Evaluating SOC Reports and NEW Reporting Requirements


Evaluating SOC Reports and NEW Reporting Requirements
ISACA
Kris Lonborg, EY Partner
Maria Avedissian, EY Senior Manager
September 12, 2013

Agenda
- Evaluating SOC reports
- Recent changes made to the SOC 1 Audit Guide
- Highlights of the recent Audit Risk Alert
- User auditor implications of these changes

Role of SOC Reports

Role of SOC reports
- A Service Organization Controls 1 (SOC 1 or SSAE 16) report is designed to help a user entity evaluate the impact of controls at a service organization on its internal control over financial reporting.
- A SOC 2 report is designed to help a user entity evaluate the impact of controls at a service organization relative to many of the other risks of outsourcing.

Independent assurance options to enhance service organization communications to its stakeholders

SOC 1 (Intl: ISAE 3402; US: SSAE 16)
- Intended users: auditors of the user entity's financial statements; management of the user entities; management of the service organization
- Subject matter/format: Type 1 or Type 2; long-form report; description of controls and systems; tests performed and results of testing
- Distribution limitations: restricted to current customers; may be shared with prospective customers if a third-party access letter is obtained; not intended for investors or other prospective users

SOC 2 (Intl: ISAE 3000; US: AT101)
- Intended users: management of the user entities; management of the service organization; other relevant parties that require assurance over the subject matter, for example business partners, regulators, employees
- Subject matter/format: SOC 1 look-alike report (long-form report; description of controls/systems; tests performed and results); controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy; the organization reports controls in place to meet prescribed principles/criteria; Type 1 or Type 2
- Distribution limitations: restricted to users with sufficient knowledge, e.g., current and prospective customers, business partners, regulators, employees

SOC 3
- Intended users: same as SOC 2
- Subject matter/format: short-form report; limited description of controls/systems
- Distribution limitations: no restrictions, e.g., mass distribution, website, current and prospective customers

Agreed-upon procedures
- Intended users: internal use; named business partners
- Subject matter/format: no description of controls/systems; report includes only results of specific tests performed and findings
- Distribution limitations: restricted to internal and/or named parties

Trust services principles for SOC 2 & SOC 3
- Security: The system is protected against unauthorized access (both physical and logical).
- Availability: The system is available for operation and use as committed or agreed.
- Processing integrity: System processing is complete, accurate, timely, and authorized.
- Confidentiality: Information designated as confidential is protected as committed or agreed.
- Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity's privacy notice and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and the Canadian Institute of Chartered Accountants.

SOC 1, SOC 2, SOC 3 comparison

SOC 1 (SSAE 16)
- Scope: the system
- Report contents: testing, description, opinion, assertion
- Users: user entity controller; user entity SOX department; user auditor

SOC 2 (Trust Services Criteria)
- Scope: security, availability, processing integrity, confidentiality, privacy
- Report contents: testing, description, opinion, assertion
- Users: user entity security; user entity compliance; user entity vendor management; regulators; prospective user entities

SOC 3 (Trust Services Criteria)
- Scope: security, availability, processing integrity, confidentiality, privacy
- Report contents: short description, opinion, assertion
- Users: general public

Evaluating SOC Reports

Evaluating the scope
- Internal Audit very frequently leads this effort
- Services, systems, locations covered: Does it cover the areas of concern? Does it cover all of the processes outsourced to each vendor? What is missing?
- Control objectives (SOC 1) or principles (SOC 2): map to areas of concern; match to contractual requirements; evaluate completeness, accuracy, timeliness, etc.

Evaluating control objectives when using a SOC 1 report
- Identify information/reports that flow to the financial statements
- Identify financial statement assertions impacted by the information identified
- Evaluate control objectives: underlying process control objectives; include disclosures; electronic audit evidence

Evaluating the description
- Start with the results/outputs: identification of key reports and data feeds; accuracy of reports
- Work backward: description of process; key controls; inputs and outputs in the flow of transactions
- Does it meet the company's compliance requirements?
- Is it at the right depth?
- Special considerations regarding processing integrity in a SOC 2
- What is missing?
- What strikes you as curious?

Evaluating the controls
- Are they what is expected? Map to your risks; map to known risk models; map to contractual requirements
- Are they described in sufficient detail to permit you to separately evaluate their design?
- What processes, technologies, services are missing or are not described fully?

Complementary User Entity Controls (CUECs)
- Are they relevant to internal control, or a protection mechanism for the service organization/auditor?
- Do they really describe what you should be doing?
- Are they consistent with documentation, contracts, etc.?
- Have you implemented them?
- Have you evaluated their operation and documented it for your financial auditor?

Management's assertion
- What is the coverage period? Does it meet your needs?
- Are the criteria complete?
- Any subservice organizations? If so, are they carved out or included?
- Anything unusual?

Service auditor's report
- What standard is used?
- Who is this firm? Where was it issued?
- Any carve-out or unusual items noted in the scope description?
- Any qualifications?
- For SOC 2 reports, are there any opinions on subject matter other than internal control (e.g., compliance)?
- Any inconsistencies with professional standards or unusual items?

Service auditor's tests and results
- Are the tests described in a way that lets you understand the nature of what was performed?
- Are they the right tests for the control? Responsive to the control; what would our financial auditor have done?
- Are any deviations described sufficiently to permit evaluation of the impact? What is the service organization management's response? Have there been any other communications on the issue?

Current State of SOC Reporting: Things are Changing

Environment drivers
- PCAOB findings/observations: coverage period insufficient; lack of integration of SOC reports into the audit; lack of detail in the report, especially related to electronic audit evidence and how controls directly relate to financial statement assertions
- Users taking a closer look at reports
- Timeliness of receipt of report by users
- New SOC 1 Guide issued June 2013
- AICPA Audit Risk Alert (ARA) for users issued July 2013

SOC 1 Audit Guide changes
- Detail of description of the system (consider flowcharts)
- Example of appropriate control objectives
- Sub-service organizations
- Complementary user entity controls
- Controls do not operate during the period
- No forward-looking management responses to deviations
- Indirect user entities
- IT-only reports

Subservice organizations
- Significant additions to guidance on determining whether a vendor is a subservice organization (3.14)
- Guidance on whether treatment as a subservice organization is needed (3.34)
- Inclusive method: guidance on assertions of inclusive subservice organizations (3.21); controls at an inclusive subservice organization presented separately from those of the service organization (3.29)
- User auditors must apply the new rules, in effect 15 December 2012, on reliance upon SOC 1 reports (including carved-out subservicers); they may need to obtain the SSO report

Subservice organizations: carve-out method
- For carved-out reports, the primary service organization is strongly encouraged to identify (name) the subservice organization (3.26)
- The description contains sufficient information for the user to identify the information needed from the subservice organization (3.30)
- Controls at the primary service organization include monitoring of the subservice organization (3.31)
- When a primary service organization has a carved-out subservice organization, the primary service organization is encouraged to clearly document how it addresses subservice organization CUECs (3.32)
- When the control objectives listed are partially achieved by subservice organization controls, describe those controls at the subservice organization that are necessary to complete the loop (3.71)

Complementary User Entity Controls
- Make sure that the CUECs align with the control objectives
- Service organizations should challenge their current CUECs for completeness and appropriateness
- The preference is now to include CUECs in the actual control/test matrix rather than in a separate listing in the description of the system

Controls not operating during the period
- When controls do not operate during the period (4.120-4.126), they may be able to be tested through other controls
- Amendments to the assertion/opinion are necessary if not tested through other controls: amend the assertion to disclose the facts and circumstances; amend the service auditor's report scope and add an emphasis-of-a-matter paragraph
- The service organization may provide additional information in Section 5, which is unaudited and, if so, is covered by the service auditor's disclaimer paragraph

Testing Deviations

Testing deviations: changes
- If management's responses to deviations in tests of controls are included in the description of the service organization's system (rather than in the section containing information that is not covered by the service auditor's report), such responses usually are included in the portion of the description that describes the controls and related control objectives. (same as before)
- In that case, the service auditor should determine, through inquiries in combination with other procedures, whether there is evidence supporting the action described in the response. (new)
- If the response includes forward-looking information, such as future plans to implement controls or to address deviations, such information should be included in the section "Other Information Provided by the Service Organization". (new)

Management's responses: conclusion
- The service auditor needs to validate the current response as part of their procedures.
- Management is no longer permitted to include forward-looking responses in Section IV.
- Such forward-looking information can be added to the unaudited section of the report (the auditor also adds disclaimer language to the opinion).

Indirect user entities
- The AICPA defined a new term, indirect user entity: a user entity of a service organization is also considered a user entity of the service organization's subservice organization if controls at the subservice organization are relevant to the user entity's internal control over financial reporting. In such a case, the user entity is referred to as an indirect or downstream user entity of the subservice organization.
- Consequently, an indirect or downstream user entity may be included in the group to whom use of the service auditor's report is restricted.

Determining an indirect user entity
Whether the service provided by the subservice organization is relevant to the potential indirect user entity's internal control over financial reporting depends on:
- The significance of the services provided by the subservice organization to the potential indirect user entity
- The nature and materiality of the transactions processed, or the accounts or financial reporting processes affected, by the subservice organization's services
- The degree of interaction between the activities of the subservice organization and those of the service organization
- Whether the primary service organization implements effective user entity controls and monitoring that are sufficient for the indirect user entity and therefore negate the need for the subservice organization's type 1 or type 2 report

IT-only reports
- General IT controls only reports are no longer appropriate if the main service being provided is transaction processing.
- Such reports should include transaction processing, since it is significant to the user entity's financial statement assertions, or move to a SOC 2.
- General IT controls only reports are still appropriate if IT hosting services are the only service being purchased.

ARA identified report issues
- Management's description does not address the services provided: ITGCs only when the service is not infrastructure outsourcing; does not describe the procedures and flow; does not describe the financial statement accounts affected, electronic audit evidence, and reports used or generated in the flow of transactions
- Deviation in opinion language from the standard
- Clarity of a disclaimed or adverse opinion
- Description is insufficient for user auditor needs
- Design or operation of controls is not sufficient for the particular needs of the client

ARA guidance: user auditor actions in response to report issues
- Request a new report
- Obtain additional evidence from the user entity
- Obtain additional representations regarding completeness and accuracy of the description
- Visit the service organization and perform procedures
- Request the service organization to engage the service auditor to perform additional procedures

Changes: SOC 2 Guide / Trust Services Criteria
- Trust Services Criteria to be updated in response to identified concerns: duplicate criteria; clarify wording; add example risks and illustrative controls; increase consistency with ISO/NIST; additional focus on organizational risk management
- 2013: anticipated exposure draft of updated Trust Services Criteria
- Anticipated to be effective for reports in 2014

Questions?