WHICH SOC REPORT IS RIGHT FOR YOUR CLIENT?


CPAs & ADVISORS STRATEGIC ALLIANCE WEBINAR SERIES
WHICH SOC REPORT IS RIGHT FOR YOUR CLIENT?
June 20, 2017
Cindy Boyle

TO RECEIVE CPE CREDIT
- Participate in the entire webinar
- Answer polls when they are provided
- If you are viewing this webinar in a group:
  - Complete the group attendance form with the title & date of the live webinar, your company name, your printed name, signature & email address
  - All group attendance sheets must be submitted to training@bkd.com within 24 hours of the live webinar
  - Answer polls when they are provided
- If all eligibility requirements are met, each participant will be emailed their CPE certificate within 15 business days of the live webinar

PRESENTERS
- Jason Jobgen, Director, Alliance Services
- Cindy Boyle, Partner, IT Risk Services

AGENDA
- Common terminology
- Types of reports
- Recent changes
- Questions?

COMMON TERMINOLOGY
- Service organization: performs services outsourced by companies / the auditee
- Service auditor: CPA who examines & reports on controls at a service organization (the term is used in lieu of "practitioner")
- Users: typically considered clients of the service organization
- User auditor: CPA who performs an audit on the user's financial statements
- SOC: "service organization control" reports, but the AICPA is moving to "system & organization control" reports
  - A broader category: the SOC suite of services
  - SOC 2+ will include additional attestations

WHAT ARE SERVICE ORGANIZATIONS?
- Service organization: a provider of services that may impact a risk to a user's financial reporting or that poses a business or compliance risk
- Services such as:
  - Cloud computing (SaaS, IaaS, PaaS)
  - Managed security providers
  - AR / AP / payroll / tax outsourcing
  - Core financial IT system processing or hosting
  - Customer support
  - Health care claims management & processing

TYPES OF REPORTS

PRIMARY TYPES OF REPORTS

SOC 1
- Controls affect user entities': financial statement ICFR
- Use of report: restricted
- AICPA interpretive guidance & reporting vehicle: SSAE No. 18, which includes AT-C section 320; AICPA Guide
- Contents of the report: description of the service organization's system; management's written assertion; service auditor's report; Type 2 includes a description of tests of controls & results of the tests

SOC 2
- Controls affect user entities': compliance & operations
- Use of report: restricted
- AICPA interpretive guidance & reporting vehicle: SSAE No. 18, which includes AT-C section 105 & AT-C section 205; AICPA Guide; TSP section 100, AICPA, 2017 Trust Services Criteria
- Contents of the report: description of the service organization's system; management's written assertion; service auditor's report; Type 2 includes a description of tests of controls & results of the tests

SOC 3
- Controls affect user entities': compliance & operations
- Use of report: general
- AICPA interpretive guidance & reporting vehicle: SSAE No. 18, which includes AT-C section 105 & AT-C section 205; TSP section 100, AICPA, 2017 Trust Services Criteria
- Contents of the report: service auditor's opinion on whether the entity maintained effective controls over its system

Information obtained from AICPA.org

SOC 2 REPORTING
Trust Services Principles (TSP) criteria:
- Security (common criteria): the system is protected against unauthorized access, use or modification
- Availability: the system is available for operation & use as committed or agreed
- Processing integrity: system processing is complete, valid, accurate, timely & authorized
- Confidentiality: information designated as confidential is protected as committed or agreed
- Privacy: the system's collection, use, retention, disclosure & disposal of personal information is in conformity with the commitments in the entity's privacy notice & with the criteria set forth in the generally accepted privacy principles issued by the AICPA & the Canadian Institute of Chartered Accountants

SOC 3 REPORTING
- Public report
- Very abbreviated report, essentially a "SOC 2 light"
- Assertion & opinion only on:
  - Suitability of design
  - Operating effectiveness of controls
  - Not on the system description
- No longer has a required seal; there is a SOC logo from the AICPA that an organization can display
- Essentially must do a SOC 2 in order to issue a SOC 3
  - The SOC 2 report must have an unqualified opinion
  - Must cover at least a two-month period

SOC 3 REPORTING
- Currently cannot issue a SOC 3 unqualified opinion if:
  - There are carved-out subservice organizations in the SOC 2
  - There are significant complementary user-entity controls necessary to achieve the applicable trust services principles criteria

TWO SUB-TYPES OF SOC 1 & SOC 2 REPORTS

SUBTYPES OF REPORTS: TYPE 1
- Reports on:
  - Fairness of presentation of management's description of the service organization's system
  - Suitability of design of controls
- Point-in-time reporting
- May be useful when:
  - The organization is new
  - Understanding the system & controls is needed
  - Significant changes were recently made
  - There is insufficient time or history to perform a Type 2

SUBTYPES OF REPORTS: TYPE 2
- Same as Type 1, plus:
  - Reports on fairness of presentation, suitability of design & operating effectiveness
  - Includes a description of the service auditor's tests of controls & results
- Covers a period of time

REPORTING TO MULTIPLE AUDIENCES
Multiple-report scenarios:
- SOC 1 & SOC 2: services impacting the ICFR of the user & other services with TSP concerns
- SOC 2 & SOC 3: services not impacting ICFR & a need to use the report beyond current users, such as marketing to prospects
- SOC 1 & SOC 3: services impacting the ICFR of the user & other services with TSP concerns or marketing needs
- Note: these must be separate reports

RECENT CHANGES
- SSAE 18
- SOC for Cybersecurity engagements

RECENT CHANGES: SSAE 18
- Subservice organizations
- Significant changes to service organization management responsibility
- Service auditor changes

SUBSERVICE ORGANIZATIONS
- Introduces complementary subservice organization controls (CSOC)
- The service organization must identify risks that subservice organization controls are not in place
- The service auditor must consider CSOC as part of the risk assessment process & assess how management addressed the risks

SIGNIFICANT CHANGES TO SERVICE ORGANIZATION MANAGEMENT RESPONSIBILITY
- Previously, the service auditor identified risks; now they are to obtain an understanding of how management identified risks
- Previously, the service auditor was to determine which controls were necessary; now they are to understand which controls are necessary
- Emphasizes service organization management's responsibility for the narrative, objectives & controls

SERVICE AUDITOR CHANGES
- The service auditor is now required to understand internal audit's role in the service organization's system
- Must obtain evidence of the accuracy & completeness of information such as populations
- The service auditor must more clearly define the intended users of the report

RECENT CHANGES: SOC FOR CYBERSECURITY ENGAGEMENTS
- AICPA Guide, June 1, 2017: Reporting on an Entity's Cybersecurity Risk Management Program & Controls
- In a cybersecurity risk management examination, the practitioner opines on:
  (a) management's description of the entity's cybersecurity risk management program &
  (b) the effectiveness of controls within that program to achieve the entity's cybersecurity objectives
- The examination results in the issuance of a general-use cybersecurity report designed to meet the needs of a variety of potential users

UNDER DEVELOPMENT: SOC FOR VENDOR SUPPLY CHAINS
- An internal controls report on a vendor's manufacturing processes, for customers of manufacturers & distributors, to better understand the cybersecurity risk in their supply chains

PEER REVIEW
- SOC exams are now required selections

BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.nasbaregistry.org.

The information contained in these slides is presented by professionals for your information only. Applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor before acting on any matters covered herein or in these seminars.

CPE CREDIT
- CPE credit may be awarded upon verification of participant attendance
- For questions, concerns or comments regarding CPE credit, please email the BKD Learning & Development Department at training@bkd.com

THANK YOU

FOR MORE INFORMATION // For a complete list of our offices & subsidiaries, visit bkd.com or contact:
Cindy Boyle, CPA, CIA, CITP, CISA // Partner
cboyle@bkd.com // 501.372.1040