Mastering SOC-1 Attestation Reports Under SSAE 16: Auditing Service Organizations Controls in the Cloud

Similar documents
Service Organization Control (SOC) Reports: What they are and what to do with them MARCH 21, 2017

IT Attestation in the Cloud Era

Retirement of SAS 70 and a new generation of Service Organization Control (SOC) Reports

C22: SAS 70 Practices and Developments Todd Bishop, PricewaterhouseCoopers

WHICH SOC REPORT IS RIGHT FOR YOUR CLIENT?

ISACA Cincinnati Chapter March Meeting

A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS

Transitioning from SAS 70 to SSAE 16

Evaluating SOC Reports and NEW Reporting Requirements

SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions

Auditing IT General Controls

SAS 70 SOC 1 SOC 2 SOC 3. Type 1 Type 2

Understanding and Evaluating Service Organization Controls (SOC) Reports

SOC Reporting / SSAE 18 Update July, 2017

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice

SOC Reports The 2017 Update: What s new, What s not, and What you should be doing with the SOC Reports you receive! Presented by Jeff Pershing

Adopting SSAE 18 for SOC 1 reports

Credit Union Service Organization Compliance

Making trust evident Reporting on controls at Service Organizations

SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY?

SSAE 18 & new SOC approach to compliance. Moderator Name: Patricio Garcia Managing Partner ControlCase Attestation Services

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

SAS 70 & SSAE 16: Changes & Impact on Credit Unions. Agenda

CSF to Support SOC 2 Repor(ng

Audit Considerations Relating to an Entity Using a Service Organization

The SOC 2 Compliance Handbook:

Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators

Exploring Emerging Cyber Attest Requirements

Within our recommendations for editorial changes, additions are noted in bold underline and deletions in strike-through.

SOC for cybersecurity

Maintenance of Competency; Continuing Professional Education (CPE)

Cybersecurity The Evolving Landscape

Article II - Standards Section V - Continuing Education Requirements

International Auditing and Assurance Standards Board (IAASB) International Federation of Accountants 545 Fifth Avenue, 14 th Floor New York, NY 10017

The CPE hour is equal to 50 minutes. Credit is given in whole hours only; any fractional hours must be rounded down.

Achieving third-party reporting proficiency with SOC 2+

Testers vs Writers: Pen tests Quality in Assurance Projects. 10 November Defcamp7

Information for entity management. April 2018

BENEFITS of MEMBERSHIP FOR YOUR INSTITUTION

SAS70 Type II Reports Use and Interpretation for SOX

Studio Guggino and Newtonpartner S.r.l. a team of professionals at the service of your Company

IGNITING GROWTH. Why a SOC Report Makes All the Difference

The CPE hour is equal to 50 minutes. Credit is given in whole hours only; any fractional hours must be rounded down.

Integrating Information Security Protections In Supplier Agreements: Guidance for Business and Technology Counsel

SOC 3 for Security and Availability

Renewal Registration & CPE for CPAs in Iowa

PeopleSoft Finance Access and Security Audit

The Integrated Auditor: Becoming the Go-to Resource Your Company Needs APRIL 24, 2018

- A course outline or agenda, indicating what subjects were covered and how much time was spent on each subject.

Webtrends Inc. Service Organization Controls (SOC) 3 SM Report on the SaaS Solutions Services System Relevant to Security

SOC Updates: Understanding SOC for Cybersecurity and SSAE 18. May 23, 2017

IT Audit Process Prof. Liang Yao Week Two IT Audit Function

Maryland Health Care Commission

A sharper focus on internal controls

Internal Audit Report. Electronic Bidding and Contract Letting TxDOT Office of Internal Audit

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

HIPAA Privacy, Security and Breach Notification

SOC Lessons Learned and Reporting Changes

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

All other forms of social media are prohibited unless reviewed and approved prior to use by designated SFA Compliance Principal.

California ISO Audit Results for 2011 SSAE 16 & Looking Forward for 2012 December 15, 2011

GENERAL PRIVACY POLICY

Table of Contents. PCI Information Security Policy

ISACA Survey Results. 27 April Ms. Nancy M. Morris, Secretary Securities and Exchange Commission 100 F Street NE Washington, DC

ISAE 3402 and SSAE 16 (replacing SAS 70) Reinforcing confidence through demonstration of effective controls

CPE Frequently Asked Questions

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

AUTOTASK ENDPOINT BACKUP (AEB) SECURITY ARCHITECTURE GUIDE

Memphis Chapter. President s Message. This annual event is designed to provide students with a

LIST OF SUBSTANTIVE CHANGES AND ADDITIONS. PPC's Guide to Audits of Local Governments. Thirty first Edition (February 2016)

Opportunities to Integrate Technology Into the Classroom. Presented by:

Is Your Compliance Strategy Putting Your Business at Risk?

Addressing Cybersecurity Risk

IBM Managed Security Services - Vulnerability Scanning

CPE Frequently Asked Questions

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

Background of the North America Top Technology Initiatives Survey

CPA Exam and Licensure Information and FAQs

SAS 70 revised. ISAE 3402 will focus on financial reporting control procedures. Compact_ IT Advisory 41. Introduction

Request for Qualifications for Audit Services March 25, 2015

A Global Look at IT Audit Best Practices

26 February Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, NW Washington, DC

ITSM20F_Umang. Number: ITSM20F Passing Score: 800 Time Limit: 120 min File Version: 4.0. Exin ITSM20F

The value of visibility. Cybersecurity risk management examination

Oregon Board of Accountancy

Administrative Directive No. 4: 2011 Continuing Professional Education Requirements for All Certification Programs

What are SSAE 16 Reports and How do I Use Them to Support my Audit and A-123 Compliance? Presentation to ASMC PDI May 29, 2015

10/12/17. CPA Alberta Professional and Public Accounting Practice Varied Registration Model CPA FORUM NORTH OCTOBER 23 RD, 2017 JASPER, ALBERTA

KENYA SCHOOL OF GOVERNMENT EMPLOYMENT OPORTUNITY (EXTERNAL ADVERTISEMENT)

ADVANCED AUDIT AND ASSURANCE

INTO THE CLOUD WHAT YOU NEED TO KNOW ABOUT ADOPTION AND ENSURING COMPLIANCE

No IT Audit Staff? How to Hack an IT Audit. Presenters. Mark Bednarz, Partner-In-Charge, Risk Advisory PKF O Connor Davies, LLP

AND ASSURANCE AN INTEGRATED APPROACH SIXTEENTH EDITION GLOBAL EDITION

Auditing the Cloud. Paul Engle CISA, CIA

HITRUST CSF: One Framework

Google Cloud & the General Data Protection Regulation (GDPR)

HITRUST CSF Roadmap for 2018 and Beyond HITRUST Alliance.

Application for Certification

Present. 5th May - Chennai. Internal. auditing. today: Beginning Auditor Tools and Techniques. 6 CPE hours.

Public vs private cloud for regulated entities

Transcription:

FOR LIVE POGRAM ONLY Mastering SOC-1 Attestation Reports Under SSAE 16: Auditing Service Organizations Controls in the Cloud TUESDAY, AUGUST 9, 2016, 1:00-2:50 pm Eastern IMPORTANT INFORMATION FOR THE LIVE PROGRAM This program is approved for 2 CPE credit hours. To earn credit you must: Participate in the program on your own computer connection (no sharing) if you need to register additional people, please call customer service at 1-800-926-7926 x10 (or 404-881-1141 x10). Strafford accepts American Express, Visa, MasterCard, Discover. Listen on-line via your computer speakers. Respond to five prompts during the program plus a single verification code. You will have to write down only the final verification code on the attestation form, which will be emailed to registered attendees. To earn full credit, you must remain connected for the entire program. WHO TO CONTACT DURING THE LIVE PROGRAM For Additional Registrations: -Call Strafford Customer Service 1-800-926-7926 x10 (or 404-881-1141 x10) For Assistance During the Live Program: -On the web, use the chat box at the bottom left of the screen If you get disconnected during the program, you can simply log in using your original instructions and PIN.

Tips for Optimal Quality FOR LIVE PROGRAM ONLY Sound Quality When listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory, please e-mail sound@straffordpub.com immediately so we can address the problem. Viewing Quality To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

Program Materials FOR LIVE PROGRAM ONLY If you have not printed the conference materials for this program, please complete the following steps: Click on the ^ symbol next to Conference Materials in the middle of the lefthand column on your screen. Click on the tab labeled Handouts that appears, and there you will see a PDF of the slides and the Official Record of Attendance for today's program. Double-click on the PDF and a separate page will open. Print the slides by clicking on the printer icon.

Mastering SOC-1 Attestation Reports Under SSAE 16 Aug. 9, 2016 Mitchell Evans, Director, Risk Consulting Barr Assurance & Advisory, Salt Lake City mevans@barradvisory.com Brad Thies, Principal, Risk Consulting Barr Assurance & Advisory, Kansas City, Kan. bthies@barradvisory.com Greg Ameden, CISA, Director of IT Assurance Services Hancock Askew & Co., Norcross, Ga. gameden@hancockaskew.com

Notice ANY TAX ADVICE IN THIS COMMUNICATION IS NOT INTENDED OR WRITTEN BY THE SPEAKERS FIRMS TO BE USED, AND CANNOT BE USED, BY A CLIENT OR ANY OTHER PERSON OR ENTITY FOR THE PURPOSE OF (i) AVOIDING PENALTIES THAT MAY BE IMPOSED ON ANY TAXPAYER OR (ii) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY MATTERS ADDRESSED HEREIN. You (and your employees, representatives, or agents) may disclose to any and all persons, without limitation, the tax treatment or tax structure, or both, of any transaction described in the associated materials we provide to you, including, but not limited to, any tax opinions, memoranda, or other tax analyses contained in those materials. The information contained herein is of a general nature and based on authorities that are subject to change. Applicability of the information to specific situations should be determined through consultation with your tax adviser.

Presenters Greg Ameden, CISA Greg is the Director of IT Assurance Services for Hancock Askew and leads the firm s IT-related internal audit, risk advisory, and Service Organization Controls (SOC) reporting services. He has over 14 years of experience working in various information technology environments, starting in the IT field and then most recently 10 years at public accounting and advisory firms. Advising and assisting many organizations from a range of industries has enabled Greg to develop a deep understanding of business processes, operational control, and risk management principles. Brad Thies, CISA, CPA Brad is principal at Barr Assurance & Advisory Inc., a risk consulting firm that simplifies compliance in an ubiquitously connected world. He specializes in helping clients assess, design, and implement processes and controls to address evolving risks in business. Brad is a certified public accountant and a certified information system auditor with more than 10 years of experience in the industry. Mitch Evans, CISA Mitch is director at Barr Assurance & Advisory, Inc and previously worked in KPMG s advisory practice. He has performed numerous IT attestation engagements including Sarbanes Oxley (SOX) and Service Organization Controls (SOC1, SOC2, and SOC3) examinations for both small and large organizations. He specializes in engagements within the Technology, Healthcare, Finance, Banking, and Retail industries. He is also a Certified Information System Auditor (CISA). 6

Mastering SOC 1 Attestation Reports: Training Outline Uses and framework IT Considerations Testing and Sampling Guidance SOC 1 Reporting Special Considerations Additional Reporting Options and Use Cases 7

Uses and framework: Key Authoritative Guidance SAP 49 Reports on Internal Control (1971) SAS 30 Reporting on Internal Accounting Control (1980) (superseded by SSAE 2 (1993)) SAS 44 Special-Purpose Reports on Internal Accounting Control at Service Organizations (1982) SAS 53 Special Reports Applying Agreed-Upon Procedures to Specified Elements, Accounts, or Items of a Financial Statement (1981) SAS 70 Service Organizations (1992) SSAE 1 Attestation Standards (1986) SSAE 2 Reporting on an Entity's Internal Control Over Financial Reporting (1993) SSAE 4 Agreed-Upon Procedures Engagements (1995) (removed from the auditing standards by SAS 93 (2000)) Attestation Standards: Revision and Recodification (2001) SSAE SSAE 10 16 Reporting on Controls at a Service Organization (2010) Guide Reporting on Controls at a Service Organization Related to Security, Availability, Processing Integrity, Confidentiality or Privacy (SOC2 (SM)) (2011) Source: AICPA Understanding the Clarified Attestation Standards (New SSAE No. 18) 8

Uses and framework: Why is SSAE 16 often misused? Vendor SSAE 16 Compliant? 9

Uses and framework: SSAE 16 vs. International Standards Historically Now ISAE 3402 International SSAE 16 U.S.* ASAE 3402 Australia CSAE 3416 Canada Others *Note: SSAE 18 to take effect May 1, 2017 10

Uses and framework: How Standards are Used (SSAE 18 change) Common Concepts Level of Service Subject Matter Specific (if applicable) AT-C 105: Common Concepts AT-C 205: Examination Engagements AT-C 210: Review Engagements AT-C 215: Agreed- Upon Procedures Engagements AT-C 305: Prospectives AT-C 310: Pro formas AT-C 315: Compliance AT-C 395: MD&A AT-C 320: Service Organizations Source: AICPA s Understanding the Clarified Attestation Standards (New SSAE No. 18) 11

Uses and framework: SSAE 18 Update and SOC 1 Application ATs AT-Cs Sampling guidance now only in 205 Internal audit guidance now only in 205, reduced from guidance provided in AT801 Most written representation guidance in 205 but some in 320 Other accompanying information guidance in 205 Report dating guidance in 205 Source: AICPA s Understanding the Clarified Attestation Standards (New SSAE No. 18) Title of the report changed Complementary subservice organization controls Inclusive method, all applicable 104, 205 and 320 Consideration of internal audit function Changes to the wording of criteria requirements Description includes monitoring of subservice organizations Change in definition of CUEC Read applicable internal audit reports Evaluating the reliability of IPE Change to report contents 12

Uses and framework: SOC reporting overview Scope Report Summary Applicability Timing Internal control over financial reporting (ICOFR) SOC 1 Detailed report for users and their auditors Sometimes also referred to as an SSAE 16, AT 801 or ISAE 3402 report Detailed report for users, their auditors, and specified parties Operational controls SOC 2 SOC 3 Detailed report for user organizations, their auditors, and specified parties Short report that can be more generally distributed Focused on: Security Availability Confidentiality Processing Integrity Privacy. Applicable to a broad variety of systems such as managed services, cloud service providers, SaaS, and colocation systems. Period of time report (Type II) Point in time report (Type I) 13

Uses and framework: Type I versus Type II There are two variations of SOC reports (type 1 and type 2): A Type I Point in time report over the suitability of the design of controls A Type II Report over a specified period of time over the suitability of the design and operating effectiveness of controls 14

IT Considerations: System Components Description of the service organization s system, system includes five key components Infrastructure Software People Procedures Data The physical and hardware components of a system. The programs and operating software of a system. The personnel involved in the operation and use of a system. The programmed and manual procedures involved in the operation of a system. The information used and supported by a system. 15

IT considerations for audit and attest professionals in preparing SOC 1 reports IT General Controls need to consider control objectives for the following Information Security Logical access Physical access Listed in table 4-3 IT General Control Objectives and Risks That Threaten the Achievement of the Control Objectives of the AICPA SOC 1 guide 16

IT considerations for audit and attest professionals in preparing SOC 1 reports IT General Controls need to consider control objectives for the following Change Management Application Infrastructure Listed in table 4-3 IT General Control Objectives and Risks That Threaten the Achievement of the Control Objectives of the AICPA SOC 1 guide 17

IT considerations for audit and attest professionals in preparing SOC 1 reports IT General Controls need to consider control objectives for the following Computer Operations Application and system processing Data transmissions Data backup Listed in table 4-3 IT General Control Objectives and Risks That Threaten the Achievement of the Control Objectives of the AICPA SOC 1 guide 18

IT Considerations: Linkage to Business Process Controls IT General Controls Linkage to Business Process Controls Financial Statement Assertion #1 Financial Statement Assertion #2 Risk Point Risk Point Risk Point Manual Control Automated Control Manual with Automated Manual Control Automated Control Manual with Automated ITGC #1 ITGC #2 ITGC #3 ITGC #4 19

Testing and sampling guidance: Sampling Sampling The AICPA SOC Guide For tests of controls using sampling, the service auditor determines the tolerable rate of deviation and uses that rate to determine the number of items to be selected for a particular sample. The service auditor s selection of sample items should result in a sample that is representative of the population. All items in the population should have an opportunity to be selected. Random-based selection of items represents one means of obtaining such samples. AICPA Audit and Accounting Guides Audit Sampling Clarified (Updated as of March 1, 2014) Includes tables for sample size based on tolerable deviation rate 20

Testing and sampling guidance: Nature of Testing Nature of Tests of Controls Perform procedures in combination with inquiry to obtain evidence about: How the control was applied The consistency with which the control was applied By whom or by what means the control was applied Procedures the service auditor should perform in combination with inquiry to obtain evidence about the operating effectiveness of controls include Observation of the application of the control Inspection of documents, reports, or electronic files that contain evidence of the performance of the control Reperformance of the control 21

Testing and sampling guidance: Timing and Extent Type 1 or Type 2 Testing Type 1 point in time does not require sampling when performing the test of the controls. Type 2 test of controls, tests the effectiveness of controls for a period of time typically at least six months Identify the occurrence of the controls during the period and test a sample of the occurrences What six months should the report include? The period that the report covers should cover six months of the user entity's fiscal year. For the remaining six month period the service organization often will provide a bridge letter or gap letter Communicates if were any changes in their controls 22

Special Considerations: AICPA Peer Reviews Common Issues Service Organization Control (SOC) Reports Failure to obtain the experience and training required under SSAE 16 to properly complete a Service Organization Control Report Failure to include required elements in the report such as: Management assertions o Complementary user entity controls Carve outs Inclusion of all controls in control activity section Failure to have sufficient working paper support for information included in the report, such as lack of or poor documentation of: Procedures to assess the nature, timing, and extent of the procedures (specifically sampling methodology) Procedures to test carve outs Procedures to support the Other Information included in the report Examples of Matters in Peer Reviews Engagements with Year-Ends between 12/31/14 and 3/31/16 - AICPA Peer Review July 2016 23

Special Considerations: AICPA Peer Reviews Common Issues Failure to sufficient test controls, including: Failure to address the elements of the control, all IT general controls and change management controls Failure to document which controls at the service organization were necessary to achieve the control objectives stated in management's description of the service organization's system and assess whether those controls were suitably designed to achieve the control objectives Failure to document how sample sizes were selected Failure to coordinate the use of inquiry with other procedures Examples of Matters in Peer Reviews Engagements with Year-Ends between 12/31/14 and 3/31/16 - AICPA Peer Review July 2016 24

Special Considerations: Use and Evaluation of Internal Audit Direct Assistance: Competence and objectivity of the internal auditors Clear responsibilities, objectives, and timing of procedures Communication of all issues and AICPA standards Supervise, review, and evaluate Reliance/Re-performance: Risk based Competence and objectivity Internal audit supervision, review, and documentation expectations Sufficient evidence Ability to conclude from internal audit reporting 25

Key Control Activity Special Considerations: Management s Assertion Example approach by management: Sub- Assertion Owner Risk: Access by unauthorized individuals Monitoring Control: Quarterly Access Review individuals with access Assertion Owner Report Owner Control Objective: Logical Security Risk Owner Risk Owner Risk: Inappropriate access by authorized individuals Risk: Configurable access controls inconsistent with policy Monitoring Control: Quarterly Access Review privileges for authorized users Monitoring Control: Internal Audit Evaluation 26

Special Considerations: Subservice organization reporting When the service organization use a service provider they need to be identified in the SOC report There are two options: 1.Carve-out Method (most common) The description of the service organization s system identifies the nature of the services performed by the subservice organization but excludes from the description and from the scope of the engagement the subservice organization s relevant control objectives and related controls. Often the subservice organization will have a separate SOC report. 2.Inclusive Method The description of the service organization s system includes a description of the nature of the services provided by the subservice organization as well as the subservice organization s relevant control objectives and related controls. This results in a separate assertion and testing of the subservice organization 27

Additional Reporting Options: Case Study SOC1 Financial Reporting Controls Financial services Asset management and custodial services Healthcare claims processing Payroll processing Payment processing Cloud ERP service Data center co-location IT systems management SOC2/SOC3 Operational Controls Cloud-based services (SaaS, PaaS, IaaS) HR services Security services Email, collaboration and communications services Any service where customers primary concern is security, availability or privacy Source: KPMG Overview of SOC Reporting 28

SOC Report Knowledge Check Client has the need to make the report generally available (unrestricted distribution). Report is used by the service organization s customers and their auditors to plan and perform an audit or integrated audit or customer s statements SOC 1 Report audit of your customer s financial statements. Report is used by the service organization to report on compliance with regulations. Broker-dealer firm that buys and sells securities on its own on behalf of its customers 29

Questions? 30

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback