What are SSAE 16 Reports and How do I Use Them to Support my Audit and A-123 Compliance? Presentation to ASMC PDI May 29, 2015


Agenda

- Internal Controls Over Financial Reporting
  - Internal Control Definition
  - Management's Responsibility
- Gaining Comfort Over Service Organization Controls
  - OMB Circular A-123 (Appendix A) Requirements
  - Financial Statement Audit Requirements
- Using SSAE 16 Reports
  - Background and Purpose of the SSAE 16 Report
  - DoD Service Organizations and SSAE 16 Reports
  - Structure of the Report
  - Subservice Organizations
  - Evaluation of CUECs
  - Exceptions, Responses, and Other Considerations
- Questions

Internal Controls Over Financial Reporting

Internal Control: Definition

Internal control is a process effected by an entity's oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved. An internal control system is a continuous built-in component of operations, effected by people, that provides reasonable assurance, not absolute assurance, that an entity's objectives will be achieved. These objectives and related risks can be broadly classified into one or more of the following three categories:

- Operations - Effectiveness and efficiency of operations
- Compliance - Compliance with applicable laws and regulations
- Reporting - Reliability of reporting for internal and external use

The GAO Green Book (GAO-14-704G) defines the standards for internal control in the federal government.

Internal Control: Management's Responsibility

- Oversight Body - The oversight body is responsible for overseeing the strategic direction of the entity and obligations related to the accountability of the entity. This includes overseeing management's design, implementation, and operation of an internal control system.
- Management - Management is directly responsible for all activities of an entity, including the design, implementation, and operating effectiveness of an entity's internal control system.
- Personnel - Personnel help management design, implement, and operate an internal control system and are responsible for reporting issues noted in the entity's operations, reporting, or compliance objectives.

External auditors and the office of the inspector general (OIG), if applicable, are not considered a part of an entity's internal control system. FMFIA requires federal executive branch entities to establish internal control in accordance with these (GAO Green Book) standards.

Internal Control: Management's Responsibility - Service Organizations

Management may engage external parties to perform certain operational processes for the entity, such as accounting and payroll processing, security services, or health care claims processing. For the purpose of the Green Book, these external parties are referred to as Service Organizations. Therefore, management needs to understand the controls each Service Organization has designed, has implemented, and operates for the assigned operational process, and how the Service Organization's internal control system impacts the entity's internal control system.

If controls performed by the Service Organization are necessary for the entity to achieve its objectives and address risks related to the assigned operational process, the entity's internal controls may include Complementary User Entity Controls (CUECs) identified by the service organization or its auditors that are necessary to achieve the service organization's control objectives.

Management retains responsibility for the performance of processes assigned to Service Organizations.

Internal Control: Management's Responsibility - Reporting Entity and Service Provider(s)

The reporting entity and its service provider(s) are linked through:
- Service Level Agreements (SLAs)
- Memos of Understanding (MOUs)

Communicate, Communicate, Communicate. We can't assume the other organization has it covered.

Gaining Comfort Over Service Organization Controls

Gaining Comfort: A-123 Requirements

Evaluating Controls of Cross-Servicing Providers and Service Organizations: when evaluating the controls in place at cross-servicing providers or Service Organizations, the Senior Assessment Team should determine the extent of procedures needed, which may include:

A. User Organizations Test the Controls
- Performing tests of the entity's controls over the activities of the cross-servicing organization or service organization (e.g., re-performance of selected items processed by the cross-servicing organization or service organization, or reconciling output reports with source documents); or
- Performing tests of controls at the cross-servicing organization or Service Organization; or

B. Service Organization Controls Report
- Obtaining a service auditor's report on controls placed in operation and tests of operating effectiveness (e.g., Type II SSAE 16 report) or a report on the application of agreed-upon procedures that describes the relevant tests of controls.

Test it yourself or obtain an opinion from an independent auditor.

Gaining Comfort: Audit Requirements

OMB Bulletin 14-02 (Effective October 21, 2013) supersedes the provisions in OMB Bulletin 07-04, Audit Requirements for Federal Financial Statements, and OMB Technical Bulletin 08-24, Technical Amendments to OMB Bulletin 07-04, Audit Requirements for Federal Financial Statements.

In addition to the requirements set forth in AU-C 402, Audit Considerations Relating to an Entity Using a Service Organization, for those Service Organization controls that are relevant to the audit and have been suitably designed and implemented, service organizations must:

A. Allow user auditors to perform tests of controls at the Service Organization; or

B. Provide its user organizations with an audit report (referred to as a type 2 report) on whether:
- (1) management's description of the Service Organization's system fairly presents the Service Organization's system that was designed and implemented throughout the specified period,
- (2) internal controls were suitably designed to achieve the specified objectives and implemented throughout the specified period, and
- (3) the controls that were tested were operating effectively to provide reasonable assurance that the related control objectives were met during the period specified.

Each financial statement auditor either tests the controls themselves or obtains an SSAE 16 (SOC 1 Type II) opinion.

Background and Purpose

What is an SSAE 16 Report?

- A Statement on Standards for Attestation Engagements No. 16 (SSAE 16) report is an independent third-party report identifying the control structure, policies, and procedures of a service organization.
- An SSAE 16 is internationally recognized as an industry standard for providing user organizations and their auditors comfort surrounding the service organization's internal controls.
- It carries management's report on internal control, describing the control environment, risk assessment, control activities, information and communication, and monitoring.
- SSAE 16 reports are also referred to as AT 801 and SOC 1 reports.

Recognized standard for providing user organizations and their auditors comfort relating to Service Organization Controls.

What are the Key Benefits?

- An SSAE 16 report may eliminate or significantly reduce the requirement for the company's auditor to do additional testing of a service provider's controls.
- An auditor-to-auditor communication which provides reliance to support the financial statement audit at user organizations.
- A reduction in service organization audit hours and business interruption by user organization auditors.
- An SSAE 16 demonstrates proactive control and provides the ability to highlight controls over new/enhanced products or services.

The degree to which redundant testing may be reduced is influenced by the scope and period covered by the SSAE 16.

Using SSAE 16 Reports

Overview

Provides management and user entities with an opinion on:
- Fair presentation of the system description,
- Controls related to the control objectives are suitably designed, and
- Controls related to the control objectives are operating effectively.

The report covers controls relevant to the user entity's financial statements. In the slide diagram, service organizations (DFAS Civilian Pay, DFAS Standardized Disbursing, Defense Civilian Personnel Data System, DISA Automated Time & Attendance Production System, DISA Enterprise Computing Services) issue SSAE 16 report(s) to user entities (Army, Navy, Air Force, USMC, and other Defense Organizations).

SSAE 16 reports minimize redundant testing of Service Organization controls by user entities and their auditors.

DoD Service Providers and SSAE 16 Reports - Current DoD SSAE 16s (Assertion Status, Updated April 13, 2015)

Service Provider | Assessable Unit | System(s) Included | FY 14 Opinion | FY 14 Reporting Period | SSAE 16 for FY 15? | FY 15 Projected Reporting Period | FY 15 Expected Issuance | SSAE 16 for FY 16? | FY 16 Projected Reporting Period | FY 16 Expected Issuance
DFAS | Civilian Pay | DCPS | Unmodified | Oct 2013 - Jun 2014 | Yes | Oct 2014 - Jun 2015 | Aug 14, 2015 | Yes | Oct 2015 - Jun 2016 | Aug 12, 2016
DFAS | Military Pay | DJMS-AC, DJMS-RC, DMO (Legacy), DMO (Web) | Unmodified | Oct 2013 - Jun 2014 | Yes | Oct 2014 - Jun 2015 | Aug 17, 2015 | Yes | Oct 2015 - Jun 2016 | Aug 17, 2016
DFAS | Standard Disbursing Service | ADS, ADS IPAC MegaWizard, 22 MicroApps | Unmodified | Oct 2013 - Jun 2014 | Yes | Oct 2014 - Jun 2015 | Aug 14, 2015 | Yes | Oct 2015 - Jun 2016 | Aug 12, 2016
DFAS | Contract Pay | MOCAS, EAS, EUD (APVM / PPVM), SCRT, BAM ERMP | Unmodified | Nov 2013 - Apr 2014 | Yes | Oct 2014 - Jun 2015 | Aug 14, 2015 | Yes | Oct 2015 - Jun 2016 | Aug 15, 2016
DFAS | Financial Reporting | DDRS (AFS, B, DCM), 8 MicroApps | Modified | Mar 2014 - Nov 2014 | Yes | Dec 2014 - Jul 2015 | Sept 15, 2015 | Yes | Oct 2015 - Jul 2016 | Sept 15, 2016
DFAS | Fund Balance With Treasury (DCAS) | DCAS | N/A | N/A | No | N/A | N/A | Yes | Jan 2016 - Jun 2016 | Aug 15, 2016
DFAS | Fund Balance With Treasury (DRRT) | DRRT, 1 MicroApp | N/A | N/A | No | N/A | N/A | Yes | Jan 2016 - Jun 2016 | Aug 15, 2016
DCPAS | Defense Civilian Personnel Data System (DCPDS) | DCPDS | Modified | Oct 2013 - Jun 2014 | Yes | Oct 2014 - Jun 2015 | Aug 15 | Yes | Oct 2015 - Jun 2016 | Aug 15
DCMA | Contract Pay | MOCAS, etools | Modified | Feb 2014 - Oct 2014 | Yes | Feb 2015 - Jul 2015 | Sept 15 | Yes | Oct 2015 - Jun 2016 | Aug 15

The Department has a number of SSAE 16 examinations underway and has received several unmodified opinions.

DoD Service Providers and SSAE 16 Reports - Current DoD SSAE 16s (continued; Assertion Status, Updated April 13, 2015)

Service Provider | Assessable Unit | System(s) Included | FY 14 Opinion | FY 14 Reporting Period | SSAE 16 for FY 15? | FY 15 Projected Reporting Period | FY 15 Expected Issuance | SSAE 16 for FY 16? | FY 16 Projected Reporting Period | FY 16 Expected Issuance
DLA | Wide Area Work Flow - Invoices Receipt Acceptance and Property Transfer (WAWF - irapt) | WAWF - irapt | Modified | Mar 2014 - Aug 2014 | Yes | Oct 2014 - Jun 2015 | Sept 15 | Yes | Oct 2015 - Jun 2016 | Aug 15
DLA | Defense Agency Initiative (DAI) | DAI | Modified | Jan 2014 - Jun 2014 | Yes | Oct 2014 - Jun 2015 | Sept 15 | Yes | Oct 2015 - Jun 2016 | Aug 15
DLA | Defense Automatic Addressing System (DAAS) | DAAS | Modified | Sep 2013 - Feb 2014 | Yes | Oct 2014 - Jun 2015 | Sept 15 | Yes | Oct 2015 - Jun 2016 | Aug 15
DLA | Defense Travel System (DTS) | DTS | N/A | N/A | Yes | Oct 2014 - Jun 2015 | Sept 15 | Yes | Oct 2015 - Jun 2016 | Aug 15
DLA | MilDeps Owned Items in DLA Custody | DSS | N/A | N/A | No | N/A | N/A | Yes | Oct 2015 - June 2016 | Aug 15
DISA | Enterprise Information Services (FY14 Scope) | Mechanicsburg, Ogden, Oklahoma City | Unmodified | Oct 2013 - Jun 2014 | N/A | N/A | N/A | N/A | N/A | N/A
DISA | Enterprise Computing Services (FY 15-16 Scope) | Mechanicsburg, Ogden, Oklahoma City, Montgomery | N/A | N/A | Yes | Oct 2014 - Jun 2015 | Jul 31 | Yes | Oct 2015 - Jun 2016 | Jul 31
DISA | Automated Time Attendance and Production System (ATAAPS) | ATAAPS | N/A | N/A | Yes | Oct 2014 - Jun 2015 | Jul 31 | Yes | Oct 2015 - Jun 2016 | Jul 31
AT&L | Defense Property Accountability System (DPAS) | DPAS | Unmodified | Oct 2013 - Jun 2014 | Yes | Jul 2014 - Jun 2015 | Aug 15 | Yes | Jul 2015 - Jun 2016 | Aug 15
U.S. Bancorp | Corporate Payment Systems, U.S. Bank Freight Payment Transaction Processing System | Syncada | Unmodified | Oct 2013 - Sept 2014 | Yes | Oct 2014 - Sept 2015 | Nov 15 | Yes | Oct 2015 - Sept 2016 | Nov 16

The Department has a number of SSAE 16 examinations underway and has received several unmodified opinions.

DoD Service Providers and SSAE 16 Reports - Timeline

[Timeline graphic: Fiscal 2014 through Fiscal 2016 (Sept. 2013 - Sept. 2016), showing for each SSAE 16 the ODO Examination Period, the ODO FS Audit Period, and the resulting FY 14 opinion.]

- DFAS - Civilian Pay: Unmodified opinion
- DFAS - Military Pay: Unmodified opinion
- DFAS - Disbursing: Unmodified opinion
- DFAS - Contract Pay: Unmodified opinion
- DFAS - Financial Reporting: Modified opinion
- DFAS - FBWT (DCAS): No SSAE 16 (gap period)
- DFAS - FBWT (DRRT): No SSAE 16 (gap period)
- DCPAS - DCPDS: Modified opinion
- DCMA - Contract Pay: Modified opinion
- DLA - irapt (WAWF): Modified opinion
- DLA - DAI: Modified opinion
- DLA - DAAS: Modified opinion
- DLA - DTS: no FY 14 opinion shown
- DLA - SOIDC: No SSAE 16
- AT&L - DPAS: Unmodified opinion
- US Bank - SYNCADA: Unmodified opinion
- DISA - ATAAPS: no FY 14 opinion shown
- DISA - ESD: Unmodified opinion

SSAE 16 reports will continue to be obtained in subsequent fiscal years.

Structure of the Report

What are the Key Terms?

- Control Objective - Statements intended to provide reasonable assurance regarding the achievement of objectives in the following categories: (1) reliability of financial reporting, (2) effectiveness and efficiency of operations, and (3) compliance with applicable laws and regulations.
- Control Activity - Policies and procedures at a service organization that may affect a user organization's internal control structure and the assertions in its financial statements.
- Operating Effectiveness - How a control is applied, the consistency with which it is applied, and by whom it is applied. Testing is performed by the service auditor to validate the operating effectiveness of key controls.
- Service Auditor - The auditor who reports on the processing of transactions by a service organization.
- Service Organization - The entity (or segment of an entity) that provides services to the user organization.
- User Organization - The entity that has engaged a service organization and whose financial statements are being audited.

The Service Auditor performs the SSAE 16 for the Service Organization.

Report Breakdown

- Section 1 - Report of Independent Auditor: Opinion on the design and operating effectiveness of controls and their ability to meet the control objectives.
- Section 2 - Management's Assertion: A written assertion by management of the service organization about the service organization's system that was designed, implemented, and operated effectively throughout the specified period.
- Section 3 - Service organization's description of systems: The description of controls should contain aspects of the service organization's control environment, risk assessment, information and communication, monitoring of controls, and control activities that may impact the services provided to user organizations. This section may also include control objectives and related controls, descriptions of information technology systems and control narratives, and user controls.
- Section 4 - Service organization's control objectives and related controls, and the independent service auditor's tests of controls and results of tests: This section lists the control objectives, control activities, types of tests performed by the independent auditor, and results of the tests performed by the independent auditor.
- Section 5 - Other information provided by the service organization: Additional information which the service organization may desire to include in the report and which is not included within the scope of the audit opinion (e.g., business continuity / disaster recovery planning).

Section 4 provides detailed information regarding the controls in place at the Service Organization and the results of testing.

Types of Tests

- Inquiry - Inquire of appropriate personnel to obtain knowledge and additional information regarding the control and corroborating evidence of the control. (Usually employed to validate non-key or low-risk controls.)
- Observation - Observe the flow of transactions through the system, observe personnel performing day-to-day functions and applying controls, and review relevant documents and records as necessary.
- Inspection - Inspect a sample of documents and records which indicate or evidence the performance of controls.
- Reperformance - Test a sample of transactions and other items through re-performance of the control or processing application (e.g., ITF, CAATs).

The degree of testing is significantly more rigorous than required by internal certification and accreditation.

Audit Opinions

Unqualified opinion - Ideal result
- States that the control system is fairly presented and designed as well as operating effectively
- Achieved by having adequate controls in place and having no or minimal control exceptions found in testing

Qualified opinion
- States that, except for the effects of the matter(s) to which the qualification relates, the control system is fairly presented and designed as well as operating effectively
- Can be triggered by lacking efficient controls or by having multiple control exceptions

An unqualified opinion doesn't mean no action is required, and a qualified opinion doesn't mean all hope is lost.

Audit Opinions (continued)

Adverse opinion
- States that the report does not present fairly the control system.

Disclaimer opinion
- States that the auditor does not express an opinion.

Emphasis of Matter
- Typically is used to inform the user that a control did not operate during the period and therefore the control objective cannot be achieved.
- Also used to provide information about a subsequent event or other matter that does not result in qualification but needs to be disclosed to the user.

Disclaimers or Adverse opinions have the most severe impact on Service Organization control reliance.

Subservice Organizations

Definitions

- Subservice Organization - A service organization used by another service organization to perform some of the services provided to user entities that are relevant to those user entities' internal control over financial reporting.
- Vendor and Other Service Providers - Similar to subservice organizations, but they are not required to achieve any of the control objectives.

We should consider the degree of interaction as well as the nature and materiality of the transactions processed by the service organization and the subservice organizations to determine the significance of the service organization's and subservice organization's controls to the user entity's controls. If we determine that the services provided by the subservice organization are relevant, we should obtain the subservice organization's SOC 1 report and evaluate it in the same manner that we evaluated the service organization's SOC 1 report.

Subservice Organization controls must also be considered.

Examples of Subservice Organizations

- DFAS, DLA, DCMA, and AT&L use the services of DISA (Enterprise Computing Services) for application hosting.
- The description includes only the controls and related control objectives of the Service Organizations and excludes the control objectives and related controls of DISA Enterprise Computing Services.
- The auditors' examination did not extend to controls of DISA Enterprise Computing Services.

Subservice Organization reliance is pervasive in DoD.

Evaluation of CUECs

Complementary User Entity Controls (CUECs)

A service provided by the service organization may be designed with the assumption that certain controls will be implemented by the user entity. For example, the service may be designed with the assumption that the user entity will have controls in place for authorizing the transactions before they are sent to the service organization for processing.

We should determine whether the complementary user entity controls identified by the service organization are relevant in addressing the risk of material misstatement relating to the relevant assertions in the financial statements and, if so, obtain an understanding of whether the user entity has designed and implemented such controls.

The user auditor is responsible for testing controls related to CUECs that are in place at the user organization.

CUECs can impact reliance on the SSAE 16 report.

Examples: DFAS - Federal Civilian Pay Service

Domain: Payroll Related Data/File Maintenance and Input: Personnel Actions

Control Objective 8: Controls provide reasonable assurance that payroll data, including personnel and payroll adjustments, is received from authorized sources, and is input into DCPS completely, accurately, and timely.

User Entity Controls mapped to Control Objective 8 (for each, the worksheet also records whether the control is Applicable to the Reporting Entity and a Description of User Entity Control(s) or Justification of Non-Applicability):
- All changes to the DCPS MER are approved by appropriate user entity management before submission for payroll processing.
- If a pseudo Social Security Number (SSN) is created, it has been authorized by appropriate user entity management and, if necessary, is accurately tied to a primary and valid SSN.
- All personnel actions are properly authorized and completely and accurately entered into DCPS or the interfacing system by the user entity HROs on a timely basis.
- The user entity HRO ensures employees that have no future payroll payment have submitted the proper notification to DCPS to stop payroll payment in a timely manner.

Significant attention has been placed on identifying the CUECs.

Examples (continued): DFAS Financial Reporting

Unless otherwise specified, DDRS refers to DDRS-B, DDRS-AFS, and DDRS-DCM.

DFAS - Financial Reporting SSAE 16 Complementary User Entity Controls Summary. In the original slide, red text = DFAS responsibility, orange text = dual responsibility, black text = entity responsibility. The summary columns are: Reference #, Domain, User Entity Controls, Responsible Party (DFAS or Reporting Entity), User Entity Control Considerations Relevant to Financial Reporting and/or DDRS, Comments, Proposed new wording, and KSDs Recommended to address CUEC.

1. Domain: Access Controls. Responsible Party: Reporting Entity. Comments: new Financial Reporting CUEC. Proposed new wording: Logical access to computer terminals and/or other computer devices, used to access DDRS, which are located at and/or administered by user entities, is restricted to authorized user entity staff. KSDs: (1) System Authorization Access Request form (e.g., DD 2875) authorizing network access; (2) Common Access Card authorization; (3) Policies and procedures relating to user access, computer issuance, and CACs; (4) Listing of system users and their privileges.

2. Domain: Access Controls. Responsible Party: Reporting Entity. Comments: new Financial Reporting CUEC. Proposed new wording: Physical access to workstations and/or other computer devices used to access DDRS that are located at and/or administered by user entities is restricted to authorized user entity staff. KSDs: (1) System Authorization Access Request form (e.g., DD 2875) authorizing network access; (2) Common Access Card authorization; (3) Policies and procedures relating to user access, computer issuance, and CACs; (4) Listing of system users and their privileges.

3. Domain: Security Management. User Entity Control: User entity is responsible to ensure their staff received appropriate security awareness training (Control Objective 1). Responsible Party: Reporting Entity. Comments: Revised CUEC wording. Proposed new wording: User entity staff receives appropriate security awareness training. KSDs: (1) Listing of user entity employees and training record; (2) Listing of system users and their privileges; (3) Policies and procedures relating to user access, computer issuance, and CACs; (4) Policies and procedures relating to security training.

4. Domain: Security Management. User Entity Control: User entity is responsible to ensure that requests for DDRS user accounts are submitted only for those staff appropriately approved to receive access (Control Objective 1). Responsible Party: Reporting Entity. Comments: Revised CUEC wording. Proposed new wording: User entity staff access to DDRS has been duly authorized by an appropriate member of user entity management. KSDs: (1) Policies and procedures relating to user access, computer issuance, and CACs; (2) Listing of system users and their privileges; (3) DD 2875's; (4) List of authorized approvers/submitters.

Efforts have been made to solicit user entity input.

Exceptions, Responses, and Other Considerations

Responding to Exceptions Identified in SSAE 16 Reports

Auditee: Understand the risk and how it may be mitigated.

Other Considerations: Management's (Service Organization's) Response

Management's response to the identified exception(s) is often included in the unaudited section of the report, which means that the auditor did not test or verify that the information provided by management is accurate. The user entity and their auditor can use management's response to assist in determining the status of exceptions / remediation, but simply referencing management's response is typically not sufficient.

Additional testing may be required by the user entity and their auditor.

Other Considerations: GAP Period

The Service Organization and Service Auditor must balance the competing needs of maximizing the period covered versus delivering the SSAE 16 report in time for it to be useful to the user entities and their auditors.

[Timeline graphic repeated from the DoD Service Providers slide: Fiscal 2014 through Fiscal 2016 (Sept. 2013 - Sept. 2016), showing for each SSAE 16 the ODO Examination Period, the ODO FS Audit Period, and the resulting opinion, with DFAS - FBWT (DCAS) and DFAS - FBWT (DRRT) marked "No SSAE 16" and their gap periods highlighted.]

Other Considerations: GAP Period (continued)

As a result, SSAE 16 reports do not typically cover all twelve months of the fiscal year, resulting in a gap period. The user entities and their auditors will need to perform some additional procedures to obtain comfort that Service Organization controls continued to operate effectively during this period. It is typical for user entities and their auditors to obtain some comfort for the gap period by requesting a Bridge Letter, but this alone may not be sufficient.

Additional testing may be required by the user entity and their auditor.
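The gap-period point above is easy to get wrong when a report period starts late as well as ends early. As an added illustration (not part of the presentation, and not DoD or DFAS tooling), the Python below takes reporting-period cells in the same format as the DoD table on this page (e.g. "Oct 2014 - Jun 2015", or "N/A" for no report) and lists the months of a fiscal year that a bridge letter or additional testing would have to cover. It assumes the DoD fiscal year (1 October through 30 September) and that a period cell is either "N/A" or "<Mon YYYY> - <Mon YYYY>"; the sample periods are copied from the FY 2015 column of the table, but the mapping of names to periods is constructed here for the example.

```python
"""Gap-period check for SSAE 16 reporting periods against the DoD fiscal year.

Added example: parses reporting-period cells such as "Oct 2014 - Jun 2015"
and reports which months of a fiscal year are NOT covered by the report.
Assumes the DoD fiscal year: FY N runs 1 Oct (N-1) through 30 Sep (N).
"""
import re

_MONTH_NAMES = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
                "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
_MONTH_INDEX = {name.lower(): i for i, name in enumerate(_MONTH_NAMES, start=1)}


def _parse_month(token):
    """Turn 'Sept 2015', 'June 2016' or 'Oct 2014' into a (year, month) pair.

    Only the first three letters of the month name are used, so the table's
    'Sept' and 'June' spellings parse the same as 'Sep' and 'Jun'.
    """
    m = re.fullmatch(r"\s*([A-Za-z]+)\s+(\d{4})\s*", token)
    if not m:
        raise ValueError(f"unrecognised month token: {token!r}")
    name, year = m.group(1).lower()[:3], int(m.group(2))
    if name not in _MONTH_INDEX:
        raise ValueError(f"unknown month name in {token!r}")
    return year, _MONTH_INDEX[name]


def _next_month(ym):
    year, month = ym
    return (year + 1, 1) if month == 12 else (year, month + 1)


def _month_range(start, end):
    """Inclusive list of (year, month) pairs from start to end."""
    out, cur = [], start
    while cur <= end:
        out.append(cur)
        cur = _next_month(cur)
    return out


def fiscal_year_months(fy):
    """All twelve months of DoD fiscal year `fy` (Oct of fy-1 .. Sep of fy)."""
    return _month_range((fy - 1, 10), (fy, 9))


def gap_months(period, fy):
    """Months of fiscal year `fy` that `period` does not cover, in order.

    `period` is a table cell: "Oct 2014 - Jun 2015" or "N/A" (no report,
    so every month of the year is a gap).
    """
    fy_months = fiscal_year_months(fy)
    if period.strip().upper() == "N/A":
        return fy_months
    start_tok, end_tok = period.split("-")
    covered = set(_month_range(_parse_month(start_tok), _parse_month(end_tok)))
    return [ym for ym in fy_months if ym not in covered]


def _fmt(ym):
    return f"{_MONTH_NAMES[ym[1] - 1]} {ym[0]}"


def describe_gap(period, fy):
    """Summarise the uncovered months as ranges, e.g. 'Jul 2015 - Sep 2015'.

    A report that starts after 1 Oct and ends before 30 Sep yields two ranges
    (before and after the report period); full coverage yields 'none'.
    """
    gap = gap_months(period, fy)
    if not gap:
        return "none"
    ranges, start, prev = [], gap[0], gap[0]
    for cur in gap[1:]:
        if cur != _next_month(prev):  # run of consecutive months broke
            ranges.append((start, prev))
            start = cur
        prev = cur
    ranges.append((start, prev))
    return "; ".join(f"{_fmt(a)} - {_fmt(b)}" for a, b in ranges)


def gap_report(periods, fy):
    """Map each service (name -> period cell) to its gap description for `fy`."""
    return {name: describe_gap(period, fy) for name, period in periods.items()}


# Constructed sample: FY 2015 projected reporting periods from the table above.
SAMPLE_FY15 = {
    "DFAS - Civilian Pay": "Oct 2014 - Jun 2015",
    "DFAS - Financial Reporting": "Dec 2014 - Jul 2015",
    "DFAS - FBWT (DCAS)": "N/A",
    "U.S. Bancorp - Syncada": "Oct 2014 - Sept 2015",
}

if __name__ == "__main__":
    for name, gap in gap_report(SAMPLE_FY15, 2015).items():
        print(f"{name}: uncovered = {gap}")
```

Running it shows that a report covering Oct 2014 - Jun 2015 leaves Jul - Sep 2015 for a bridge letter, while Financial Reporting's Dec 2014 - Jul 2015 period leaves gaps at both ends of FY 2015, and a system with no SSAE 16 at all leaves the whole year to the user entity's own procedures.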

Questions