rec ecen ent c chan anges es t to s soc c rep eportin ing
play

Rec ecen ent C Chan anges es t to S SOC C Rep eportin ing S - PowerPoint PPT Presentation

Aug 26, 2022 •247 likes •699 views

Rec ecen ent C Chan anges es t to S SOC C Rep eportin ing S Stan andar ards ds: Wha hat Y You ou Shou Should K Kno now a and nd How to Pr o Prepa pare June 28, 28, 20 2018 Troy Fine ine - Ma Manager, Ri Risk Advi

  1. Rec ecen ent C Chan anges es t to S SOC C Rep eportin ing S Stan andar ards ds: Wha hat Y You ou Shou Should K Kno now a and nd How to Pr o Prepa pare June 28, 28, 20 2018 Troy Fine ine - Ma Manager, Ri Risk Advi visory y Servi vices Scott Walt lton on - Ma Manager, Ri Risk Advi visory y Services

  2. Housekeeping Items • To obtain CPE for this event: – Respond to the 3 polling questions. – Complete the evaluation form that will be emailed to you approximately one hour after the conclusion of the program. • CPE Certificates will be emailed out to those that completed the polling questions and online evaluation. 2

  3. Who Is Sc Is Schneid ider Do r Downs? One of the top 60 largest accounting and business advisory firms • in the United States Established in 1956; offices in Pittsburgh, PA and Columbus, OH • Largest regional independently owned, registered public • accounting and business advisory firm in Western Pennsylvania. Approximately 450 personnel in total, including more than 45 shareholders Registered with the PCAOB • Risk Advisory Services • – SOC Reports – Cybersecurity/Penetration Testing – SOX Section 404 Compliance – Internal Audit Outsourcing/Co-sourcing – Risk Assessments – Internal Control/Business Process Reviews 3

  4. Troy Fine Manager, Risk Advisory Services • CPA/CITP, CISA • Joined Schneider Downs in 2011 • Areas of expertise: • – SOC 1 and 2 assurance services – SOC 2+ assurance services (HITRUST) – SOC for Cybersecurity assurance services – SOX Section 404 compliance – Internal control assessments – HIPAA assessments Industry experience: Cloud Computing/Software-as-a-Service, Higher • Education, Banking, Financial Services, Healthcare, Manufacturing, Nonprofit AICPA CITP Credential Committee Member • Pennsylvania’s CPA Journal Editorial Board Member • 4

  5. Sco cott W tt Walt lton Manager, Risk Advisory Services • Joined Schneider Downs in 2008 • CISA, CIA (Certified Internal Auditor) • 10 + years of experience in Internal Audit / IT Audit • Experience in delivering information technology general • control reviews, security assessments, enterprise risk assessments, internal audit co-sourcing services and process improvement engagements Industry Experience: Data Centers, Software-as-a-Service, • Higher Education, Financial Services, Healthcare, Manufacturing, Nonprofit, Insurance Manage the SOC practice for the Columbus office • 5

  6. Agenda enda • Nomenclature Update • Brief Overview of SOC Reports • SSAE 18 Updates and Impacts • SOC 2 Updates and Impacts • SOC for Cybersecurity Overview 6

  7. SOC Nomenclature SOC - System and Organization Controls (No longer Service Organization Controls) SSAE 18 Attestation Standard (supersedes SSAE 16 Attestation Standard) SOC Suite of Services 7

  8. Timeline of Change • 1992 – SAS 70 – Service Organizations • 2003 – Trust Services Principles and Criteria (Merger between SysTrust and Webtrust) • 2010 – SSAE 16 Reporting on Controls at a Service Organization • 2011 – SOC 1, SOC 2, SOC 3 • 2016 – SSAE 18 (AT-C105, AT-C205 (SOC 1 & 2), AT-C Section 320 (SOC 1)) • 2017 – SOC for Cybersecurity • In the near future – SOC for Vendor Supply Chain 8

  9. SOC Suite of Services System and Organization Controls (SOC) System and Organization Controls (SOC) SOC for SOC for Vendor SOC for Service Organizations Cybersecurity Supply Chain (New) ( Under Development) SOC 2 SOC 1 SOC 3 9

  10. Polling Question #1 10

  11. Overview of SOC Reports 11

  12. Overview of SOC Reports SOC SOC for or Se Servic ice Or Organiza ganizatio ions • SOC 1: A report on controls at a Service Organization that are relevant to user entities' internal control over financial reporting. • SOC 2: A report on a business's nonfinancial reporting controls as they relate to the Trust Services Criteria security, availability, processing integrity, confidentiality and/or privacy of a system. • SOC 3: A report that is based on the Trust Services Criteria, like the SOC 2, but is intended for a general audience and is therefore shorter and includes less detail than a SOC 2. 12

  13. Overview of SOC Reports SOC OC f for or Cy Cyber bersec securit ity • Report on an entity’s effectiveness of its cybersecurity risk management programs. SOC C for V Vendo endor S Suppl upply Ch Chai ain • Internal controls report on a vendor’s manufacturing processes for customers of manufacturers and distributors to better understand cybersecurity risks in their supply chains. (Under Development by the AICPA) 13

  14. Overview of SOC Reports Typ ypes of of SOC OC R Repor orts ts • Type I: An attestation of controls at a service organization at a specific point in time. Attests on the design of controls. Type II: • An attestation of controls at a service organization over a period of time. Attests on the design and operating effectiveness of controls. 14

  15. Components of a SOC Report Section I: Independent Auditor’s Report Section II: Management Assertion Section III: Management’s Description of the System Section IV: Description of Testing Performed and the Results of Testing for a Type II Examination. Section V: Other Information Provided by the Service Organization 15

  16. Components of SOC Reports Service Audi uditor’s R ’s Repor port • On the fairness of the presentation of the system description (except SOC 3) • The suitability of design and operating effectiveness of the controls to achieve the objectives of the system or program 16

  17. Components of SOC Reports Mana nageme ment nt’s s As Assertion • Management’s fair presentation of the system description (except SOC 3) • The suitability of design and operating effectiveness of the controls to achieve the objectives of the system or program 17

  18. Components of SOC Reports Mana nageme ment nt’s s Descript ption of of th the System em • Of the service organization’s system – (SOC 1, SOC 2 and SOC for Vendor Supply Chain) • Of the entity’s cybersecurity risk management program – (SOC for Cybersecurity) 18

  19. SSAE 18 Updates and Impacts 19

  20. SSAE 18 Updates and Impacts Statement on Standards for Attestation Engagements SSAE 18 (supersedes SSAE 16) • Significantly restructures the attestation standards into • the following sections: AT-C 105 - Common Concepts: matters that relate to – all attestation engagements. AT-C 205 - Examinations: the performance and – reporting requirements and application guidance. AT-C 320 - Reporting on an Examination of Controls – at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting 20

  21. SSAE 18 Updates and Impact SSAE 18 vs SSAE 16 Differences (cont.) Requires the service organization to include two sets of control detail related to subservice organizations. – Complementary User Entity Controls – Complementary Subservice Organization Controls – Both need to be included in management’s description of the system – The service organization needs to monitor the effectiveness of the controls at the subservice organization. 21

  22. Polling Question #2 22

  23. SOC 2 Updates 23

  24. SOC 2 Updates – What Changed? • April 2017 – SOC 2 Trust Services Criteria (TSC) Updated • April 2018 – SOC 2 System Description Criteria Updated (DC Section 200) 24

  25. Effective Dates • Report periods ending on on or af or after 12/16/2018 – Must use updated 2017 TSC and 2018 Description Criteria • Report periods ending on on or p or prior t rior to o 12/15/2018 – Can use current versions of TSC and Description Criteria 25

  26. 2017 TSC Updates • Codified in TSP 100 - 2017 Trust Services Criteria for Security, Availability, Processing Integrity Confidentiality, and Privacy – Restructured and aligned the TSC with the COSO Internal Control Framework – Added supplemental criteria to better address cybersecurity risks – Expanded requirements for existing criteria – Added Points of Focus – Removed the term “Principles” and renamed to “Categories” 26

  27. Organization of 2017 TSC 27

  28. 2018 Description Criteria Updates • Codified in DC Section 200 - Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report – New disclosures about the service organization’s principal service commitments and system requirements – New disclosures about certain security incidents 28

  29. How to Prepare for SOC 2 Updates 29

  30. How to Prepare for 2017 TSC • If you issued a SOC 2 Report Using the 2016 TSC in 2017: – If SOC 2 examination period end date is on or before 12/15/18: • Perform examination using 2016 TSC and 2015 DC • Simultaneously, perform a readiness assessment using the 2017 TSC and 2018 DC • Review and update system description to ensure it meets the 2018 DC – If SOC 2 examination period end date is on or after 12/16/18: • Must perform examination using 2017 TSC and 2018 DC • Risk having pervasive exceptions that could cause the report to be qualified • Consider ending examination period prior to 12/16/18 30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Res esea earch ch S Site P e Per erspecti ctives Chan anges es i in S Site a e and P

Res esea earch ch S Site P e Per erspecti ctives Chan anges es i in S Site a e and P

Res esea earch ch S Site P e Per erspecti ctives Chan anges es i in S Site a e and P Patient B Burden en David P. Walling, Ph.D CNS Network, LLC. Long Beach, CA COST PER CONSENT COST PER CONSENT 1/ 1/ 16 $1,886 1 / 1 / 1 6

780 views • 5 slides
Summ mmer er En Enrollment ollment Changes anges to to Be Benefi nefits ts FY FY 20

Summ mmer er En Enrollment ollment Changes anges to to Be Benefi nefits ts FY FY 20

Human man Res esou ources rces pres esent ents: s: Summ mmer er En Enrollment ollment Changes anges to to Be Benefi nefits ts FY FY 20 2021 21 June ne 29 th through ough July ly 24 24 th th Changes anges Ef Effec

551 views • 31 slides
KARACH I TAX BAR ASSOCI ATI ON SEM I NAR ON SALES TAX I M PORTANT CH ANGES I N SALES TAX ACT,

KARACH I TAX BAR ASSOCI ATI ON SEM I NAR ON SALES TAX I M PORTANT CH ANGES I N SALES TAX ACT,

Karachi Tax Bar Association KARACH I TAX BAR ASSOCI ATI ON SEM I NAR ON SALES TAX I M PORTANT CH ANGES I N SALES TAX ACT, 1990 BY M R. ASI F H AROON PARTNER A.F FERGUSON & CO., CH ARTERED ACCOUNTANTS AUGUST 17, 2016 PwC 1 KTBA

294 views • 13 slides
Rec ecen ent U Updates es to o J2J 2J Ex Explorer er Job ob H Hop opping A g Acr cros

Rec ecen ent U Updates es to o J2J 2J Ex Explorer er Job ob H Hop opping A g Acr cros

Rec ecen ent U Updates es to o J2J 2J Ex Explorer er Job ob H Hop opping A g Acr cros oss Cities Heath Hayward Longitudinal Employer-Household Dynamics Research U.S. Census Bureau December 2019 1 Disclaimer er Any opinions

633 views • 51 slides
PROP OPOS OSED D CAM CAMPUS BU BUS CHANG ANGES WHY HY? Reduce crowding Improve

PROP OPOS OSED D CAM CAMPUS BU BUS CHANG ANGES WHY HY? Reduce crowding Improve

PROP OPOS OSED D CAM CAMPUS BU BUS CHANG ANGES WHY HY? Reduce crowding Improve accessible access Manage costs and minimize cost increases while assuring efficient use of resources Confirm correct locations served,

248 views • 22 slides
Tal Talki kin Bout out My My Gen Gener erati ation: n: Im Implem emen enting

Tal Talki kin Bout out My My Gen Gener erati ation: n: Im Implem emen enting

Tal Talki kin Bout out My My Gen Gener erati ation: n: Im Implem emen enting ting Ch Chan anges es to to Ad Adap apt t To To Haw Hawai aiis E Evol olving ing Wor Workf kfor orce ce Presented by Accuity LLP

397 views • 28 slides
Sushi Gone Wild: Skit & Music Details for the flight of The Wild Sushi Adrienne Chan

Sushi Gone Wild: Skit & Music Details for the flight of The Wild Sushi Adrienne Chan

Sushi Gone Wild: Skit & Music Details for the flight of The Wild Sushi Adrienne Chan Elizabeth Chan Jenny Chan Katherine Chan July 21, 2006 Leonard Chan Wild Thing Models that represent the team and aircraft (from left to right):

134 views • 10 slides
GANGES: G anges A ction for N egotiation of G aining E nvironmental S tability Brown, Harrington,

GANGES: G anges A ction for N egotiation of G aining E nvironmental S tability Brown, Harrington,

GANGES: G anges A ction for N egotiation of G aining E nvironmental S tability Brown, Harrington, Kathreptis, Medhaug Background and History The Ganges River Basin is a transboundary basin, it is shared amongst India, Nepal, Bangladesh,

374 views • 11 slides
ECEN 5022 Cryptography Introduction Peter Mathys University of Colorado Spring 2008 Peter

ECEN 5022 Cryptography Introduction Peter Mathys University of Colorado Spring 2008 Peter

Introduction ECEN 5022 Cryptography Introduction Peter Mathys University of Colorado Spring 2008 Peter Mathys ECEN 5022 Cryptography Introduction Basic Definitions, Overview Historically, cryptography is the science and study of secret

670 views • 28 slides
M& M&A A in in Is Isra rael el by Barry Levenfeld Se Sele lected ted Rec ecen

M& M&A A in in Is Isra rael el by Barry Levenfeld Se Sele lected ted Rec ecen

US-Israel Cross-Border Corporate Transactions Tuesday, March 29, 2011 4:00 PM to 6:00 PM Boston Bar Association - 16 Beacon Street, Boston, MA M& M&A A in in Is Isra rael el by Barry Levenfeld Se Sele lected ted Rec ecen ent

414 views • 29 slides
Computer Graphics CPSC 453 Fall 2018 Sonny Chan Your Professor Dr. Sonny Chan -

Computer Graphics CPSC 453 Fall 2018 Sonny Chan Your Professor Dr. Sonny Chan -

Introduction to Computer Graphics CPSC 453 Fall 2018 Sonny Chan Your Professor Dr. Sonny Chan - sonny.chan@ucalgary.ca Office: - MS 634 (and HRIC 1C56) - Tuesdays & Fridays @ 10:00-11:50 AM Your Teaching Assistants Alejandro

680 views • 54 slides
Fleet Forum May 18, 2017 Assistant Director Stewart Cowley Intr troduct ctio ion Financial

Fleet Forum May 18, 2017 Assistant Director Stewart Cowley Intr troduct ctio ion Financial

Fleet Forum May 18, 2017 Assistant Director Stewart Cowley Intr troduct ctio ion Financial Information Motor Pool Rat ate Chan anges es $79 79,600.40 ,600.40 Approved Lease Rate Correction Rat ate Impact acts

752 views • 19 slides
THE WASHINGTON STATE BOARD OF EDUCATION A high-quality education system that prepares all students

THE WASHINGTON STATE BOARD OF EDUCATION A high-quality education system that prepares all students

THE WASHINGTON STATE BOARD OF EDUCATION A high-quality education system that prepares all students for college, career, and life. Title itle: Possible I Index an and Accountability C Chan anges s under t the ESSA ESSA As As Rel elated

302 views • 17 slides
IN IN REC ECEN ENT T TIMES IMES Rahul Dey Manager- Capacity Building and Training services

IN IN REC ECEN ENT T TIMES IMES Rahul Dey Manager- Capacity Building and Training services

CHAL ALLEN LENGES GES IN IN LOGIS GISTICS TICS AND SUP UPPL PLY Y CHAIN AIN MANAGEM GEMENT NT IN IN REC ECEN ENT T TIMES IMES Rahul Dey Manager- Capacity Building and Training services What are we going to talk about? WHAT IS

286 views • 14 slides
ECEN 5022 Cryptography Introduction to Information Theory Peter Mathys University of Colorado

ECEN 5022 Cryptography Introduction to Information Theory Peter Mathys University of Colorado

Entropy Mutual Information Perfect Cryptosystem ECEN 5022 Cryptography Introduction to Information Theory Peter Mathys University of Colorado Spring 2008 Peter Mathys ECEN 5022 Cryptography Entropy Entropy Mutual Information Binary

484 views • 12 slides
ECEN 5022 Cryptography Elementary Algebra and Number Theory Peter Mathys University of Colorado

ECEN 5022 Cryptography Elementary Algebra and Number Theory Peter Mathys University of Colorado

Primes Groups, Rings, Fields Ring of Integers Modulo n ECEN 5022 Cryptography Elementary Algebra and Number Theory Peter Mathys University of Colorado Spring 2008 Peter Mathys ECEN 5022 Cryptography Primes Groups, Rings, Fields Ring of

633 views • 50 slides
Preparing SOC 1, SOC 2 or SOC 3 Reports: Best Practices Meeting Challenges Arising From SSAE 16,

Preparing SOC 1, SOC 2 or SOC 3 Reports: Best Practices Meeting Challenges Arising From SSAE 16,

Presenting a live 110 minute teleconference with interactive Q&A Preparing SOC 1, SOC 2 or SOC 3 Reports: Best Practices Meeting Challenges Arising From SSAE 16, ISAE 3402 and Other Service Company Control Standards WEDNESDAY, MARCH 7, 2012

842 views • 58 slides
State-of-the-Art for Small Satellite Propulsion Systems Khary I. Parker NASA/Goddard Space

State-of-the-Art for Small Satellite Propulsion Systems Khary I. Parker NASA/Goddard Space

State-of-the-Art for Small Satellite Propulsion Systems Khary I. Parker NASA/Goddard Space Flight Center 2 nd Planetary CubeSat Science Institute NASA/Goddard Space Flight Center Greenbelt, MD September 26, 2017 Agenda State-of-the-Art

301 views • 18 slides
How intelligent is artificial intelligence? On the surprising and mysterious secrets of deep

How intelligent is artificial intelligence? On the surprising and mysterious secrets of deep

How intelligent is artificial intelligence? On the surprising and mysterious secrets of deep learning Vegard Antun (UiO) Anders C. Hansen (Cambridge, UiO) Joint work with: B. Adcock (SFU), M. Colbrook (Cambridge) N. Gottschling

946 views • 67 slides
WMSCR SWIM Presented to: Demonstration and Prototyping Information Exchange Briefing By:

WMSCR SWIM Presented to: Demonstration and Prototyping Information Exchange Briefing By:

Federal Aviation Administration WMSCR SWIM Presented to: Demonstration and Prototyping Information Exchange Briefing By: <WMSCR SWIM June 3, 2009 Date: Description The Weather Message Switching Center Replacement System (WMSCR)

444 views • 12 slides
Presentation to the NSW Legislative Council Standing Committee on Soc~al Issues Inquiry into

Presentation to the NSW Legislative Council Standing Committee on Soc~al Issues Inquiry into

Presentation to the NSW Legislative Council Standing Committee on Soc~al Issues Inquiry into homelessness and low-cost rental accommodation Nazha Saad Chief Executive QReer Fridayl9 June 2009 SGCH - A snapshot Established in 1985 Over 2,600

481 views • 13 slides
Eduardo Gandara LEARNING OUTCOMES Introduced to the SOC Program Brief History of SOC

Eduardo Gandara LEARNING OUTCOMES Introduced to the SOC Program Brief History of SOC

Sustainable Office Certification (SOC) Presented By: Eduardo Gandara LEARNING OUTCOMES Introduced to the SOC Program Brief History of SOC Program Learn about the SOC Programs process Areas for improvement Goals for the SOC

569 views • 27 slides
Battery modeling Presentation Battery modeling Presentation MengJie Huang Cheng Ru Chang

Battery modeling Presentation Battery modeling Presentation MengJie Huang Cheng Ru Chang

Battery modeling Presentation Battery modeling Presentation MengJie Huang Cheng Ru Chang Cheng Ru Chang A new BMS system based on cell redundancy Antonio Manenti, Andrea Abba, Alessandro Merati, Sergio M. Savaresi IEEE Transactions on

733 views • 38 slides
PUBLIC POLICY PROJECT REPORT How could Social Outcomes Contracting help to promote social and

PUBLIC POLICY PROJECT REPORT How could Social Outcomes Contracting help to promote social and

Sciences Po Paris School of Public Affairs - Master in Public Affairs 2018-19 PUBLIC POLICY PROJECT REPORT How could Social Outcomes Contracting help to promote social and economic integration of migrants in the EU? Mariko Kaneko, Benjamin

459 views • 21 slides

More recommend