SOC 1 Type 2 Evaluations for SOX Compliance Alan Barnes Victoria Tudor 8-12-2015 1


AGENDA
• What is a SOC Report?
• Types of SOC Reports
• SOC 1 Report Sections
• SOC 1 Evaluation Process Flow
• Initial Steps Prior to Evaluation
• Subservice Organizations
• Bridge Letter Guidance
• IT General Controls (ITGC)
• Complementary End User Controls (CEUC)
• Questions

What is a SOC Report?
• SOC = Service Organization Controls
• An independent CPA examines and reports on the service organization’s controls in order to meet the needs of their user entities.
• The report is an objective evaluation of the effectiveness of controls that address operations and compliance, as well as financial reporting at those user entities.
• The AICPA has established three SOC reporting options to address the needs of the marketplace and enable CPAs to protect the public:
  • SOC 1
  • SOC 2
  • SOC 3

Types of SOC Reports
SOC 1 reports on controls at a service organization relevant to user entities’ internal control over financial reporting (ICFR).
• SOC 1 engagements are performed under the AICPA Statement on Standards for Attestation Engagements (SSAE) 16.
• Use of a SOC 1 report is restricted to existing user entities.
• Type 1 - A report on management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
• Type 2 - A report on management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.

Types of SOC Reports
SOC 2 reports on controls at a service organization relevant to the five Trust Services principles:
• Security, Availability, Processing Integrity, Confidentiality, and Privacy.
• SOC 2 engagements use the Trust Services Criteria, as well as the requirements and guidance in the AICPA AT Section 101, Attest Engagements.
• A SOC 2 can also be a Type 1 or Type 2, just as with a SOC 1.
• Use of a SOC 2 report is generally restricted to existing user entities.

Types of SOC Reports
SOC 3 reports on controls at a service organization using the same Trust Services principles that are also used in SOC 2 engagements.
• The SOC 3 report is generally a general-use report that states only whether the system achieved the Trust Services principles.
• SOC 3 reports can be issued on one or more of the Trust Services principles.
• A SOC 3 allows a client to use the SOC 3 seal on its website.

SOC 1 Report Sections

Section | Section Name | Responsibility
I   | Independent Service Auditor’s Report (“opinion”) * | Service Auditor
II  | Management’s Assertion (may also include a subservice organization’s assertion) | Service Organization
III | Description of the System (overall control environment, control objectives, controls related to the system being examined) | Service Organization
IV  | Control Objectives, Related Controls, and Independent Service Auditor’s Tests of Controls and Results of Tests (Type 2 only) | Service Auditor
V   | Supplemental Information | Service Organization

SOC 1 Evaluation Process Flow (flowchart, reconstructed from the slide)

1. Obtain SOC 1 Report.
2. Complete SOC 1 Evaluation Form.
3. Any Issues?
   Yes: Notify SOX PMO/IA immediately and evaluate potential impact.
   No: Submit Evaluation Form to SOX PMO/IA for review.
4. SOX PMO/IA completes review.
5. Any Updates? (Yes / No)
6. SOX PMO/IA provides SOC 1 and Evaluation to External Auditor.

Initial Steps Prior to Evaluation
• Is the SOC 1 report a Type 2?
• Are there any testing exceptions? If so, perform a preliminary assessment and determine if they are significant enough to impact use of the report.
• Is the service auditor’s opinion unqualified? If qualified, what is the qualification for and what is the impact on use of the report? (An emphasis-of-matter paragraph is usually related to a testing exception.)
• Is the period covered at least nine months of the current calendar year? If not, alternative procedures are needed at the client level.
• Are there any subservice organizations listed? If so, are they included in the report or not (carved out)? If carved out, you may need other SOC 1 reports from them.

Subservice Organizations
• A subservice organization is a service organization employed by a service organization to process, record and report financial data for its user entities. (aka 4th Party)
• In management’s description of the service organization’s system, it may elect to use either the inclusive method or the carve-out method in its discussion of the services provided by a subservice organization.

Subservice Organizations: Inclusive Method
• A method used to describe the services provided by a subservice organization included within management’s description of the service organization’s system. Management’s description of the subservice organization’s system identifies the nature of the services performed by the subservice organization and includes a description of the scope of the service auditor’s engagement and the subservice organization’s relevant control objectives and related controls.
• For the Inclusive Method there should be a separate Management Assertion section for each subservice organization.
• The control objectives, controls, and testing results ARE INCLUDED in the 3rd party vendor’s SOC 1 report.

Subservice Organizations: Carve-out Method
• This method permits management’s description of the service organization’s system to identify the nature of the services performed by the subservice organization while excluding from the description, and from the scope of the service auditor’s engagement, the subservice organization’s relevant control objectives and related controls. In other words, the carve-out method allows the service auditor to exclude subservice organizations from the audit.
• The control objectives, controls, and testing results ARE NOT included in the 3rd party vendor’s SOC 1 report.
• The services provided by each 4th party must be assessed as to their significance to the user entity and whether or not a SOC 1 Type 2 report is needed from that 4th party.

Bridge Letter Guidance

Period Covered by SOC 1 Type 2 | Bridge Letter Required?
SOC 1 covers 9 full months or more of current year | Yes – Obtain a Bridge Letter by mid-Jan that covers through end of current year.
SOC 1 covers 6 months or less of current year | No – Bridge Letter not sufficient to provide assurance for remaining period of current year. Obtain 2nd SOC 1 covering remainder of year.
SOC 1 covers less than 9 full months of current year but 2nd SOC 1 not available | Maybe – Bridge Letter alone is not sufficient to provide assurance for remaining period of current year. Contact SOX PMO/IA to discuss alternate procedures.

This bridge letter guidance also pertains to any SOC 1 report required for any sub-service organization based on the current SOX year coverage period.

IT General Controls (ITGC)
Here is a typical list of the most common ITGCs:
• Logical Security (access)
• Information Security (password parameters, firewall, intrusion detection)
• Physical Security/Environmental Systems
• Application Development
• Change Management (OS, database, application, network, etc.)
• Computer Operations (job scheduling and monitoring)
• Backup Management
• Data Transmissions

Complementary End User Controls (CEUC)

The 3rd party’s control environment description typically indicates that certain complementary user entity controls (CEUC) must be suitably designed and operating effectively at user entities for related controls at the service organization to be considered suitably designed to achieve the related control objectives.


Examples of CEUCs:
• Validation of data inputs into vendor systems.
• Validation of output reports from vendor systems.
• Assurance that access and password parameters conform to your user entity standards.
• Do their ITGC controls adhere to your policies and procedures?
• Does the vendor adhere to your privacy and confidentiality requirements?

QUESTIONS?
