Published by Sudirman Tanudjaja, modified over 6 years ago
1
SSAE18 Language: SOC1s, CUECs, and CSOCs… Oh My!
Michele Gaw, Deputy Director, DFAS Columbus
Integrity - Service - Innovation
2
What is an SSAE18?
Statement on Standards for Attestation Engagements: “…establish requirements and provide application guidance for performing and reporting on examination, review, and agreed-upon procedures engagements (attestation engagements).”
Applicable to examinations, reviews, and agreed-upon procedures.
Key Attestation Standards (AT-C):
- Section 105: Concepts Common to All Attestation Engagements
- Section 205: Examination Engagements
- Section 320: Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting
9/21/2018
3
What is an SSAE18? (cont.)
Other key terms:
- Type 2 Report (SOC1): “Management’s description…and a service auditor’s report on that description and on the suitability of the design and operating effectiveness of controls…”
- Complementary User Entity Controls (CUECs): “Controls that management…assumes…will be implemented by user entities and are necessary to achieve the control objectives stated in the management’s description…”
- Complementary Subservice Organization Controls (CSOCs): “Controls that management…assumes…will be implemented by the subservice organizations and are necessary to achieve the control objectives stated in management’s description…”
4
Why an SSAE?
- Allows DFAS and DoD to gain audit efficiencies: during financial audits of our customers, IPAs can rely on our SOC1 reports instead of being required to re-test key processes and controls.
- Enhances auditor reliance on the services DFAS provides to its customers.
- Focuses on enhancing DFAS’ internal control environment.
5
SSAE History: Results of DFAS SSAEs
Assessable Unit (results by FY12, FY13, FY14, FY15 as extracted):
- Civilian Pay Service: Qualified; Unqualified; Unmodified
- Military Pay Service: Modified, Qualified
- Standard Disbursing Service
- Contract Pay Service
- Financial Reporting Service: Modified, Adverse
- Defense Cash Accountability System (DCAS)
- Vendor Pay Service
6
SOC 1 Desired Outcomes: What are we trying to achieve?
- Unqualified / unmodified SOC 1 opinions (performed under the examination standards SSAE 18, AT-C 105, AT-C 205, AT-C 320).
- User entities place reliance on the SOC 1 reports (following A-123 Appendix A / ICOFR requirements).
- User auditors place reliance on the SOC 1 reports (as allowed by the auditing standards, e.g., AU 324).
It is possible to get an unqualified / unmodified opinion that does not meet the needs of the user auditor.
7
Connecting the Dots Between DFAS Controls, CUECs, and CSOCs
We currently have lots of dots to connect with the DoD SOC 1 reports. Updates are probable for some FY 17 SOC 1 reports.
8
Relationship Between DFAS Controls, CUECs, and CSOCs (Connecting the Dots)
DFAS Control Objective (e.g., Civilian Pay Service Access Control): Controls provide reasonable assurance that logical access to DCPS programs and data is restricted to authorized users.
CSOCs (SSAE 18): DFAS controls were designed assuming certain controls were in place at the sub-service organization (DISA). These assumptions will now be included in Management’s Description for each sub-service organization. Some basis is needed for the assumptions, and DFAS is responsible for monitoring sub-service providers.
CUECs (SAS 70, SSAE 16, and SSAE 18): DFAS controls were designed assuming certain controls were in place at the customer (Reporting Entity). These assumptions have been and will continue to be included in Management’s Description. Some basis is needed for the assumptions, but DFAS is not responsible for monitoring customers.
(Diagram: DFAS Controls, designed and operating effectively, linked by CUECs to User Entity Controls and by CSOCs to DISA Controls.)
Appropriate controls need to be in place at the Reporting Entity, Service Organization(s), and Sub-service Organization(s) to achieve the Control Objective.
9
Connecting the Dots
(Diagram: three puzzle pieces. Top: Reporting / User Entities and Reporting Entity / User Auditors, with their Controls and CUECs. Middle: DFAS Civilian Pay Service SOC 1, with Controls, CUECs, and CSOCs. Bottom: DISA Hosting Services SOC 1, with Controls and CUECs.)
- CUECs (SSAE 16 & 18): DFAS controls were designed assuming certain controls were in place at the customer (Reporting Entity).
- CSOCs (SSAE 18): DFAS controls were designed assuming certain controls were in place at the sub-service organization (DISA).
- CUECs (SSAE 16 & 18): DISA controls were designed assuming certain controls were in place at the customer (DFAS).

This chart shows how collaboration across entities is key to ensuring the end users of the SSAE18 SOC1 reports can truly rely on them. Using DFAS Civilian Pay as an example in the middle, gold puzzle piece, I’m going to walk you through how this relationship works between the asserting entity, the user entity(s), and the subservice organization(s).
In the middle box, you can see we have three types of controls identified:
- Controls (DFAS-identified controls that DFAS performs)
- CUECs (Complementary User Entity Controls)
- CSOCs (Complementary Subservice Organization Controls)
The arrows all show the relationship and connection points between each of the entities depicted in the three middle puzzle pieces:
- CUECs point up to the user entity and represent controls performed by the user entity. DFAS assumes the user entity has the proper control(s) in place to ensure DFAS can meet its key control objective(s).
- CSOCs point down to subservice organizations, such as DISA in this example. DFAS assumes DISA has certain controls in place in order to help DFAS meet its key control objectives.
- Similarly, DISA may identify CUECs that name DFAS as a user entity, where DISA assumes DFAS is performing certain controls in support of DISA’s key control objectives.
As you can tell, there are a lot of “assumptions” being made about who has what controls in place. That’s why the SSAE18 guidance emphasizes the need for the asserting organization (in this case, DFAS for Civilian Pay) to monitor these CUECs and CSOCs in order to ensure they are in place and operating effectively. We have to be communicating regularly and having these discussions on a recurring basis, instead of just assuming someone else is doing what we think they should be doing. If all of this occurs as it should, then ultimately the Reporting Entity and their User Auditor can rely on these SOC1 reports and achieve our Department’s goal of gaining audit efficiencies.
Collaboration across the Department is imperative to ensure the “assumed” CUECs and CSOCs are implemented, monitored, and mitigated where necessary.
10
Inclusion of CSOCs in the SOC 1 Report
- OUSD(C) FIAR developed a template with IPA community input.
- DFAS / OUSD(C) FIAR collaborated to develop the DISA CSOCs and map them to the DISA SOC 1.
- Each IPA may have preferences, but it is reasonable to assume the presentation format can be similar to CUECs, with similar explanatory language.
- Presentation will likely be similar to the past / current presentation of CUECs (aligned to relevant SOC 1 control objectives).
11
Defense Agency and Military Service Responsibilities
As discussed at Service Provider Working Group Meetings & CUEC Workshops:
1. Identify all Service Organizations (Service Providers) that impact the Reporting Entity’s internal controls over financial reporting.
2. Document an understanding of the Service Providers’ impact on the Reporting Entity’s financial reporting and associated risks.
3. Document the Reporting Entity’s understanding of Service Provider controls in place to mitigate financial reporting risks.
4. Evaluate the design and operating effectiveness of Service Provider controls in place to mitigate financial reporting risks.
5. Address Complementary User Entity Controls (CUECs) identified by the Service Provider (i.e., implement effective controls within the Reporting Entity).
6. Establish regular communications with Service Providers to monitor performance and identify events that may impact internal controls over financial reporting.
Establish MOUs that clearly identify who is responsible for what.
12
Defense Agency and Military Service Responsibilities
DFAS SOC 1 reports (typically) include only those controls that are common to multiple customers and (typically) do not include controls that are unique to individual customers.
(Cartoon: User Entity: “I am relying on your controls!” DFAS: “CUECs!” User Entity: “…but DFAS does that for me too :-0”)
For some CUECs, DFAS operates the control on behalf of the User Entity. The User Entity auditors will likely need to test these other DFAS-performed controls.
13
Questions