SOC Reports: The 2017 Update. What's new, what's not, and what you should be doing with the SOC reports you receive! Presented by Jeff Pershing


Slide 1: SOC Reports: The 2017 Update. What's new, what's not, and what you should be doing with the SOC reports you receive! Presented to Northeast Ohio ISACA, Thursday, April 20, 2017, by Jeff Pershing, CISA, CISM, CISSP, Principal, Pershing Consulting, LLC

Slide 2: Introductions

Slide 3: Overview
- Brief history of reports on Service Organizations
- Overview of AT 101, SSAE 16/SOC 1, SOC 2, and SOC 3
- Attestation Standards Updates / SSAE 18 Overview
- What's new with SOC Reports
- Trust Services Principles Overview and Updates
- What's new with SOC 2
- User Auditor Requirements
- Lessons learned from the first years of SOC reporting

Slide 4: Brief history of reports on Service Organizations (section divider)

Slide 5: SAS70
- In the beginning, the AICPA created the SAS70. The AICPA saw that the SAS70 was good, and it was so. And then the AICPA rested... for nearly 20 years.
- Okay, not quite... SAS78, SAS88, SAS94, ... until... "He's dead, Jim." (Leonard "Bones" McCoy)

Slide 6: Why the need for a SAS70 Report anyway?
- Computers give rise to EDP (Electronic Data Processing)
- Computers are very big and expensive (in the 60s, 70s, and 80s). Okay, they're still expensive now...
- Let's share their use to be more efficient! This sounds like a business opportunity! Let's create a company that provides processing to several companies at once that can't afford their own. (Can anyone say "cloud"?)
- Auditor: How do I know my financial calculations are correct and that you have good internal controls?
- Service Provider: Trust us!
- Auditor: No, I will audit you. SAS55 says so. See you Monday. Here's my request list.
- Service Provider: Wait, I have hundreds of customers with auditors all saying the same thing!

Slide 7: Service Provider Audit Reports: A Short History
- AICPA = American Institute of Certified Public Accountants; SAS = Statement on Auditing Standards
- SAS 55, Consideration of the Internal Control Structure in a Financial Statement Audit: released in 1988; created "death by auditing" for service providers
- SAS70, Service Organizations: issued in 1992 as Reports on the Processing of Transactions by Service Organizations, effective for reports dated after March 31, 1993; one report to meet the needs of multiple user auditors; amended by SAS 88 and renamed Service Organizations

Slide 8: Service Provider Audit Reports: A Short History (cont.)
- SAS70 was amended several times by subsequent SASs:
  - 1998 by SAS78, Consideration of Internal Control in a Financial Statement Audit: An Amendment to Statement on Auditing Standards No. 55
  - 1999 by SAS88: title changed to Service Organizations
  - 2002 by SAS94, The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit
  - 2002 by SAS98, Omnibus Statement on Auditing Standards-2002
  - Other minor adjustments ("conforming changes") in 2006 by SAS105 & SAS106, and in 2007 by SAS109 & SAS110
- SAS70 was superseded by three Service Organization Control (SOC) reports (SOC 1, SOC 2 and SOC 3) for reports issued on or after June 15, 2011
- SOC Reports were based on Attestation Standard 101 (AT 101)

Slide 9: Why Change?
- SAS70 was abused: intended for ICFR (internal control over financial reporting), but used for much more
  - To obtain assurance on controls regarding compliance and operations, e.g. hosted data centers providing no financial-reporting-relevant services; SysTrust or AT 101 should have been used instead
- SAS70 grew in familiarity outside the auditing world (e.g. IT), but was not necessarily well understood: "Are you SAS70 Certified?"

Slide 10: Why Change? (cont.)
- ISAE 3402 / SSAE 16 (SOC 1) for ICFR
  - International Standard on Assurance Engagements (ISAE) 3402 issued in December 2009
  - AICPA issued SSAE No. 16 shortly afterwards as a US standard in alignment with ISAE 3402; minor differences between the two
  - Drafted to help correct misuses of the SAS70
- SOC 2 for matters other than ICFR: specifically Security, Availability, Processing Integrity, Confidentiality, and Privacy
- SOC 3: similar to SOC 2, but a general use report
- All three based on AT 101 (SSAE 16 became AT 801)

Slide 11: Overview of AT 101, SSAE 16/SOC 1, SOC 2, and SOC 3 (section divider)

Slide 12: Attestation Standards Section 101
- Provides a framework for attestation engagements completed by practitioners
- SOC 1, SOC 2 and SOC 3 reports are completed in accordance with AT Section 101
- The subject matter of an attest engagement may take many forms, for example:
  - Physical characteristics (e.g. narrative descriptions, square footage of facilities)
  - Historical events (e.g. the price of a market basket of goods on a certain date)
  - Systems and processes (e.g. internal control)
- Suitability and availability of criteria: the subject matter must be capable of evaluation against criteria that are suitable and available to users

Slide 13: Attestation Standards
- SSAE = Statement on Standards for Attestation Engagements
- SSAE 10, issued in 2001, established:
  - AT 101, Attest Engagements
  - AT 201, Agreed-Upon Procedures Engagements
  - AT 301, Financial Forecasts and Projections
  - AT 401, Reporting on Pro Forma Financial Information
  - AT 601, Compliance Attestation
  - AT 701, Management's Discussion and Analysis

Slide 14: Other SSAEs
- SSAE 11, Attest Documentation: updated AT 101, 201, and 301
- SSAE 12, Amendment to Statement on Standards for Attestation Engagements No. 10, Attestation Standards: Revision and Recodification: updated AT 101
- SSAE 13, Defining Professional Requirements in Statements on Standards for Attestation Engagements: created AT 20, Defining Professional Requirements for SSAE Engagements
- SSAE 14, SSAE Hierarchy: created AT 50, SSAE Hierarchy
- SSAE 15, An Examination of an Entity's Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements: created AT 501 (issued in 2008)
- SSAE 17, Reporting on Compiled Prospective Financial Statements When the Practitioner's Independence Is Impaired: updated AT 301

Slide 15: NOTE: SAS 130 withdrew AT 501
- SAS 130, An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements (AICPA, Professional Standards, AU-C sec. 940), issued in October 2015
- The AICPA Auditing Standards Board (ASB) determined it appropriate to move the content of AT section 501 from the attestation standards into generally accepted auditing standards (GAAS)
- The ASB will consider developing, at a later date, an attestation standard addressing examinations of internal control other than internal control over financial reporting that is integrated with an audit of financial statements
- SAS No. 130 is effective for integrated audits for periods ending on or after December 15, 2016, at which time AT 501 is withdrawn

Slide 16: What changed moving from SAS to AT?
- Attestation standard vs. auditing standard
- Management assertion: an assertion is any declaration or set of declarations about whether the subject matter is based on or in conformity with the criteria selected
- Description of system vs. controls
- Use of suitable criteria
- Suitability of design opinion
- Materiality
- Period covered: SAS70 was a point in time; SSAE 16 (SOC 1) / SOC 2 cover the entire period
- Deviations (not exceptions)
- Use of Internal Audit: must identify testing by IA in the report
- Opinion format

Slide 17: What is a System?
TSP sec. 100 paragraph .01 defines a system as follows: A system is designed, implemented, and operated to achieve specific business objectives (for example, delivery of services, production of goods) in accordance with management-specified requirements. System components can be classified into the following five categories:
- Infrastructure. The physical structures, IT, and other hardware (for example, facilities, computers, equipment, mobile devices, and telecommunications networks).
- Software. The application programs and IT system software that supports application programs (operating systems, middleware, and utilities).
- People. The personnel involved in the governance, operation, and use of a system (developers, operators, entity users, vendor personnel, and managers).
- Processes. The automated and manual procedures. NOTE: SOC 2 Guide, par. 1.26a(ii)(4), uses "Procedures" rather than "Processes".
- Data. Transaction streams, files, databases, tables, and output used or processed by a system.

Slide 18: SSAE 16 / SOC 1
- SSAE 16, Reporting on Controls at a Service Organization, created AT 801
- As an attestation standard, it is built upon AT 101
- Established requirements for attestation engagements to report on controls at organizations that provide services to user entities, when those controls are likely to be relevant to user entities' internal control over financial reporting (ICFR)
- Effective for reports issued on or after June 15, 2011
- SOC 1 Audit Guide released May 2011, updated May 2013; a new update was just released in January 2017
- Two report types: SOC 1 Type I = SSAE 16 Type I report; SOC 1 Type II = SSAE 16 Type II report
- Branded by the AICPA as SOC 1 (Service Organization Control Report 1); the AICPA now prefers "SOC 1" over "SSAE 16"

Slide 19: SOC 2 Reports
- Reports on Controls at a Service Organization over Security, Availability, Processing Integrity, Confidentiality, or Privacy
- Can report on just one Principle, or any combination of the five
- SOC 2 Guide released May 2011, updated March 2012 and July 2015; a new update is expected soon
- Report format designed to match the SSAE 16: SOC 2 Type I and SOC 2 Type II
- Criteria are prescribed: must use TSP 100, Trust Services Principles

Slide 20: SOC 3 Reports
- Similar to a SOC 2; uses the TSP 100 Trust Services Principles
- Primary differences:
  - Does not contain a description of the practitioner's tests of controls and the results of those tests
  - Is a general use report rather than a restricted use report
- An unqualified opinion allows use of the SOC Seal (SysTrust for Service Organizations) on the service provider's website, if the service auditor is licensed by CPA Canada (formerly CICA)
- The SOC 3 Guide was planned for release in Q4 2014... but we're still waiting...

Slide 21: Reports Comparison (comparison table not reproduced in the transcription)

Slide 22: Attestation Standards Updates / SSAE 18 Overview (section divider)

Slide 23: Attestation Clarity Project
- Designed to address concerns over the clarity, length, and complexity of the attestation standards
- Objective: make the AT sections easier to read, understand and apply
- Redrafted the standards using clarity drafting conventions
- Resulted in SSAE 18, Attestation Standards: Clarification and Recodification
- Desire to converge with the standards of the International Auditing and Assurance Standards Board (IAASB): ISAE 3000 (Revised), Assurance Engagements Other Than Audits or Reviews of Historical Financial Information, served as the foundation for the common concepts, examination, and review sections of SSAE 18

Slide 24: Clarity Drafting Conventions
SSAE 18 was drafted using clarity drafting conventions, including:
- Establishing objectives for each AT-C section
- Including a definitions section, where relevant, in each AT-C section
- Separating requirements from application and other explanatory material
- Numbering application and other explanatory material paragraphs with an "A-" prefix and presenting them in a separate section that follows the requirements section
- Using formatting techniques, such as bulleted lists, to enhance readability
- Including, when appropriate, special considerations relevant to audits of smaller, less complex entities within the text of the AT-C section
- Including, when appropriate, special considerations relevant to examination, review, or agreed-upon procedures engagements for governmental entities within the text of the AT-C section
The identifier "AT-C" distinguishes the sections of the clarified attestation standards ("AT-C" sections) from the sections of the attestation standards superseded by SSAE 18 ("AT" sections).

Slide 25: SSAE 18
- Supersedes SSAEs 10-17, except:
  - SSAE 10, Chapter 7 (AT 701), Management's Discussion and Analysis: renamed AT-C 395
  - SSAE 15 (AT 501 and 9501), An Examination of an Entity's Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements, and related interpretation no. 1. However, SAS 130 withdrew AT 501 and the related interpretations for integrated audits for periods ending on or after December 15, 2016
- Effective for reports dated on or after May 1, 2017

Slide 26: Contents of SSAE 18
- AT-C Preface
- AT-C Section 100, Common Concepts
  - AT-C Section 105, Concepts Common to All Attestation Engagements
- AT-C Section 200, Level of Service
  - AT-C Section 205, Examination Engagements
  - AT-C Section 210, Review Engagements
  - AT-C Section 215, Agreed-Upon Procedures Engagements
- AT-C Section 300, Subject Matter
  - AT-C Section 305, Prospective Financial Information
  - AT-C Section 310, Reporting on Pro Forma Financial Information
  - AT-C Section 315, Compliance Attestation
  - AT-C Section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting
  - AT-C Section 395, Management's Discussion and Analysis

Slide 27: What's New in SSAE 18?
- Separate discussion of review engagements: AT 101 combined the discussion of examinations and reviews
- Required representation letters: AT 101 allowed, but did not require, representation letters
- Risk assessment for examination engagements: requires obtaining a more in-depth understanding of the development of the subject matter than previously required, in order to better identify the risks of material misstatement in an examination engagement
- Incorporation of detailed requirements: similar to the SASs, specifies additional requirements (e.g. the need for an engagement letter, or the need to obtain written representations)
- Scope limitation imposed by the engaging party or the responsible party: now allows for a qualified opinion, not only disclaiming an opinion or withdrawing from the engagement

Slide 28: Mapping AT to AT-C
AT section superseded by SSAE No. 18 -> AT-C section designated by SSAE No. 18
- AT 20, Defining Professional Requirements in Statements on Standards for Attestation Engagements -> AT-C 105, Concepts Common to All Attestation Engagements
- AT 50, SSAE Hierarchy -> AT-C 105, Concepts Common to All Attestation Engagements
- AT 101, Attest Engagements -> AT-C 105, Concepts Common to All Attestation Engagements; AT-C 205, Examination Engagements; AT-C 210, Review Engagements
- AT 201, Agreed-Upon Procedures Engagements -> AT-C 215, Agreed-Upon Procedures Engagements
- AT 301, Financial Forecasts and Projections -> AT-C 305, Prospective Financial Information
- AT 401, Reporting on Pro Forma Financial Information -> AT-C 310, Reporting on Pro Forma Financial Information
- AT 501, An Examination of an Entity's Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements -> no AT-C section; Statement on Auditing Standards No. 130, An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements, withdraws AT section 501
- AT 601, Compliance Attestation -> AT-C 315, Compliance Attestation
- AT 701, Management's Discussion and Analysis -> AT-C 395, Management's Discussion and Analysis
- AT 801, Reporting on Controls at a Service Organization -> AT-C 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting

Slide 29: Mapping AT-C to AT
AT-C section designated by SSAE No. 18 <- AT section superseded by SSAE No. 18
- Preface, Preface to the Attestation Standards <- Introduction, Attestation Standards Introduction
- AT-C 100, Common Concepts
  - AT-C 105, Concepts Common to All Attestation Engagements <- AT 20, Defining Professional Requirements in Statements on Standards for Attestation Engagements; AT 50, SSAE Hierarchy; AT 101, Attest Engagements
- AT-C 200, Level of Service
  - AT-C 205, Examination Engagements <- AT 101, Attest Engagements
  - AT-C 210, Review Engagements <- AT 101, Attest Engagements
  - AT-C 215, Agreed-Upon Procedures Engagements <- AT 201, Agreed-Upon Procedures Engagements
- AT-C 300, Subject Matter
  - AT-C 305, Prospective Financial Information <- AT 301, Financial Forecasts and Projections
  - AT-C 310, Reporting on Pro Forma Financial Information <- AT 401, Reporting on Pro Forma Financial Information
  - AT-C 315, Compliance Attestation <- AT 601, Compliance Attestation
  - AT-C 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting <- AT 801, Reporting on Controls at a Service Organization
  - AT-C 395, Management's Discussion and Analysis <- AT 701, Management's Discussion and Analysis

Slide 30: What's new with SOC Reports (section divider)

Slide 31: SOC 2 + Additional Subject Matter
- Introduced in (approximately) 2015
- Allows for addressing additional criteria, additional subject matter using additional suitable criteria, or both; e.g. in addition to addressing the Security Principle, also address the HIPAA Security Rule
- Mappings created from the 2014 version of the Trust Services Principles to:
  - CSA Cloud Controls Matrix
  - HITRUST CSF
  - COBIT 5
  - COSO 2013
  - ISO 27001
  - NIST SP 800-53 R4

Slide 32: Underlying Standard has Changed
- SOC 1
  - Old standard: AT 801 (with attestation guidance provided by the SOC 1 Guide)
  - New standards: AT-C 105, AT-C 205, AT-C 320 (and a brand new SOC 1 Guide!)
- SOC 2 / SOC 3
  - Old standard: AT 101 (with attestation guidance provided by the SOC 2 Guide issued in July 2015)
  - New standards: AT-C 105, AT-C 205 (and the existing SOC 2 Guide)
- For all three SOC reports, any report dated on or after May 1, 2017 must follow the new AT-C standards (SSAE 18)

Slide 33: But that's not all!
- SOC Report = Service Organization Control Report? NO LONGER! SOC has been redefined to mean System and Organization Controls
- According to the AICPA: "By redefining that acronym, the AICPA enables the introduction of new internal control examinations that may be performed (a) for other types of organizations, in addition to service organizations and (b) on either system-level or entity-level controls of such organizations."

Slide 34: SOC Suite of Services
- SOC 1, SOC for Service Organizations: ICFR. AT-C 320 (and AT-C 105 / AT-C 205) plus a new SOC 1 Guide
- SOC 2, SOC for Service Organizations: Trust Services Criteria. AT-C 205 (and AT-C 105) plus the existing SOC 2 Guide
- SOC 3, SOC for Service Organizations: Trust Services Criteria for General Use Report. AT-C 205 (and AT-C 105) plus the existing SOC 2 Guide
- SOC for Cybersecurity (coming soon!). AT-C 205 (and AT-C 105) plus the forthcoming guide, Reporting on an Entity's Cybersecurity Risk Management Program and Controls
- SOC for vendor supply chains (planned for 2018)

Slide 35: SOC for Cybersecurity
- Called a Cybersecurity Examination; it will include:
  - A description of the entity's cybersecurity risk management program
  - An assessment of the effectiveness of the controls within that program to achieve the entity's cybersecurity objectives
- Management is responsible for selecting both the description criteria and the control criteria to be used in the engagement
- Proposed Description Criteria for Management's Description of the Entity's Cybersecurity Risk Management Program: issued 9/15/16; comment period closed 12/5/16; currently the only option for description criteria
- Proposed Revision of Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy: issued 9/15/16; comment period closed 12/5/16; includes updates to better address cybersecurity risks; other cybersecurity control criteria may be used

Slide 36: BREAK (?)

Slide 37: Trust Services Principles Overview and Updates (section divider)

Slide 38: The Trust Services Principles
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy

Slide 39: Trust Services Principles (TSP) Revisions
- AICPA, Technical Practice Aids, TSP sec. 100: originally released in 2006, then updated in 2009
- Major revision to TSP sec. 100 in March/April 2014
  - Removed significant redundancies in wording between the Principles
  - Reorganized into a set of Common Criteria applicable to all Principles, plus additional principle-specific criteria
  - Criteria Common to All [Security, Availability, Processing Integrity, and Confidentiality] Principles: 28 criteria statements
  - Availability: 3 more criteria statements
  - Processing Integrity: 6 more criteria statements
  - Confidentiality: 6 more criteria statements
- Mandatory adoption for reporting periods ending on or after Dec. 15, 2014
- Privacy was updated separately

Slide 40: 2016 Revisions to the Trust Services Principles
- New version released mid-year 2016
- Minor and clarifying updates to various criteria
- Two additional Confidentiality criteria were added to address the retention and disposal of confidential information (total of 8 criteria statements now)
- Incorporated new criteria for Privacy to bring it back into the TSP framework (removing the cross references to the Generally Accepted Privacy Principles)
- Early adoption permitted; mandatory use beginning with reporting periods ending on or after December 15, 2016

Slide 41: Even more Trust Services Revisions!
- Proposed Revision of Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy: issued 9/15/16; comment period closed 12/5/16
- The proposed revision indicates these are expected to become mandatory by 6/15/2018, with early adoption permitted. However, a final version has not yet been issued.
- Significant changes:
  - Renaming: "trust services principles and criteria" are now "trust services criteria"; the five principles (security, availability, processing integrity, confidentiality, and privacy) are now "trust services categories"
  - Aligns the Trust Services Criteria to the COSO 2013 Framework
  - Includes updates to better address cybersecurity risks
  - Adds points of focus to all criteria (in a similar manner to COSO 2013)

Slide 42: TSP Common Criteria
Criteria Common to All [Security, Availability, Processing Integrity, and Confidentiality] Principles:
- CC1.0, Common Criteria Related to Organization and Management
- CC2.0, Common Criteria Related to Communications
- CC3.0, Common Criteria Related to Risk Management and Design and Implementation of Controls
- CC4.0, Common Criteria Related to Monitoring of Controls
- CC5.0, Common Criteria Related to Logical and Physical Access Controls
- CC6.0, Common Criteria Related to System Operations
- CC7.0, Common Criteria Related to Change Management
Additional criteria apply when reporting on Availability, Processing Integrity, or Confidentiality.

Slide 43: What's new with SOC 2 (section divider)

Slide 44: Contents of a SOC 2 Report
- Auditor's Report. What does it cover:
  - Fairness of presentation of the description
  - Suitability of design of the controls
  - Operating effectiveness of controls (Type 2 only)
  - Criteria related to the auditor's evaluation
- Tests of Controls and Results (Type 2 only)
- Whether the carve-out or inclusive method was used
- Other Information from the Service Organization (unaudited)

Slide 45: SOC 2 Guide
- Updated SOC 2 Guide released July 1, 2015
- Provides how-to guidance for service auditors performing examinations under AT section 101
- Incorporates the TSP sec. 100 updates from 2014
- Updated guide expected in 2017 (?)
- Other updates fall into two major categories:
  - Scoping updates: drive changes to the examination process
  - Language updates: will be reflected in reporting deliverables

Slide 46: Scoping Updates
- Non-continuous exam periods: recommendation to either expand the period to cover the gap period or evaluate the potential effect of the excluded time period on users of the report [ref. par. 2.26]
- If addressing Confidentiality or Privacy: the system boundary must include the information life cycle (collection, use, retention, disclosure, and disposal or anonymization of personal information) [ref. par. 1.39 and 3.05]
- Monitoring of a subservice organization: regardless of the subservice organization approach (carve-out or inclusive), controls to monitor services provided by third parties should be included in the description [ref. par. 1.26a(iv)(2) and 3.5]

Slide 47: Scoping Updates (cont.)
- Complementary User Entity Controls (CUECs) and User Entity Responsibilities
  - CUECs are now emphasized as controls necessary to meet one or more criteria
  - Otherwise, a control is considered a User Entity Responsibility (a new concept introduced in the current guide)
  - User Entity Responsibilities are not required to be included in the system description
  - Ref. par. 3.32 through 3.37

Slide 48: Language Updates
- Representation letter: additional representations by management to the service auditor [ref. par. 3.151]
  - Communications from regulators and others have been disclosed
  - Acknowledge responsibility for the subject matter
  - The effect of uncorrected misstatements is immaterial
- System description: additional guidance to the service auditor on evaluating what fair presentation is [ref. par. 3.02]

Slide 49: Language Updates (cont.)
- Control activities: additional guidance to the service auditor on describing controls, including [ref. par. 3.07]:
  - What: the subject matter to which the control applies
  - Who: the party responsible for performing the control
  - How: the nature of the activity performed, including sources of information used in performing the control
  - When: the frequency with which the control is performed or the timing of its occurrence
- Control testing conclusions: example wording for greater clarity in particular situations
  - Sample size, when there are deviations [ref. par. 4.09]
  - Controls with no activity during the period [ref. par. 4.50]

Slide 50: SOC 2 Guide, Other Useful Information
- Appendix C: Illustrative Management Assertion and Related Service Auditor's Report
- Appendix D: Illustrative Type 2 Service Organization Controls Report
- Appendix E: Information for Management of a Service Organization. Generally a restatement of management's responsibilities from various other portions of the guide, but pulled together in one place, in a more reader-friendly format and writing style.

Slide 51 - SOC 2 Guide - Other Useful Information
- Appendix F - Service Auditor Considerations in Performing SOC 2 or SOC 3 Engagements for Cloud Service Organizations (CSOs)
  - Provides an overview of CSOs, deployment models, and challenges unique to CSOs and their impact on performing a SOC 2 / SOC 3 engagement
- Appendix H - Additional Considerations for the Service Auditor Regarding the Trust Services Criteria
  - Provides explanatory information on the seven Common Criteria categories and the additional criteria for Availability, Processing Integrity, and Confidentiality
  - Adds additional context beyond the illustrative risks and controls provided in TSP sec. 100, Appendix B

Slide 52 - User Auditor Requirements

Slide 53 - User Auditor Requirements
- Read the report!!!
  - Does it cover the relevant services?
  - Service Auditor's Opinion:
    - Unqualified? (Good)
    - Qualified? (Not as good, but can be okay)
    - Adverse? (Typically bad)
    - Disclaim an opinion? (Typically very bad)
  - Any deficiencies/deviations? If so, how do they affect the User Entity?
- SAS 122 / AU-C Section 402 - Audit Considerations Relating to an Entity Using a Service Organization
  - Outlines various requirements for User Auditors when evaluating attestation reports
  - Particularly important when evaluating in support of ICFR

Slide 54 - User Auditor Requirements (cont)
- Understand the Service Organization / evaluate the appropriateness of the report in support of the User Organization audit (ref. AU-C 402 par. .13-.14, .17)
  - Service Auditor's professional competence
  - Adequacy of the standards utilized
  - Time period covered
  - Sufficiency and appropriateness of the evidence provided for the understanding of the user entity's internal control
    - Description of the system sufficient/understandable?
    - Control Objectives/Criteria relevant, sufficient, understandable?
    - Controls relevant, sufficient, understandable?
  - Sufficiency and appropriateness of the tests of controls performed by the Service Auditor
  - Evaluate complementary user entity controls for relevance, design and implementation

Slide 55 - User Auditor Requirements (cont)
- Complementary User Entity Controls, from AU-C 402, par. .08: "Controls that management of the service organization assumes, in the design of its service, will be implemented by user entities, and which, if necessary to achieve the control objectives stated in management's description of the service organization's system, are identified as such in that description."
- The User Auditor should determine which are relevant to the user entity audit, then evaluate the User Entity for design and implementation of those controls
  - One way is to map Complementary User Entity Controls to User Entity Controls

Slide 56 - User Auditor Requirements (cont)
- What if the report is insufficient for the audit need?
  - Contact the service organization, through the user entity, to obtain specific information
  - Visit the service organization and perform procedures that will provide the necessary information about the relevant controls at the service organization
  - Use another auditor to perform procedures that will provide the necessary information about the relevant controls at the service organization
  - Refer to AU-C 402 par. .12 for additional information

Slide 57 - Common Issues / Lessons Learned (SOC 1 and SOC 2)
- Control Objectives included which are not relevant to ICFR
- System Descriptions insufficient to understand the flow of transactions/processes
- Description of a control insufficient to understand the control activity
- Report only covers ITGC, but services provided include transaction or other information processing, etc.
- Description includes controls that have not been implemented
- Descriptions of processes and related controls are incomplete and the user is unable to understand the processing flow through the system (who?, what?, where?, when?, how?)
- Applicable trust services criteria are intended to be met by controls at the subservice organization and the description does not identify the controls expected to be implemented at a carved-out service organization

Slide 58 - Questions?

Slide 59 - References and Sources
- AICPA.org - links to all current SASs and SSAEs, including SSAE 18 (AT-C 105, AT-C 205, AT-C 320, etc.)
  - http://www.aicpa.org/research/standards/auditattest/pages/sas.aspx
  - http://www.aicpa.org/research/standards/auditattest/pages/ssae.aspx
- AICPA SOC Reports home page: http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/sorhome.aspx
- AICPA Guides, Alerts (available in a variety of formats for purchase), and Information
  - SOC 1: http://www.aicpastore.com/ast/main/cpa2biz_primary/soc/prdovr~pc-0127910/pc-0127910.jsp
  - SOC 2: http://www.aicpastore.com/ast/main/cpa2biz_primary/soc/prdovr~pc-0128210/pc-0128210.jsp
  - SOC 2+: http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/soc2additionalsubjectmatter.aspx
  - Trust Services Principles and Criteria (2016) (download or online subscription): http://www.aicpastore.com/auditattest/topicspecificguidance/trust-services-principles-and-criteria/prdovr~pc-tspc13/pc-tspc13.jsp
- Proposed Trust Services Criteria Updates
  - Exposure Draft: http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/exposuredrafts/asec_ed_rev_trust_services.pdf
  - Mapping proposed criteria to existing (2016) criteria: http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/cybersecurity/mapping_proposed_tsc_current_tspc.pdf
- Cloud Security Alliance Position Paper on AICPA SOC Reports: https://cloudsecurityalliance.org/research/collaborate/#_aicpa
- Brief history of all SAS with links to full text for many: http://en.wikipedia.org/wiki/statements_on_auditing_standards_(united_states)
- AICPA Cybersecurity Resources
  - AICPA Cybersecurity Initiative: http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/aicpacybersecurityinitiative.aspx
  - AICPA Cybersecurity Resource Center: http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/cyber-security-resourcecenter.aspx

Thank You!
Jeff Pershing, CISA, CISM, CISSP
Jeff@PershingConsulting.com