SOC 2: Build Trust & Confidence – Overview & Considerations

©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved

Contents

01. Background / Overview of SOC 2
02. The AICPA Framework
03. Purpose and Scope
04. The Anatomy
05. Considerations
06. Mapping – Other Standards
07. Q/A

Background & Overview 01


Growth & Popularity


Service Auditors


Service Providers


User Entities


Why Do You Need a SOC Report?

• Regulatory requirements
• User entity mandates
• Vendor management programs
• Due diligence
• Independent 3rd party opinion
• Competition and market

Overview

• What is a SOC 2 report?
• How does a SOC 2 differ from a SOC 1 report?
• SOC 2 versus SOC 3

Overview of the AICPA Framework 02


AICPA SOC Framework

SOC-1
• Standard/Guidance: SSAE 16: AICPA Guide (2013)
• Scope: ICFR
• Criteria: Control Objectives
• Usage of report: User auditor, user entity, management of SO

SOC-2
• Standard/Guidance: AT 101: AICPA Guide (2013)
• Scope: Security/Systems, Privacy
• Criteria: Trust Services Principles/GAPP
• Usage of report: Knowledgeable parties

SOC-3
• Standard/Guidance: AT 101: Technical Practice Aid (2014)
• Scope: Security/Systems, Privacy
• Criteria: Trust Services Principles/GAPP
• Usage of report: Anyone

Purpose & Scope 03


Purpose

• What does SOC 2 cover?
• What does SOC 2 not cover?

Scope

• System
• Boundaries
• Commitments
• System Requirements

Principles

• Security
• Availability
• Processing Integrity
• Confidentiality
• Privacy

Principles – Common Criteria (Security):

1: Organization & Mgmt
2: Communications
3: Risk Mgmt & Controls
4: Monitoring of Controls
5: Logical and Physical Access
6: System Operations
7: Change Management

Principles – Criteria beyond the Common Criteria

• Availability: Common Criteria +3
• Processing Integrity: Common Criteria +6
• Confidentiality: Common Criteria +6
• Privacy: Common Criteria +74

Report Type

• Type 1
• Type 2

The Anatomy 04


Report Structure

• Service Auditor’s Report – “The Opinion”
• Management’s Assertion
• Description of the System
• Tests of Controls and Corresponding Results
• Additional Information – Provided by Service Organization

Service Auditor’s Report

• Unqualified vs. Qualified

Management’s Assertion

• Commitment – suitability and accuracy
• Subservice organizations

System Description

• Management’s objective description of the services provided to user entities
• Components of a System Description

Test of Controls / Results

• Test procedures
• Results
• Deviations / Exceptions

Intended Use

• Management of service organization
• User entities of the services
• Other knowledgeable parties

Considerations 05

Relevance To The User

• RFP requirements
• Customer mandates
• Regulatory needs
• Vendor management process

Understanding Reporting

• SOC 1 vs. SOC 2
• AT 101
• AT 601
• Agreed Upon Procedures
• Readiness Assessment
• PCI

Education & Preparedness

• Contracts, RFP, SLA
• AICPA website
• Training and awareness
• Executive communication
• Discussion with service auditor

Control Environment

• Start-up
• Developing systems
• No customers yet
• Lack of documentation / evidence
• No monitoring of controls

Carve-out vs. Inclusive

• Subservice organization
• Carve-out method emphasis
• Inclusive method requirements

Risk Assessment & Scope

• Perform a risk assessment

Readiness Assessment

• Internally
• Service auditors

Remediation

• Policies / Procedures
• Segregation of duties
• Monitoring

Audit Firm Selection

• Licensed CPA firm
• Independent
• Single vendor approach
• Audit team

Mapping to Other Standards 06


Other Standards

• SOC 1
• ISO 27001
• HIPAA
• HITRUST
• PCI