Service Organization Control (SOC) Reports, Performing Audits of Third-Party Processors
Presented by: Karen Krebsbach, Ernst & Young Advisory Manager

With you today
Karen Krebsbach, Advisory Manager, Ernst & Young, Denver, CO
Karen.Krebsbach@ey.com, 720 931 4475

Agenda
• The new standards
• Understanding the SOC reports
• SAS 70 vs SSAE 16 / ISAE 3402
• SOC 1 reporting options
• Impact on Service Organizations
• Impact on User Entities
• Additional reporting options
• Trust Services Principles and Criteria
• SOC 2 report
• SOC 3 report
• Why SOC 2 / SOC 3
• Comparing the options
• Resources
The new standards: Historically vs Now
Historically…
• SAS 70 (U.S.)
• CICA 5970 (Canada)
• AAF 01/06 (UK)
• AUS 810 (Australia)
• HKCPA 860.2 (HK/China)
• NAGA 56 (Chile)
Now…
• ISAE 3402 (International)
• SSAE16 (U.S.)
• ASAE 3402 (Australia)
• CSAE 3416 (Canada)
• AAF xx/11 (UK)
• AAS24 (India)
• HKCPA 860 (HK/China)
• Others

Understanding the SOC reports
• SOC 1 reports: ISAE 3402 (International), SSAE16 (U.S.), ASAE 3402 (Australia), CSAE 3416 (Canada), AAF xx/11 (UK), AAS24 (India), HKCPA 860 (HK/China), Others
• SOC 2 reports: Reports on Controls at Service Organizations Relevant to Security, Confidentiality, Availability, Processing Integrity, and/or Privacy
• SOC 3 reports: SysTrustSM
SAS 70 vs SSAE 16 / ISAE 3402: Key similarities and differences – Service Organizations

SAS 70 vs SSAE 16 / ISAE 3402: Key similarities and differences – Subservice Organizations

SOC 1 reporting: Elements of the report – SAS 70 elements
• User financial statements
• System
• Control objectives
• Controls
• Control description
• Service auditor’s report

SOC 1 reporting: Elements of the report – SOC 1 elements
• User financial statements
• System
• Risk assessment
• Controls
• System description
• Control objectives
• Monitoring and testing
• Management’s written assertion
SOC 1 reporting
• Consider the users of the report when determining the best reporting option
  • SSAE 16 only report
  • Combined SSAE 16 / ISAE 3402 report
• For other countries, rules may differ
  • Reporting under SSAE 16 may be permissible
  • Reporting under ISAE 3402 only may be permissible
• AICPA seal available for service organizations for limited marketing purposes (terms of use on AICPA website)

Impact on Service Organizations
• Management provides a written assertion for inclusion in the report [SSAE 16: 4]
• Management must have a reasonable basis for the assertion [SSAE 16: 9.c.ii]
• That reasonable basis must be based on Suitable Criteria [SSAE 16: 13]

Impact on Service Organizations: Suitable Criteria – Design
Did management’s criteria include the following:
• Identification of the risks that threaten the achievement of the control objectives stated in management’s description of its system
• Identification of controls in management’s description of its system that would, if operating as described, provide reasonable assurance that those risks would not prevent the control objectives stated in the description from being achieved [SSAE 16: 15]

Impact on Service Organizations: Suitable Criteria – Operating Effectiveness
Did management’s criteria include the following:
• An evaluation of whether the controls were consistently applied as designed throughout the specified period
• An evaluation of whether manual controls were applied by individuals who have the appropriate competence and authority [SSAE 16: 16]
Impact on User Entities
• Timing of SSAE 16 – Required for all reports with periods ending on or after June 15, 2011 (early adoption is permitted)
• Users should generally expect control objectives, control activities and testing to be consistent with the historical SAS 70
• Users may see changes in scope based on the service organization’s re-evaluation of risks, relevance of controls to financial reporting, etc.

Impact on User Entities: Understanding the report
Consider reviewing the report in this order:
• Report of the independent auditor (previously Section I)
  • Is the scope of the report adequate (e.g., services, systems covered)
  • Was the opinion qualified or unqualified
  • Were there any sub-service organizations (inclusive versus carve-out)
  • Are complementary user entity controls necessary
• Management assertion (new section)
  • Is there any unexpected information
  • Is the assertion consistent with the opinion

Impact on User Entities: Understanding the report
• Description of controls, tests, and results (previously Section III)
  • Were the control objectives and controls adequate
  • Was the testing by the service auditor adequate (e.g., inquiry versus re-performance testing)
  • Were there any exceptions that might impact the user entity audit approach
• Description of the system (previously Section II)
  • Does the description match the user entity needs and expectations
  • Were there changes to processes or controls
  • Complementary user entity controls (determine key versus non-key to the user entity)
• Other information provided by the Service Organization (previously Section IV)
Additional reporting options: SOC 2 and SOC 3 reports
• Report subject matter includes areas of internal control outside of financial controls
  • Regulatory compliance
  • Operational metrics
• Performed under AT Section 101 (Attest Engagements) of the AICPA attestation standards using the Trust Services Criteria
  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy
• US created guidance; designed to also be used in other countries

Trust Services Principles and Criteria
• Security – the system is protected against unauthorized access (both physical and logical)
• Availability – the system is available for operation and use as committed or agreed
• Processing Integrity – system processing is complete, accurate, timely, and authorized
• Confidentiality – information designated as confidential is protected as committed or agreed
• Privacy – personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and Canadian Institute of Chartered Accountants
** One or more of the principles can be selected for the report **
Trust Services Principles and Criteria
Procedures to address the principles are divided into the following broad categories (all applicable criteria must be met):
• Policies – policies relevant to the principle exist
• Communications – policies have been communicated to relevant parties
• Procedures – procedures are placed in operation to achieve the objectives defined in the policies
• Monitoring – the system is monitored and action is taken to maintain compliance with policies
The standard criteria for each principle are publicly available to readers of the report on the AICPA site or in the report
SOC 2 report
• Broader intended distribution in comparison to SOC 1: existing AND prospective customers, regulators, business partners
• Detailed report format similar to a SOC 1 with Type I or Type II options
• Opinion covers description of system, control design, and control operating effectiveness (for a Type II report)
• Not intended for reliance for a financial statement audit by user entities
• Allows for opining on ‘additional subject matter’
  • AICPA expected to formalize mappings in the next year (HIPAA, GLBA, NIST, Cloud Security Alliance, ISO 27001, etc.)

SOC 2 report: Elements of the report
• Internal control concerns
• System
• Controls
• System description
• Trust Services criteria (includes risk assessment)
• Monitoring and testing
• Management’s written assertion
• Service auditor’s report

SOC 3 report
• Similar to a SysTrust report – specifically for service organizations
• Updated seal for SOC 3
• Same subject matter as a SOC 2 report with key differences:
  • General / public use report
  • No description of tests and results
  • Opinion covers the management assertion or subject matter of the report (not the description of the system)
  • Seal may be posted on site including a link to the report (if unqualified)

SOC 3 report: Elements of the report
• Internal control concerns
• System
• Controls
• System description
• Trust Services criteria (includes risk assessment)
• Monitoring and testing
• Written assertion
• Service auditor’s report
Why SOC 2 / SOC 3: User entity perspective
• Improve / enable oversight of the service organization
• Enhance vendor selection and management
• Regulatory or operational compliance
• If a SAS 70 was received in the past, who was relying on it? Will that subject matter be addressed in a SOC 1 considering the focus on financial reporting?

Why SOC 2 / SOC 3: Service Organization perspective
• Demonstrate compliance with requirements
• Marketing / competitive edge in RFP processes
• Reduce on-site audits or questionnaires
• Integral piece of the service package provided to customers

Resources
• www.aicpa.org/soc
• SOC Brochure – Service Organization Controls: Managing Risks by Obtaining a Service Auditor’s Report (describes key differences and purposes for SOC 1, SOC 2, and SOC 3) – www.aicpa.org/soc
Karen Krebsbach: karen.krebsbach@ey.com