Service Organization Controls (SOC) Overview Shared Assessment Member Forum Presentation April 10, 2012.


Introduction

Mark Cornish
Mark is a Director in PwC’s Financial Services Assurance practice in Boston with over 13 years of domestic and international public accounting and professional services experience, primarily focusing on financial services, specifically the asset management and insurance industries. Mark possesses an extensive knowledge of financial services systems, processes and controls, and continues to assist clients with risk management, compliance and internal controls work. Mark has extensive experience developing, performing and reporting on service organization controls. Mark has served as the service organization controls reporting director for several global organizations and has covered areas such as fund accounting, custody, securities lending and application service providers.

Jeff Trent
Jeff is a Director in PwC’s Financial Services Assurance practice in NY with over 15 years of experience working with clients to address a wide range of internal control, technology and operational risk related solutions. He has led the development of service organization / vendor management reporting solutions for PwC at prime brokers, pricing vendors, card and merchant payment services, and has also provided audit and consulting services for technology and controls across various financial services clients. Jeff has served as the service organization controls reporting director in areas such as: prime brokerage, trade processing, securities clearing and settlement, investment advisory, trust and custody, pricing services, money transfer, insurance claims processing, credit card operations, merchant processing operations, lockbox payment and document processing.

Agenda
1. Types of Service Organization Control (SOC) Reports
2. Transition from SAS 70 to SSAE 16
3. SOC 2
4. SOC 3
5. Customized Attestations
6. What attestation report should you request?
7. Q&A

Types of Service Organization Control (SOC) Reports
New Standards & Reporting Options

Report              Underlying Standard                                    Report Distribution                                   Purpose
SOC1 (SSAE16)       AT 801                                                 Restricted Use Report (Type I or II report)           Reports on controls for F/S audits
SOC2                AT 101                                                 Generally a Restricted Use Report (Type I or II report)  Reports on controls related to compliance or operations
SOC3                AT 101 (Trust Services Principles & Criteria)          General Use Report (with a public seal)               Reports on controls related to compliance or operations
Custom Attestation  AT 101                                                 Can be either Restricted or General Use               Report on controls or results based on specified criteria

Transition from SAS 70 to SSAE 16
What is SSAE 16?
Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and its global counterpart, International Standard on Assurance Engagements No. 3402 (ISAE 3402), provide the framework for service organizations that need to deliver consistent global reporting relating to internal controls over financial reporting (ICFR).
- The differences between SAS 70 and SSAE 16 are minimal.
- SAS 70 is an audit standard, while SSAE 16 is an attest standard.
- A provision requiring a written assertion from the service organization’s management is the most notable difference between the two standards.
- The format of the service auditor’s opinion has changed with SSAE 16.
- The new SSAE 16 standard became effective for periods ending on or after June 15, 2011.

SOC 2 – Reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and Privacy
- The SOC 2 report is very similar in structure to the SOC 1 report (formerly the SAS 70 report).
- The scope of the SOC 2 report is based on one or more of the AICPA Trust Services Principles and Criteria (TSPC): Security, Availability, Processing Integrity, Confidentiality, Privacy.
- This report is intended for knowledgeable parties and stakeholders.
- This report is restricted in use.

SOC 2 - Case Study

Issue
A leading digital content distributor and supplier of content management, distribution and hosting solutions was struggling to respond to a user request for controls comfort. The organization was eager to meet the needs of this particular user, while also providing a level of comfort to other users that had not requested such comfort. The company understood the user was not asking specifically for an SSAE 16 report over their platform and was subsequently advised that an SSAE 16 report was not necessarily the best fit, because it did not relate to internal controls over financial reporting. In working with the organization and utilizing a SOC 2 report, the differences between the reporting standards were highlighted.

Action
The company identified and documented controls over the system specific to the Processing Integrity Principle. Management's description of their system was examined and the design of controls evaluated to meet the criteria for the processing integrity principle set forth in Trust Services Principles section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (American Institute of Certified Public Accountants ("AICPA"), Technical Practice Aids) (applicable trust services criteria).

Impact
Rather than using a traditional SSAE 16 report, the SOC 2 report provided greater alignment to what users are seeking comfort over (processing integrity, security) and can be used to provide greater transparency. This also assisted in reducing the volume of questions, and the number of due diligence reviews performed by vendor management programs at their clients.

SOC 3 – Trust Services Report for Service Organization
- Although similar to the SOC 2 report, this report does not provide a detailed description of the service auditor’s tests and results.
- Unlike the SOC 1 and SOC 2 reports, the SOC 3 report is available to the general public.
- Users of these reports may include business partners, consumers, regulators, banks, outsourcers and those using outsourced services.
- SOC 3 is an attestation report based on the same TSPCs as SOC 2. It is intended to meet the needs of users who want assurance over controls at a service organization such as security, availability, processing integrity, confidentiality and privacy.
- Historically, SOC 3 reports were named SysTrust or WebTrust.

Customized Attestation
When one of the three SOC based reports may not be the right fit, another option exists to provide comfort and assurance. Customized Attestations, based on the AT 101 standard, are meant to allow for assurance reporting across a wide spectrum of different subject matter and are flexible enough to meet a wide variety of needs. A customized attestation can provide varying levels of assurance, and can potentially be unlimited in distribution to third parties. Customized attestations can provide opinions covering either controls or specific results. Customized attestations require suitable criteria, which must be: objective, measurable, complete, and relevant.

Which attestation report should you request?
SOC 1
- For users that have previously obtained a SAS 70 report from a service organization for an outsourced process related to internal controls over financial reporting.
- For independent assurance on controls over processes related to financial reporting that have been outsourced to a third party.
- For auditor-to-auditor communication.

Which attestation report should you request? (continued)
SOC 2
- For independent assurance on controls related to systems that do not impact financial reporting but may be relevant to controls over security, availability, processing integrity, confidentiality and/or privacy.
- For assurance over a system that has been outsourced which is of key operational importance.
- For providing management and/or the board of directors comfort over risks beyond financial reporting.
- For assurance over a third party data center or cloud computing company.
- For users that work in a highly regulated industry such as health care, utilities or financial reporting.
- For an outsourced provider that has had a recent data/security breach.
- For parties knowledgeable of the service organization.

Which attestation report should you request? (continued)
SOC 3
- For users that may not be knowledgeable of the service organization’s system and/or would rather have a summary report.
- For users that would like to view reports related to a third party service provider where they are not the service/user management or user auditor.
- For companies that do business online and want to obtain assurance or a “seal of approval” over the privacy of the information provided to the third party.
- For business-to-business and business-to-consumer communication.

Which attestation report should you request? (continued)
Customized Attestation
- For users that need transparency over non-financial reporting operations that are not covered in SOC 2 or SOC 3.
- For vendors supplying services where annual due diligence or oversight is required, and performed using a defined assessment framework, to confirm the existence and effectiveness of controls related to the services being provided.
- For users that require a high level of assurance over customized subject matter and criteria outside of traditional technology related activities.
- For organizations that may need assurance over results of activities and not necessarily controls.
- For organizations that are not service organizations (traditional or otherwise) to provide a high level of comfort to relevant stakeholders.
- For organizations that have a requirement to provide a high level of assurance to a regulator or other oversight body.

Q & A
Example questions:
1. What due diligence are you performing over your vendors to gain comfort over their operations (e.g. site visits, testing of certain processes/controls, etc.)?
2. Will SOC 2 and SOC 3 reporting assist with your oversight procedures for certain vendors?
3. Would a customized attestation address the need to perform detailed due diligence reviews and reduce potential cost?

© 2012 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers LLP, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.

Contact Details
Jeff Trent, Director Assurance Tel:
Mark Cornish, Director Assurance Tel: