
Service Organization Control Reports What Have We Learned? Chris Bruhn DIRECTOR, IT RISK SERVICES, BKD, LLP SAS 70 ENDS EXIT TO SSAE 16.


1 Service Organization Control Reports What Have We Learned? Chris Bruhn DIRECTOR, IT RISK SERVICES, BKD, LLP SAS 70 ENDS EXIT TO SSAE 16

2 Agenda
- What are Service Organization Control (SOC) Reports?
- Reading a Report
- Experiences – SOC 1 (SSAE 16)
- Experiences – SOC 2 & SOC 3
- Current Developments
- Questions / Discussion

3 SOC Report: Key Terms
- Service Organization – provider of services that may impact a risk to a user's financial reporting, or that pose a business or compliance risk
- Service auditor – a CPA who examines and reports on controls at a service organization
- Users and User Auditor – clients of the service organization and their financial auditors
  - May need assurance regarding controls over ICFR (SOC 1) or security, availability, processing integrity, confidentiality or privacy (SOC 2)
- By the way… there is no such thing as SOC "certified"

4 Service Organization Control Reports SAS 70 ENDS EXIT TO SSAE 16

5 Service Organization Control Reports

Purpose
- SOC 1: Report on controls relevant to user entities' ICFR (1)
- SOC 2 and SOC 3: Report on controls related to compliance and operations

Use of Report
- SOC 1: Restricted (2)
- SOC 2: Restricted (3)
- SOC 3: General

Report Detail
- SOC 1: Includes testing detail; Type 1 or Type 2
- SOC 2: Includes testing detail; Type 1 or Type 2
- SOC 3: No testing detail

AICPA Interpretive Guidance & Reporting Vehicle
- SOC 1: SSAE 16, AICPA Guide
- SOC 2: AT 101, AICPA Trust Services Principles, AICPA Guide
- SOC 3: AT 101, AICPA Trust Services Principles TSP 100

(1) Internal Control Over Financial Reporting
(2) Service organization management, users, users' auditor
(3) Service organization management, users, knowledgeable parties

6 SOC Report: Two Types – Type 1
- Auditor's opinion includes:
  - fairness of presentation of management's description of the service organization's system, and
  - the suitability of the design of controls
- As of a point in time
- May be useful when:
  - the organization is new
  - an understanding of the system and controls is needed
  - significant changes were recently made
  - there is insufficient time or history to perform a Type 2

7 SOC Report: Two Types – Type 2
- Auditor's opinion covers the same as Type 1 plus: operating effectiveness of key controls
- Covers a period of time
  - Changes must be captured in the description and control testing
- A detailed description of the service auditor's tests of controls and results

8 Reading a Report

9 SOC Report Content
- Section I – Auditor Opinion
- Section II
  - Management Assertion
  - Description of the system (narrative)
  - Complementary User Entity Control Considerations (CUECs)
- Section III
  - Control objectives, control activities, and results of testing for Type 2
  - And for SOC 2 – mapping of the organization's controls to applicable trust services principle criteria
- Section IV – Other, unaudited information

10 Report Components: Auditor's Opinion
- Qualified (modified) opinion
  - Concept of materiality is not applicable when the auditor reports results of testing
- References to subservice organizations: inclusive or exclusive
- Complementary User Entity Controls (CUECs)
- Auditor is in the role of providing assurance regarding management's assertions

11 Report Components: Management Assertion
Management's assertion states*:
- System fairly represented
- System suitably designed and implemented
- The related control activities were suitably designed to achieve the stated control objectives
- The control activities are operating effectively throughout the report period (Type 2 only)
*The auditor opinion attests to these statements.
Subservice organizations: inclusive or exclusive

12 Report Components: Management Assertion
The report will reference that management is responsible for:
- Preparing the system description
- Providing the stated services
- Specifying the control objectives
- Identifying the risks
- Selecting and stating the criteria for their assertion (e.g. monitoring activities)
- Designing, implementing and documenting controls that are suitably designed and operating effectively

13 Report Components: System Description
SSAE 16 requires a description of the system. Components common to descriptions:
- Organizational overview
- Types of services covered
- COSO risk categories
- Specified control objectives and related control activities
- Complementary user entity controls (CUECs)

14 Report Components: Control Description
Control Objectives
- Organization / scope of objectives
- Sufficiency of service process areas compared to services utilized
- Completeness for your purpose
Control Activities
- Completeness
- Description of testing
- Results / exceptions
- Impact of exceptions on your services

15 Report Components: Other Information
- Period of coverage
- Other unaudited information relevant to the user:
  - Management responses to opinion modifications or testing exceptions
  - Glossary
  - BCP / DR executive overview
  - Organizational information
  - Subsequent events

16 SOC 1 – Experiences and Key Issues

17 Using a SOC 1 Report
- Understand the scope of the assertion and description
  - Unique service lines or applications
  - Sub-service organizations (inclusive vs. exclusive)
- Can I place reliance on the report?
  - Is the scope of the report in line with the related services impacting financial reporting?
  - Are objectives and controls appropriate for the financial reporting risks associated with the services?
  - Are user controls in place?

18 Key Issues: Supporting Control Design – Risk Assessment
Risk assessment supporting control design:
- Services provided
- Assessment of risks to services leads to: control objectives
- Assessment of risk to each control objective leads to: control activities

19 Key Issues: Supporting Control Design
Types of control objectives
- Entity
- IT general controls
- Business process
- Regulatory or customer defined
Risk assertions defined
- ICFR (complete, accurate, timely, valuation, etc.)
- Trust Services Principles

20 Key Issues: Design of Control Activities
- Completeness of activities to address risks to the control objective
- Specificity of activities
  - Controls vs. processes
  - Specific
  - Testable
- Identifying and maintaining supporting documentation
- Relating user entity control considerations

21 SOC 2 – Experiences and Key Issues

22 SOC 2 Reporting – TSP Criteria
- Security (Common Criteria): The system is protected against unauthorized access, use, or modification.
- Availability: The system is available for operation and use as committed or agreed.
- Processing Integrity: System processing is complete, valid, accurate, timely, and authorized.
- Confidentiality: Information designated as confidential is protected as committed or agreed.
- Privacy: The system's collection, use, retention, disclosure, and disposal of personal information is in conformity with the commitments in the entity's privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and the Canadian Institute of Chartered Accountants.

23 Unique SOC 2 Key Issues
- Most issues are the same as SSAE 16
- Identification of applicable Trust Services Principles / Criteria
  - Major issue was overlap of criteria – addressed with the TSP update effective 12/15/14
- New SOC 2 & 3 audit guide issued June 2015
  - More guidance on identifying expectations at subservice organizations

24 Unique SOC 2 Key Issues
Narrative
- Discussion of key TSP criteria managed by subservice organizations
- Identification of reliance on relevant subservice organizations' controls for achieving key TSP criteria
Report
- Display of control activities supporting selected TSP criteria

25 Reporting to Multiple Audiences
Multiple-report scenarios
- SOC 1 and SOC 2: services impacting the user's ICFR and other services with trust services principles concerns
- SOC 2 and SOC 3: services not impacting ICFR, where the report needs to be used beyond current users, such as marketing to prospects
- SOC 1 and SOC 3: services impacting the user's ICFR and other services with trust services principles concerns or marketing needs
Note – these must be separate reports

26 Unique SOC 3 Considerations
- Public report
- Very abbreviated report – essentially a "SOC 2 light"
- Assertion and opinion only opine on:
  - Suitability of design
  - Operating effectiveness of controls
  - Not on the system description
- Description is brief and does not include the detail of a SOC 2
- No longer has a required seal
  - There is a SOC logo from the AICPA that an organization can display
  - Must register and have a report within the last year

27 Unique SOC 3 Requirements
- Essentially must do a SOC 2 in order to issue a SOC 3
  - SOC 2 report must have an unqualified opinion
  - Must cover at least a 2-month period
- Currently cannot issue a SOC 3 unqualified opinion if:
  - There are carved-out subservice organizations in the SOC 2
  - There are significant complementary user-entity controls necessary to achieve the applicable trust services principles' criteria

28 Current Developments
- SOC 2 Plus
  - Cloud Security Alliance
  - HITRUST
  - Additional considerations for the future
- Privacy TSP exposure draft out now for comment

29 Questions / Discussion

30 Thank you for attending. Learn more at bkd.com
FOR MORE INFORMATION // For a complete list of our offices and subsidiaries, visit bkd.com or contact: Chris Bruhn, CPA, CISA, CITP // Director // cbruhn@bkd.com // 816.221.6300
