback