SSAE 18 & new SOC approach to compliance. Moderator Name: Patricio Garcia Managing Partner ControlCase Attestation Services

Similar documents
SOC Reporting / SSAE 18 Update July, 2017

WHICH SOC REPORT IS RIGHT FOR YOUR CLIENT?

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice

Retirement of SAS 70 and a new generation of Service Organization Control (SOC) Reports

Exploring Emerging Cyber Attest Requirements

SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions

Transitioning from SAS 70 to SSAE 16

SOC Updates: Understanding SOC for Cybersecurity and SSAE 18. May 23, 2017

The SOC 2 Compliance Handbook:

Information for entity management. April 2018

SOC Reports The 2017 Update: What s new, What s not, and What you should be doing with the SOC Reports you receive! Presented by Jeff Pershing

ISACA Cincinnati Chapter March Meeting

SAS 70 SOC 1 SOC 2 SOC 3. Type 1 Type 2

A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS

Understanding and Evaluating Service Organization Controls (SOC) Reports

CSF to Support SOC 2 Repor(ng

SAS 70 & SSAE 16: Changes & Impact on Credit Unions. Agenda

SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY?

SOC for cybersecurity

Adopting SSAE 18 for SOC 1 reports

Evaluating SOC Reports and NEW Reporting Requirements

SOC-2 Requirement Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD SOC-2

Addressing Cybersecurity Risk

NE HIMSS Vendor Risk. October 9, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS

3/13/2015. COSO Revised: Implications for Compliance and Ethics Programs. Session Agenda. The COSO Framework

SOC Lessons Learned and Reporting Changes

HITRUST CSF Roadmap for 2018 and Beyond HITRUST Alliance.

Service Organization Control (SOC) Reports: What they are and what to do with them MARCH 21, 2017

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH

Vendor Management: SSAE 18. Presented by Joseph Kirkpatrick CISSP, CISA, CGEIT, CRISC, QSA Managing Partner

INTO THE CLOUD WHAT YOU NEED TO KNOW ABOUT ADOPTION AND ENSURING COMPLIANCE

Achieving third-party reporting proficiency with SOC 2+

C22: SAS 70 Practices and Developments Todd Bishop, PricewaterhouseCoopers

Mastering SOC-1 Attestation Reports Under SSAE 16: Auditing Service Organizations Controls in the Cloud

IT Attestation in the Cloud Era

Audit Considerations Relating to an Entity Using a Service Organization

Optimising cloud security, trust and transparency

HITRUST CSF: One Framework

SOC 3 for Security and Availability

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

Table of Contents. Preface xvii PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

Model Approach to Efficient and Cost-Effective Third-Party Assurance

IGNITING GROWTH. Why a SOC Report Makes All the Difference

Credit Union Service Organization Compliance

Business Assurance for the 21st Century

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

Cybersecurity and Data Protection Developments

Welcome ControlCase Conference. Kishor Vaswani, CEO

WHITE PAPER. Title. Managed Services for SAS Technology

Internal Audit Report. Electronic Bidding and Contract Letting TxDOT Office of Internal Audit

COBIT 5 With COSO 2013

Citation for published version (APA): Berthing, H. H. (2014). Vision for IT Audit Abstract from Nordic ISACA Conference 2014, Oslo, Norway.

Public Safety Canada. Audit of the Business Continuity Planning Program

Making trust evident Reporting on controls at Service Organizations

IT Governance ISO/IEC 27001:2013 ISMS Implementation. Service description. Protect Comply Thrive

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Security Information & Policies

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

Cybersecurity The Evolving Landscape

The value of visibility. Cybersecurity risk management examination

Protecting your data. EY s approach to data privacy and information security

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

GETTING STARTED WITH THE SIG 2014: A RESPONDENT S GUIDE By Shared Assessments

ADVANCED AUDIT AND ASSURANCE

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

RISK INTELLIGENCE Assurance and efficiency improvement through a robust Enterprise Risk Management approach

WECC Internal Controls Evaluation Process WECC Compliance Oversight Effective date: October 15, 2017

Testers vs Writers: Pen tests Quality in Assurance Projects. 10 November Defcamp7

Position Description IT Auditor

ISAE 3402 and SSAE 16 (replacing SAS 70) Reinforcing confidence through demonstration of effective controls

Achilles System Certification (ASC) from GE Digital

TAN Jenny Partner PwC Singapore

Illustrative cybersecurity risk management report. April 2018

Big data privacy in Australia

Automate sharing. Empower users. Retain control. Utilizes our purposebuilt cloud, not public shared clouds

Google Cloud & the General Data Protection Regulation (GDPR)

Webtrends Inc. Service Organization Controls (SOC) 3 SM Report on the SaaS Solutions Services System Relevant to Security

AUTOTASK ENDPOINT BACKUP (AEB) SECURITY ARCHITECTURE GUIDE

Opportunities to Integrate Technology Into the Classroom. Presented by:

SERVICE DESCRIPTION ISO Lex. Certifications

Securing the cloud ISACA Korea. Han Ther, Lee CISA, CISM, CISSP, CRISC, ITILF, MCSA

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

Cyber Security in M&A. Joshua Stone, CIA, CFE, CISA

SERVICE ORGANIZATION CONTROL 3 REPORT

IT Audit Process. Prof. Mike Romeu. January 30, IT Audit Process. Prof. Mike Romeu

CLOUD COMPUTING APPLYING THIS NEW TECHNOLOGY TO YOUR PRACTICE

CYBERSECURITY RISK ASSESSMENT

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

Cloud Security Alliance Quantum-safe Security Working Group

Avanade s Approach to Client Data Protection

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

REPORT OF INDEPENDENT CERTIFIED PUBLIC ACCOUNTANTS

Accelerate GDPR compliance with the Microsoft Cloud

Peer Collaboration The Next Best Practice for Third Party Risk Management

SERVICE TRANSITION ITIL INTERMEDIATE TRAINING & CERTIFICATION

FDIC InTREx What Documentation Are You Expected to Have?

Aboriginal Affairs and Northern Development Canada. Internal Audit Report Summary. Audit of Information Technology Security.

Transcription:

SSAE 18 & new SOC approach to compliance Moderator Name: Patricio Garcia Managing Partner ControlCase Attestation Services

Agenda 1. SSAE 18 overview 2. SOC 2 + 3. 2017 Trust Services Criteria

SSAE 18 Overview SSAE 18 is the short name for Statement on Standards for Attestation Engagements No. 18. Establishes requirements and provide application guidance to auditors for performing and reporting on examination, review, and agreed-upon procedures engagements, including Service Organization Controls (SOC) attestations. SSAE 18 completely replaces SSAE 16 and many other SSAEs into a combined standard. SSAE 18 is NOT a certification. Neither was SSAE 16 or SAS 70 that preceded it.

TRANSITION EFFECTIVE MAY 2017 SSAE 16 AT - 101 COSO FRAMEWORK TRUST SERVICES PRINCIPLES SOC 1 REPORT SOC 2 AND 3 REPORTS SSAE18 ATC 105 COMMON CONCEPTS ATC 205 LEVELS OF SERVICE ATC 305 SUBJECT MATTER

Statement on Standards for Attestation Engagements 100 Common Concepts 105 Concepts Common to All Attestation Engagements 200 Levels of Service Examination Engagements reasonable assurance Review Engagements Limited assurance Agreed-Upon Procedures Engagements 300 Subject Matter Prospective Financial Information Reporting on Pro Forma Financial Information Compliance Attestation Reporting on an Examination of Controls at a Service Organization Relevant to User Entities Internal Control Over Financial Reporting (SOC1) Management Discussion and Analysis.

APPROACH TO COMPLIANCE SSAE18 ATC 105 COMMON CONCEPTS ATC 205 LEVELS OF SERVICE ENGAGEMENTS EXAMINATION SOC 2 AND 3 REPORTS TRUST SERVICES PRINCIPLES ATC 305 SUBJECT MATTER SOC 1 REPORT COSO FRAMEWORK SOC 2 + EXAMINATIONS

System and Organization Controls EXAMINATION SUBJECT MATTER SOC 2 - SOC for Service Organizations: Trust Services Criteria In accordance with SSAE 18 - AT-C section 205 SOC 1 Report on Controls at a Service Organization Relevant to User Entities Internal Control over Financial Reporting (ICFR) In accordance with SSAE 18 - AT-C section 320

KEY CHANGES RELATED TO SOC AUDITS THIRD PARTY AND VENDOR MANAGEMENT IDENTIFY ALL SUBSERVICE ORGANIZATIONS USED IN PROVIDING IN-SCOPE SERVICES INCLUDE A DESCRIPTION OF ANY SUBSERVICE ORGANIZATION CONTROLS - RELIES ON TO PROVIDE THE PRIMARY SERVICE TO ITS CUSTOMERS RISK ASSESSMENT ORGANIZATION KEY INTERNAL RISKS TRUST SERVICES PRINCIPLES ALIGNED WITH THE COSO INTERNAL CONTROL FRAMEWORK.

KEY CHANGES RELATED TO SOC REPORTS MONITORING CONTROLS SERVICE ORGANIZATION TO IMPLEMENT CONTROLS TO MONITOR THE EFECTIVENESS OF RELEVANT CONTROLS AT THE SERVICE ORGANIZATION SERVICE AUDITOR TO REPORT ON THE SERVICE ORGANIZATION IMPLEMENTED TO MONITOR THE RELEVANT CONTROLS AT THE SUBSERVICE ORGANIZATION Reviewing SOC reports of the subservice organization s system Periodic discussion with subservice organization personnel Regular site visits Testing controls at the subservice organization Monitoring external communications Reviewing and reconciling reports.

SOC 2 + A SOC 2 report, mapped to other Framework, may be crafted to reduce the number of customized reporting requests and be distributed to meet many requests by customers and other stakeholders. EI3PA EXPERIAN MICROSOFT SUPPLIER DATA PROTECTION REQUIREMENTS EI3PA CONTROLS MAPPED TO THE TSP SOC 2 Type I or II PRIVACY PRINCIPLE PLUS ADDITIONAL MICROSOFT REQUIREMENTS SOC for Cybersecurity Cybersecurity Risk Management Program assessment Nature of operations, nature of information at risk, program objectives Inherent risk, incident management, governance, risk management process

SOC 2 + CSA STAR SOC 2 CSA STAR Attestation Level Two (Third Party Assessment) CLOUD SECURITY ALLIANCE STAR Attestation builds on the key strengths of SOC 2 : Is a mature attest standard (it serves as the standard for SOC 2 and SOC 3 reporting ). Provides for robust reporting on the service provider s description of its system and on the service provider s controls, including a description of the service auditor s tests of controls. Evaluation over a period of time rather than a point in time Recognition with an AICPA Logo

TSC alignment to COSO 1. Emphasis on the Board of Directors and TOP Management commitment to integrity, ethical values and oversight related to entity s internal control. 2. Additional Information required to confirm personnel competence 3. Information and communication requests security training to technical and nontechnical system users 4. Risk Assessment not only related to IT, Development and Security operations. It should include in-scope service processing and operations. 5. Control Activities linked directly to the risk assessment process 6. Assess asset management effectiveness 7. Physical and access controls section provides additional guidance on different requirements (e.g. protection of encryption keys) 8. Change Management incorporates detailed requirements for detection, vulnerability management and incident management 9. Risk Mitigation 1. The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions. 2. The entity assesses and manages risks associated with vendors and business partners.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback