Preparing SOC 1, SOC 2 or SOC 3 Reports: Best Practices Meeting - - PowerPoint PPT Presentation

SLIDE 1

Presenting a live 110‐minute teleconference with interactive Q&A

Preparing SOC 1, SOC 2 or SOC 3 Reports: Best Practices

Meeting Challenges Arising From SSAE 16, ISAE 3402 and Other Service Company Control Standards

WEDNESDAY, MARCH 7, 2012 | 1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today’s faculty features:

Suzanne Nersessian, Director, National Service Organization Controls Reporting, Deloitte & Touche, Boston
David Palmer, Managing Director, KPMG, Chicago
Nargiz Yusupova, Manager, P&N Consulting, Baton Rouge, La.
Ryan Buckner, Shareholder, BrightLine CPAs & Assoc., Atlanta

For this program, attendees must listen to the audio over the telephone.

Please refer to the instructions emailed to the registrant for the dial-in information. Attendees can still view the presentation slides online. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

SLIDE 2

Conference Materials

If you have not printed the conference materials for this program, please complete the following steps:

  • Click on the + sign next to “Conference Materials” in the middle of the left-hand column on your screen.
  • Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.
  • Double click on the PDF and a separate page will open.
  • Print the slides by clicking on the printer icon.

SLIDE 3

Continuing Education Credits

FOR LIVE EVENT ONLY

Attendees must listen to the audio over the telephone. Attendees can still view the presentation slides online, but there is no online audio for this program.

Attendees must stay on the line for at least 100 minutes in order to qualify for a full 2 credits of CPE. Attendance is monitored as required by NASBA.

Please refer to the instructions emailed to the registrant for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

SLIDE 4

Tips for Optimal Quality

Sound Quality

For this program, you must listen via the telephone by dialing 1-866-873-1442 and entering your PIN when prompted. There will be no sound over the web connection. If you dialed in and have any difficulties during the call, press *0 for assistance. You may also send us a chat or e-mail sound@straffordpub.com immediately so we can address the problem.

Viewing Quality

To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

SLIDE 5

Preparing SOC 1, SOC 2 or SOC 3 Reports: Best Practices Seminar

March 7, 2012

David Palmer, KPMG

davepalmer@kpmg.com

Suzanne Nersessian, Deloitte & Touche

snersessian@deloitte.com

Ryan Buckner, BrightLine CPAs & Assoc.

buckner@brightline.com

Nargiz Yusupova, P & N Consulting

nyusupova@pncpa.com

SLIDE 6

Today’s Program

Introduction To SOC Framework [Suzanne Nersessian] – Slide 7 – Slide 10
SOC 1 Review [Suzanne Nersessian] – Slide 11 – Slide 23
SOC 2 Review [David Palmer] – Slide 24 – Slide 34
SOC 3 Review [Nargiz Yusupova] – Slide 35 – Slide 46
Considerations In Selecting An Attestation Examination [Ryan Buckner] – Slide 47 – Slide 58

SLIDE 7

INTRODUCTION TO SOC FRAMEWORK

Suzanne Nersessian, Deloitte & Touche

SLIDE 8

Background: Why The Change

  • Original intent of SAS 70
  • Growth of service organizations over last 40 years
  • SAS 70 used in ways that were never intended
  • SAS 70 became a de facto global standard
  • Convergence of U.S. and international standards

SLIDE 9

Changes In Reporting On Controls

I. ISAE 3402 led to the development of SSAE 16.
II. SAS 70 split into:
  • A. AU 402
  • B. SSAE 16
III. Effective date: Periods ending on or after June 15, 2011. Specific to covering internal control over financial reporting.
IV. AICPA Practitioner Guide: Usable for both standards, and for practitioners and service organizations alike.
V. Allows for the use of the framework/guidance to perform engagements under another standard (e.g., SOC 2).

SLIDE 10

Reporting Standards

AICPA Service Organization Control (SOC) Reports – New Standards & Options

Service Org Control 1 (SOC 1)
  • Standard: SSAE 16 – Service auditor guidance
  • Report: Restricted Use Report (Type I or II Report)
  • Purpose: Reports on controls for F/S audits

Service Org Control 2 (SOC 2)
  • Standard: AT 101 – auditor guidance; Trust Services Principles & Criteria
  • Report: Generally Restricted Use Report (Type I or II Report)
  • Purpose: Reports on controls related to compliance or operations

Service Org Control 3 (SOC 3)
  • Standard: AT 101 – auditor guidance; Trust Services Principles & Criteria
  • Report: General Use Report (w/ public seal)
  • Purpose: Reports on controls related to compliance or operations

SLIDE 11

SOC 1 REVIEW

Suzanne Nersessian, Deloitte & Touche

SLIDE 12

SOC 1 Reports: Purpose/Intended Use

  • Purpose
    • To provide user entities and their independent auditors with information and a CPA’s opinion about controls at the service organization relevant to user entities’ internal control over financial reporting
    • Covers fair presentation, design and operating effectiveness
  • Restricted use report
    • Management of the service organization
    • User entities of the service organization’s system during some or all of the period covered by the report (for Type 2 reports)
    • Independent auditors of user entities
    • Indirect users
    • Does not include potential users
  • Intended use
    • Report on controls that are likely to be relevant to user entities’ internal controls over financial reporting
    • For use in a financial statement audit

SLIDE 13

ISAE 3402 Relationship To SSAE 16: Notable Differences

Use of report
  • SSAE 16: Required to include a statement restricting the use of the report to management of the service organization, user entities of the system and user auditors.
  • ISAE 3402: Required to state that it is only intended for user entities and their auditors, but does not require inclusion of a statement restricting the use. Does not prohibit the inclusion of restricted use language.

Intentional acts
  • SSAE 16: Service auditor considers the impact of intentional acts on the description of the system, design and operating effectiveness of controls.
  • ISAE 3402: Silent on this requirement.

Use of internal audit
  • SSAE 16: Provides for use of internal audit in direct assistance.
  • ISAE 3402: Does not provide for the use of internal audit for direct assistance; however, this is being considered for adoption.

Subsequent events
  • SSAE 16: Service auditor to consider Type 2 subsequent events after the report date.
  • ISAE 3402: Limits the service auditor’s disclosure to those events that could affect their opinion (i.e., a Type 1 subsequent event).

Deviations/exceptions
  • SSAE 16: All exceptions are reported regardless of whether they affect the opinion.
  • ISAE 3402: Enables a service auditor to conclude that a deviation identified when performing tests of controls involving sampling is not representative of the population from which the sample was drawn (anomaly).

SLIDE 14

SAS 70 History: Global Environment

  • ISAE 3402 - Global
  • SSAE 16 – U.S.
  • CSAE 3416 - Canada
  • DE-IDW PS 951 – Germany
  • HKSAE 3402 “Assurance Reports on Controls at a Service Organization” – Hong Kong
  • Audit and Assurance Standard (AAF) 1/06 – U.K.
  • ASAE 3402 “Assurance Reports on Controls at a Service Organization” - Australia

SLIDE 15

Notable Changes From SAS 70 To SSAE 16

SLIDE 16

Notable Changes From SAS 70 To SSAE 16 (Cont.)

SLIDE 17

Key Change: Management’s Assertion

  • Management is required to provide a written assertion.
    • It can be included as a separate section of the report, or
    • The assertion can be part of the description of the system – appropriately identified as the assertion.
  • Assertion most often (and recommended to be) on company letterhead
  • Key components of management’s assertion:
    • The description of the system fairly presents the system that was designed and implemented throughout the specified period.
    • The controls were suitably designed to achieve the control objectives throughout the specified period, including identifying the risks that threaten the achievement of the control objectives.
    • The controls operated effectively throughout the period to achieve those control objectives.

SLIDE 18

Key Change: Management’s Assertion (Cont.)

  • Signing the assertion
    • No requirement to sign
    • However, most currently issued reports have been signed.
    • May be signed by the company or by individuals (most have been individuals)

SLIDE 19

Key Change: Management’s Assertion (Cont.)

Risk assessment

  • Service organization management must identify risks that threaten the achievement of the control objectives stated in the description of the system.
  • May be formal or informal processes; require ongoing monitoring/updating
  • Process commonly takes up-front effort to determine risks, or to reassess whether any additional risks may exist (for ongoing reports).

Basis for assertion

  • Management needs a reasonable basis to provide the assertion
  • No requirements on specific procedures to be performed
  • Management may not rely solely on the testing done by the service auditor.

SLIDE 20

Key Change: Management’s Assertion (Cont.)

Common procedures to support the assertion

  • Ongoing monitoring activities
    ― Regular management and supervisory activities
    ― Sub-certifications
    ― Review of compliant files
  • Separate evaluations
    ― Internal auditors or other personnel (risk/compliance) performing specific audits/examinations
    ― Information from external parties (e.g., regulatory reviews)
  • Combination of both

Support for assertion

  • Management should retain the support it will need for its written assertion
  • No documentation-retention requirement, but retention is sound practice

SLIDE 21

Criteria

  • Criteria pertain to services provided to a broad range of users that relate to financial reporting of user entities, and include:
    • Types of services, including classes of transactions
    • Procedures by which services are provided
    • Related accounting records
    • How the system captures significant events
    • Process used to prepare reports and other information
    • Specified objectives and controls
    • Other aspects of the control environment, risk assessment, information and communication, and monitoring
    • Details of changes during the period
    • Does not omit or distort information relevant to the system

SLIDE 22

Ideal Candidate Profile/Use Case

Determine the intended use of the report. Consider SOC 1 if:

  • Services relate to internal controls over financial reporting of the users
  • Receiving requests from independent auditors
  • Users and their auditors want to do testing at the service organization

SOC 1 vs. SOC 2

  • May not be black or white in all cases
  • Don’t solely base decisions on user requests; consider the facts and circumstances
  • Both reports may be warranted in certain circumstances

SLIDE 23

Scoping Considerations

  • Determine services that will be covered and select the criteria
  • Identify users of the report
  • Understand how the report will be used - in connection with an audit of financial statements
  • Choose the type of report (Type 1 vs. Type 2); commonly, a Type 1 report is only undertaken in year 1
  • Consider reporting periods of the users, in order to drive the SOC 1 examination period
  • Identify sub-service organizations
    • Inclusive method
    • Carve-out method
  • Ascertain whether there are complementary user entity controls
  • Determine if management has a reasonable basis to provide an assertion

SLIDE 24

SOC 2 REVIEW

David Palmer, KPMG

SLIDE 25

SOC 2 Reports: Purpose/Intended Use

  • To provide management of a service organization, user entities and other specified parties with information and a CPA’s opinion about controls at the service organization
  • Focus is on one or more of the following domains:
    • Security
    • Availability
    • Processing integrity
    • Confidentiality
    • Privacy

SLIDE 26

SOC 2 Reports: Purpose/Intended Use (Cont.)

  • Intended use
    • Provide user entities with detailed information on the design and operating effectiveness of the service organization’s controls
  • However, a SOC 2 report:
    • Is not intended to address controls that are relevant to a user entity’s financial reporting
    • Is not intended for general distribution

SLIDE 27

SOC 2 Reports: Applicability/Subject Matter

  • Since a SOC 2 report is not linked to financial reporting, it can apply to a wide range of systems.
  • For example:
    • Data center hosting
    • Call center operations
    • Document management
    • Marketing services
    • Healthcare case management
  • It can also be used to provide additional information on systems that are relevant to financial reporting.
  • Since there is no link to financial reporting, the boundaries of the system may be less apparent and need to be clearly defined.

SLIDE 28

Overview Of Trust Services Principles

Domain / Principle

Security
  The system is protected against unauthorized access (both physical and logical).

Availability
  The system is available for operation and use as committed or agreed.

Confidentiality
  Information designated as confidential is protected as committed or agreed.

Processing integrity
  System processing is complete, accurate, timely and authorized.

Privacy
  Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and CICA.

SLIDE 29

Grouping Of Criteria: Security, Availability, Processing Integrity And Confidentiality

Topic / Focus of Criteria

Policies
  Policies relevant to the selected principle(s) are defined and documented.

Communications
  Defined policies are communicated to responsible parties and authorized users of the system.

Procedures
  Procedures have been placed in operation to achieve the service provider’s objectives in accordance with its defined policies.

Monitoring
  The service provider monitors the system and takes action to maintain compliance with its defined policies.

SLIDE 30

Grouping Of Criteria: Privacy

Topic / Focus of Criteria

Management
  The entity defines, documents, communicates and assigns accountability for its privacy policies and procedures.

Notice
  The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained and disclosed.

Choice and consent
  The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use and disclosure of personal information.

Collection
  Personal information is only collected for the purposes identified in the notice.

Use, retention and disposal
  Limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. Personal information is retained only as long as necessary to fulfill the stated purposes or as required by law or regulation, and then appropriately discarded.

Access
  Individuals are provided access to their personal information for review and update.

Disclosure to third parties
  Personal information is only disclosed to third parties for the purposes identified in the notice and with the implicit or explicit consent of the individual.

Security for privacy
  Personal information is protected against unauthorized access (both physical and logical).

Quality
  The entity maintains accurate, complete and relevant personal information for the purposes identified in the notice.

Monitoring and enforcement
  The entity monitors compliance with its privacy policies and procedures, and has procedures to address privacy-related inquiries, complaints and disputes.

SLIDE 31

Summary Of SOC 2/3 Criteria Topics

Security
  • IT security policy
  • Security awareness and communication
  • Risk assessment
  • Logical access
  • Physical access
  • Environmental controls
  • Security monitoring
  • User authentication
  • Incident management
  • Asset classification/mgt.
  • Systems development and maintenance
  • Personnel security
  • Configuration mgt.
  • Change management
  • Monitoring/compliance

Availability
  • Availability policy
  • Back-up and restoration
  • Disaster recovery
  • Business continuity management
  • Security monitoring
  • Incident management
  • Security
  • Change management
  • Monitoring/compliance

Confidentiality
  • Confidentiality policy
  • Confidentiality of inputs
  • Confidentiality of data processing
  • Confidentiality of outputs
  • Information-tracing, from source to disposition
  • Confidentiality of information in systems
  • Confidentiality disclosures (including third parties)
  • Incident management
  • Security
  • Systems development
  • Change management
  • Monitoring

Processing Integrity
  • System processing integrity policies
  • Completeness, accuracy, timeliness and authorization of inputs, system processing and outputs
  • Incident management
  • Security
  • Availability
  • Change management
  • Monitoring

Privacy
  • Privacy policies
  • PII classification
  • Risk assessment
  • Incident and breach management
  • Provision of notice
  • Choice and consent
  • Collection
  • Use and retention
  • Disposal
  • Access
  • Disclosure to third parties
  • Security (logical and physical)
  • Quality
  • Monitoring and enforcement

SLIDE 32

Ideal Candidate Profile/Use Case

  • Entities that rely on service organizations and want detailed information on the service organization’s controls include:
    • Vendor management programs
    • GRC programs
    • Regulatory compliance
    • Due diligence

SLIDE 33

Example SOC 2 Use Cases

Healthcare: Advisory and processing of claims
  • Key risks: Privacy, security; HIPAA compliance
  • Principles reported: Privacy

Provider of targeted marketing campaigns
  • Key risks: Timeliness and accuracy in execution of marketing campaigns
  • Principles reported: Processing integrity; Security; Confidentiality

Financial services: SaaS for equity trading execution
  • Key risks: Timely, accurate quote and trade execution; Data breach
  • Principles reported: Processing integrity; Availability

Communications gateway bridging user entity back office environment and mobile communications carriers
  • Key risks: Exposure of sensitive data being processed and translated; System downtime
  • Principles reported: Availability; Security; Confidentiality

Document management
  • Key risks: Exposure of sensitive case data; Incorrect indexing, cataloging, storage
  • Principles reported: Confidentiality; Processing integrity

SLIDE 34

Scoping Considerations

  • How will the report be used and by whom?
  • Which principle(s) are applicable?
  • Type 1 vs. Type 2 report and period to be addressed
  • Are there sub-service organizations?
  • Is there a need for complementary user entity controls?

SLIDE 35

SOC 3 REVIEW

Nargiz Yusupova, P & N Consulting

SLIDE 36

Agenda For This Section

  • Purpose/intended use
  • Applicability/subject matter
  • Ideal candidate profile/use cases
  • Examination process
  • Scoping considerations
  • SOC seal and registration process

SLIDE 37

SOC 3 Reports: Purpose And Intended Use

Report purpose
  • Service organization to general public communication
  • General use report
  • Can be freely distributed/promoted with the AICPA SOC 3 seal on the service organization’s Web site

Intended audience
  • General public

Standards under which engagement is performed
  • AT 101, attestation engagements
  • AICPA technical practice aid, trust services principles, criteria and illustrations

SLIDE 38

SOC 3 Reports: Purpose And Intended Use (Cont.)

Included in the report
  • Statement whether the system achieved the applicable trust services principles, criteria and illustrations
  • Addresses one or more of the following key system attributes: Security, availability, processing integrity, confidentiality or privacy

NOT included in the report
  • Financial controls related to compliance and operations at a service organization
  • Description of the systems
  • Detailed description and results of tests of controls

SLIDE 39

SOC 3 Reports: Applicability/Subject Matter

  • Trust services report for service organization
  • Uses pre-defined criteria in trust services principles and criteria
    • Security
    • Availability
    • Confidentiality
    • Processing integrity
    • Privacy
  • Can be issued on one or multiple trust services principles

SLIDE 40

Ideal Candidate/Example Use Cases

Users who want assurance on the controls at a service organization related to security, availability, processing integrity, confidentiality or privacy, but do not have the need for or the knowledge necessary to make effective use of a SOC 2 report.

  • Key risk: Theft of credit card information
    Principle reported: Security
    Principle objective: Secure sites for e-commerce
  • Key risk: Unavailability of service for a significant period of time
    Principle reported: Availability
    Principle objective: Ability to meet critical needs of business customers
  • Key risk: Disclosure of confidential information such as legal documents
    Principle reported: Confidentiality
    Principle objective: Compliance with confidentiality practices
  • Key risk: Loss, duplicate processing, corruption of electronic business transactions
    Principle reported: Processing integrity
    Principle objective: Business transactions processed completely and accurately
  • Key risk: Exposure of personal information
    Principle reported: Privacy
    Principle objective: Customer privacy

SLIDE 41

Examination Process

Principle selection and assessment
  • Select one or more trust service principles and criteria
  • Point-in-time vs. period of time

Reporting
  • SOC 3 report
    • Brief unaudited system description
    • Auditor’s opinion on compliance with the specified trust services principles and criteria

SOC 3 seal
  • Compliance with selected criteria
  • License to display seal on Web site

SLIDE 42

Scoping Considerations

AICPA, SOC 2 [1.19]:

  • All applicable trust services criteria must be met.
  • All applicable subservice organizations must be included.
  • Significance of complementary user-entity controls

SLIDE 43

SOC Seal And Registration Process

  • SOC 3 SysTrust for service organizations
    • Managed between American Institute of CPAs (AICPA) and Canadian Institute of Chartered Accountants (CICA)
    • Complete assessment based on the trust services principles and criteria
    • An unqualified attestation report
    • Valid for one year
    • License to display the seal on Web site
    • Licensing fee

SLIDE 44

SOC Seal And Registration Process (Cont.)

Authorized provider list

SLIDE 45

SOC Seal And Registration Process (Cont.)

Monitoring seals
  • Seal renewal
    • Valid for one year plus a 90-day grace period
  • Revoking or suspending seals
    • Failure to comply with the trust services principles & criteria
    • Failure to renew the seal
  • Restoring seals
    • If an unqualified report can be rendered
  • Suspending a practitioner
    • Practitioner’s firm is no longer a member in good standing

SLIDE 46

SOC Seal And Registration Process (Cont.)

Online trust services page

“You have arrived here from a SysTrust SM/TM or WebTrust SM/TM certified site. The applicable SysTrust or WebTrust Seal of assurance symbolizes that this site has been examined by an independent accountant. Further, the Seal represents the practitioner’s report (see below) on management's assertion(s) that the entity's business being relied upon is in conformity with the applicable Trust Services Principle(s) and Criteria …”

  • Trust services principle(s) and criteria
  • Audit report link
  • Trust services and criteria links

SLIDE 47

CONSIDERATIONS IN SELECTING AN ATTESTATION EXAMINATION

Ryan Buckner, BrightLine CPAs & Assoc.

SLIDE 48

Objectives For This Section

  • Comparison summary of SOC reporting options
  • Recap on the proper use of SOC reports
  • Avoiding the common SOC reporting pitfalls
  • Utilizing other attestation options

SLIDE 49

Comparison Of SOC Reports

SOC 1
  • Purpose: Provide information to users regarding the outsourced services and the controls likely relevant to user entities’ internal control over financial reporting. The information provided is useful for the user entities’ financial statement auditors during their risk assessment and financial audit planning.
  • Typical external users: Management of user entities; Financial statement auditors of user entities
  • Always restricted use

SOC 2
  • Purpose: Provide information to users regarding the outsourced services and the controls relevant to one or more of the trust service principles (security, availability, processing integrity, confidentiality and/or privacy)
  • Typical external users: Current or prospective customers concerned with the TSP; Regulators; Other interested and authorized parties
  • Generally restricted use

SOC 3
  • Purpose: Provide information to users regarding the outsourced services and assurance on one or more of the trust service principles; similar to SOC 2 but without the controls and tests
  • Typical external users: Any interested party
  • General use

SLIDE 50

Comparison Of SOC Reports (Cont.)

SOC 1 (SSAE 16)
  • Scope (subject matter): A description of the outsourced services performed by the service organization(s), based on pre-defined minimum description criteria, and the controls that are likely relevant to user entities’ internal control over financial reporting
  • Period of coverage: Point-in-time (Type 1); Period of time (Type 2)

SOC 2 (AT Sect. 101)
  • Scope (subject matter): A description of the outsourced services performed by the service organization, based on pre-defined minimum description criteria, and the controls relevant to one or more of the trust service principles (security, availability, processing integrity, confidentiality and/or privacy) and applicable pre-defined criteria. Additional subject matter is allowed, provided it meets certain minimum guidelines.
  • Period of coverage: Point-in-time (Type 1); Period of time (Type 2)

SOC 3 (AT Sect. 101)
  • Scope (subject matter): Provide information to users regarding the outsourced services and assurance on one or more of the trust service principles
  • Period of coverage: Point-in-time; Period of time

SLIDE 51

Comparison Of SOC Reports (Cont.)

Report Component – included in:
  • Opinion letter: SOC 1, SOC 2, SOC 3
  • Management assertion(s): SOC 1, SOC 2, SOC 3
  • Detailed description of the system: SOC 1, SOC 2
  • Control objectives and controls: SOC 1
  • Trust services principles, criteria and controls selected by the service organization: SOC 2
  • Tests of controls and results of testing (Type 2 reports only): SOC 1, SOC 2
  • Optional additional information: SOC 1, SOC 2
  • AICPA logo use: SOC 1, SOC 2, SOC 3
  • Seal (requires AICPA licensing and fee): SOC 3

SLIDE 52

Choosing The Best Report

Key considerations
  • What needs to be communicated?
    • ICFR controls? Privacy controls? Regulatory compliance?
  • How will it be communicated?
    • Seal on Web site? Report only?
  • Who is the intended audience?
    • Existing customer? Regulatory entity? Everyone?
  • What are the intended uses?
    • Financial statement audit? Due diligence assessment?

SLIDE 53

Understanding Proper Use Of SOC Reports

How To Identify The SOC Report That Is Right For You

  • Will the report be used by your customers and their auditors to plan and perform an audit or integrated audit of your customer’s financial statements? Yes: SOC 1 report
  • Will the report be used by your customers as part of their compliance with the Sarbanes‐Oxley Act or similar law or regulation? Yes: SOC 1 report
  • Will the report be used by your customers or stakeholders to gain confidence and place trust in a service organization’s systems? Yes: SOC 2 or SOC 3 report
  • Do you need to make the report generally available, or seal? Yes: SOC 3 report
  • Do your customers have the need for, and ability to, understand the details of the processing and controls at a service organization, the tests performed by the service auditor and results of those tests? Yes: SOC 2 report; No: SOC 3 report

Source: www.aicpa.org/soc

SLIDE 54

Avoiding Common SOC Reporting Pitfalls

I. Improper report selection
  • RFP pressure from misinformed customers and prospects
  • Misinformation based on industry “pundits” (e.g., data centers or cloud providers do not need SOC 1; SOC 2 is “better”)
  • Incompatible scope (subject matter)
    • Non-ICFR controls in SOC 1 report
    • Pre-defined TSP criteria incongruent with business operations and controls
    • Need to communicate regulatory compliance or other set of benchmarks separately from TSP principles and criteria

II. Lack of preparedness
  • Lack of understanding of reporting options
  • Lack of understanding of SOC reporting requirements
  • Immaturity of system and related controls
  • Little monitoring of control effectiveness
  • Treatment of related, relevant 3rd parties (inclusive vs. carve-out reporting methods)

SLIDE 55

Avoiding Common SOC Reporting Pitfalls (Cont.)

III. Overly complex or hybrid SOC reports
  • “Information not covered by the service auditor’s report” in SOC 1 reports
  • “Additional subject matter” in SOC 2 reports
    • PCI, HIPAA, CSA-CCM

IV. Insufficient review period selection

V. Improper communication of the completion of the SOC engagement
  • Unauthorized logos and seals
  • “Certifications”
  • Press release guarantees or unfounded conclusions

SLIDE 56

Is A SOC Report The Best Option?

I. Key considerations
  • Applicability of the SOC report
    • No ICFR impact
    • No ability or desire to effectively benchmark against the TSP
  • Specific needs of management
    • Pre-defined analysis procedures
    • Flexibility in reporting
  • Specific use of the report
    • Single customer demand
    • Compliance with regulations, standards, contracts, etc.

SLIDE 57

Non‐SOC Reporting Options: AT Sect. 101

AT Section 101
  • Foundation for all attestation engagements
  • Allows for increased flexibility and customized scope (subject matter)
    • Agreed-upon procedures engagements – AT Sect. 201
    • Compliance Attestations – AT Sect. 601
    • General attestations

Attestation report components
  • Opinion letter
  • Management’s assertion letter
  • Customized subject matter
  • Optional additional information

SLIDE 58

Conclusion

  • Know your options
  • Speak with a competent professional regarding your reporting needs and options
  • Understand the proper channels for sharing your report
  • When necessary, consider non-attest options as well (e.g., ISO 27001)