
Presented by: Chris Pembrook, CPA, MBA, CGAP, Cr.FA, and Frank Crawford, CPA, Crawford & Associates, P.C.


Slide 1: Presented by Chris Pembrook, CPA, MBA, CGAP, Cr.FA, and Frank Crawford, CPA, Crawford & Associates, P.C.
- www.crawfordcpas.com
- chris@crawfordcpas.com
- frank@crawfordcpas.com
- @fcrawfordcpa (Twitter)

Slide 2: SSAE 16 and SOC Reporting

Slide 3:
- Standard for reporting on a service organization’s controls affecting user entities’ financial statements
- Misuse:
  - “SAS 70 Certified” or “SAS 70 Compliant”
  - Controls related to subject matter other than internal control over financial reporting
- Only for use by service organization management, existing user entities and their auditors

Slide 4:
- Marketplace demand for a detailed report on controls over subject matter other than internal control over financial reporting:
  - Security
  - Availability
  - Processing integrity
  - Confidentiality
  - Privacy
- Cloud computing and outsourcing elevated the issue

Slide 5:
- Split SAS 70 into two standards: one for service auditors (AT 801), the other for user auditors (AU-C 402)
- Recognized the need for assessment of controls over security, availability, processing integrity, confidentiality and/or privacy
- Brought together all options for reporting on controls at service organizations
- Supported the public interest by helping CPAs and service organizations correctly apply and use the standards

Slide 6:
- Three reports to help service organizations demonstrate reliability
- CPA and client determine the proper engagement for the market need
- SOC logo for the service organization’s marketing and websites
- Information on SOC reports: aicpa.org/soc

Slide 7: Trust Services Principles and Criteria

Slide 8:
- Report on controls at a service organization relevant to a user entity’s internal control over financial reporting
- Engagement performed under:
  - AT 801, Attestation Engagements
  - AICPA Guide, Reporting on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting
- Contents of report package:
  - Description of the service organization’s system
  - CPA’s opinion on the fairness of the description, the suitability of design, and the operating effectiveness of controls

Slide 9:
- Both report on the fairness of the presentation of management’s description of the service organization’s system, and:
  - Type 1 also reports on the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date
  - Type 2 also reports on the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period

Slide 10:
- Acceptance & Continuance
  - Service auditor is capable and competent to perform the engagement
  - Service auditor’s preliminary knowledge indicates that:
    - Criteria to be used will be suitable and available to user auditors and user entities
    - Service auditor will have access to sufficient appropriate evidence
    - Scope and description of the service organization’s system will not be so limited that they are not useful to user entities and their auditors
  - Management agrees to the terms of engagement and accepts responsibility for:
    - Preparing the description of the service organization’s system and its assertions
    - Having a reasonable basis for its assertions
    - Selecting the criteria to be used and stating them in the assertion
    - Specifying the control objectives

Slide 11:
- Continued
  - Identifying risks that threaten achievement of the control objectives and designing controls to ensure the objectives will be achieved
  - Providing the service auditor:
    - Access to information relevant to the description and assertions of the service organization’s system
    - Unrestricted access to personnel deemed necessary to obtain evidence relevant to the engagement
    - Written representations at the conclusion of the engagement

Slide 12:
- Service auditor must obtain a written assertion from the service organization’s management about the fairness of the presentation of the description of the service organization’s system and about the suitability of the design of the controls
- For type 2 engagements, the operating effectiveness of the controls must be included in the assertion
- The assertion will either accompany the service auditor’s report or be included in the description of the service organization’s system
- Refusal to provide the assertion represents a scope limitation

Slide 13:
- Assess whether management has used suitable criteria in:
  - Preparing the description of the service organization’s system
  - Evaluating whether controls were suitably designed to achieve the control objectives
    - For a type 2 report, also whether the controls operated effectively throughout the period covered
- Obtain an understanding of the service organization’s system

Slide 14:
- Obtain evidence regarding the description of the service organization’s system:
  - Control objectives are reasonable
  - Controls identified by management were implemented
  - Complementary user entity controls are adequately described
  - Services performed by subservice organizations are adequately described
- Obtain evidence regarding the design of controls

Slide 15:
- Design and perform tests of controls to determine:
  - Whether the control was applied
  - The consistency with which it was applied
  - By whom or by what means it was applied
- If sampling is applied, follow AU-C 530
- Evaluate any deviations to determine whether the deviation rate is acceptable or whether additional testing is needed
- Materiality
- Use of internal auditors
- Obtain written representations
- Inquire about subsequent events

Slide 16:
- Report on controls at a service organization relevant to one or more of the following: security, availability, processing integrity, confidentiality and/or privacy
- Engagement performed under:
  - AT 101, Attestation Engagements
  - AICPA Guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy (SOC 2®)
- Contents of report package are the same as SOC 1

Slide 17:
- SOC 2 reports are not bound to financial reporting and can be far reaching.
- Service auditor and management must agree on the subject matter (“Est. Boundaries”):
  - Infrastructure. The physical and hardware components of a system (facilities, equipment, and networks)
  - Software. The programs and operating software of a system (systems, applications, and utilities)
  - People. The personnel involved in the operation and use of a system (developers, operators, users, and managers)
  - Procedures. The automated and manual procedures involved in the operation of a system
  - Data. The information used and supported by a system (transaction streams, files, databases, and tables)

Slide 18:
- Services that may have a SOC 2 report:
  - Customer support
  - Sales force automation
  - Health care claims management and processing
  - Enterprise IT outsourcing
  - Managed security
  - Cloud computing

Slide 19:
- Requirements similar to SOC 1:
  - Acceptance & Continuance
  - Written assertions & representations
  - Evaluating evidence
    - Designed/implemented and operating effectively
  - Materiality
  - Use of internal audit

Slide 20:
- SOC 2 reports use the Trust Services Principles and Criteria, specific requirements developed by the AICPA and CICA.
  - TSP 100

Domain | Principle
Security | The system is protected against unauthorized access (both physical and logical).
Availability | The system is available for operation and use as committed or agreed.
Confidentiality | Information designated as confidential is protected as committed or agreed.
Processing Integrity | System processing is complete, accurate, timely, and authorized.
Privacy | Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP).

Slide 21:
- The system is protected against unauthorized access (both physical and logical):
  - IT security policy
  - Security awareness and communication
  - Risk assessment
  - Logical access
  - Physical access
  - Environmental controls
  - Security monitoring
  - User authentication
  - Personnel security
  - Change management
  - Monitoring / compliance

Slide 22:
- The system is available for operation and use as committed or agreed:
  - Availability policy
  - Backup and restoration
  - Incident management
  - Disaster recovery
  - Security
  - Change management

Slide 23:
- Information designated as confidential is protected as committed or agreed:
  - Confidentiality policy
  - Confidentiality of inputs
  - Confidentiality of data processing
  - Confidentiality of outputs
  - Information disclosures
  - Incident management

Slide 24:
- System processing is complete, accurate, timely, and authorized:
  - System processing integrity policies
  - Completeness, accuracy, timeliness, and authorization of inputs, system processing, and outputs
  - Information tracing from source to disposition
  - Availability
  - Monitoring

Slide 25:
- Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP):
  - Privacy policies
  - Risk assessment
  - Choice and consent
  - Use and retention
  - Access
  - Disclosure to third parties
  - Security (logical & physical)
  - Monitoring and enforcement

Slide 26:
- Both report on management’s description of a service organization’s system, and:
  - Type 1 also reports on the suitability of the design of controls
  - Type 2 also reports on the suitability of the design and the operating effectiveness of controls

Slide 27:
- Trust Services Report for Service Organizations
- Engagement performed under:
  - AT 101, Attestation Engagements
  - AICPA TPA, Trust Services Principles, Criteria and Illustrations
- Contents of report package:
  - CPA’s opinion on whether the entity maintained effective controls over its system


Slide 29: Report components compared across SOC 1, SOC 2 and SOC 3
- Opinion letter
- Management assertions (system description)
- Detailed description of the system
- Control objectives and controls
- TSP criteria and controls *
- Tests of controls and results (Type 2)
- Optional additional information


Slide 31:
- Will the report be used by service users and their auditors to plan/perform an audit of their financial statements? Yes: SOC 1 report
- Will the report be used by service users and/or stakeholders to gain confidence and place trust in a service organization’s system? Yes: SOC 2 or SOC 3 report
- Does the report need to be made generally available, or is a seal needed? Yes: SOC 3 report

Slide 32:
- Guidance for the auditor of the financial statements of an entity that uses a “Service Organization”:
  - AU-C Section 315, “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (RMM)”
    - Requires the user auditor to gain an understanding of the entity’s internal control sufficient to assess RMM
  - AU-C Section 402, “Audit Considerations Relating to an Entity Using a Service Organization”

Slide 33:
- Service Organization: an organization, or segment of an organization, that provides services to user entities that are relevant to the user entities’ internal control over financial reporting.
- Examples of service organizations:
  - Health insurance company that processes claims for self-insured health plans
  - Trust departments of banks
  - Custodians for investments
  - Depository institutions that service loans for others
  - Outsourcing of payroll, utility billing, etc.

Slide 34:
- A service organization’s services are part of the user entity’s information system/process if the services affect any of the following:
  - Classes of transactions that are significant to the user entity’s financial statements
  - The procedures or supporting records in which transactions are initiated, authorized, recorded, processed, transferred to the general ledger, and reported in the financial statements
  - The financial reporting process used to prepare the financial statements and disclosures
  - Controls surrounding journal entries

Slide 35:
- Services that are limited to processing an entity’s transactions that are specifically authorized by the entity:
  - Bank that only processes checking account transactions
  - Broker that processes transactions when the user entity retains responsibility for authorizing transactions and maintaining accountability
- Also not applicable to a proprietary financial interest in another entity (“equity interest”):
  - Partnership, corporation, joint venture

Slide 36:
- If unable to gain an understanding through the user entity, the auditor should obtain the understanding by performing one or more of the following:
  - Obtaining and reading a SOC 1 type 1 or type 2 report
  - Contacting the service organization, through the user entity, to obtain specific information
  - Visiting the service organization and performing procedures that will provide the necessary information about the relevant controls at the service organization
  - Using another auditor to perform procedures that will provide the necessary information about the relevant controls at the service organization

Slide 37:
- The auditor should be satisfied as to the sufficiency and appropriateness of the type 1 or type 2 report by considering:
  - The service auditor’s professional competence and independence
  - The adequacy of the standards under which the type 1 or type 2 report was issued
- If the report is used as evidence of the understanding of internal control:
  - Evaluate whether the date of the report (either type 1 or type 2) is appropriate for the purpose
  - Evaluate the sufficiency and appropriateness of the evidence provided
  - Determine whether complementary user entity controls are relevant in addressing RMM relating to the relevant assertions

Slide 38:
- The auditor may deem it necessary to test controls; if so, the auditor should perform one or more of the following:
  - Obtain and read a SOC 1 type 2 report
  - Perform tests of controls at the service organization
  - Use another auditor to perform tests of controls on behalf of the user auditor
  - What if they have only had a type 1 report performed?

Slide 39:
- The user auditor should determine whether the report provides appropriate audit evidence regarding the effectiveness of controls to support the user auditor’s risk assessment by:
  - Evaluating whether the period of the report is appropriate for the user auditor
  - Determining whether complementary user entity controls identified by the service organization are relevant in addressing RMM for the relevant assertions
    - If so, obtain an understanding of whether they are designed and implemented and, if so, test their effectiveness

Slide 40:
- Continued
  - Evaluate the adequacy of the time period covered by the tests of controls and the time elapsed since such tests
  - Evaluate the tests performed and their results, and ensure they provide sufficient appropriate audit evidence to support the user auditor’s risk assessment and the relevant assertions of the user entity’s financial statements
- Evaluate any deviations or modified opinion in the service auditor’s type 2 report
- What if the type 2 report doesn’t cover the entire reporting period of the financial statements?

Slide 41:
- The user auditor should inquire of user entity management about the following in regard to the service organization:
  - Fraud
  - Noncompliance with laws & regulations
  - Uncorrected misstatements
- If any of the above are identified, the user auditor should evaluate the effect on the nature, timing, and extent of the user auditor’s further audit procedures, including the user auditor’s conclusions and the user auditor’s report

Slide 42:
- The user auditor should modify the user auditor’s report if unable to obtain appropriate audit evidence regarding services provided by the service organization that are relevant to the financial statements
- The user auditor should not refer to the work of a service auditor in a user auditor’s report containing an unmodified opinion
- If the opinion is modified and reference to the work of the service auditor is relevant to understanding the modification, the user auditor should indicate that the reference does not diminish the user auditor’s responsibility for the opinion
