Service Organization Control Reports: What Have We Learned?
Chris Bruhn, Director, IT Risk Services, BKD, LLP
SAS 70 Ends: Exit to SSAE 16

Agenda
- What are Service Organization Control (SOC) Reports?
- Reading a Report
- Experiences: SOC 1 (SSAE 16)
- Experiences: SOC 2 & SOC 3
- Current Developments
- Questions / Discussion

SOC Report: Key Terms
- Service Organization: a provider of services that may affect a user's financial reporting, or that pose a business or compliance risk
- Service Auditor: a CPA who examines and reports on controls at a service organization
- Users and User Auditor: clients of the service organization and their financial auditors
  - May need assurance regarding controls over ICFR (SOC 1) or over security, availability, processing integrity, confidentiality or privacy (SOC 2)
By the way: there is no such thing as SOC "certified".

Service Organization Control Reports
SAS 70 Ends: Exit to SSAE 16

Service Organization Control Reports

| | SOC 1 | SOC 2 | SOC 3 |
|---|---|---|---|
| Purpose | Report on controls relevant to user entities' ICFR (1) | Report on controls related to compliance and operations | Report on controls related to compliance and operations |
| Use of Report | Restricted (2) | Restricted (3) | General |
| Report Detail | Includes testing detail; Type 1 or Type 2 | Includes testing detail; Type 1 or Type 2 | No testing detail |
| AICPA Interpretive Guidance & Reporting Vehicle | SSAE 16, AICPA Guide | AT 101, AICPA Trust Services Principles, AICPA Guide | AT 101, AICPA Trust Services Principles (TSP) |

(1) Internal Control Over Financial Reporting
(2) Service organization management, users, users' auditors
(3) Service organization management, users, knowledgeable parties

SOC Report: Two Types - Type 1
- Auditor's opinion includes:
  - Fairness of presentation of management's description of the service organization's system, and
  - The suitability of the design of controls
- As of a point in time
- May be useful when:
  - The organization is new
  - An understanding of the system and controls is needed
  - Significant changes were recently made
  - There is insufficient time or history to perform a Type 2

SOC Report: Two Types - Type 2
- Auditor's opinion covers the same as Type 1 plus:
  - Operating effectiveness of key controls
- Covers a period of time
  - Changes must be captured in the description and control testing
- A detailed description of the service auditor's tests of controls and results

Reading a Report

SOC Report Content
Section I
- Auditor's opinion
Section II
- Management assertion
- Description of the system (narrative)
- Complementary User Entity Control Considerations (CUECs)
Section III
- Control objectives, control activities, and results of testing (Type 2)
- For SOC 2: mapping of the organization's controls to the applicable trust services principles criteria
Section IV
- Other: unaudited information

Report Components: Auditor's Opinion
- Auditor's opinion
  - Qualified (modified)
  - The concept of materiality is not applicable when the auditor reports results of testing
- References to subservice organizations: inclusive or exclusive
- Complementary User Entity Controls (CUECs)
- The auditor is in the role of providing assurance regarding management's assertions

Report Components: Management Assertion
Management's assertion states*:
- The system is fairly represented
- The system is suitably designed and implemented
- The related control activities were suitably designed to achieve the stated control objectives
- The control activities are operating effectively throughout the report period (Type 2 only)
* The auditor's opinion attests to these statements.
Subservice organizations: inclusive or exclusive

Report Components: Management Assertion
The report will reference that management is responsible for:
- Preparing the system description
- Providing the stated services
- Specifying the control objectives
- Identifying the risks
- Selecting and stating the criteria for their assertion (e.g. monitoring activities)
- Designing, implementing and documenting controls that are suitably designed and operating effectively

Report Components: System Description
SSAE 16 requires a description of the system. Components common to descriptions:
- Organizational overview
- Types of services covered
- COSO risk categories
- Specified control objectives and related control activities
- Complementary user entity controls (CUECs)

Report Components: Control Description
Control objectives
- Organization / scope of objectives
- Sufficiency of service process areas compared to the services utilized
- Completeness for your purpose
Control activities
- Completeness
- Description of testing
- Results / exceptions
- Impact of exceptions on your services

Report Components: Other Information
- Period of coverage
- Other unaudited information relevant to the user
  - Management responses to opinion modifications or testing exceptions
  - Glossary
  - BCP / DR executive overview
  - Organizational information
  - Subsequent events

SOC 1 – Experiences and Key Issues

Using a SOC 1 Report
- Understand the scope of the assertion and description
  - Unique service lines or applications
  - Subservice organizations (inclusive vs. exclusive)
- Can I place reliance on the report?
  - Is the scope of the report in line with the related services impacting financial reporting?
  - Are the objectives and controls appropriate for the financial reporting risks associated with the services?
  - Are user controls in place?

Key Issues: Supporting Control Design
Risk assessment supporting control design:
- Services provided
  - Assessment of risks to the services leads to: Control objectives
  - Assessment of risks to each control objective leads to: Control activities

Key Issues: Supporting Control Design
Types of control objectives
- Entity
- IT general controls
- Business process
- Regulatory or customer defined
Risk assertions defined
- ICFR (complete, accurate, timely, valuation, etc.)
- Trust Services Principles

Key Issues: Design of Control Activities
- Completeness of activities to address risks to the control objective
- Specificity of activities
  - Controls vs. processes
  - Specific
  - Testable
- Identifying and maintaining supporting documentation
- Relating user entity control considerations

SOC 2 – Experiences and Key Issues

SOC 2 Reporting: TSP Criteria
- Security (Common Criteria): The system is protected against unauthorized access, use, or modification.
- Availability: The system is available for operation and use as committed or agreed.
- Processing Integrity: System processing is complete, valid, accurate, timely, and authorized.
- Confidentiality: Information designated as confidential is protected as committed or agreed.
- Privacy: The system's collection, use, retention, disclosure, and disposal of personal information conform with the commitments in the entity's privacy notice and with the criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and the Canadian Institute of Chartered Accountants.

Unique SOC 2 Key Issues
- Most issues are the same as for SSAE 16
- Identification of the applicable Trust Services Principles / Criteria
  - The major issue was overlap of criteria; addressed with the TSP update effective 12/15/14
- New SOC 2 & 3 audit guide issued June 2015
  - More guidance on identifying expectations at subservice organizations

Unique SOC 2 Key Issues
Narrative
- Discussion of key TSP criteria managed by subservice organizations
- Identification of reliance on relevant subservice organization controls for achieving key TSP criteria
Report
- Display of control activities supporting the selected TSP criteria

Reporting to Multiple Audiences
Multiple report scenarios:
- SOC 1 and SOC 2: services impacting the user's ICFR, plus other services with trust services principles concerns
- SOC 2 and SOC 3: services not impacting ICFR, with a need for use beyond current users, such as marketing to prospects
- SOC 1 and SOC 3: services impacting the user's ICFR, plus other services with trust services principles concerns or marketing needs
Note: these must be separate reports.

Unique SOC 3 Considerations
- Public report
- Very abbreviated report; essentially a "SOC 2 light"
- Assertion and opinion only opine on:
  - Suitability of design
  - Operating effectiveness of controls
  - Not on the system description
- Description is brief and does not include the detail of a SOC 2
- No longer has a required seal
  - There is a SOC logo from the AICPA that an organization can display
  - Must register and have a report within the last year

Unique SOC 3 Requirements
- Essentially must do a SOC 2 in order to issue a SOC 3
  - The SOC 2 report must have an unqualified opinion
  - Must cover at least a 2 month period
- Currently cannot issue a SOC 3 unqualified opinion if:
  - There are carved-out subservice organizations in the SOC 2
  - There are significant complementary user entity controls necessary to achieve the applicable trust services principles' criteria

Current Developments
- SOC 2 Plus
  - Cloud Security Alliance
  - HITRUST
- Additional considerations for the future
  - Privacy TSP exposure draft out now for comment

Questions / Discussion

Thank you for attending. Learn more at bkd.com.
For more information: for a complete list of our offices and subsidiaries, visit bkd.com or contact Chris Bruhn, CPA, CISA, CITP // Director //