Service Organization Control Reports What Have We Learned? Chris Bruhn DIRECTOR, IT RISK SERVICES, BKD, LLP SAS 70 ENDS EXIT TO SSAE 16

Agenda What are Service Organization Control (SOC) Reports? Reading a Report Experiences – SOC1 (SSAE 16) Experiences – SOC 2 & SOC 3 Current Developments Questions / Discussion

SOC Report: Key Terms Service Organization – provider of services that may impact a risk to a user’s financial reporting, or that pose a business or compliance risk Service auditor – a CPA who examines and reports on controls at a service organization Users and User Auditor – clients of service organization and their financial auditors  May need assurance regarding controls over ICFR (SOC1) or security, availability, processing integrity, confidentiality or privacy (SOC2) By the way…  No such thing as SOC “certified”

Service Organization Control Reports SAS 70 ENDS EXIT TO SSAE 16

Service Organization Control Reports SOC 1SOC 2SOC 3 PurposeReport on controls relevant to user entities ICFR 1 Report on controls related to compliance and operations Use of ReportRestricted 2 Restricted 3 General Report DetailIncludes Testing Detail Type 1 or Type 2 Includes Testing Detail Type 1 or Type 2 No Testing Detail AICPA Interpretive Guidance & Reporting Vehicle SSAE 16, AICPA Guide AT 101, AICPA Trust Services Principles, AICPA Guide AT 101, AICPA Trust Services Principles TSP Internal Control Over Financial Reporting 2 Service Organization Management, Users, Users Auditor 3 Service Organization Management, Users, Knowledgeable Parties

SOC Report: Two Types Type 1  Auditor’s opinion includes: fairness of presentation of management’s description of the service organization’s system, and; The suitability of design of controls  As of a point in time May be useful when: Organization is new An understanding system and controls is needed Recently made significant changes Insufficient time or history to perform Type 2

SOC Report: Two Types Type 2  Auditor’s opinion covers the same as Type1 plus: operating effectiveness of key controls  Covers a period of time Changes must be captured in the description and control testing  A detailed description of service auditor’s tests of controls and results

Reading a Report

SOC Report Content Section I  Auditor Opinion Section II  Management Assertion  Description of the system (Narrative)  Complementary User Entity Control Considerations (CUEC’s) Section III  Control Objectives, Control Activities, and results of testing for Type 2  And for SOC 2 – mapping of organization’s controls to applicable trust services principle criteria Section IV  Other – unaudited information

Report Components: Auditor’s Opinion Auditor’s Opinion  Qualified (Modified) Concept of materiality is not applicable when auditor reports results of testing  References to subservice organizations Inclusive or Exclusive  Complementary User Entity Controls (CUEC’s)  Auditor is in the role of providing assurance regarding management’s assertions

Report Components: Management Assertion Management’s Assertion states*  System fairly represented  System suitably designed and implemented  The related controls activities were suitably designed to achieve the stated control objectives  That the control activities are operating effectively throughout the report period (Type 2 only) *The auditor opinion attests to these statements. Subservice Organizations Inclusive or Exclusive

Report Components: Management Assertion The report will reference that management is responsible for:  Preparing the system description  Providing the stated services  Specifying the control objectives  Identifying the risks  Selecting and stating the criteria for their assertion (e.g. monitoring activities)  Designing, implementing and documenting controls that are suitably designed and operating effectively

Report Components: System Description SSAE 16 requires a description of the system Components common to Descriptions  Organizational Overview  Types of Services covered  COSO Risk Categories  Specified Control objectives and related control activities  Complementary user entity controls (CUEC’s)

Report Components: Control Description Control Objectives  Organization / scope of objectives  Sufficiency of service process areas compared to services utilized  Completeness for your purpose Control Activities  Completeness  Description of testing  Results / exceptions  Impact of exceptions on your services

Report Components Other Information  Period of coverage  Other unaudited information relevant to user Management responses to opinion modifications or testing exceptions Glossary BCP / DR executive overview Organizational information Subsequent events

SOC 1 – Experiences and Key Issues

Using a SOC1 Report  Understand scope of assertion and description Unique service lines or applications Sub-service organizations (inclusive vs. exclusive)  Can I place reliance on the report? Is the scope of the report in-line with related services impacting financial reporting? Are objectives and controls appropriate for the financial reporting risks associated with services? Are User Controls in place?

Key Issues: Supporting Control Design Risk Assessment Supporting Control Design Services Provided Assessment of risks to services leads to: Control Objectives Assessment of risk to control objective leads to: Control Activities

Key Issues: Supporting Control Design Types of Control Objectives  Entity  IT General Controls  Business Process  Regulatory or customer defined Risk Assertions defined  ICFR (complete, accurate, timely, valuation, etc.)  Trust Services Principles

Key Issues: Design of Control Activities Completeness of activities to address risks to control objective Specificity of activities  Controls vs. processes  Specific  Testable Identifying and maintaining supporting documentation Relating user entity control considerations

SOC 2 –Experiences and Key Issues

SOC 2 Reporting TSP Criteria  Security (Common Criteria): The system is protected against unauthorized access, use, or modification  Availability: The system is available for operation and use as committed or agreed.  Processing Integrity: System processing is complete, valid, accurate, timely, and authorized.  Confidentiality: Information designated as confidential is protected as committed or agreed.  Privacy: System’s collection, use, retention, disclosure, and disposal of personal information in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and Canadian Institute of Chartered Accountants

Unique SOC 2 Key Issues Most Issues the same as SSAE 16 Identification of applicable Trust Service Principles / Criteria Major issue was overlap of criteria –addressed with TSP update effective 12/15/14 New SOC 2 & 3 audit guide issued June 2015  More guidance on identifying expectations at subservice organization

Unique SOC 2 Key Issues Narrative  Discussion of key TSP criteria managed by subservice organizations  Identification of reliance on relevant subservice organizations controls for achieving key TSP criteria Report  Display of control activities supporting selected TSP criteria

Reporting to Multiple Audiences Multiple reports scenarios  SOC 1 and SOC 2 Services impacting ICFR of user and other services with trust services principles concerns  SOC 2 and SOC 3 Services not impacting ICFR and need to use beyond current userssuch as marketing to prospects  SOC 1 and SOC 3 Services impacting ICFR of user and other services with trust services principles concerns or marketing needs Note – must be separate reports

Unique SOC 3 Considerations Public report Very abbreviated report – essentially a “SOC 2 light” Assertion and Opinion only opine on:  Suitability of design  Operating effectiveness of controls  Not on system description Description is brief and does not include the detail as a SOC 2 No longer has a required seal  There is a SOC logo that an organization can display from AICPA  Must register and have a report within the last year

Unique SOC 3 Requirements Essentially must do SOC 2 in order to issue a SOC 3  SOC 2 report must have an unqualified opinion  Must cover at least a 2 month period Currently cannot issue a SOC 3 unqualified opinion if  There are carved out subservice organizations in the SOC 2  There are significant complementary user-entity controls necessary to achieve the applicable trust services principles’ criteria

Current Developments SOC2 Plus  Cloud Security Alliance  HITRUST  Additional considerations for the future Privacy TSP exposure draft out now for comment

Questions / Discussion

Thank you for attending. Learn more at bkd.com FOR MORE INFORMATION // For a complete list of our offices and subsidiaries, visit bkd.com or contact: Chris Bruhn, CPA, CISA, CITP // Director //