ISACA Cincinnati Chapter March Meeting

Similar documents
Evaluating SOC Reports and NEW Reporting Requirements

Retirement of SAS 70 and a new generation of Service Organization Control (SOC) Reports

SOC Reporting / SSAE 18 Update July, 2017

C22: SAS 70 Practices and Developments Todd Bishop, PricewaterhouseCoopers

Service Organization Control (SOC) Reports: What they are and what to do with them MARCH 21, 2017

Demonstrating data privacy for GDPR and beyond

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice

EY s data privacy service offering

SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions

SAS 70 & SSAE 16: Changes & Impact on Credit Unions. Agenda

Making trust evident Reporting on controls at Service Organizations

Adopting SSAE 18 for SOC 1 reports

Transitioning from SAS 70 to SSAE 16

SAS 70 SOC 1 SOC 2 SOC 3. Type 1 Type 2

SOC for cybersecurity

A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS

Safeguarding unclassified controlled technical information (UCTI)

WHICH SOC REPORT IS RIGHT FOR YOUR CLIENT?

Audit Considerations Relating to an Entity Using a Service Organization

Protecting your data. EY s approach to data privacy and information security

SOC Reports The 2017 Update: What s new, What s not, and What you should be doing with the SOC Reports you receive! Presented by Jeff Pershing

IT Attestation in the Cloud Era

SSAE 18 & new SOC approach to compliance. Moderator Name: Patricio Garcia Managing Partner ControlCase Attestation Services

Introduction. When it comes to GDPR compliance, is OK for now enough? Minds made for protecting financial services

SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY?

Exploring Emerging Cyber Attest Requirements

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

SOC Lessons Learned and Reporting Changes

Information for entity management. April 2018

Mastering SOC-1 Attestation Reports Under SSAE 16: Auditing Service Organizations Controls in the Cloud

Understanding and Evaluating Service Organization Controls (SOC) Reports

Step 1: Open browser to navigate to the data science challenge home page

COBIT 5 With COSO 2013

Big data privacy in Australia

CSF to Support SOC 2 Repor(ng

Achieving third-party reporting proficiency with SOC 2+

California ISO Audit Results for 2011 SSAE 16 & Looking Forward for 2012 December 15, 2011

SOC 3 for Security and Availability

Citation for published version (APA): Berthing, H. H. (2014). Vision for IT Audit Abstract from Nordic ISACA Conference 2014, Oslo, Norway.

HITRUST CSF: One Framework

IGNITING GROWTH. Why a SOC Report Makes All the Difference

The SOC 2 Compliance Handbook:

SAS 70 revised. ISAE 3402 will focus on financial reporting control procedures. Compact_ IT Advisory 41. Introduction

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

SOC Updates: Understanding SOC for Cybersecurity and SSAE 18. May 23, 2017

What s new in EY Atlas. November 2018

Auditing IT General Controls

International Auditing and Assurance Standards Board (IAASB) International Federation of Accountants 545 Fifth Avenue, 14 th Floor New York, NY 10017

EY s Data Privacy Services. January 2019

Forensic analysis with leading technology: the intelligent connection Fraud Investigation & Dispute Services

INTO THE CLOUD WHAT YOU NEED TO KNOW ABOUT ADOPTION AND ENSURING COMPLIANCE

Tax News Update: Global Edition (GTNU) User Guide

SAS70 Type II Reports Use and Interpretation for SOX

Workday s Robust Privacy Program

Studio Guggino and Newtonpartner S.r.l. a team of professionals at the service of your Company

Article II - Standards Section V - Continuing Education Requirements

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

ADVANCED AUDIT AND ASSURANCE

Hong Kong Institute of Certified Public Accountants Practising Certificate ("PC") Business Assurance

Within our recommendations for editorial changes, additions are noted in bold underline and deletions in strike-through.

Google Cloud & the General Data Protection Regulation (GDPR)

26 February Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, NW Washington, DC

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Robert Brammer. Senior Advisor to the Internet2 CEO Internet2 NET+ Security Assessment Forum. 8 April 2014

Quality Management Systems (ISO 9001:2015 and ISO 29001) Lead Auditor training (EY/IMSA Q03)

HIPAA Privacy, Security and Breach Notification

Cyber Security in M&A. Joshua Stone, CIA, CFE, CISA

EY Training. Project Management Professional PMP. Exam preparatory course. 30 September 4 October 2018

Credit Union Service Organization Compliance

The value of visibility. Cybersecurity risk management examination

BENEFITS of MEMBERSHIP FOR YOUR INSTITUTION

REPORT 2015/149 INTERNAL AUDIT DIVISION

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH

Cyber Risks in the Boardroom Conference

Cybersecurity requirements for financial services companies

ISAE 3402 and SSAE 16 (replacing SAS 70) Reinforcing confidence through demonstration of effective controls

Project Management Professional PMP. Exam preparatory course

Testers vs Writers: Pen tests Quality in Assurance Projects. 10 November Defcamp7

WHITE PAPER. Title. Managed Services for SAS Technology

Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance

Internal Audit Report. Electronic Bidding and Contract Letting TxDOT Office of Internal Audit

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

IT Audit Process. Prof. Mike Romeu. January 30, IT Audit Process. Prof. Mike Romeu

Business Assurance for the 21st Century

Embedded SIM Study. September 2015 update

Cyber Security Reliability Standards CIP V5 Transition Guidance:

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

Error! No text of specified style in document.

Article I - Administrative Bylaws Section IV - Coordinator Assignments

How to avoid storms in the cloud. The Australian experience and global trends

Introduction to AWS GoldBase

Global Specification Protocol for Organisations Certifying to an ISO Standard related to Market, Opinion and Social Research.

UNCONTROLLED IF PRINTED

HITRUST CSF Roadmap for 2018 and Beyond HITRUST Alliance.

EY Norwegian Cloud Maturity Survey Current and planned adoption of cloud services

IS Audit and Assurance Guideline 2002 Organisational Independence

REPORT 2015/186 INTERNAL AUDIT DIVISION

Transcription:

ISACA Cincinnati Chapter March Meeting Recent and Proposed Changes to SOC Reports Impacting Service and User Organizations. March 3, 2015 Presenters: Sayontan Basu-Mallick Lori Johnson

Agenda SOCR Overview Difference between SOC1, SOC2 and SOC3 Changing SOCR Community Update to ISAE 3402 Changes to the AICPA attestation standards SOC 2 Trust Principal Update SOC 2 Plus Updates from an user organization perspective Independence Page 1

SOCR Overview

SOC 1 elements System People Processes Applications Infrastructure User entities financial statement assertions Risk assessment Controls System description Services provided Procedures Accounting records Significant events Entity-level controls Reporting User control considerations Control objectives Reasonable basis for management asserting controls were consistently applied Existing testing/ validation On-going monitoring Limited additional testing Management s written assertion Service auditor s report Page 3

SOC 1, SOC 2 or SOC 3? Other Page 4

SOC 1, SOC 2 or SOC 3? Who will use the communication? User s areas of interest? User s business Purpose? What criteria will the report measure against? Conclude on report type and distribution method? Direct consumer User entity Business Partner Management/ BOD User service organization Regulator Other Controls relevant to financial audits Security Availability Processing integrity Confidentiality Regulatory/ self regulatory Contractual compliance Meet audit needs Governance/ risk management Vendor management Regulatory compliance Contractual compliance Internal report management confidence Enhance trust regarding service Financial statement assertions Industry standards Contractually specified Regulatory requirements Other SOC 1 SOC 2 SOC 3 Agreed upon procedures AT 101, AT 601 Findings and recommendations (internal-use, no assurance provided) Privacy Other Other Page 5

SOC 2 and SOC 3 SOC 2 - Provides information about internal control at the service organization related to the Trust Services Principles - security, availability, processing integrity, confidentiality, or privacy (restricted use) SOC 3 - Provides information about the service organization s achievement of the Trust Services criteria related to security, availability, processing integrity, confidentiality, or privacy (general use) Page 6

A Service Provider Perspective Source: 2014 EY Service Organization Controls Reporting Survey Results Page 7

Changing SOCR Community

We are in the midst of significant changes for SOCR Alerts, changes, and guidance PCAOB Staff Audit Practice Alert #11 Timeline October 2013 (published) ISAE 3402 international guidance update December 15, 2015 (effective date) AT 801 US guidance update Updated Trust Services Principles and Criteria December 2015 or later (anticipated effective date) December 15, 2014 (effective date) Page 9

Changing Standards and Guidance New and Pending Guidance PCAOB Staff Audit Practice Alert No. 11 SOC 2 Guide Winter 2014 SOC 3 Guide Winter 2014/2015 Revised AICPA attestation standards, including AT 801 2014 Trust Services Privacy currently under revision Exposure provided in June 2014 Effective 2015 Page 10

PCAOB SAPA 11 observations other observations While the PCAOB has not directly focused on the quality of SOC 1 reports, many reports may not be deemed sufficient if subject to the scrutiny given to other audit documentation. Alert 11 identifies areas for specific improvement. Roll-forward of controls Obtain sufficient evidence to update the results of testing of controls from an interim date to year-end Using the work of others Sufficiently perform procedures regarding the use of the work of others Evaluating control deficiencies If a deviation exists and we conclude a control is not effective, do the remaining controls address the identified risks? Sufficiently evaluate identified control deficiencies Page 11

Update to ISAE 3402

Update to ISAE 3402 Updated ISAE3000 and ISAE3402 Released in December 2013 - effective for reports dated on or after 15 December 2015 Most changes are technical reporting matters that will not be visible to the service provider ISAE3402 now a supplement to ISAE 3000 rather than a stand-alone standard Management s Assertion now Management s Statement Requirement that the service auditor s report contain a statement that the service auditor applies ISQC (International Standard on Quality Control) 1 Requirement that that the service auditor s report contain a statement that the service auditor complies with independence and other IESBA (International Ethics Standards Board for Accountants) code requirements Page 13

Significant changes (continued) Concept of engagement partner introduced Where required, has the appropriate authority from a professional, legal or regulatory body Engagement quality control review Risk-based approach Page 14

Changes to the AICPA attestation standards

Proposed changes to the AICPA attestation standards, including SOC 1 The AICPA Attestation Standards (published in the Statements on Standards for Attestation engagements or SSAEs) establish requirements for examining, reviewing, and applying agreedupon procedures to subject matter other than financial statements The Auditing Standards Board (ASB) is undertaking significant effort to improve the clarity and quality of the attestation standards The revised standards are expected to be finalized during the 4 th quarter 2015 Anticipated effective date is reports with an opinion date on or after May 1, 2017 Page 16

Summary of key changes for SOC 1 (AT 801) Changes to description Inclusion of complementary subservice organization controls when carve-out method is used Disclosure of monitoring controls over subservice organizations Sufficiency of descriptions of controls Descriptions of reports Definition of subservice organization still being discussed Definition of complementary user entity controls still being discussed Page 17

Summary of key changes for SOC 1 (continued) Changes in auditor responsibilities Clarifying the use of a risk-based approach to the service auditor s examination Understanding the internal audit function and reading all relevant reports Identification of the risk of material misstatement and evaluation of whether the description meets the needs of user auditors Evaluating control objectives and performing separate identification of the risks that threaten the achievement of the control objectives Excessive use of the work of internal audit still being discussed Page 18

Changes to the attestation standards Many similarities with revisions to ISAE 3000 Engagement partner Engagement risk-based approach Engagement quality control review Intended to be self-contained minimal reference to US auditing standards Page 19

Subservice organization challenge ISA 402/AU-C 402 If the user auditor plans to use a type 1 or a type 2 report that excludes the services provided by a subservice organization and those services are relevant to the audit of the user entity s financial statements, the user auditor shall apply the requirements of this ISA with respect to the services provided by the subservice organization. PCAOB inspections have identified failure to perform procedures on carved-out subservice organizations as an issue. User auditors are expressing greater concern over carved-out subservice organizations. Page 20

Subservice organizations - Issues in inclusive and carved-out reports Inclusive reports Subservice organizations are often reluctant to participate Provide services to multiple primary service organizations Contractual concerns Coordination of testing Carve-out reports No contractual relationship between users and subservice organization Report period Timing of report availability User organizations can monitor primary service providers, usually cannot monitor subservice organizations Users need to tie the subservice organization CUECs to controls at the primary service organization Page 21

Analysis of monitoring Understand user-entity financial statement assertions Identify control objectives Identify risks that threaten the achievement of the control objectives Identify the risks that are directly addressed by controls at the subservice organization Identify monitoring/reporting and other evidence that the controls at the subservice organization are functioning as designed Consider testing Page 22

Subservice organizations Resolving issues SOC 1 guide encourages description of monitoring controls even when carving-out Monitoring may be sufficient to make controls at vendor not relevant to users Examples of effective monitoring controls: Colocation Facility Controls: Physical access and environment Monitoring controls: physical access approvals, periodic evaluations Securities Pricing Services Controls: Valuation of investments Monitoring controls: Pricing comparison Page 23

Carved-out subservice organization CUECs Identifies risks that threaten the achievement of the control objectives Includes risks that arise from using a subservice organization Usually will include risk that subservice organization CUECs need to address If a SOC 1 report is not available from the subservice organization, consider manuals, contracts or other communications from the subservice organization Page 24

SOC2 Trust Principal Update

SOC reporting trends Current State Which of the following areas are seeing an increased interest / demand for independent assurance from your clients? Processes not related to financial transaction (e.g., customer management) 20% Regulatory Compliance (e.g., Financial Market Supervisory Authority) 67% Cloud Services 22% SOC2 Elements Data Integrity 59% Availability / business continuity 71% Data Privacy 59% Source: 2014 EY Service Organization Controls Reporting Survey Results Page 26

The 2014 Trust Services principles and criteria Issued January 2014 Effective for periods ending on or after December 15, 2014, but early adoption encouraged Established by the Assurance Services Executive Committee (ASEC) of the AICPA Consolidates the common criteria across the Trust Services principles, security, availability, processing integrity, and confidentiality Page 27

The 2014 Trust Services principles and criteria SOC 2 principles and criteria PRINCIPLES CRITERIA Organization Communications Risk management Monitoring Access controls System operations Change Management Security Availability Processing Integrity Confidentiality X X X X X X X X X X X X X X X X X X X X X X X X X X X X Page 28

The 2014 Trust Services principles and criteria principles Established by the Assurance Services Executive Committee (ASEC) of the AICPA: Security: The system is protected against unauthorized access, use, or modification. Availability: The system is available for operation and use as committed or agreed. Processing integrity: System processing is complete, valid, accurate, timely, and authorized. Confidentiality: Information designated as confidential is protected as committed or agreed; Privacy: Addresses the system s collection, use, retention, disclosure, and disposal of personal information Page 29

SOC 2 expected 2015 changes Updated for 2014 Trust Service criteria Increased guidance to service auditors on how to plan and perform an engagement Sufficiency of description Suitability of design of controls Guidance by trust services grouping Principle Controls that did not operate during the period User entity responsibilities vs. complementary user entity controls Subservice organizations Page 30

New SOC 2 reporting opportunities SOC 2 reporting options Report Level of effort Opinion SOC 2 Baseline Standard opinion SOC 2 with a mapping to another framework SOC 2 Plus Not likely to require additional controls outside of Trust Services Principles Controls required to align to Trust Services Principles and the selected framework(s) Standard opinion Standard opinion plus an opinion on the selected framework(s) Page 31

New SOC 2 reporting opportunities (continued) Common frameworks requested by our clients and their stakeholders: Framework Mapping to SOC 2 available SOC 2 Plus possible Other Attestation report ISO 27001 4 4 ISO Certification Cyber Security for Critical Infrastructure 4 4 NIST 800-53 R4 In progress HIPAA 4 4 PCI 4 Cloud Security Alliance Cloud Control Matrix 4 4 FISMA Federal Risk and Authorization Management Program (FedRAMP) AT101 AT101 in progress Page 32

Multi-framework SOC2 Reporting

Updates from an user organization perspective

A User Organization Perspective Source: 2014 EY Service Organization Controls Reporting Survey Results Page 35

A User Organization Perspective (5) User auditor viewpoint on SOC report AICPA SOC 1 Guide 3.40 states that The degree of detail included in the description (SOC 1) generally is equivalent to the degree of detail a user auditor would need if the user entity were performing the outsourced services themselves This applies to all aspects of the SOC 1 report Auditor opinion Management assertion Description Evaluation of Carved out sub service providers Identified deficiencies Wording of controls Wording and results of testing Page 36

A User Organization Perspective (6) User auditor viewpoint on SOC report The description should be documented as if the user entity were performing the outsourced service Clear description of the process flow consider a flowchart Identification of key process owners, inputs, outputs, reports Control objectives related to financial statement and IT risks Description of relationship with carved out subservice providers, including the affected control objectives Increased level of detail provided in the test procedures and results section When describing controls Of the auditor s tests and results Identified deviations Page 37

Recent changes/trends that impact user organizations and user auditors Sufficiency of coverage provided by the Type 2 SOC report The PCAOB is increasingly questioning reliance on SOC reports when the SOC report does not cover an adequate period of the company s audit period. Adequacy is determined based on period covered in the SOC report, the nature of services provided, the risk of impacted accounts at the user organization, among other factors. Use of SOC 2 reports in support of financial statement audit This is becoming more acceptable where transaction processing and reporting services are not performed and the system description and controls can be adequately represented in a SOC 2 report. Page 38

Independence update

Independence update SEC matters Reports included in SEC filings or prepared to meet an SEC requirement (e.g., custody rule) bookkeeping services has been interpreted to include word processing and printing services and are prohibited Single user reports SEC has taken the position that a EY audit client user entity should not use an EY prepared single user SOC 1 report as it s basis for SOx assessment. Page 40

Questions?

EY Assurance Tax Transactions Advisory About EY EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities. EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com. Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US. 2014 Ernst & Young LLP. All Rights Reserved. 1405-1254075 ED None This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice. ey.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback