Using DoD SSAE 16/18 Service Organization Control (SOC) Reports (to Support Your Audit and A-123 Compliance)


Office of the Under Secretary of Defense (Comptroller), Office of the Deputy Chief Financial Officer
Using DoD SSAE 16/18 Service Organization Control (SOC) Reports (to Support Your Audit and A-123 Compliance)
American Society of Military Comptrollers (ASMC) PDI, June 2, 2017
James Davila, Accountant, FIAR Directorate, Office of the Deputy Chief Financial Officer, OUSD(C)
Bradley Keith, Director, PwC Public Sector, LLP

Discussion Topics: Using DoD SSAE 16/18 Service Organization Control (SOC) Reports
1) Service Organization Relationships
   - Key Concepts
   - End-to-End Process Relationships
   - Service Organization Identification
2) Addressing Service Organization Controls
   - Available Options
   - Available SOC 1 Reports
   - Relevant SOC 1 Reports
3) Using the Service Organization Controls Report
   - Desired Outcomes
   - SOC 1 Report Sections
   - Areas for Consideration
   - CUECs and CSOCs
   - Reliability of Data (and Reports)
   - Common Evaluation Pitfalls
   - Reporting / User Entity Responsibilities
4) OUSD(C) FIAR Support and Available Resources

Service Organization Relationships Key Concepts

End-to-End Business Process
Parts of the audit-relevant Reporting Entity business process are performed by one or more Third Parties.
[Diagram: Reporting Entity (Initiate / Execute) -> Third Party (Initiate / Execute) -> Financial Statements]
The Reporting Entity is responsible for internal controls over financial reporting.

End-to-End Business Process
It is critical to determine which Third Parties meet the definition of a Service Organization for A-123 and audit purposes (and which do not). Third Parties include Service Providers, Vendors, Working Capital Funds, Service Organizations and Trading Partners. What is the specific nature of the relationship (i.e., who does what)?

End-to-End Business Process
AU-C 402, Audit Considerations Relating to an Entity Using a Service Organization, paragraph .A7:
"The significance of the controls at the service organization to the user entity's internal control also depends on the degree of interaction between the service organization's activities and those of the user entity. The degree of interaction refers to the extent to which a user entity is able to and elects to implement effective controls over the processing performed by the service organization. For example, a high degree of interaction exists between the activities of the user entity and those at the service organization when the user entity authorizes transactions and the service organization processes and accounts for those transactions. In these circumstances, it may be practicable for the user entity to implement effective controls over those transactions. On the other hand, when the service organization initiates or initially records, processes, and accounts for the user entity's transactions, a lower degree of interaction exists between the two organizations. In these circumstances, the user entity may be unable to, or may elect not to, implement effective controls over these transactions at the user entity and may rely on controls at the service organization."
[Diagram: Who does what? Who initiates? Who executes / internally records? Who performs the accounting processing?]
The Financial Statement Auditor will follow the Auditing Standards.

End-to-End Business Process: Why is this so important?
If a Service Organization relationship / dependency exists:
- The Reporting Entity must address Service Organization (and Sub-service Organization) controls for OMB Circular A-123 (Appendix A) / ICOFR.
- The Reporting Entity financial statement auditor will also need to address the Service Organization (and Sub-service Organization) controls in financial statement audits and examinations.
[Diagram: Third Parties (Service Providers, Working Capital Funds, Vendors, Service Organizations, Trading Partners) -> Service Organization Controls?]
You and / or your auditor can't ignore or assume what happens inside the Black Box.

End-to-End Business Process
If a Service Organization relationship exists, all of the pieces need to fit: Reporting / User Entities, User Auditors, Service Organizations and Sub-Service Organizations. Roles and responsibilities must be aligned.

Addressing Service Organization Controls

Addressing Service Organization Controls: How do I do this? There are a few options.

Compliance with OMB Circular A-123 (Appendix A) / ICOFR:
- The Reporting Entity team documents and tests Service Organization controls.
- The Reporting Entity obtains controls documentation and testing performed by Service Organization management and reviews it for adequacy. The Reporting Entity team or Service Organization management addresses gaps.
- The Reporting Entity obtains / reviews Service Organization Controls (SOC 1) Reports on the design and operating effectiveness of internal controls over financial reporting at Service Organizations (and Sub-service Organizations).

Financial Statement Audit (must comply with audit independence requirements):
- The Reporting Entity financial statement auditor (User Auditor) documents and tests Service Organization controls.
- The Reporting Entity financial statement auditor (User Auditor) obtains / reviews SOC 1 Reports on the design and operating effectiveness of internal controls over financial reporting at Service Organizations (and Sub-service Organizations).

It is very inefficient for each and every Reporting Entity and their auditor to redundantly test Service Organization controls instead of relying on the SOC 1 Reports.

Addressing Service Organization Controls: How do I do this? What SOC 1 reports are available?
[Figure: timeline of DoD SOC 1 reports by fiscal year, FY 2005 through FY 2018+, each report colour-coded by opinion. Legend: Unqualified / Unmodified Opinion; Qualified / Modified Opinion; TBD. Reports plotted, by the fiscal year of the first report shown: FY 2005 DISA (EIS), DFAS Civilian Pay; FY 2012 AT&L / DLA DPAS; FY 2013 DFAS Standard Disbursing, DMDC DCPDS, US Bank SYNCADA, DFAS Military Pay, DLA DAAS; FY 2014 DFAS Contract Pay, DCMA Contract Pay, DFAS Financial Reporting, DLA iRAPT, DLA DAI; FY 2015 US Bank AXOL, DISA (ATAAPS), DMDC DTS; FY 2016 DFAS FBWT Treasury Distribution, DLA SOIDC, Total Systems Services, Elavon, Inc., Retail Payment Processing, Citigroup Technology Infrastructure (CTI), Treasury Admin Resource Center, Treasury Invest & Borrowings, Treasury Funds Management, Compensation Benefit & Payment, (OWCP) Bill Processing; FY 2017 U.S. Army Conventional Munitions, DFAS Vendor Pay; FY 2018+ U.S. Army GFEBS, DFAS FBWT Treasury Reconciliation.]
Significant progress has been achieved but much remains to be done.

Addressing Service Organization Controls: How do I do this? What SOC 1 reports are available?
DoD SSAE 16/18s as of May 2017. Service Provider: DFAS. For each assessable unit the system(s) included are given in parentheses, then for FY 2014 and FY 2015 the IPA firm, opinion and reporting period, and for FY 2016 and FY 2017 whether an SSAE 16/18 report was (or is) planned, the IPA firm, opinion and reporting period, and the actual / expected report issuance date.

Civilian Pay (DCPS)
- FY 14: KPMG, Unmodified, Oct 2013 - Jun 2014
- FY 15: KPMG, Unmodified, Oct 2014 - Jun 2015
- FY 16: Yes; KPMG, Unmodified, Oct 2015 - Jun 2016; issued Aug 12, 2016
- FY 17: Yes; KPMG, TBD, Oct 2016 - Jun 2017; expected Aug 15, 2017

Military Pay (DJMS-AC, DJMS-RC, DMO (Web))
- FY 14: KPMG, Unmodified, Oct 2013 - Jun 2014
- FY 15: KPMG, Modified, Oct 2014 - Jun 2015
- FY 16: Yes; KPMG, Modified, Oct 2015 - Jun 2016; issued Aug 17, 2016
- FY 17: Yes; KPMG, TBD, Oct 2016 - Jun 2017; expected Aug 17, 2017

Standard Disbursing Service (ADS, ADS IPAC MegaWizard, and 22 MicroApps: DD 2657 Statement of Accountability, State Tax Access Database, State Tax Microsoft Excel workbook, Post Certification Validation Tracking Workbook, GTN_Month_YR Excel Workbook, DJMSwkstmmyy Excel workbook, Defense Civilian Payroll System (DCPS) Tracking Spreadsheet, 8522 IPAC Tracking Workbook (Excel), SSN 8522 ACH Spreadsheet, MMYYYY Batch Tracker, 6102 Voucher Workbook (Excel), Cleveland Consolidated Workbook (Excel), 2657 Workbook (Excel), E&C Reconciliation Workbook (Excel), DIT Tracker Workbook (Excel), IPAC Tracking Workbook (Excel), Kansas City Central Site IPAC Wizard (Access))
- FY 14: KPMG, Unmodified, Oct 2013 - Jun 2014
- FY 15: KPMG, Unmodified, Oct 2014 - Jun 2015
- FY 16: Yes; KPMG, Unmodified, Oct 2015 - Jun 2016; issued Aug 15, 2016
- FY 17: Yes; KPMG, TBD, Oct 2016 - Jun 2017; expected Aug 15, 2017

Contract Pay (MOCAS, EAS, EUD (APVM / PPVM), SCRT, BAM-ERMP)
- FY 14: GT, Unmodified, Nov 2013 - Apr 2014
- FY 15: GT, Unmodified, Oct 2014 - Jun 2015
- FY 16: Yes; GT, Unmodified, Oct 2015 - Jun 2016; issued Aug 15, 2016
- FY 17: Yes; GT, TBD, Oct 2016 - Jun 2017; expected Aug 15, 2017

Vendor Pay (OnePay, CAPS-W, CAPS-W Data Center, ODS, DCD/DCW, STARS, BAM, APVM)
- FY 14: NA
- FY 15: NA
- FY 16: No
- FY 17: Yes; GT, TBD, Feb 2017 - Jul 2017; expected Sep 15, 2017

FBWT - Transaction Distribution (DCAS, SAMS)
- FY 14: NA
- FY 15: NA
- FY 16: Yes; KPMG, Modified, Mar 2016 - Sep 2016; issued Nov 14, 2016
- FY 17: Yes; KPMG, TBD, Oct 2016 - Jun 2017; expected Aug 15, 2017

FBWT - Treasury Reconciliation (DRRT, CMR)
- FY 14: NA
- FY 15: NA
- FY 16: No
- FY 17: No

Financial Reporting (DDRS (AFS, B, DCM), and 8 MicroApps: NWCF Trading Partner DB, Eliminator, MOCAS Data Call, Data Call Validation Tool, OMB Max Recon, Inventory Control, Employee Benefits, Buyer & Seller Side Eliminations)
- FY 14: Kearney, Modified, Mar 2014 - Nov 2014
- FY 15: Kearney, Modified, Dec 2014 - Jul 2015
- FY 16: Yes; Kearney, Modified, Oct 2015 - Jul 2016; issued Sept 15, 2016
- FY 17: Yes; Kearney, TBD, Oct 2016 - Jul 2017; expected Sept 15, 2017

IPA firm abbreviations: GT = Grant Thornton; PwC = PricewaterhouseCoopers; Kearney = Kearney & Company; WACO = Williams Adley & Co.; E&Y = Ernst & Young; CBH = Cherry, Bekaert & Holland; RMA = RMA Associates; RESJ = Robins, Eskew, Smith & Jordan.
Multiple SOC 1s are underway or planned.

Addressing Service Organization Controls: How do I do this? What SOC 1 reports are available?
DoD SSAE 16/18s as of May 2017 (continued): other DoD service providers and U.S. Bank. Same column layout as the DFAS table above.

DMDC: Defense Civilian Personnel Data System (DCPDS)
- FY 14: PwC, Modified, Oct 2013 - Jun 2014
- FY 15: KPMG, Unmodified, Oct 2014 - Jun 2015
- FY 16: Yes; KPMG, Unmodified, Oct 2015 - Jun 2016; issued Aug 15, 2016
- FY 17: Yes; KPMG, TBD, Oct 2016 - Jun 2017; expected Aug 15, 2017

DMDC: Defense Travel System (DTS)
- FY 14: N/A
- FY 15: WACO, Modified, Oct 2014 - Jun 2015
- FY 16: Yes; WACO, Modified, Oct 2015 - Jun 2016; issued Sep 08, 2016
- FY 17: Yes; KPMG, TBD, Oct 2016 - Jun 2017; expected Aug 15, 2017

DCMA: Contract Pay (MOCAS, eTools)
- FY 14: GT, Modified, Feb 2014 - Oct 2014
- FY 15: GT, Modified, Feb 2015 - Sept 2015
- FY 16: Yes; GT, Modified, Jan 2016 - June 2016; issued Aug 15, 2016
- FY 17: Yes; GT, TBD, Oct 2016 - Jun 2017; expected Aug 15, 2017

DLA: Wide Area Work Flow - Invoices Receipt Acceptance and Property Transfer (WAWF - iRAPT) (iRAPT)
- FY 14: RMA, Modified, Mar 2014 - Aug 2014
- FY 15: WACO, Modified, Oct 2014 - Jun 2015
- FY 16: Yes; GT, Modified, Oct 2015 - Jun 2016; issued Aug 15, 2016
- FY 17: Yes; RMA, TBD, Oct 2016 - Jun 2017; expected Aug 15, 2017

DLA: Defense Agency Initiative (DAI)
- FY 14: WACO, Modified, Jan 2014 - Jun 2014
- FY 15: WACO, Unmodified, Oct 2014 - Jun 2015
- FY 16: Yes; GT, Modified, Oct 2015 - Jun 2016; issued Aug 15, 2016
- FY 17: Yes; RMA, TBD, Oct 2016 - Jun 2017; expected Aug 15, 2017

DLA: Defense Automatic Addressing System (DAAS)
- FY 14: E&Y, Modified, Sep 2013 - Feb 2014
- FY 15: WACO, Modified, Oct 2014 - Jun 2015
- FY 16: Yes; GT, Modified, Oct 2015 - Jun 2016; issued Aug 15, 2016
- FY 17: Yes; RMA, TBD, Oct 2016 - Jun 2017; expected Aug 15, 2017

DLA: Service Owned Items in DLA Custody (SOIDC) (DSS)
- FY 14: NA
- FY 15: NA
- FY 16: Yes; Kearney, Modified, Jan 2016 - Sept 2016; issued Apr 28, 2017
- FY 17: No

AT&L / DLA: Defense Property Accountability System (DPAS)
- FY 14: CBH, Unmodified, Oct 2013 - Jun 2014
- FY 15: CBH, Unmodified, Jul 2014 - Jun 2015
- FY 16: Yes; CBH, Unmodified, Oct 2015 - Jun 2016; issued Aug 26, 2016
- FY 17: Yes; CBH, TBD, Oct 2016 - Jun 2017; expected Aug 15, 2017

DISA: Enterprise Computing Service, Operations Center (FY 15-16 scope: Mechanicsburg, Ogden, Oklahoma City, Montgomery)
- FY 14: KPMG, Unmodified, Oct 2013 - Jun 2014
- FY 15: E&Y, Unmodified, Oct 2014 - Jun 2015
- FY 16: Yes; E&Y, Unmodified, Oct 2015 - Jun 2016; issued Aug 15, 2016
- FY 17: Yes; E&Y, TBD, Oct 2016 - Jun 2017; expected Aug 15, 2017

DISA: Automated Time Attendance and Production System (ATAAPS)
- FY 14: N/A
- FY 15: E&Y, Modified, Oct 2014 - Jun 2015
- FY 16: Yes; E&Y, Modified, Oct 2015 - Jun 2016; issued Aug 15, 2016
- FY 17: Yes; E&Y, TBD, Oct 2016 - Jun 2017; expected Aug 15, 2017

U.S. Army: Conventional Ammunition (LMP, WARS-NT, SAAS-MOD)
- FY 17: Yes; KPMG, TBD, Oct 2016 - Mar 2017; issuance TBD

U.S. Army: General Fund Enterprise Business System (GFEBS)
- FY 17: No

U.S. Bank: Corporate Payment Systems (CPS), Freight Payment Transaction Processing System (Syncada)
- FY 14: E&Y, Unmodified, Oct 2013 - Sept 2014
- FY 15: E&Y, Unmodified, Oct 2014 - Sept 2015
- FY 16: Yes; E&Y, Unmodified, Oct 2015 - Jul 2016; issued Sept 19, 2016
- FY 17: Yes; E&Y, TBD, Aug 2016 - Jul 2017; expected Sept 15, 2017

Total Systems Services (TSYS), subservice organization to CPS for credit management processing (TS1 & TS2)
- FY 16: Yes; KPMG, Unmodified, Jan 2016 - Sep 2016; issued Oct 31, 2016
- FY 17: Yes; KPMG, TBD, Jan 2017 - Sep 2017; expected Oct 2017

U.S. Bancorp Elavon, Inc., subservice organization to CPS for daily processing services related to carrier billing (Merchant Processing System (MPS))
- FY 16: Yes; E&Y, Unmodified, Nov 2015 - Oct 2016; issued Dec 19, 2016
- FY 17: Yes; E&Y, TBD, Nov 2016 - Oct 2017; expected Dec 2017

Retail Payment Processing (RPS), subservice organization to CPS for processing check and electronic payments and researching payment discrepancies (Integrated Card System, Triad, ACAPS, Falcon, SeQual, CASPER, CME, SAR, CA Web Viewer, IVR, ARMS)
- FY 16: Yes; E&Y, Unmodified, Nov 2015 - Oct 2016; issued Dec 19, 2016
- FY 17: Yes; E&Y, TBD, Nov 2016 - Oct 2017; expected Dec 2017

U.S. Bank: Commercial Card Transaction Processing System (ELAN) (Access Online, SeQual, Corporate Payments Management Information System (CPMIS), Automated Credit Application Processing System (ACAPS))
- FY 14: N/A
- FY 15: E&Y, Unmodified, Nov 2014 - Oct 2015
- FY 16: Yes; E&Y, Unmodified, Nov 2015 - Oct 2016; issued Dec 15, 2016
- FY 17: Yes; E&Y, TBD, Nov 2016 - Oct 2017; expected Dec 15, 2017

Multiple SOC 1s are underway or planned.

Addressing Service Organization Controls: How do I do this? What SOC 1 reports are available?
DoD SSAE 16/18s as of May 2017 (continued): non-DoD service providers. Same column layout as the DFAS table above; no FY 2014 or FY 2015 reports are listed for these providers.

U.S. Department of Labor: Compensation Benefit & Payment for Medical Services for Federal Civilian Employees (Integrated Federal Employees' Compensation System (iFECS); Office of the Assistant Secretary for Administration and Management (OASAM) General Support System (GSS))
- FY 16: Yes; KPMG, Unmodified, Oct 2015 - Jun 2016; received Oct 13, 2016
- FY 17: Yes; KPMG, TBD, Oct 2015 - Jun 2016; expected early Sept

U.S. Department of Labor: Office of Workers' Compensation Programs (OWCP) Bill Processing / Central Bill Processing System (Central Bill Processing System)
- FY 16: Yes; RESJ, Unmodified, Oct 2015 - Mar 2016; received Oct 13, 2016
- FY 17: Yes; RESJ, TBD, Oct 2015 - Mar 2016; expected early Sept

Citi: Travel Card (Citigroup Technology Infrastructure (CTI), Global Information Security (GIS), Global Identity Admin (GIDA); mainframe systems include IBM z/OS and Unisys ClearPath; midrange systems include Stratus, NonStop Tandem, IBM series and various types of physical and virtual UNIX, Linux and Windows operating systems)
- FY 16: Yes; KPMG, Unmodified, Jan 2016 - Sep 2016; received Jan 26, 2017
- FY 17: Yes; KPMG, TBD, Jan 2017 - Sep 2017; expected Dec 2017

U.S. Treasury Administrative Resource Center (ARC): Accounting, Budgeting, Reporting, Travel, Procurement, Systems Support & Platform Services (Oracle Federal Financials (Oracle) & Discoverer; feeder systems: PRISM, IPP, CGE, moveLINQ & E-Payroll to Oracle Reporting (EOR). ARC provides application administration of the feeder systems.)
- FY 16: Yes; KPMG, Unmodified, Jul 2015 - Jun 2016; issued Sep 1, 2016
- FY 17: Yes; KPMG, TBD, Jul 2016 - Jun 2017; expected Sep 2017

U.S. Treasury Investments & Borrowings: Federal Investment Transactions for Government Securities (InvestOne Accounting System & FedInvest Subsystem)
- FY 16: Yes; KPMG, Unmodified, Aug 2015 - Jul 2016; issued Sep 23, 2016
- FY 17: Yes; KPMG, TBD, Aug 2016 - Jul 2017; expected Sep 2017

U.S. Treasury Funds Management: Management & Accounting Services for Select Government Trust Funds, Treasury-managed accounts, and accounts / funds of Treasury's Office of the Assistant Secretary for International Affairs (InvestOne Accounting System & FedInvest Subsystem)
- FY 16: Yes; KPMG, Unmodified, Aug 2015 - Jul 2016; issued Sep 23, 2016
- FY 17: Yes; KPMG, TBD, Aug 2016 - Jul 2017; expected Sep 2017

Multiple SOC 1s are underway or planned.

Addressing Service Organization Controls: How do I do this? Which SOC 1s do I need?
Projected FY 2017 SSAE 18 Distribution List to DoD Components (based on Components' responses), as of Jan 27, 2017.
[Matrix: rows are the DoD Components listed below; columns are the service provider SOC 1s: DFAS (Standard Disbursing Services (ADS); Military Pay (DJMS & DMO); Financial Reporting (DDRS); Civilian Pay (DCPS); Contract Pay (MOCAS, EAS, EUD (APVM/PPVM), SCRT, BAM-ERMP); Vendor Pay (CAPSW, OnePay, ODS, DCD/DCW, STARS, CAPSW Data Center, BAM-ERMP, APVM); Fund Balance with Treasury - Transaction Distribution (Defense Cash Accountability System (DCAS))); DLA (Wide Area Work Flow - Invoices Receipt Acceptance and Property Transfer (WAWF - iRAPT); Defense Automatic Addressing System (DAAS); Defense Agency Initiative (DAI); Service Owned Items in DLA Custody - SOIDC (Distribution Standard System (DSS))); AT&L (Defense Property Accountability System (DPAS)); DoDHRA DMDC (Defense Civilian Personnel Data System (DCPDS); Defense Travel System (DTS)); DCMA (Contract Pay (MOCAS)); DISA (Automated Time Attendance and Production System (ATAAPS); Enterprise Computing Service); U.S. Bank (Corporate Payment Systems - Freight Payments System (Syncada); Commercial Credit Card Processing System (Access Online)). The marks showing which SOC 1s each Component receives are not recoverable from this transcription; only the Component list and tiers are.]

Tier 1: 1 Air Force GF; 2 Air Force WCF; 3 Army GF; 4 Army WCF; 5 Navy GF & WCF; 6 USACE; 7 USMC GF & WCF
Tier 2: 8 DIA (Defense Intelligence Agency); 9 NGA (National Geospatial-Intelligence Agency); 10 NRO (National Reconnaissance Office); 11 NSA (National Security Agency) (see note below); 12 DCAA; 13 DeCA (GF & WCF); 14 DFAS (as reporting entity); 15 DHA-CRM; 16 DHA (FOD, NCR, Comptroller); 17 SMA-Army; 18 SMA-Navy; 19 SMA-USAF; 20 DISA (GF & WCF); 21 DLA (GF, WCF & Strategic Materials); 22 USSOCOM; 23 USTRANSCOM (three SOC 1s marked "USTRANSCOM reviewing"); 24 USUHS
Tier 3: 25 CBDP; 26 DARPA; 27 DCMA; 28 DoDEA; 29 DSCA; 30 DTRA; 31 MDA; 32 Office of the Chairman of the JCS; 33 WHS
Tier 4: 34 DAU; 35 DHRA; 36 DLSA; 37 DMA (Defense Media Activity); 38 DMEA (Defense Micro-Electronics Activity); 39 DoDIG; 40 DPMO / DPAA (Defense POW/MIA Accounting Agency); 41 DSS; 42 DTIC; 43 DTSA; 44 NDU; 45 OEA
Service providers (tier N/A): 46 AT&L DPAS (as a service provider); 47 DCMA Contract Pay (as a service provider); 48 DFAS (Std Disb, Mil Pay, Fin Rpting, Civ Pay, Contract Pay, FBWT-DCAS) (as a service provider); 49 DLA (iRAPT, DAI & DAAS) (as a service provider); 50 DISA ATAAPS (as a service provider); 51 DMDC DTS (as a service provider)

User Entities are responsible for report distribution within their organizations.

Addressing Service Organization Controls: How do I do this? Which SOC 1s do I need?
Service Organization SOC 1s (expected FY 17) and their Subservice Organizations.

Subservice Organizations, by group:
- DISA: DISA Enterprise Services (ES); DISA Joint Interoperability Test Command (JITC)
- Other (DoD): DFAS Accounting Operations Directorate; Defense Finance and Accounting Service (DFAS); DFAS (ATAAPS); DFAS (DCPS); Defense Logistics Agency (DLA); Defense Contract Management Agency (DCMA); Defense Manpower Data Center (DMDC)
- Other (Non-DoD): Federal Retirement Thrift Investment Board (FRTIB); Total System Services, Inc. (TSYS); Elavon, Inc.; Carpathia (Hosting Facility Contractor); Convergys Corporation; U.S. Bank Retail Payment Solutions (RPS); U.S. Bank National Retail Lockbox; Xerox; Verizon; First Federal; Sprint and SunGard; Edgeweb

[Matrix: each Service Organization SOC 1 below is marked against the Subservice Organizations it relies on. The column positions did not survive transcription, so only the number of Subservice Organizations marked per SOC 1 is recoverable.]
- DFAS - Civilian Pay (3 marked)
- DFAS - Military Pay (4 marked)
- DFAS - Standard Disbursing (2 marked)
- DFAS - Contract Pay (3 marked)
- DFAS - Vendor Pay* (none marked)
- DFAS FBWT - Transaction Distribution (2 marked)
- DFAS FBWT - Treasury Reconciliation* (none marked)
- DFAS - Financial Reporting (1 marked)
- DMDC - Defense Civilian Personnel Data System (DCPDS) (none marked)
- DMDC - Defense Travel System (DTS) (1 marked)
- DCMA - Contract Pay (1 marked)
- DLA - Invoice Receipt Acceptance and Property Transfer (iRAPT) (2 marked)
- DLA - Defense Agency Initiative (DAI) (2 marked)
- DLA - Defense Automatic Addressing System (DAAS) (none marked)
- DLA - Service Owned Items in DLA Custody (SOIDC) (none marked)
- DLA - Defense Property Accountability System (DPAS) (2 marked)
- DISA - Enterprise Services (Hosting) (none marked)
- DISA - Automated Time & Attendance Production System (ATAAPS) (3 marked)
- U.S. Bancorp - Freight Payment Transaction Processing (3 marked)
- U.S. Bancorp - Commercial Card Transaction Processing System (4 marked)
- U.S. Department of Labor Integrated Federal Employees' Compensation System (relates to the Federal Employees' Compensation Act (FECA)) (5 marked)

Expected FY 17 Subservice Organization updates / changes are probable.

Addressing Service Organization Controls: How do I do this? Which SOC 1s do I need?
Civilian Pay FY 16 SOC 1 family: DISA Enterprise Services; Defense Civilian Personnel Data System (DCPDS); DAI / ATAAPS Time & Attendance; DFAS Civilian Payroll (DCPS); DFAS Standardized Disbursing (ADS); DFAS FBWT Transaction Distribution (DCAS).

Civilian Pay SOC 1, page 41: DISA ES provides the physical hosting and administration of DCPS. Specific functions / responsibilities include:
- Maintenance of the hardware and system software supporting DCPS.
- Protection of computer platforms and resident software and data from unauthorized physical access and environmental hazards.
- Administration of logical access to ACF2.
- Performance of certain computer operations activities for the mainframe platforms supporting DCPS, including monitoring of processing and resolution of any deviations from the pre-defined processing schedule.
- Administration of data transmission utilities and monitoring of data transmissions to and from the mainframe platforms supporting DCPS.
- Performance of uptime monitoring and assistance with the resolution of availability issues related to DCPS.
- System software, application, and data backup and recovery.

Civilian Pay SOC 1, page 41: DCPDS is an HR information support system for maintaining civilian personnel data in the DoD. DCPDS is used to provide HR / personnel support such as applicant ratings, employee appointments, reassignments, and promotions.

Civilian Pay SOC 1, page 29: Some user entities send their T&A data into DCPS using batch files generated from separate, user-entity-operated T&A systems.

Civilian Pay SOC 1, page 33: The DD 592 file is sent to ADS for processing by Disbursing Operations and to the Defense Cash Accountability System (DCAS) for use in downstream reconciliations and financial reporting.
- Check and EFT Payment Files: On a bi-weekly basis, DCPS produces check and EFT payment files interfaced to ADS for disbursement to user entity civilian employees.

Note: The DLA DAAS SOC 1 may also be applicable for those entities routing interface files through this system.
SOC 1 reports may point you / your auditor where to go. Follow the End-to-End Process.

Using the Service Organization Controls Report

How do I use the SOC 1 report? Desired Outcomes
What is the Reporting / User Entity trying to achieve?
- Unqualified / Unmodified SOC 1 opinions (performed under the examination standards SSAE 18, AT-C 105, AT-C 205, AT-C 320).
- Controls reliance: User Entities place reliance on the SOC 1 Reports (following A-123 Appendix A / ICOFR requirements); User Auditors place reliance on the SOC 1 Reports (as allowed by the auditing standards, e.g. AU-C 402).
An Unqualified SOC 1 does not automatically result in User Auditor reliance.

How do I use the SOC 1 report? Desired Outcomes
The User Auditor's ability to rely on internal controls directly affects audit and audit support costs.
Level of controls reliance and the resulting auditor sample sizes:
- High internal controls reliance (optimum for a large financial statement audit): minimum sample sizes.
- Some internal controls reliance (sufficient for a financial statement audit): reduced sample sizes.
- No internal controls reliance (inefficient and unsustainable): maximum sample sizes, 10s to 100s of thousands of sample items across DoD.
An Unqualified SOC 1 does not automatically result in User Auditor reliance.

How do I use the SOC 1 report? SOC 1 Report Structure
A SOC 1 Report typically includes the following sections:
- Section 1: Independent Service Auditor's Report
- Section 2: Assertion Provided by Management of the Service Organization
- Section 3: Description of the Service Organization, including an overview of relevant operations and applications, Complementary User Entity Controls (CUECs), and Subservice Organizations and Complementary Subservice Organization Controls (CSOCs)
- Section 4: Service Organization's Control Objectives and Related Controls (control objectives, controls, and tests of operating effectiveness)
- Section 5: Other Information Provided by Service Organization Management (UNAUDITED)
Read the report and assess the impact on your risk of financial misstatement.

How do I use the SOC 1 report? Areas for Consideration
1. Service auditor competency
2. Scope exclusions
3. Carve-outs
4. CUECs
5. CSOCs
6. Evaluation of relevant controls
7. Reliability of data
8. Results of tests
9. Opinion
10. Gap Periods
Your auditor will consider these. So should you.

How do I use the SOC 1 report? What are CUECs and CSOCs
Example DFAS Control Objective: Controls provide reasonable assurance that logical access to DCPS programs and data is restricted to authorized users.
- CSOCs (SSAE 18): DFAS controls were designed assuming certain controls were in place at the Subservice Organization (DISA). These assumptions will now be included in Management's Description for each Subservice Organization. Some basis is needed for the assumptions, and DFAS is responsible for monitoring Sub-service providers.
- DFAS Controls: Designed & Operating Effectively.
- CUECs (SAS 70, SSAE 16, and SSAE 18): DFAS controls were designed assuming certain controls were in place at the customer (Reporting Entity). These assumptions have been and will continue to be included in Management's Description. Some basis is needed for the assumptions, but DFAS is not responsible for monitoring customers.
(Diagram: DISA Controls, DFAS Controls, User Entity Controls)
Appropriate controls need to be in place at the Reporting Entity, Service Organization(s), and Sub-service Organization(s) to achieve the Control Objective.

How do I use the SOC 1 report? What are CUECs and CSOCs
(Diagram: controls at each layer, from the Reporting / User Entities down to the Subservice Organization)
- Reporting / User Entities: Reporting Entity / User Auditors controls, including the CUECs of the DFAS Civilian Pay Service SOC 1.
- DFAS Civilian Pay Service SOC 1 controls:
  - CUECs (SSAE 16 & 18): DFAS controls were designed assuming certain controls were in place at the customer (Reporting Entity).
  - CSOCs (SSAE 18): DFAS controls were designed assuming certain controls were in place at the Subservice Organization (DISA).
- DISA Hosting Services SOC 1 controls:
  - CUECs (SSAE 16 & 18): DISA controls were designed assuming certain controls were in place at the customer (DFAS).
Appropriate controls need to be in place at the Reporting Entity, Service Organization(s), and Sub-service Organization(s) to achieve the Control Objective.

How do I use the SOC 1 report? Reliability of Data (and Reports)
Background: The clarified standards require the service auditor to evaluate whether system-generated information is sufficiently reliable for the service auditor's purposes by obtaining evidence about its accuracy and completeness and evaluating whether the information is sufficiently precise and detailed. They also require the service auditors and the service organization to validate system-generated information and reports by detailing how they are generated and who prepares such reports, and by ensuring the requisite level of detail in such reports. Effectiveness of controls depends in part on the controls over the accuracy and completeness of the system-generated data or reports.
Classes of system-generated information: The following are the types of data that should be evaluated as part of the SOC 1 attestation:
- Information used in the execution of controls within the SOC 1 report.
- Information provided by the service organization to the service auditor to perform testing of controls.
- Information provided to the user entity.
User Entities should understand what reports are being generated by the Service Organization and then confirm whether those reports are included in the SOC 1.

How do I use the SOC 1 report? Reliability of Data (and Reports)
Translation:
1. Reports / data that are relied upon by the Service Organization to perform controls in their SOC 1 (e.g., user access list, reconciliation reports, spreadsheets, etc.).
2. Reports / data that are used by the Service Auditor to perform SOC 1 testing (e.g., user access listings, transaction populations).
3. Reports / data that are provided to the User Entity and are relied upon in your financial reporting (e.g., reporting package, external outputs).
User Entities should understand what reports are being generated by the Service Organization and then confirm whether those reports are included in the SOC 1.

How do I use the SOC 1 report? Common Evaluation Pitfalls
- Certain applications or interface programs used by some user entities might not be included in the scope of the report, and / or important IT controls may be scoped out.
- The report may be directed at only a limited number of user entities, or the coverage is only for certain locations.
- Relevant reports from the Service Organization may not be included within the scope of the procedures performed by the Service Auditor.
- Not all exceptions are considered for relevance and impact to the User Entity (only those within qualified objectives are, when all of them should be).
- Subservice Organization SOC 1 reports are not obtained and reviewed.
Parties involved: Reporting / User Entities, Service Organizations, User Auditors, Sub-Service Organizations.
Your auditor will consider these. So should you.

Reporting Entity Responsibilities for Service Organization Controls
Establish MOUs that clearly identify who is responsible for what.
1. Identify all Service Organizations (Service Providers) that impact the Reporting Entity's internal controls over financial reporting.
2. Document an understanding of the Service Providers' impact on the Reporting Entity's Financial Reporting and Associated Risks.
3. Document the Reporting Entity's Understanding of Service Provider Controls in Place to Mitigate Financial Reporting Risks.
4. Evaluate the Design and Operating Effectiveness of Service Provider Controls in Place to Mitigate Financial Reporting Risks.
5. Address Complementary User Entity Controls (CUECs) Identified by the Service Provider (i.e., implement effective controls within the Reporting Entity).
6. Establish Regular Communications with Service Providers to Monitor Performance and Identify Events that may Impact Internal Controls Over Financial Reporting.
Attend and actively participate in the Service Provider Working Group meetings.

Reporting Entity Responsibilities for Service Organization Controls: Other Important Responsibilities
- Update the FIAR System Database (FSD) to reflect changes. At a minimum, this should be completed to support the bi-annual FIAR Plan Status Report.
- Notify OUSD(C) FIAR of needed SOC 1s.
- Notify OUSD(C) FIAR if points of contact for SOC 1 distribution have changed.
- Distribute SOC 1 reports within your own organization, in a timely manner, to all personnel who need them.
Communication Protocols Must be Established and Maintained

OUSD(C) FIAR Support and Available Resources

OUSD(C) FIAR Support & Available Resources: OUSD(C) FIAR Support Activities
- Service Provider Working Group Meetings (January, May, and August): Dates / timing requested by User Auditors performing financial statement audits. Updates provided on SOC 1 scope changes, CUEC changes, status of NFRs, progress on current SOC 1s, etc.
- IPA Roundtable Meetings: Periodic meetings with GAO, DoD IG, and IPA firms performing financial statement audits, audit readiness examinations, and SOC 1 engagements to solicit input on SOC 1 report usability and other audit-relevant topics.
- CUEC Workshops: Nine separate workshops were conducted covering audit-relevant SOC 1 reports. Included participants from User/Reporting Entities and Service Organizations.
- MILSTRIP workshops with DLA and customer entities: Detailed walkthroughs of multiple MILSTRIP buy / sell scenarios. Focus on roles and responsibilities that impact the financial statement audit.
User / Reporting Entity participation is essential.

OUSD(C) FIAR Support & Available Resources: SOC 1 Improvement Policy Memo
Deputy Chief Financial Officer Policy Memo, issued in February 2016, identified Ten Required Changes to SOC 1 Reports:
1. SOC 1 Reports to be Issued by August 15th of each year.
2. Nine Month Attestation Period (October 1 to June 30).
3. Bridge Letters to be Issued by October 8th of each year.
4. CUECs to be Aligned to Control Objectives.
5. Describe Service Provider Controls in Place to Monitor Subservice Providers and Identify Service Provider Controls in Place to Address Subservice Provider CUECs.
6. Establish an Interim Milestone of April 30th to Obtain Service Auditor Feedback.
7. Identify Key Inputs and Management's Rationale / Approach.
8. Identify Edit Checks and Management's Rationale / Approach.
9. Identify Interfaces and Management's Rationale / Approach.
10. Identify Outputs and Management's Rationale / Approach.
http://comptroller.defense.gov/fiar/fiarguidance/tools_tips_workproducts.aspx#policymemo
Action has been taken on IPA feedback and status updates provided.

OUSD(C) FIAR Support & Available Resources: SSAE 18 Policy Memo
Memo was sent to Service Organizations for comment and addresses the following key points:
1. Service Organizations to meet with their IPA(s) to establish an understanding of SSAE 18 impact by January 13, 2017.
2. Service Organizations to validate the reliability of key output reports / data.
3. Service Organizations to document Complementary Subservice Organization Controls (CSOCs), their basis for assuming the CSOC is in place at the Subservice Organization, and the associated monitoring controls in place at the Service Organization.
4. Service Organizations to communicate CSOCs to Subservice Organizations by January 23, 2017.
5. Provides a deadline for Subservice Organizations to inform Service Organizations that they do not plan to have controls in place to address the CSOCs.
6. Provides a deadline for Subservice Organizations to provide corrective plans to Service Organizations for those instances where remediation is needed to put controls in place to address the CSOCs.
http://comptroller.defense.gov/fiar/fiarguidance/tools_tips_workproducts.aspx#policymemo
Input was solicited from IPAs performing financial statement audits and SOC 1 engagements.

OUSD(C) FIAR Support & Available Resources: FIAR Systems Database
(Screenshots: Home Page; System Owner Data Entry; System User Data Entry)
http://comptroller.defense.gov/fiar/fiarguidance/tools_tips_workproducts.aspx#fiartoolaccess
Important to make timely updates to support FIAR Plan Status Report and responses to ad-hoc requests.

OUSD(C) FIAR Support & Available Resources: CUECs
OUSD(C) maintains and has distributed the following:
- An Excel file containing all CUECs from all relevant SOC 1 reports (with additions, deletions, and changes from the prior year highlighted).
- Baseline control descriptions that can be customized to address CUECs.
- Test plans for the Baseline controls.
If you have questions or needs, please ask!

OUSD(C) FIAR Support & Available Resources: Service Organization vs. Trading Partner Assessment & CSOCs
- Auditing Standards based Service Organization vs. Trading Partner Assessment Template
- Complementary Subservice Organization Controls (CSOCs) Identification Template
http://comptroller.defense.gov/fiar/fiarguidance/tools_tips_workproducts.aspx#supplementalguidance
If you have questions or needs, please ask!

OUSD(C) FIAR Support & Available Resources: Contact Information
- James Davila, Accountant, FIAR Directorate, Office of the Deputy Chief Financial Officer, OUSD(C): james.r.davila2.civ@mail.mil, (703) 571-1654
- Bradley Keith, Director, PwC Public Sector, LLP: bradley.d.keith.ctr@mail.mil, (571) 256-2693; bradley.keith@us.pwc.com, (703) 918-3564
If you have questions or needs, please ask!

Questions