Presented by: Chris Pembrook, CPA, MBA, CGAP, Cr.FA, and Frank Crawford, CPA (@fcrawfordcpa on Twitter), Crawford & Associates, P.C.


SSAE 16 and SOC reporting

SAS No. 70, Service Organizations
 Standard for reporting on a service organization's controls affecting user entities' financial statements
 Only for use by service organization management, existing user entities and their auditors
 Common misuses:
◦ Marketing claims of "SAS 70 Certified" or "SAS 70 Compliant" (SAS 70 is a reporting standard; it certifies nothing)
◦ Applying it to controls over subject matter other than internal control over financial reporting

 Marketplace demand for a detailed report on controls over subject matter other than internal control over financial reporting:
◦ Security
◦ Availability
◦ Processing integrity
◦ Confidentiality
◦ Privacy
 Cloud computing and outsourcing have elevated the issue

 Split SAS 70 into two standards: one for service auditors (AT 801, SSAE 16), the other for user auditors (AU-C 402)
 Recognized the need for assessment of controls over security, availability, processing integrity, confidentiality and/or privacy
 Brought together all options for reporting on controls at service organizations
 Supported the public interest by helping CPAs and service organizations correctly apply and use the standards

 Three reports to help service organizations demonstrate reliability
 CPA and client determine the proper engagement for the market need
 SOC logo for the service organization's marketing and websites
 Information on SOC reports: aicpa.org/soc

Trust Services Principles and Criteria

SOC 1
 Report on controls at a service organization relevant to a user entity's internal control over financial reporting
 Engagement performed under:
◦ AT 801, Attestation Engagements (SSAE 16)
◦ AICPA Guide, Reporting on Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting
 Contents of the report package:
◦ Description of the service organization's system
◦ CPA's opinion on the fairness of the description, the suitability of design and, for a type 2 report, the operating effectiveness of the controls

 Both report on the fairness of the presentation of management's description of the service organization's system, and:
◦ Type 1 also reports on the suitability of the design of the controls to achieve the related control objectives included in the description, as of a specified date
◦ Type 2 also reports on the suitability of the design and the operating effectiveness of the controls to achieve the related control objectives included in the description, throughout a specified period

 Acceptance and continuance
◦ The service auditor is capable and competent to perform the engagement
◦ The service auditor's preliminary knowledge indicates that:
 the criteria to be used will be suitable and available to user auditors and user entities
 the service auditor will have access to sufficient appropriate evidence
 the scope and description of the service organization's system will not be so limited that they are not useful to user entities and their auditors
◦ Management agrees to the terms of the engagement and accepts responsibility for:
 preparing the description of the service organization's system and its assertion
 having a reasonable basis for its assertion
 selecting the criteria to be used and stating them in the assertion
 specifying the control objectives

 Acceptance and continuance (continued)
◦ Management also accepts responsibility for identifying the risks that threaten achievement of the control objectives and designing controls to achieve those objectives
◦ Management agrees to provide the service auditor:
 access to information relevant to the description of, and assertion about, the service organization's system
 unrestricted access to personnel deemed necessary to obtain evidence relevant to the engagement
 written representations at the conclusion of the engagement

 The service auditor must obtain a written assertion from the service organization's management about the fairness of the presentation of the description of the service organization's system and about the suitability of the design of the controls
 For type 2 engagements, the operating effectiveness of the controls must also be covered by the assertion
 The assertion will either accompany the service auditor's report or be included in the description of the service organization's system
 Refusal to provide the assertion is a scope limitation

 Assess whether management has used suitable criteria in:
◦ preparing the description of the service organization's system
◦ evaluating whether the controls were suitably designed to achieve the control objectives
 For a type 2 report, also whether the controls operated effectively throughout the period covered
 Obtain an understanding of the service organization's system

 Obtain evidence regarding the description of the service organization's system:
◦ the control objectives are reasonable
◦ the controls identified by management were implemented
◦ complementary user entity controls are adequately described
◦ services performed by subservice organizations are adequately described
 Obtain evidence regarding the design of the controls

 Design and perform tests of controls to obtain evidence about:
◦ whether the control was applied
◦ the consistency with which it was applied
◦ by whom or by what means it was applied
 If sampling is used, follow AU-C 530 (Audit Sampling)
 Evaluate any deviations to determine whether the deviation rate is acceptable or whether additional testing is needed
 Materiality
 Use of internal auditors
 Obtain written representations
 Inquire about subsequent events

SOC 2
 Report on controls at a service organization relevant to one or more of the following: security, availability, processing integrity, confidentiality and/or privacy
 Engagement performed under:
◦ AT 101, Attestation Engagements
◦ AICPA Guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy (SOC 2®)
 Contents of the report package are the same as for SOC 1

 SOC 2 reports are not bound to financial reporting and can be far reaching
 The service auditor and management must agree on the subject matter, i.e. establish the boundaries of the system:
◦ Infrastructure: the physical and hardware components of a system (facilities, equipment, and networks)
◦ Software: the programs and operating software of a system (systems, applications, and utilities)
◦ People: the personnel involved in the operation and use of a system (developers, operators, users, and managers)
◦ Procedures: the automated and manual procedures involved in the operation of a system
◦ Data: the information used and supported by a system (transaction streams, files, databases, and tables)

 Services that may have a SOC 2 report:
◦ Customer support
◦ Sales force automation
◦ Health care claims management and processing
◦ Enterprise IT outsourcing
◦ Managed security
◦ Cloud computing

 Requirements similar to SOC 1:
◦ Acceptance and continuance
◦ Written assertions and representations
◦ Evaluating evidence
 design, implementation and operating effectiveness
◦ Materiality
◦ Use of internal audit

 SOC 2 reports use the Trust Services Principles and Criteria, specific requirements developed by the AICPA and CICA (Canadian Institute of Chartered Accountants)
◦ Security: the system is protected against unauthorized access (both physical and logical)
◦ Availability: the system is available for operation and use as committed or agreed
◦ Confidentiality: information designated as confidential is protected as committed or agreed
◦ Processing integrity: system processing is complete, accurate, timely, and authorized
◦ Privacy: personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity's privacy notice and with criteria set forth in generally accepted privacy principles (GAPP)

 Security: the system is protected against unauthorized access (both physical and logical). Control areas:
◦ IT security policy
◦ Security awareness and communication
◦ Risk assessment
◦ Logical access
◦ Physical access
◦ Environmental controls
◦ Security monitoring
◦ User authentication
◦ Personnel security
◦ Change management
◦ Monitoring / compliance

 Availability: the system is available for operation and use as committed or agreed. Control areas:
◦ Availability policy
◦ Backup and restoration
◦ Incident management
◦ Disaster recovery
◦ Security
◦ Change management

 Confidentiality: information designated as confidential is protected as committed or agreed. Control areas:
◦ Confidentiality policy
◦ Confidentiality of inputs
◦ Confidentiality of data processing
◦ Confidentiality of outputs
◦ Information disclosures
◦ Incident management

 Processing integrity: system processing is complete, accurate, timely, and authorized. Control areas:
◦ System processing integrity policies
◦ Completeness, accuracy, timeliness, and authorization of inputs, system processing, and outputs
◦ Information tracing from source to disposition
◦ Availability
◦ Monitoring

 Privacy: personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity's privacy notice and with criteria set forth in generally accepted privacy principles (GAPP). Control areas:
◦ Privacy policies
◦ Risk assessment
◦ Choice and consent
◦ Use and retention
◦ Access
◦ Disclosure to third parties
◦ Security (logical and physical)
◦ Monitoring and enforcement

 Both report on management's description of a service organization's system, and:
◦ Type 1 also reports on the suitability of the design of the controls
◦ Type 2 also reports on the suitability of the design and the operating effectiveness of the controls

SOC 3
 Trust Services Report for Service Organizations
 Engagement performed under:
◦ AT 101, Attestation Engagements
◦ AICPA Technical Practice Aid, Trust Services Principles, Criteria and Illustrations
 Contents of the report package:
◦ CPA's opinion on whether the entity maintained effective controls over its system


Report components by SOC report type:

Report component                               SOC 1    SOC 2    SOC 3
Opinion letter                                   ✓        ✓        ✓
Management assertion (system description)        ✓        ✓        ✓
Detailed description of the system               ✓        ✓
Control objectives and controls                  ✓
TSP criteria and controls                                 ✓        *
Tests of controls and results (type 2)           ✓        ✓
Optional additional information                  ✓        ✓


Which report?
 Will the report be used by user entities and their auditors to plan and perform an audit of their financial statements? If yes: SOC 1 report
 Will the report be used by user entities and/or other stakeholders to gain confidence and place trust in a service organization's system? If yes: SOC 2 or SOC 3 report
 Does the report need to be made generally available, or is a seal needed? If yes: SOC 3 report (SOC 1 and SOC 2 reports are restricted-use)

 Guidance for the auditor of the financial statements of an entity that uses a service organization:
◦ AU-C Section 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (RMM): requires the user auditor to gain an understanding of the entity's internal control sufficient to assess the RMM
◦ AU-C Section 402, Audit Considerations Relating to an Entity Using a Service Organization

 Service organization: an organization, or segment of an organization, that provides services to user entities that are relevant to the user entities' internal control over financial reporting
 Examples of service organizations:
◦ Health insurance company processing claims for self-insured health plans
◦ Trust departments of banks
◦ Custodians for investments
◦ Depository institutions that service loans for others
◦ Outsourced payroll, utility billing, etc.

 A service organization's services are part of the user entity's information system if they affect any of the following:
◦ Classes of transactions that are significant to the user entity's financial statements
◦ The procedures or supporting records by which transactions are initiated, authorized, recorded, processed, transferred to the general ledger, and reported in the financial statements
◦ The financial reporting process used to prepare the financial statements and disclosures
◦ Controls surrounding journal entries

 AU-C 402 does not apply to services that are limited to processing an entity's transactions that are specifically authorized by the entity, e.g.:
◦ A bank processing only checking account transactions
◦ A broker processing transactions when the user entity retains responsibility for authorizing transactions and maintaining accountability
 Also not applicable to a proprietary financial interest in another entity (an equity interest):
◦ Partnership, corporation, joint venture

 If unable to gain a sufficient understanding through the user entity, the user auditor should obtain it by performing one or more of the following:
◦ Obtaining and reading a SOC 1 type 1 or type 2 report
◦ Contacting the service organization, through the user entity, to obtain specific information
◦ Visiting the service organization and performing procedures that will provide the necessary information about the relevant controls at the service organization
◦ Using another auditor to perform procedures that will provide the necessary information about the relevant controls at the service organization

 The user auditor should be satisfied as to the sufficiency and appropriateness of the type 1 or type 2 report by evaluating:
◦ The service auditor's professional competence and independence
◦ The adequacy of the standards under which the type 1 or type 2 report was issued
 If the report is used as evidence for the understanding of internal control:
◦ Evaluate whether the date (type 1) or period (type 2) of the report is appropriate for the user auditor's purposes
◦ Evaluate the sufficiency and appropriateness of the evidence provided
◦ Determine whether complementary user entity controls are relevant in addressing the RMM relating to the relevant assertions

 The user auditor may deem it necessary to test controls; if so, the auditor should perform one or more of the following:
◦ Obtain and read a SOC 1 type 2 report
◦ Perform tests of controls at the service organization
◦ Use another auditor to perform tests of controls on behalf of the user auditor
◦ What if the service organization has only had a type 1 report performed? A type 1 report covers the design of controls as of a date only, so it provides no evidence of operating effectiveness and one of the other options is needed

 The user auditor should determine whether the type 2 report provides appropriate audit evidence regarding the effectiveness of controls to support the user auditor's risk assessment by:
◦ Evaluating whether the period covered by the report is appropriate for the user auditor
◦ Determining whether complementary user entity controls identified by the service organization are relevant in addressing the RMM for the relevant assertions
 if so, obtaining an understanding of whether they are designed and implemented and, if so, testing their operating effectiveness

 Continued:
◦ Evaluate the adequacy of the time period covered by the tests of controls and the time elapsed since those tests
◦ Evaluate the tests performed and their results, and ensure they provide sufficient appropriate audit evidence to support the user auditor's risk assessment and the relevant assertions in the user entity's financial statements
 Evaluate any deviations or modified opinion in the service auditor's type 2 report
 What if the type 2 report doesn't cover the entire reporting period of the financial statements? The uncovered period is evaluated under the time-period bullet above, and the user auditor must decide whether additional procedures are needed for it

 The user auditor should inquire of user entity management regarding the service organization about:
◦ Fraud
◦ Noncompliance with laws and regulations
◦ Uncorrected misstatements
 If any of the above is identified, the user auditor should evaluate the effect on the nature, timing, and extent of further audit procedures, including the user auditor's conclusions and report

 The user auditor should modify the user auditor's report if unable to obtain sufficient appropriate audit evidence regarding the services provided by the service organization that are relevant to the financial statements
 The user auditor should not refer to the work of a service auditor in a user auditor's report containing an unmodified opinion
 If the opinion is modified and reference to the work of the service auditor is relevant to understanding the modification, the user auditor should indicate that the reference does not diminish the user auditor's responsibility for the opinion