Everything You Need To Know About SOC 1

Page 1: Everything You Need To Know About SOC 1

Overview: SOC 1 Reporting

Page 2

Contents
01. Background & Overview
02. Overview of the AICPA Framework
03. Purpose & Scope
04. The Boundaries
05. The Anatomy
06. Common Challenges and Benefits
07. Q/A

Page 3

01 Background & Overview

Page 4

OVERVIEW
• SSAE 16
• SOC 1
• AT Section 801
• ISAE 3402

Presentation Notes:
• SSAE 16: Statement on Standards for Attestation Engagements No. 16, the AICPA attestation standard that replaced SAS 70 for reporting on controls at a service organization.
• AT Section 801: when SSAE 16 became effective it was codified in the AICPA attestation standards as AT section 801.
• SOC 1: the AICPA established the Service Organization Controls (SOC) reporting brands (SOC 1, SOC 2, SOC 3) for service organizations; a SOC 1 is the report issued under SSAE 16.
• ISAE 3402: the equivalent international standard, issued by the IAASB.
Note: SSAE 16 / AT section 801 was later superseded by SSAE 18 (AT-C section 320, effective for reports dated on or after May 1, 2017); the SOC 1 report structure described in this deck carries over.
Page 5

SERVICE AUDITORS

Presentation Notes:
• A Certified Public Accounting (CPA) firm hired by the service organization (or by the user organization) to perform the examination
• Issues an opinion on whether the service organization's description of its system and relevant internal controls is fairly presented
• Issues an opinion on the design of the controls, and (Type 2 only) on their operating effectiveness over the period
• Must be independent of the service organization
Page 6

SERVICE PROVIDERS

Presentation Notes:
Provides a service that may impact the user entity's ICFR. Examples: data center services, cloud services, data services, business services, technology services, financial services, managed services, claims processing, health care, insurance, payment card transactions, public sector.
Page 7

USER ENTITIES

Presentation Notes:
• Typically the clients, customers, or members of the service organization
• Need assurance regarding their own ICFR
• Can be business units or divisions within the same organization (e.g., a data center operations facility serving or hosting related business processes)
Page 8

USER AUDITORS

Presentation Notes:
• A CPA firm that performs an audit of the user entity's financial statements and financial reporting systems
• Needs assurance regarding the service organization's impact on the user entity's ICFR
• Authorized users of the SOC 1 report
Page 9

Presentation Notes:
Complete illustration of the parties involved (service organization, service auditor, user entities, user auditors).
Page 10

02 Overview of the AICPA Framework

Page 11

AICPA SOC FRAMEWORK

                     SOC 1                              SOC 2                             SOC 3
Standard/Guidance    SSAE 16; AICPA Guide (2013)        AT 101; AICPA Guide (2013)        AT 101; Technical Practice Aid (2014)
Scope                ICFR                               Security/Systems, Privacy         Security/Systems, Privacy
Criteria             Control objectives                 Trust Services Principles / GAPP  Trust Services Principles / GAPP
Usage of report      User auditor, user entity,         Knowledgeable parties             Anyone
                     management of the SO

Presentation Notes:
Address usage vs. distribution of the report, time permitting.
Page 12

03 Purpose & Scope

Page 13

WHY DO YOU NEED A SOC REPORT?
• Regulatory requirements
• User entity mandates
• Outsourcing relationships
• Internal control analysis
• Independent third-party opinion
• Competition and market

Presentation Notes:
• Increased regulatory requirements (e.g., SOX, Basel II)
• Mandated by the user entity (e.g., through a VMO or SLA); one report satisfies multiple compliance standards and a broad range of customers' security questionnaires
• Increased outsourcing relationships
• Need for insight into internal controls
• Provides an independent third-party opinion
• Competition and market expectations
Page 14

Focused on financial reporting risks

Presentation Notes:
Focused on financial reporting risks. The service organization must understand the risks and determine the impact on users:
• Classes of transactions
• Procedures for processing transactions
• Accounting records of the system
• Handling of significant events
• Report preparation for users
Page 15

SPECIFIED BY THE SERVICE ORGANIZATION
• Operational/Application controls
• General IT controls

Presentation Notes:
The scope, control objectives and control activities are specified by the service organization and evaluated by the service auditor.
Transaction processing controls:
• Data input
• Processing / posting / updating
• Reporting
• Service level agreements
General IT controls:
• Access controls (logical and physical)
• Program change management
• Computer operations (maintaining system availability)
• Data communications and transmissions
* A SOC 1 report might cover only IT general controls, depending on the services provided by the service organization.
Page 16

04 The Boundaries

Page 17

If it is relevant to internal control over financial reporting, it belongs in the SOC 1 examination!

Page 18

BOUNDARIES
• What does SOC 1 cover?
• What does SOC 1 not cover?

Presentation Notes:
What SOC 1 does cover:
• Classes of transactions
• Procedures for processing transactions
• Accounting records of the system
• Handling of significant events
• Report preparation for users
• IT general controls supporting ICFR systems
What SOC 1 does not cover:
• Controls regarding operational effectiveness or quality
• Controls over user privacy or identity protection
• Compliance with regulations, laws, contracts, or rules (that is a compliance attestation under AT 601)
• Disaster recovery
Page 19

BOUNDARIES
• Limited to specific users
• Limited purpose

Presentation Notes:
Limited to specific users:
• Service organization management
• User auditors
• User entities
Limited purpose:
• User entity assessments of financial reporting systems (e.g., financial statement audits)
• Examinations of internal controls integrated with the financial statement audit
• Examinations of internal control over financial reporting (i.e., SOX)
• Not intended purely as a marketing tool
Page 20

05 The Anatomy

Page 21

REPORT STRUCTURE
• Service Auditor's Report ("The Opinion")
• Management's Assertion
• Description of the System
• Tests of Controls and Corresponding Results
• Additional Information (provided by the service organization)

Page 22

SERVICE AUDITOR'S REPORT
• Unqualified vs. Qualified

Presentation Notes:
Unqualified is a "clean" opinion:
• The description fairly presents the service organization's system
• The controls were suitably designed to achieve the related control objectives
• For a Type 2 report, the controls tested operated effectively throughout the period
Qualified / modified opinion:
• Management's description of the system is not fairly presented
• Controls were not suitably designed
• Insufficient evidence was available
• For a Type 2 report, controls were not operating effectively, or there was a significant change during the review period
Page 23

MANAGEMENT'S ASSERTION
• Commitment to suitability and accuracy
• Similar to a SOX Section 302 certification
• Subservice organizations

Presentation Notes:
Management's commitment to the suitability and accuracy of the description within the report. The following must be defined and documented in the report:
• Fair presentation of the system description, and the criteria used to make that determination
• Suitability of the design of controls
• Operating effectiveness of controls (Type 2 only)
Similar to a SOX Section 302 certification. Also a requirement for subservice organizations under the inclusive method.
Page 24

SYSTEM DESCRIPTION
• Objective description of the services

Presentation Notes:
Management's objective description of the service(s) provided to user entities. Includes:
• Services provided
• Control environment, risk assessment, control activities, information and communication, and monitoring
• Procedures and policies relevant to the services provided
• Classes of transactions and accounting records
• How transactions are initiated, authorized, recorded, processed, corrected and reported
• General computing controls
• Frequency and nature of controls
Page 25

SYSTEM DESCRIPTION
• Management's objective description of the services provided to user entities

Presentation Notes:
Management's objective description of the service(s) provided to user entities. Also includes:
• Significant events / changes
• Control objectives and related controls
• User control considerations (complementary user entity controls)
• Subservice organization description / controls (if applicable)
Designed to meet the needs of a broad base of user entities.
Page 26

TEST OF CONTROLS / RESULTS
• Test procedures
• Results
• Deviations / Exceptions

Presentation Notes:
Type 2 examinations: the service auditor's documentation of the test procedures performed and the corresponding results:
• The controls that were tested
• The type of testing performed (inquiry, observation, inspection, sample testing / re-performance)
• The population and the selection (sample) used
• Description of the test and of the documentation reviewed to determine design and/or operating effectiveness
Deviations or exceptions: results must include the nature of the issue and how often it occurred, stated against the sample size and testing approach (e.g., 2 of 25 items tested).
Page 27

ADDITIONAL INFORMATION
• Information not related to ICFR

Presentation Notes:
The service organization may want to provide user entities and their auditors with additional information that is not related to ICFR:
• Provided by management
• Documented in a separate section of the report
• Reviewed by the service auditor, but not considered an audited section of the report
• Examples: disaster recovery, additional service offerings, management's responses to deviations (Type 2)
Page 28

06 Common Challenges and Benefits

Page 29

RELEVANCE TO CUSTOMERS' ICFR
• Impact on financial reporting
• Legal / regulatory compliance
• Impact on production / quality

Presentation Notes:
Service organizations may have a direct impact on financial reporting data, in which case a SOC 1 is the right vehicle. Where the impact is instead on the user entity's compliance with laws, regulations, rules, contracts or grants, or on its production or quality control, the service falls outside the SOC 1 boundary (see the Boundaries section).
Page 30

RELEVANCE TO CUSTOMERS' ICFR
• No financial reporting impact
• Misuse of the report

Presentation Notes:
One of the reasons SAS 70 was replaced by SOC 1 and SOC 2 reporting was that SAS 70 reports were being issued for services that had no financial reporting impact on the user entity, and were being used as general-purpose assurance they were never designed to provide.
Page 31

RELEVANCE TO CUSTOMERS' ICFR
• Accurate use of the report
• User auditor expectations

Presentation Notes:
The benefit is straightforward: if the SOC examination is aligned with the standard and the report is used for its intended purpose, the organization will be able to meet the expectations of its users / clients and of the user auditors.
Page 32

EDUCATION & PREPAREDNESS
• Contracts, RFPs, SLAs
• AICPA website
• Training and awareness
• Executive communication
• Discussion with the service auditor

Presentation Notes:
• Review the client's or prospect's contracts, RFPs and/or SLAs to see what the client expects from the report
• Review AICPA website resources: guidance, the SOC guide, webinars / training
• Perform training and awareness
• Develop communication plans with executive management and the functional areas within the organization
• Kick off the discussion with the service auditor and set expectations
• Make sure the contract-related point covers your organization's obligations to provide such a report, any right-to-audit clauses, and the commitments made in standard contracts, since those commitments may become the scope of the eventual examination
Page 33

EDUCATION & PREPAREDNESS
• Insufficient timing
• Silos / groups

Presentation Notes:
Not providing upfront education and planning is a challenge for service organizations; education and planning should be done months in advance of the auditors coming on site to perform testing. Not preparing everyone is a pitfall too: preparing only IT or HR is not sufficient, as several of the control objectives may span different groups.
Page 34

EDUCATION & PREPAREDNESS
• Demonstrates management's responsibility and accountability
• Promotes successful examination efforts
Page 35

CUSTOMER REQUIREMENTS
• Document client needs
• Client discussions
• Decide on report type

Presentation Notes:
• Compile a list of user entities and their needs
• Review contracts and agreements
• Set up round-table discussions
• Have conversations with account executives
• Decide on the report type: determine the user entities' intended use of the report; SOC 1, 2, 3 or AT 101; Type 1 (point in time) or Type 2 (period of time)
Page 36

CUSTOMER REQUIREMENTS
• Choosing the correct report
• Trying to meet multiple compliance efforts with a single deliverable

Presentation Notes:
• Know how your customers use your systems, whenever practical / possible
• Understand the needs of a broad base of your customers
• Determine whether one or many report vehicles are necessary / preferred
Page 37

CUSTOMER REQUIREMENTS
• Meet ICFR regulatory or contractual mandates
• Bolster trust and confidence
• One examination meets multiple customer requests
• Promote a stronger control environment

Page 38

CARVE-OUT VS. INCLUSIVE
• Carve-out method emphasis
• Subservice organizations
• Inclusive method requirements

Presentation Notes:
• Define subservice organization: a vendor the service organization itself relies on for services relevant to user entities' ICFR
• Increased emphasis on the carve-out method: the subservice organization's controls are excluded from the description (the description identifies them and the complementary controls expected of the subservice organization), and the subservice organization is expected to meet SSAE 16 requirements through its own report
• Requirements for the inclusive method: the subservice organization must provide a representation letter; the report includes an assertion from the subservice organization; the report includes a system description of the subservice organization's controls and processes
Page 39

CARVE-OUT VS. INCLUSIVE
• Obtaining cooperation / documentation from subservice organization(s)

Page 40

CARVE-OUT VS. INCLUSIVE
• Focused and tailored report

Page 41

REPORT TYPE
• Type 1
• Type 2

Presentation Notes:
Type 1: suitability of the design of the controls to achieve the control objectives as of a specified date.
Type 2: suitability of the design and operating effectiveness of the controls to achieve the control objectives throughout a specified period.
Page 42

REPORT TYPE
• Insufficient coverage
• Implementation of controls

Presentation Notes:
• Insufficient coverage: timing, and controls that did not operate for long enough
• Implementation of controls: controls not in place for the entire review period
• Next, when does the audit period start? (Remediation, and the time needed after remediation to accumulate enough occurrences to sample, are discussed later in the presentation.)
• Last, how long will the audit period be: can you do 3 months, and why? Or do you decide on 6, 9 or 12 months?
Page 43

REPORT TYPE
• Both are attestation reports
• Timeliness of the report
• Report coverage and content

Presentation Notes:
Type 1: faster report. Type 2: includes tests of controls and results of tests; more assurance; greater period of coverage.
Page 44

RISK ASSESSMENT & SCOPE
• Perform a risk assessment

Presentation Notes:
Perform a risk assessment:
• Identify in-scope services
• Select physical locations
• Identify subservice organizations
• Identify risks
• Document processes
• Identify control objectives
• Identify control activities
• Identify the timeline
Page 45

RISK ASSESSMENT & SCOPE
• Accurate scope
• Control identification

Presentation Notes:
Challenges during this phase, especially for first-time examinations:
• Making sure the scope is accurate. Hold a working session with the user entities and internal stakeholders to confirm that the report will contain all the control objectives needed to satisfy current user entities and potential new customers during that year.
• Risk assessments with incomplete or insufficient controls or risk mitigation strategies.
Page 46

RISK ASSESSMENT & SCOPE
• Pre-planning process
• Better understanding of the environment
• Early identification of issues

Presentation Notes:
Risk assessments have great benefits as well. They make the pre-planning process much easier, allow the service organization to be better prepared when the auditors begin testing, and provide an opportunity for early detection of issues that can be remediated. A risk assessment is a critical component of an effective system of internal control.
Page 47

INTERNAL AUDIT ASSISTANCE
• Direct assistance
• Use of the work of others

Presentation Notes:
Service auditors can use direct assistance from the internal audit department. To do so, the service auditor will:
• Determine the adequacy (competence and objectivity) of internal audit
• Determine the nature and scope of the work
• Perform training and provide templates
• Describe the tests to be performed
• Determine the degree of judgment involved in the evaluation
Page 48

INTERNAL AUDIT ASSISTANCE
• Learning curve
• Differences in testing strategies

Page 49

INTERNAL AUDIT ASSISTANCE
• Professional fees and time
• Understanding of the environment
• Evidence gathering and management

Page 50

READINESS ASSESSMENT
• Internally
• Service auditors

Presentation Notes:
You can do the assessment internally if needed. Service auditors can also perform a readiness assessment prior to the actual SOC examination to assess preparedness:
• Develop the description of the system
• Define control objectives
• Identify control activities
• Evaluate the design of the control activities through evidence
• Perform a gap analysis to identify controls that are not in place or are designed inadequately
• Provide an internal-use report for management
Page 51

READINESS ASSESSMENT
• Inaccurate description of processes
• Lack of resources

Page 52

READINESS ASSESSMENT
• Increased success in the audit
• Earlier remediation efforts
• Better preparation
• Documentation of the narrative

Page 53

REMEDIATION
• Policies / procedures
• Segregation of duties
• Monitoring

Presentation Notes:
Remediation is key after the readiness assessment; allow 6 to 8 weeks of remediation time. The usual areas of remediation are documentation of policies and procedures, segregation-of-duties violations, and implementation of monitoring and response procedures for control deviations and breakdowns.
Page 54

REMEDIATION
• Insufficient planning
• Resource constraints
• Timely remediation

Presentation Notes:
• Insufficient planning: aggressive timelines for follow-up examinations; misunderstanding of the issues
• Resource constraints: typically time and personnel
Page 55

REMEDIATION
• Meet ICFR regulatory or contractual mandates
• Bolster confidence
• Promote a stronger control environment

Presentation Notes:
Bolsters internal confidence in a successful subsequent examination.
Page 56

AUDIT FIRM SELECTION
• Licensed CPA firm
• Independent
• Single-vendor approach
• Audit team

Presentation Notes:
SOC experience:
• Confirm the provider is a licensed CPA firm, and find out who will actually perform the work (e.g., outsourced or loan staff)
• The number of SOC reports performed annually
• Involvement with AICPA guidance / task forces / exposure drafts
Certifications and experience of the audit team:
• Each team member's individual SOC experience
• Certifications (e.g., CISA, CIA, CISSP, CPA)
• Industry experience
Fees and project timeline expectations:
• Fixed fees vs. hourly fees
• Timeline for final reports
Single-vendor approach:
• Leverage the engagement for other compliance initiatives
• Verifiable industry accreditations (e.g., PCI QSA, FedRAMP 3PAO)
Page 57

AUDIT FIRM SELECTION
• Lack of a mature methodology
• Remote-only testing
• Use of offshore resources

Presentation Notes:
Not all audit firms are created equal. A firm may be able to perform SOC examinations administratively, but finding out how much experience it has is key: pick a firm that has both SOC experience and industry experience. Also ask whether the auditors come on site to perform testing or whether testing is always done remotely; remote-only testing can be a challenge, especially under a time constraint, when the goal is a report that is complete and accurately reflects the service organization's environment. Finally, an audit firm that offshores the work can add time and fees to the audit.
Page 58

AUDIT FIRM SELECTION
• Acceptable auditor-to-auditor communication
• Value-added controls assessment process

Presentation Notes:
Value-added controls assessment process: beyond the SOC 1 deliverable itself, an experienced service auditor can provide a deeper understanding of your control environment, help with control identification, give performance feedback, and provide recommendations / action items for control improvements.