Changes to SAS No. 70 and the Impact on the Audit Function and Information Security
Presented by: Peter Viglucci, CISA, CRISC, Director of Technology, P&G Associates
P&G Associates - 646 Highway 18, East Brunswick, NJ 08816 - (877) 651-1700
pviglucci@pgcpa.com - www.pandgassociates.com
Objectives: who, what, why, and how
• Who do the changes affect?
• What is changing?
• Why is there a need for a change?
• How will the changes impact new business, audit, and information security?
Who? Terminology definitions
Relationships
[Diagram: the Bank is the User Entity; the Core Processor and the Off-site Data Storage Vendor are Service Organizations; External Audit (the CPA) is the User Auditor; Internal Audit and Regulators are also User Auditors; the Service Auditor reports on the service organizations; Prospective customers are Other Interested Parties]
Service Organization Reports (SOC Reports)
The big picture:
• SAS No. 70 is now SSAE No. 16, reported as SOC 1
• Reports on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy are to be reported as SOC 2 and/or SOC 3
• Effective for reporting periods ending on or after June 15, 2011
What is changing? Three new Service Organization Control reporting options:
Why the new reporting options?
• SAS No. 70 was always intended to be a report on an entity’s internal controls over financial reporting
  • It is sometimes incorrectly used as a report on an entity’s operational controls (e.g. privacy, integrity, etc.) not related to financial reporting
  • Internal audit has contributed to the problem by incorrectly requesting SAS No. 70 reports for control audits not based on financial reporting
  • Regulatory pressure? GLBA + Vendor Management = Ask for the SAS 70
• SAS No. 70 is primarily an auditor-to-auditor communication
  • It is sometimes used incorrectly as a marketing tool by the service organization (we are “SAS 70 Certified”)
• SAS No. 70 has an inherent weakness in that the service organization defines the scope of the controls evaluated
  • This potentially leads to very acute information security issues for the user organization if the report is used for non-financial reporting
• Align with international standards
• Align with SOX (management assertions)
Service Organization Report 1 (SOC 1)
The big picture: SAS No. 70 is now SSAE No. 16, reported as SOC 1
What is changing?
• The International Auditing and Assurance Standards Board (“IAASB”) and the Auditing Standards Board (“ASB”) of the American Institute of Certified Public Accountants (“AICPA”) have approved new standards for reporting on controls at a service organization
• Statement on Auditing Standards No. 70 (SAS 70) will be replaced with two standards:
  • A service auditor’s standard, International Standard for Attest Engagements No. 3402 (ISAE 3402), Assurance Reports on Controls at Service Organizations, which will guide service organization auditors when conducting examinations
  • A user auditor’s standard, International Standard on Auditing No. 402 (ISA 402), Audit Considerations Relating to an Entity Using a Service Organization, which will guide user auditors when assessing the internal controls of a service organization
What is changing?
• The ASB has adopted new domestic standards:
  • Statement on Standards for Attestation Engagements No. 16 (SSAE 16), Reporting on Controls at a Service Organization
  • SAS ED: Audit Considerations Relating to an Entity Using a Service Organization, expected to be final in December 2011
What’s new in SSAE No. 16?
• SSAE No. 16 is an attestation standard
  • The service auditor is reporting on the service organization’s description of its systems and controls, not reporting on financial statements
  • Aligns the standard with the actual work being performed
• Written assertion by management
  • The management of the service provider will be required to present a written assertion covering the entire specified period about whether
    • the description fairly presents the system that was designed and implemented
    • the controls were suitably designed to achieve the control objectives
    • the controls operated effectively
  • The management of the service provider must have a reasonable basis to support the assertion
    • Risk assessment
    • Monitoring
What’s new in SSAE No. 16?
• Can’t use evidence of satisfactory operation of controls in prior periods as a basis for reducing the testing in the current period
• The service auditor is required to identify and describe any tests of controls performed by internal audit and the service auditor’s process with respect to that work
• In a type 2 engagement, the service auditor’s opinion covers the period. In a SAS No. 70, the opinion is as of a specified date
• The “materiality loophole” has been closed
  • “The concept of materiality is not applied when disclosing, in the description of the tests of controls, the results of those tests when deviations have been identified”
  • SSAE No. 16 effectively states that service auditors will no longer be permitted to hypothesize about what may, or may not, be relevant to user entities and user auditors
What’s the same in SSAE No. 16?
• The report is “limited” in its distribution. The report is not intended for, and should not be distributed to, other organizations, including prospective clients or investors
• Service auditor’s tests and results are included in the report
  • Sample sizes are disclosed only when deviations are identified
• “User Control Considerations” will still be included in the report
What’s the same in SSAE No. 16?
• Two types of reports: Type 1 and Type 2
  • Type 1: A report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date
  • Type 2: Same as a type 1 report but also includes 1) the service auditor’s opinion on the operating effectiveness of the controls and 2) a description of the service auditor’s tests of the operating effectiveness and the results of those tests
    • The difference is that the opinion now covers the period
Management Assertion
• What value does it add?
  • Adds accountability at the service organization
    • The management of the service organization can’t hide behind the service auditor’s report
  • Adds transparency to the system in question
    • How many times have you read a SAS 70 and still had no idea what the system did?
  • Gives additional comfort to the user entity that senior management at the service organization is involved
• What does it not do?
  • It does not shift responsibility to the service organization
    • User entities are ultimately responsible for the systems they use, whether they are deployed and managed in-house or outsourced
  • It should not be considered a vehicle that transfers risk
Management Assertion
XYZ Service Organization's Assertion
We have prepared the description of XYZ Service Organization's [type or name of] system (description) for user entities of the system during some or all of the period [date] to [date] and their user auditors who have a sufficient understanding to consider it, along with other information, including information about controls implemented by user entities of the system themselves, when assessing the risks of material misstatements of user entities' financial statements. We confirm, to the best of our knowledge and belief, that
• the description fairly presents the [type or name of] system made available to user entities of the system during some or all of the period [date] to [date] for processing their transactions [or identification of the function performed by the system]. The criteria we used in making this assertion were that the description
  • presents how the system made available to user entities of the system was designed and implemented to process relevant transactions, including
    • the classes of transactions processed.
    • the procedures, within both automated and manual systems, by which those transactions are initiated, authorized, recorded, processed, corrected as necessary, and transferred to the reports presented to user entities of the system.
    • the related accounting records, supporting information, and specific accounts that are used to initiate, authorize, record, process, and report transactions; this includes the correction of incorrect information and how information is transferred to the reports presented to user entities of the system.
    • how the system captures and addresses significant events and conditions, other than transactions.
    • the process used to prepare reports or other information provided to user entities of the system.
    • specified control objectives and controls designed to achieve those objectives.
    • other aspects of our control environment, risk assessment process, information and communication systems (including the related business processes), control activities, and monitoring controls that are relevant to processing and reporting transactions of user entities of the system.
Points highlighted on the slide:
• The intended audience is still restricted
• SOC 1 is about financial reporting
• The assertion covers the period (type 2)
• Risk assessment and monitoring form the reasonable basis
Management Assertion
It is important to realize that the report will be used by many different user entities, subject to differing regulatory requirements, and will therefore focus on common controls applicable to all.
  • does not omit or distort information relevant to the scope of the [type or name of] system, while acknowledging that the description is prepared to meet the common needs of a broad range of user entities of the system and the independent auditors of those user entities, and may not, therefore, include every aspect of the [type or name of] system that each individual user entity of the system and its auditor may consider important in its own particular environment.
• the description includes relevant details of changes to the service organization's system during the period covered by the description when the description covers a period of time.
• the controls related to the control objectives stated in the description were suitably designed and operated effectively throughout the period [date] to [date] to achieve those control objectives. The criteria we used in making this assertion were that
  • the risks that threaten the achievement of the control objectives stated in the description have been identified by the service organization;
  • the controls identified in the description would, if operating as described, provide reasonable assurance that those risks would not prevent the control objectives stated in the description from being achieved; and
  • the controls were consistently applied as designed, including whether manual controls were applied by individuals who have the appropriate competence and authority.
Points highlighted on the slide:
• It is the user entity’s responsibility to understand additional controls it might require
• Change in the system is okay so long as it is documented and the control objectives hold
• The assertion covers the period
• The risk assessment
What to look for in an SOC 1 type 2 report
Independent Service Auditor's Report
Scope
We have examined XYZ Service Organization's description of its [type or name of] system for processing user entities' transactions [or identification of the function performed by the system] throughout the period [date] to [date] and the suitability of the design and operating effectiveness of controls to achieve the related control objectives stated in the description.
Service organization's responsibilities
On page [X] of the description, XYZ Service Organization has provided an assertion about the fairness of the presentation of the description and suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description. XYZ Service Organization is responsible for preparing the description and for the assertion, including the completeness, accuracy, and method of presentation of the description and the assertion; providing the services covered by the description; specifying the control objectives and stating them in the description; identifying the risks that threaten the achievement of the control objectives; selecting the criteria; and designing, implementing, and documenting controls to achieve the related control objectives stated in the description.
Service auditor's responsibilities
Our responsibility is to express an opinion on the fairness of the presentation of the description and on the suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description, based on our examination. We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, the description is fairly presented and the controls were suitably designed and operating effectively to achieve the related control objectives stated in the description throughout the period [date] to [date].
Points highlighted on the slide:
• Management’s assertion
• It includes a statement of risk assessment – it is unlikely an actual risk assessment will be included in the report – but we can dream
• The service auditor must also opine on the suitability of the design over the period
What to look for in an SOC 1 type 2 report
Inherent limitations
Because of their nature, controls at a service organization may not prevent, or detect and correct, all errors or omissions in processing or reporting transactions [or identification of the function performed by the system]. Also, the projection to the future of any evaluation of the fairness of the presentation of the description, or conclusions about the suitability of the design or operating effectiveness of the controls to achieve the related control objectives, is subject to the risk that controls at a service organization may become inadequate or fail.
Opinion
In our opinion, in all material respects, based on the criteria described in XYZ Service Organization's assertion on page [X],
• the description fairly presents the [type or name of] system that was designed and implemented throughout the period [date] to [date].
• the controls related to the control objectives stated in the description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the period [date] to [date].
• the controls tested, which were those necessary to provide reasonable assurance that the control objectives stated in the description were achieved, operated effectively throughout the period [date] to [date].
Description of tests of controls
The specific controls tested and the nature, timing, and results of those tests are listed on pages YY–ZZ.
Restricted use
This report, including the description of tests of controls and results thereof on pages YY–ZZ, is intended solely for the information and use of XYZ Service Organization, user entities of XYZ Service Organization's [type or name of] system during some or all of the period [date] to [date], and the independent auditors of such user entities, who have a sufficient understanding to consider it, along with other information including information about controls implemented by user entities themselves, when assessing the risks of material misstatements of user entities' financial statements. This report is not intended to be and should not be used by anyone other than these specified parties.
Points highlighted on the slide:
• The opinion covers a period, whereas a SAS 70 opinion is as of a date
• Type 2: the controls operated effectively
• This is still a restricted report
SOC 1 Stakeholders
[Diagram: the relationships diagram (Bank as User Entity; Core Processor and Off-site Data Storage Vendor as Service Organizations; External Audit/CPA as User Auditor; Internal Audit and Regulators as User Auditors; Service Auditor; Prospective customers as Other Interested Parties), highlighting the SOC 1 stakeholders]
Service Organization Report 2 (SOC 2)
The big picture: reports on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy are reported as SOC 2
Service Organization Control Report 2 (SOC 2)
• Focused on Trust Services Principles
  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy
• Performed under AT Section 101
  • The soon-to-be-released AICPA guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, is an application of AT section 101
• Type 1 and Type 2
• Trust Services Principles add consistency to the reviews so user entities can evaluate different vendors using common criteria
Why consider an SOC 2 report?
• Meet regulatory compliance needs of user entities
  • GLBA, HIPAA
• Remove the need for user entity auditing rights
  • They can potentially disrupt operations
  • They can potentially compromise security
  • They are expensive to support
• Answer questions before they are asked
  • Questions from user entities will generally align with the Trust Services Principles
  • For example, questions related to a cloud-based storage service will likely revolve around security and availability
SOC 2 Stakeholders
[Diagram: the relationships diagram (Bank as User Entity; Core Processor and Off-site Data Storage Vendor as Service Organizations; External Audit/CPA as User Auditor; Internal Audit and Regulators as User Auditors; Service Auditor; Prospective customers as Other Interested Parties), highlighting the SOC 2 stakeholders]
Service Organization Control Report 3 (SOC 3)
• Like SOC 2, focused on Trust Services Principles
  • Security, Availability, Processing Integrity, Confidentiality, Privacy
• However, it does not include a description of tests of controls or the results
• It does include a description of the system, but it is less detailed than in an SOC 1 or SOC 2 report, and the description is not covered by the service auditor’s report
• SysTrust
• In addition to a report, the results of an SOC 3 engagement can be delivered in the form of a seal for display on the service organization’s website
• The report is not restricted and is freely distributable
Why consider an SOC 3 report?
• Marketing to current and prospective customers or any other interested party that does not need detailed reporting on controls
SOC 3 Stakeholders
[Diagram: the relationships diagram (Bank as User Entity; Core Processor and Off-site Data Storage Vendor as Service Organizations; External Audit/CPA as User Auditor; Internal Audit and Regulators as User Auditors; Service Auditor; Prospective customers as Other Interested Parties), highlighting the SOC 3 stakeholders]
The impact on external, internal, and regulatory audits?
• Can now more effectively evaluate vendors (both selection and management)
  • The description and management assertion add context to the controls
  • In SOC 2 and SOC 3 reports, Trust Services Principles define the control objectives
  • Reports are standardized – you can compare multiple vendors using common criteria!
  • Be aware, in an SOC 1 report the vendor, not the auditor, still specifies the control objectives
• “No exceptions” now means no exceptions – not “no exceptions in the tests the service auditor deemed relevant”
• Remember that the responsibility still remains with the user organization
  • Existing vendor management policies can probably remain the same, but consider enhancing the language to reflect a review of the description and assertion
• The report opinion now covers the period, so make sure the coverage is contiguous between reports
• You still must pay special attention to the “User Control Considerations”
How will the changes impact information security?
• Information is now more visible and easier to understand, improving the process of due diligence and the practice of due care
• Service organizations that did not deal with financial reporting were not required to undergo SAS No. 70 reviews
• With the introduction of the new reporting options:
  • Market pressure will likely result in the adoption of SOC 2 and SOC 3 reports in regulated industries
  • Non-financial-reporting vendors will undergo reviews commensurate with those of organizations that are required to have SOC 1 reviews performed
  • The new scrutiny should generally improve information security
How will the changes impact new business?
• The universe of potential clients for service audit firms increases
  • Many service organizations that are not subject to SOC 1 are now potential customers for SOC 2 and SOC 3
  • SOC 2 + SOC 3 = Billable Hours
• Most applicable to regulated industries (GLBA, HIPAA, etc.)
  • Regulators and Internal Audit will contribute to the demand
• Technology is not going away, and security is just starting to become something service organizations care about
  • As security needs increase, marketing pressure will likely contribute to the adoption of SOC 2 and SOC 3
A Practical Example
[Diagram: the relationships diagram (Bank as User Entity; Core Processor and Off-site Data Storage Vendor as Service Organizations; External Audit/CPA as User Auditor; Internal Audit and Regulators as User Auditors; Service Auditor; Prospective customers as Other Interested Parties), annotated with the flow of SOC 1, SOC 2 and SOC 3 reports below]
• Recognizing they provide critical services to their customers, the vendors (the Core Processor and the Off-site Data Storage Vendor) engage a CPA to attest to the adequacy of their controls
• The CPA delivers an SOC 1 (type 2) report to the organization that needs a report on internal controls over financial reporting, and SOC 2 (type 2) and SOC 3 reports to the organization that needs a report on internal controls over security, availability, processing integrity, confidentiality, or privacy
• As part of its vendor management program, the Bank requests the SOC 1 report from the core processor and the SOC 2 report from the data storage vendor
• As part of the external audit, the auditor requests the SOC 1 (type 2!) from the Bank
• As part of the internal and regulatory audits, the auditors request the SOC 2 (type 2!) from the Bank
• Wishing to market itself to other Banks, the data storage vendor displays the SOC 3 seal on its website
References
• (AICPA) Statement on Standards for Attestation Engagements (SSAE No. 16)
• (AICPA) Trust Service Principles and Criteria
• (AICPA) Service Organizations: New Reporting Options
• (AICPA) Service Organizations: Applying SSAE No. 16, Reporting on Controls at a Service Organization Guide (SOC 1)
• (AICPA) Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2)
• (ISACA) New Service Auditor Standard: A User Entity Perspective
• (AICPA Trust/Data Integrity Task Force) Understanding How Users Would Make Use of a SOC 2 Report
Questions
P&G Associates
Peter Viglucci
877-651-1700 or pviglucci@pgcpa.com