1 Service Organization Control (SOC) Reporting Options and Information

2 Overview
Service Organization Control (SOC) reports are designed to help service organizations meet specific user needs:
- SOC 1 Report – Addresses internal controls over financial reporting
  - Performed in accordance with Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization
  - Focuses solely on controls at a service organization that are likely to be relevant to an audit of a user entity’s financial statements
- SOC 2 and SOC 3 Reports – Address controls at the service organization that typically relate to understanding the effectiveness of controls around operations and technology compliance
  - SOC 2 Report – Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy
  - SOC 3 Report – Trust Services Report – Opinion Letter Only
“When users of a service organization’s services (user entities) outsource these tasks and functions, many of the risks of the service organization become risks of the user entities.” – AICPA, Service Organization Controls, November 2010

3 SOC 1 Reports
Focus is on internal control over financial reporting.
Similar to SAS 70, there are two types of SOC 1 reports:
- Type 1: A report on management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description, as of a specified date.
- Type 2: A report on management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description, throughout a specified period.
Use of subservice organizations: carve-out or inclusive method.
Restricted-use report: distribution is limited to user organizations and their auditors.

4 SOC 2 & 3 Reporting Overview
Addresses controls at the service organization that relate to operations and/or compliance and are based on the Trust Services principles and criteria:
- Security
- Availability
- Processing integrity
- Confidentiality
- Privacy
A report may cover one or more of the Trust Services Principles, as specified by management.

5 SOC 2 Reporting
Similar to a SOC 1 report, there are two types of reports:
- Type 1: report on management’s description of a service organization’s system and the suitability of the design of controls.
- Type 2: report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls.
Many of the requirements for SOC 2 are the same as for SOC 1:
- May be restricted in use
- Management’s assertion
- System description, risk assessment, etc.
A service organization may request that the service auditor’s report address additional subject matter that is not specifically covered by the Trust Services Principles (regulatory items such as HIPAA, GLBA, etc.).

6 SOC 3 Reporting
Designed to meet the needs of users who want assurance on controls at a service organization but do not have the need for, or the knowledge necessary to make effective use of, a SOC 2 Report.
Prepared using the AICPA/CICA Trust Services principles and criteria, which include Security, Availability, Processing Integrity, Confidentiality, and Privacy.
The key difference between a SOC 2 report and a SOC 3 report is that a SOC 2 report, which is generally a restricted-use report, contains a detailed description of the service auditor’s tests of controls; the SOC 3 only provides an opinion letter (the report) and potentially a SysTrust Seal (for unqualified opinions only).
Because they are general-use reports, SOC 3 reports can be freely distributed or posted on a website as a seal.

7 Trust Principles
- Security: The system is protected against unauthorized access (both physical and logical).
- Availability: The system is available for operation and use as committed or agreed.
- Processing Integrity: System processing is complete, accurate, timely, and authorized.
- Confidentiality: Information designated as confidential is protected as committed or agreed.
- Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles issued by the AICPA and CICA.
Reminder: A report (audit) may cover one or more of the Trust Services Principles, as specified by management.

8 Organization of Trust Principles
Each of the Trust Services Principles is organized into four areas, each with its own set of criteria:
- Policies. The entity has defined and documented its policies relevant to the particular principle.
- Communications. The entity has communicated its defined policies to authorized users.
- Procedures. The entity uses procedures to achieve its objectives in accordance with its defined policies.
- Monitoring. The entity monitors the system and takes action to maintain compliance with its defined policies.

9 Organization of Trust Principles
There is much commonality between the areas of each Trust Principle, so examining one area under one principle often covers the equivalent examination under the others. Starting in December 2014 the standards combine these redundant criteria.

Number of criteria per area and principle:

Area             Security   Availability   Processing Integrity   Confidentiality
Policies         3          3              3                      3
Communications   5          5              5                      5
Procedures       14         17             21                     21
Monitoring       3          3              3                      3
Total criteria   25         28             32                     32

10 Generally Accepted Privacy Principles (GAPP)
Generally Accepted Privacy Principles have a number of unique areas, each with its own criteria. Number of criteria per area (the first area is labelled as on the slide):

Area                          Policies and Communications   Procedures and Controls
Policies and Communications   Privacy Policies (3)          11
Notice                        2                             3
Choice and Consent            3                             4
Collection                    3                             4
Use, Retention and Disposal   2                             3
Access                        2                             6
Disclosure to Third Parties   3                             4
Security for Privacy          2                             7
Quality                       2                             2
Monitoring and Enforcement    2                             5

11 Summary of New Standards & Options

SOC 1
- Purpose: Reports on controls related to Financial Statement audits (ICFR)
- Standard: SSAE 16 – Service Auditor Guidance
- Use: Restricted Use Report (Type I or II report)
- Contents: Description of the service organization’s system. CPA’s opinion on fairness of presentation of the description, suitability of design and, in a type 2 report, the operating effectiveness of controls. A type 2 report includes a description of the CPA firm’s tests of controls and results.

SOC 2
- Purpose: Typically reports on controls related to compliance or operations
- Standard: Trust Services Principles & Criteria*; AT 101
- Use: Generally a Restricted Use Report
- Contents: Description of the service organization’s system. CPA’s opinion on fairness of presentation of the description, suitability of design and, in a type 2 report, the operating effectiveness of controls. A type 2 report includes a description of the CPA firm’s tests of controls and results.

SOC 3
- Purpose: Reports on controls related to compliance or operations
- Standard: Trust Services Principles & Criteria*; AT 101
- Use: General Use Report (with a public seal)
- Contents: An unaudited system description used to delineate the boundaries of the system. CPA’s opinion on whether the entity maintained effective controls over its systems. Does not contain a description of the CPA firm’s tests of controls and results (opinion letter only).

12 Readiness Assessment Service Approach
1. Review relevant client agreements/contracts and determine which Trust Services Principles are to be covered in the SOC Report(s).
2. Perform a readiness assessment covering the design effectiveness of the control activities supporting the TSP criteria selected.
3. Review the Company’s policies and procedures documentation to identify internal controls and identify gaps.
4. Meet with management to develop a remediation plan and next steps.
5. Perform high-level testing to determine the operating effectiveness of controls.
6. Report areas that are not operating effectively and develop a plan to remediate control deficiencies.
7. (Optional) Perform SOC 2, Type 1 design testing and issue an opinion letter and report.

13 Formal SOC Reporting Service Approach
Testing Phase – Schedule fieldwork visits to company offices (3 to 5 days on-site):
- Interim Testing – Perform the initial assessments, walkthroughs and effectiveness testing. The testing team meets with key control owners to gain an understanding of your control environment and requests the documentation used to assess the operating effectiveness of controls.
- Roll-forward Testing – Perform effectiveness testing just prior to the end of the reporting period. The testing team requests the documentation used to assess the period-end operating effectiveness of your controls.
Reporting Phase – The engagement team assembles the report and completes final reviews to issue our opinion and formal report.