Recent Changes to SOC Reporting Standards - PowerPoint PPT Presentation

Recent Changes to SOC Reporting Standards: What You Should Know and How to Prepare. June 28, 2018. Troy Fine - Manager, Risk Advisory Services; Scott Walton - Manager, Risk Advisory Services


SLIDE 1

Recent Changes to SOC Reporting Standards: What You Should Know and How to Prepare

June 28, 2018

Troy Fine - Manager, Risk Advisory Services
Scott Walton - Manager, Risk Advisory Services

SLIDE 2

Housekeeping Items

  • To obtain CPE for this event:

    – Respond to the 3 polling questions.
    – Complete the evaluation form that will be emailed to you approximately one hour after the conclusion of the program.

  • CPE certificates will be emailed out to those that completed the polling questions and online evaluation.

SLIDE 3

Who Is Schneider Downs?

  • One of the top 60 largest accounting and business advisory firms in the United States
  • Established in 1956; offices in Pittsburgh, PA and Columbus, OH
  • Largest regional independently owned, registered public accounting and business advisory firm in Western Pennsylvania. Approximately 450 personnel in total, including more than 45 shareholders
  • Registered with the PCAOB
  • Risk Advisory Services

    – SOC Reports
    – Cybersecurity/Penetration Testing
    – SOX Section 404 Compliance
    – Internal Audit Outsourcing/Co-sourcing
    – Risk Assessments
    – Internal Control/Business Process Reviews

SLIDE 4

Troy Fine

  • Manager, Risk Advisory Services
  • CPA/CITP, CISA
  • Joined Schneider Downs in 2011
  • Areas of expertise:

    – SOC 1 and SOC 2 assurance services
    – SOC 2+ assurance services (HITRUST)
    – SOC for Cybersecurity assurance services
    – SOX Section 404 compliance
    – Internal control assessments
    – HIPAA assessments

  • Industry experience: Cloud Computing/Software-as-a-Service, Higher Education, Banking, Financial Services, Healthcare, Manufacturing, Nonprofit
  • AICPA CITP Credential Committee Member
  • Pennsylvania CPA Journal Editorial Board Member

SLIDE 5

Scott Walton

  • Manager, Risk Advisory Services
  • Joined Schneider Downs in 2008
  • CISA, CIA (Certified Internal Auditor)
  • 10+ years of experience in Internal Audit / IT Audit
  • Experience in delivering information technology general control reviews, security assessments, enterprise risk assessments, internal audit co-sourcing services and process improvement engagements
  • Industry experience: Data Centers, Software-as-a-Service, Higher Education, Financial Services, Healthcare, Manufacturing, Nonprofit, Insurance
  • Manages the SOC practice for the Columbus office

SLIDE 6

Agenda

  • Nomenclature Update
  • Brief Overview of SOC Reports
  • SSAE 18 Updates and Impacts
  • SOC 2 Updates and Impacts
  • SOC for Cybersecurity Overview

SLIDE 7

SOC Nomenclature

  • SOC - System and Organization Controls (no longer Service Organization Controls)
  • SSAE 18 Attestation Standard (supersedes the SSAE 16 Attestation Standard)
  • SOC Suite of Services

SLIDE 8

Timeline of Change

  • 1992 – SAS 70 – Service Organizations
  • 2003 – Trust Services Principles and Criteria (merger between SysTrust and WebTrust)
  • 2010 – SSAE 16 Reporting on Controls at a Service Organization
  • 2011 – SOC 1, SOC 2, SOC 3
  • 2016 – SSAE 18 (AT-C 105, AT-C 205 (SOC 1 & 2), AT-C Section 320 (SOC 1))
  • 2017 – SOC for Cybersecurity
  • In the near future – SOC for Vendor Supply Chain

SLIDE 9

System and Organization Controls (SOC)

SOC Suite of Services:

  • SOC for Service Organizations

    – SOC 1
    – SOC 2
    – SOC 3

  • SOC for Cybersecurity (New)
  • SOC for Vendor Supply Chain (Under Development)

SLIDE 10

Polling Question #1

SLIDE 11

Overview of SOC Reports

SLIDE 12

Overview of SOC Reports

SOC for Service Organizations

  • SOC 1: A report on controls at a service organization that are relevant to user entities' internal control over financial reporting.
  • SOC 2: A report on a service organization's non-financial-reporting controls as they relate to the Trust Services Criteria categories of security, availability, processing integrity, confidentiality and/or privacy of a system.
  • SOC 3: A report that is based on the Trust Services Criteria, like the SOC 2, but is intended for a general audience and is therefore shorter and includes less detail than a SOC 2.

SLIDE 13

Overview of SOC Reports

SOC for Cybersecurity

  • A report on the effectiveness of an entity's cybersecurity risk management program.

SOC for Vendor Supply Chain

  • An internal controls report on a vendor's manufacturing processes, intended for customers of manufacturers and distributors to better understand cybersecurity risks in their supply chains. (Under development by the AICPA)

SLIDE 14

Overview of SOC Reports

Types of SOC Reports

  • Type I: An attestation of controls at a service organization at a specific point in time. Attests on the design of controls.
  • Type II: An attestation of controls at a service organization over a period of time. Attests on the design and operating effectiveness of controls.

SLIDE 15

Components of a SOC Report

  • Section I: Independent Auditor's Report
  • Section II: Management Assertion
  • Section III: Management's Description of the System
  • Section IV: Description of Testing Performed and the Results of Testing (for a Type II examination)
  • Section V: Other Information Provided by the Service Organization

SLIDE 16

Components of SOC Reports

Service Auditor's Report

  • On the fairness of the presentation of the system description (except SOC 3)
  • On the suitability of design and operating effectiveness of the controls to achieve the objectives of the system or program

SLIDE 17

Components of SOC Reports

Management's Assertion

  • Management's fair presentation of the system description (except SOC 3)
  • The suitability of design and operating effectiveness of the controls to achieve the objectives of the system or program

SLIDE 18

Components of SOC Reports

Management's Description of the System

  • Of the service organization's system (SOC 1, SOC 2 and SOC for Vendor Supply Chain)
  • Of the entity's cybersecurity risk management program (SOC for Cybersecurity)

SLIDE 19

SSAE 18 Updates and Impacts

SLIDE 20

SSAE 18 Updates and Impacts

Statement on Standards for Attestation Engagements

  • SSAE 18 (supersedes SSAE 16)
  • Significantly restructures the attestation standards into the following sections:

    – AT-C 105 - Common Concepts: matters that relate to all attestation engagements.
    – AT-C 205 - Examinations: the performance and reporting requirements and application guidance.
    – AT-C 320 - Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting

SLIDE 21

SSAE 18 Updates and Impact

SSAE 18 vs SSAE 16 Differences (cont.)

  • Requires the service organization to include two sets of complementary control detail, one relating to user entities and one relating to subservice organizations:

    – Complementary User Entity Controls
    – Complementary Subservice Organization Controls
    – Both need to be included in management's description of the system
    – The service organization needs to monitor the effectiveness of the controls at the subservice organization.

SLIDE 22

Polling Question #2

SLIDE 23

SOC 2 Updates

SLIDE 24

SOC 2 Updates – What Changed?

  • April 2017 – SOC 2 Trust Services Criteria (TSC) updated
  • April 2018 – SOC 2 System Description Criteria updated (DC Section 200)

SLIDE 25

Effective Dates

  • Report periods ending on or after 12/16/2018

    – Must use the updated 2017 TSC and 2018 Description Criteria

  • Report periods ending on or prior to 12/15/2018

    – Can use the current versions of the TSC and Description Criteria (2016 TSC and 2015 Description Criteria)

SLIDE 26

2017 TSC Updates

  • Codified in TSP 100 - 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy

    – Restructured and aligned the TSC with the COSO Internal Control Framework
    – Added supplemental criteria to better address cybersecurity risks
    – Expanded requirements for existing criteria
    – Added Points of Focus
    – Removed the term "Principles" and renamed them "Categories"

SLIDE 27

Organization of 2017 TSC

SLIDE 28

2018 Description Criteria Updates

  • Codified in DC Section 200 - Description Criteria for a Description of a Service Organization's System in a SOC 2 Report

    – New disclosures about the service organization's principal service commitments and system requirements
    – New disclosures about certain security incidents

SLIDE 29

How to Prepare for SOC 2 Updates

SLIDE 30

How to Prepare for 2017 TSC

  • If you issued a SOC 2 report using the 2016 TSC in 2017:

    – If the SOC 2 examination period end date is on or before 12/15/18:

      • Perform the examination using the 2016 TSC and 2015 DC
      • Simultaneously, perform a readiness assessment using the 2017 TSC and 2018 DC
      • Review and update the system description to ensure it meets the 2018 DC

    – If the SOC 2 examination period end date is on or after 12/16/18:

      • Must perform the examination using the 2017 TSC and 2018 DC
      • Risk having pervasive exceptions that could cause the report to be qualified
      • Consider ending the examination period prior to 12/16/18

SLIDE 31

How to Prepare for 2017 TSC

  • If you did not issue a SOC 2 report in 2017 and have completed a readiness assessment based on the 2016 TSC:

    – If the SOC 2 examination period end date is on or before 12/15/18:

      • Perform the examination using the 2016 TSC and 2015 DC
      • Simultaneously, perform a readiness assessment using the 2017 TSC and 2018 DC
      • Review and update the system description to ensure it meets the 2018 DC

    – If the SOC 2 examination period end date is on or after 12/16/18:

      • Must perform the examination using the 2017 TSC and 2018 DC
      • Risk having pervasive exceptions that could cause the report to be qualified
      • Consider ending the examination period prior to 12/16/18, or
      • Consider moving the examination period start date back and performing a readiness assessment using the 2017 TSC and 2018 DC

SLIDE 32

How to Prepare for 2017 TSC

  • If you are in the process of engaging a CPA firm to perform a SOC 2 for the first time:

    – Determine customer requirements

      • Services to include
      • Contractual requirements
      • Consider deadlines for providing reports to customers

    – Determine the scope of the report
    – Engage a CPA firm to perform a readiness assessment using the 2017 TSC and 2018 DC

SLIDE 33

SOC for Cybersecurity

SLIDE 34

Polling Question #3

SLIDE 35

Why SOC for Cybersecurity?

  • Boards of Directors and other stakeholders require information about cybersecurity risks and controls.
  • Previously, no framework existed for a CPA firm to assess the effectiveness of an entity's cybersecurity risk management program.

SLIDE 36

Potential Users of the Report

  • Board of Directors
  • Analysts and Investors
  • Business Partners
  • Industry Regulators
  • Customers

SLIDE 37

What Is a Cybersecurity Risk Management Program?

An entity's cybersecurity risk management program is the set of policies, processes, and controls designed to protect information and systems from security events and to detect, respond to, mitigate, and recover from security events that are not prevented.

SLIDE 38

What Is a SOC for Cybersecurity Report?

  • Two subject matters:

    – Management's description of the entity's cybersecurity risk management program
    – The effectiveness of controls within that program to achieve the entity's cybersecurity objectives

  • Will cover a specific time period

    – Can be point in time (i.e., a design-only examination) under certain circumstances

SLIDE 39

Components of a SOC for Cybersecurity Report

  • Management's description of the entity's cybersecurity risk management program
  • Management's assertion
  • Practitioner's report and opinion on whether:

    – the description is presented in accordance with the description criteria, and
    – the controls within the entity's cybersecurity risk management program were effective to achieve the entity's cybersecurity objectives based on the control criteria.

SLIDE 40

Components of a SOC for Cybersecurity Report (Cont.)

  • The practitioner's tests of controls and test results are not included.

    – General-use report (unlike a SOC 2 report, which is restricted-use and includes the tests performed and their results)

SLIDE 41

What Are the Control Criteria?

  • Control Criteria – the benchmark used by the practitioner when evaluating the effectiveness of controls.

    – Suitable criteria:

      • The criteria for the security, availability, and confidentiality categories (2017 Trust Services Criteria)

    – Other potential suitable control criteria (requires practitioner judgment):

      • NIST Cybersecurity Framework
      • ISO 27001

SLIDE 42

What Are the Description Criteria?

  • Description Criteria – a set of benchmarks to be used when preparing and evaluating the presentation of a description of the entity's cybersecurity risk management program.

    – The Assurance Services Executive Committee (ASEC) of the AICPA published "Description Criteria for Management's Description of the Entity's Cybersecurity Risk Management Program"

SLIDE 43

Categories of the Description Criteria

  • Nature of Business and Operations
  • Nature of Information at Risk
  • Cybersecurity Objectives
  • Factors That Have a Significant Effect on Inherent Cybersecurity Risks
  • Cybersecurity Risk Governance Structure
  • Cybersecurity Risk Assessment Process
  • Cybersecurity Communications and the Quality of Cybersecurity Information
  • Monitoring of the Cybersecurity Risk Management Program
  • Cybersecurity Control Processes

    – An illustrative SOC for Cybersecurity report is available and includes an example description (https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/illustrative-cybersercurity-risk-management-report.pdf)

SLIDE 44

How to Prepare for a SOC for Cybersecurity Exam

  • Understand the intended users of the report.
  • Determine if the scope will be entity-wide or over a specific business unit.
  • Determine if the examination will cover a period of time or a point in time (design only).
  • Write the system description based on the description criteria.
  • Determine the control criteria to be used.
  • Engage a CPA firm to perform a readiness assessment.

SLIDE 45

Questions?

Contact Information

Troy Fine – tfine@schneiderdowns.com - 412-697-5238
Scott Walton – swalton@schneiderdowns.com - 614-586-7238

Visit our blog for more information on SOC Reports: https://www.schneiderdowns.com/our-thoughts-on
SOC Report FAQs: https://www.schneiderdowns.com/soc-report-faq