Service Organization Control (SOC) Reports: What they are and what to do with them MARCH 21, 2017

Presenter: Colin Wallace, CPA/CFF, CFE, CIA, CISA, Partner
Colin has provided management consulting and internal audit services to public, private, government, and not-for-profit organizations since 2002. He has organized and performed financial, operational, and compliance audits throughout the United States and abroad, and has worked on all aspects of the internal audit process including planning, analysis, reporting, and project management. Colin has led numerous fraud investigations involving misappropriation and misuse of company assets, the Foreign Corrupt Practices Act, and management override of internal controls. In addition, he has managed significant SOC examination and SOX 404 assessment projects from initial implementation to final reporting. Colin is an active member of the firm's Technology, Communications and Media Group and is a leader of the firm's forensic and investigative services team. He currently serves as the quality control practice leader for the Business Risk Group.

Presenter: Kim Koch, CPA, Partner
Kim has practiced public accounting since 2001 and has over 15 years of experience in conducting SOC audits, financial statement and compliance audits, attestation examinations, and internal control assessments. Kim serves clients in a variety of industries including technology companies, publicly traded entities, private businesses, third party administrators, and government agencies. She regularly presents continuing professional education sessions internally and externally, including topics related to SOC 1, SOC 2, and SOC 3 reporting. Kim is on the team that develops the firm's tools for SOC audits and also regularly reviews the AICPA's proposed changes to SOC requirements.

OBJECTIVES
Understand the importance of a SOC report
Recognize the differences between SOC 1, 2, and 3 reports
List items that are and aren't covered in SOC reports
Analyze the scope of your provider's report
Assess the impact of complementary user entity controls and internal control exceptions
Work with an auditor or management to evaluate and complement their service providers' controls

SOC REPORTS & MITIGATING RISK
Rise in outsourcing tasks and functions to service providers
Increases exposure to risk
Simple questionnaires and contractual clauses are inadequate
Need for vendor management and vendor due diligence

OVERVIEW
Historical with SAS 70: SAS 70 Reporting
New with SSAE 16: SOC 1, Internal Controls Over Financial Reporting
New with AT101: SOC 2, Trust Services Principles (Detailed Reporting); SOC 3, Trust Services Principles (Summary Reporting)

DEFINITIONS
SOC 1 Report
o A report on controls at a service organization which are relevant to the user entities' internal control over financial reporting.
SOC 2 Report
o A report on controls at a service organization related to compliance or operations and based on the Trust Services Principles and Criteria. Principles covered include Security, Availability, Processing Integrity, Confidentiality and/or Privacy.
SOC 3 Report
o A general-use report that provides only the auditor's report on whether the system achieved the Trust Services Criteria, without including a description of tests and results or an opinion on the description of the system.

SOC COMPARISON: REPORTING OPTIONS

Summary
SOC 1: Detailed report for users, auditors and specified parties
SOC 2: Detailed report for users and auditors
SOC 3: Summary report that can be more generally distributed

Applicability
SOC 1: Focused on financial reporting risks and controls specified by the service provider. Most applicable when the service provider performs financial transaction processing or supports transaction processing systems.
SOC 2 and SOC 3: Focused on the Trust Services Principles:
o Security
o Availability
o Confidentiality
o Processing Integrity
o Privacy
Applicable to a broad variety of systems

SOC COMPARISON: SCOPE

Required focus
SOC 1: Internal control over financial reporting
SOC 2 / SOC 3: Compliance or operational controls

Define scope and systems
SOC 1:
o Classes of transactions
o Procedures for processing and reporting transactions
o Accounting records of the systems
o Handling of significant events and conditions other than transactions
o Report preparation for users
o Other aspects relevant to processing and reporting user transactions
SOC 2 / SOC 3:
o Infrastructure
o Software
o Procedures
o People
o Data

Control domains covered
SOC 1:
o Transaction processing controls
o Supporting information technology general controls
SOC 2 / SOC 3:
o Security
o Availability
o Confidentiality
o Processing Integrity
o Privacy
Principles are selected by the service provider

Level of standardization
SOC 1: Control objectives are defined by the service provider and may vary depending on the type of service provided.
SOC 2 / SOC 3: Specific predefined criteria are used rather than control objectives.

SOC COMPARISON: REPORT STRUCTURE

SOC 1
o Auditor's Opinion
o Management Assertion
o System Description (including controls)
o Control Objectives
o Control Activities
o Test of Operating Effectiveness*
o Results of Tests*
o Other Information (if applicable)

SOC 2
o Auditor's Opinion
o Management Assertion
o System Description (including controls)
o Criteria
o Control Activities
o Test of Operating Effectiveness*
o Results of Tests*
o Other Information (if applicable)

SOC 3
o Auditor's Opinion
o Management Assertion
o System Description (including controls)
o Criteria (referenced)

*Note: Only applicable for Type II reports.

SOC COMPARISON: REPORT TYPES

Type I (SOC 1, SOC 2)
o Coverage: Point in time
o Assessment: Design

Type II (SOC 1, SOC 2)
o Coverage: Period of time
o Assessment: Design, Operating Effectiveness, Results of Tests

INTERNATIONAL REPORTING
ISAE 3402 and its national equivalents:
o SSAE 16 (SOC 1): United States
o CICA 5970: Canada
o AAF 01/06: United Kingdom
o HKCPA 860.2: HK/China
o AUS 810: Australia
o Others

WHY ARE SOC REPORTS IMPORTANT?
Services outsourced to service organizations are relevant to the audit when these services and related controls are part of the entity's information system which is relevant to financial reporting.
When reliance is placed on controls at service organizations and their sub-service providers, it is important to obtain and review SOC reports covering a sufficient portion of the audit period.

WHY DO WE REVIEW SOC REPORTS?
Data flowing from a service organization into the Financial Statements:
o New Hire Information
o Employee Termination
o Payroll Register
o Payroll Journal Entries
o Other Employee Masterfile Changes

PCAOB OBSERVATIONS
Reliance on service organizations was not identified or not properly documented.
Sub-service organizations that were scoped out of the report were not addressed.
Complementary user entity controls were not sufficiently tested or not properly linked to the test of controls.
Update procedures were not properly performed or documented when the auditor's report did not sufficiently cover the entire audit period.
Control exceptions identified by the service provider were not evaluated to determine the sufficiency of audit procedures.

HOW ARE SOC REPORTS EVALUATED?

Inventory
o Inventory existing outsourced vendor relationships to determine whether third-party assurance may be required

Assess
o Assess the key financial reporting risks associated with significant outsourced vendors

Identify
o Identify in-scope service organizations
o Identify relevant reports that have been obtained and determine appropriateness
o Identify any additional reports or documents needed to complete the assessment (e.g., bridge letter, Management's discussion with the service provider, etc.)

Test and Conclude
o Assess the adequacy of the SOC report scope
o Perform review procedures to evaluate the operational effectiveness of controls relied upon at the service organization

STRUCTURE AND CONTENTS OF SOC 1/SOC 2 REPORTS
The structure and contents of SOC 1 and SOC 2 reports generally follow the list below:
o Independent service auditor's report (opinion)
o Management's written assertion
o Service organization's description of the system
o Complementary user entity controls
o Control objectives (SOC 1)/Criteria (SOC 2), control activities and control tests performed (Type II reports)
o Supplemental information from the service organization
When performing an evaluation of a SOC report, management should identify and evaluate each section of the report.

INDEPENDENT SERVICE AUDITOR'S REPORT
This section describes the scope of the examination and provides the service auditor's opinion on:
o Management's presentation of its system of internal control.
o The suitability of the design of the system.
o The operating effectiveness of the controls (Type II reports only).
It generally includes the following sections:
o Scope
o Service Organization's Responsibilities
o Service Auditor's Responsibilities
o Inherent Limitations
o Opinion
o Description of Test of Controls
o Restricted Use

REVIEWING THE INDEPENDENT SERVICE AUDITOR'S REPORT
Verify that the report coverage is adequate. If the coverage is insufficient and/or the report date does not coincide with the client's year-end, verify how Management was able to gain acceptance of the coverage exceptions.
Verify the type of report issued and determine whether it is appropriate for use (e.g., SOC 1 vs. SOC 2, and Type I vs. Type II).
Verify whether service providers are being used by the service organization and determine whether the service auditor's evaluation included sub-service providers.
Determine the type of opinion issued (i.e., modified vs. unmodified).

MANAGEMENT'S WRITTEN ASSERTION
Management's assertions may be in a separate section of the report or included in the section containing the description of the system.
Management's written assertions cover the following:
o The fair presentation of the description of the system
o The suitability of the design of controls and verification that they were implemented as of a specific date (Type I) or throughout the period (Type II)
o The operating effectiveness of the controls throughout the period (Type II)
o The relevant changes to the system throughout the period (Type II)

REVIEWING MANAGEMENT'S WRITTEN ASSERTION
Verify that Management's written assertions in this section mirror the service auditor's opinion.
Verify that there are no qualifications in the assertions or modifications in the language (i.e., use of "except for" or other exclusionary language).
Verify that there are no omissions in the description criteria outlined by the AICPA relative to the services provided.

SERVICE ORGANIZATION'S DESCRIPTION OF THE SYSTEM
This section includes the service organization's explanation of the system and generally includes a description of the following:
o Services provided
o Entity-level controls relating to the control environment, risk assessment processes, monitoring activities, and information and communication processes
o Procedures by which services are provided and transactions are accounted for, and related accounting records
o Significant events other than transactions
o Report preparation processes
o Control objectives and related control activities
o Complementary user entity controls
o Sub-service provider controls

REVIEWING THE SERVICE ORGANIZATION'S DESCRIPTION OF THE SYSTEM
Verify that the services provided are consistent with the services received.
Understand whether there are any significant events that impact the services relied upon.

COMPLEMENTARY USER ENTITY CONTROLS
Complementary user entity controls (CUECs) are controls which the service organization assumes will be in place at user entities.
They identify the roles, responsibilities and obligations of the user entity to ensure achievement of the control objectives identified in the report.
Also known as user organization controls, complementary customer controls, or other similar names or phrases.

REVIEWING COMPLEMENTARY USER ENTITY CONTROLS
Identify and evaluate all CUECs that are relevant (i.e., those which directly impact financial reporting risk[s]).
For IT-related CUECs, communicate with the IT team and consider the Company's responsibilities in the areas of change management, security and operations.
For all in-scope CUECs, ensure that the CUEC is appropriately mapped to key controls and that the design and operating effectiveness of those controls have been tested.

CONTROL OBJECTIVES, CONTROL ACTIVITIES AND TESTS PERFORMED
Presents the control objectives and related control activities performed by the service organization
Presents the test procedures performed and the results of control testing performed by the service auditors
Shows the exceptions or deviations noted by the service auditors
Shows Management's response to the exceptions noted

REVIEWING CONTROL OBJECTIVES, CONTROL ACTIVITIES AND TESTS PERFORMED
Consider performing a self-assessment of the adequacy of the test procedures performed by the service auditors.
Review the responses provided by the service organization and determine whether the responses are satisfactory. Management may also consider discussing the nature of the exceptions with the service auditors.
Evaluate all relevant exceptions, which include:
o Exceptions relevant to control objectives that mitigate the financial reporting risks.
o Exceptions related to Information Technology General Controls (ITGCs) supporting relevant applications that mitigate the financial reporting risks.

SUB-SERVICE ORGANIZATIONS
A third-party provider used by the primary service provider to outsource processes and controls.
They can be part of transaction processing (e.g., claims processing) or the IT environment (e.g., data center hosting).
They are identified by the service organization in its assertion and by the service auditor in its opinion.

REVIEWING SUB-SERVICE ORGANIZATIONS
Evaluation of internal controls should include the impact of all identified sub-service providers.
Assess the impact of sub-service providers on the Company's internal control over financial reporting.
Identify and evaluate all sub-service providers used by in-scope service organizations as part of the SOC review procedures.
For in-scope sub-service providers, formally document the review of the sub-service providers' SOC report, if applicable.

ASSESSING SOC COVERAGE
To rely on SOC reports for SOX 404, the report must generally cover at least the first nine months of the audit period.
Obtain a bridge letter if there is a gap between the SOC report date and the Company's year-end date.
Review the bridge letters and evaluate the impact of changes in the service organization's controls, if any.
If the report coverage is less than nine months and/or there is a gap larger than three months, Management must document how it became comfortable with the short coverage period and/or the gap in the reporting period.

SSAE 16 TO SSAE 18
Naming convention
Vendor management
Complementary subservice organization controls
Service auditor risk assessment

Questions?
Colin Wallace, colin.wallace@mossadams.com, (503) 478-2185
Kim Koch, kim.koch@mossadams.com, (206) 302-6425

The material appearing in this presentation is for informational purposes only and is not legal or accounting advice. Communication of this information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although these materials may have been prepared by professionals, they should not be used as a substitute for professional services. If legal, accounting, or other professional advice is required, the services of a professional should be sought.