
An Overview of SSAE 16

(Statement on Standards for Attestation Engagements No. 16)

Presentation Objectives
Background Information

Types and Uses of Internal Control Reports (SOC 1, SOC 2, SOC 3)

User Entity Considerations

Industry Trends & Advantages

Answer Questions

Background

Terminology

Service Organization: Organization which provides services relevant to a user entity's (customer's) internal controls. Issuer of the internal controls report.

User Entity (Customer): The customer of the service organization. User of the internal control report.

Service Organization Control (SOC) reports: Internal control reports on the services provided by a Service Organization (SOC 1, SOC 2 and SOC 3).

SSAE 16: Professional standard used by auditors when issuing a report on internal controls related to financial reporting (SOC 1).

AT 101: Professional standard used by auditors when issuing a report on internal controls related to non-financial topics (SOC 2 & 3).

Trust Services Principles (SOC 2 & 3): Standardized principles used to measure an entity's controls around specific IT areas.

WebTrust & SysTrust: Standards used by auditors to evaluate a company's controls around the Trust Services Principles specifically associated with the web (WebTrust) and systems (SysTrust).

Types of Service Organizations & User Entities

Service Organizations:
Outsourced service processors (e.g. Payroll, Actuarial, Claims)
Datacenters and co-location facilities
Software as a Service (SaaS)
IT support
Data analytics providers

User Entities:
Public companies (subject to Sarbanes-Oxley)
Financial institutions
Healthcare entities
Governmental agencies
Companies with other compliance requirements (e.g. PCI, FFIEC)

Trust Services Principles

Principle (number of criteria): What It Means

Security (32): The system is protected against unauthorized access (both physical and logical).

Availability (34): The system is available for operation and use as committed or agreed.

Processing Integrity (49): System processing is complete, accurate, timely and authorized.

Confidentiality (47): Information designated as confidential is protected as committed and agreed.

Privacy (66): Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity's privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA.

History of Internal Control Reports

Focus: Evaluation of controls related to Financial Reporting
Historical: SAS 70
Current: SOC 1 (SSAE 16)

Focus: Evaluation of controls related to IT processes
Historical: WebTrust & SysTrust
Current: SOC 2 (AT 101) and SOC 3 (AT 101)
Basis: Trust Services Principles

Types of Internal Control Reports

SOC 1 Report (SSAE 16)

Use:
Primarily by financial auditors of customers
Supports control reliance
Avoids duplication of effort by customers' auditors

Audit Outcome:
Audit Report
SOC Logo (available for website)

Control Objectives:
Objectives defined by management
Focus on procedures impacting customers' financial information
Customers (and/or their auditors) may wish to modify

Audit Report Composition:
4 Sections
Type I or Type II
Management Assertion required
User Entity Considerations

SOC 2 Report (AT 101)

Use:
Used by customers to evaluate IT controls
May impact decision to use service organization
May impact customers' other compliance requirements

Audit Outcome:
Same as SOC 1

Trust Services Principles:
Principle(s) selected by management
Pre-defined criteria (not modifiable) support Principles
Audit covers all criteria of selected Principle(s)

Audit Report Composition:
Same as SOC 1

SOC 3 Report (AT 101)

Use:
Same as SOC 2

Audit Outcome:
SOC Seal (available for website)
Audit Opinion

Trust Services Principles:
Same as SOC 2

Audit Report Composition:
Audit Opinion and scope of services only
No process description or test results
No Type I or II

Types of SOC 1 & 2 Reports

Type I:
Report on the design (only) of a user entity's control structure
Auditor Opinion is as of a point in time (similar to a balance sheet)
Usually performed during first year only
Involves performing walkthroughs of controls
Not as useful to the auditors of user entities

Type II:
Report on the design and operating effectiveness of controls
Auditor Opinion covers a period of time (generally 6 months)
Report usually issued one time per year
Period ending driven by year ends of customers (user entities)
Provides description of tests performed and results of tests (including exceptions)
More useful to auditors of user entities

SOC 1 & 2 Report Components

Section I: Independent Service Auditor's Report (Opinion)

Section II: Management's Assertion

Section III: Description of the Service Organization's Processes and Controls

Section IV: Information Provided by the Independent Service Auditor
Type I: Listing of Controls
Type II: Listing of Controls and Tests Performed by the Independent Service Auditor (and Results of Tests)

Other Information

User Entity Considerations

Procedure: Review contract with Service Organization
Purpose: Ensure that your service is included in the scope of the report (including location of service being provided).

Procedure: Applicability of Control Objectives/Principles (SOC 1 & 2)
Purpose: Determine if objectives meet your requirements and, if they do not, discuss changes with the service organization.

Procedure: Evaluate impact of qualified auditor opinion
Purpose: Determine if the issues impact your reliance on the report.

Procedure: Evaluate impact of testing exceptions (Section IV)
Purpose: Determine if the exceptions impact your reliance on the report.

Procedure: Evaluate User Entity Considerations section of report
Purpose: Determine if your organization is performing the procedures required.

Procedure: Verify audit period
Purpose: Determine if the end of the audit period is within 6 months of your company's year end (stale considerations).

Industry Trends

Increasing proliferation of SaaS applications and outsourcing of IT systems to Datacenters
SOC 1 report continues to be the most popular report issued
Report consistency & robustness has not yet been achieved with the new SSAE 16 guidance
Service Organizations are moving toward obtaining SOC 2 reports (in addition to SOC 1)
SOC 3 report is not pervasive at this time

Reporting Advantages

SOC Reports:
Lead to strengthening of internal control structure
Cost savings for user entities
Marketing differentiator
Avoid duplication of audit effort
Auditor reliance on controls for financial audit of service organization

Questions?
john.moellenberg@holtzmanpartners.com michael.sobczyk@holtzmanpartners.com

Appendices

Logo for SOC 1 & 2 Reports
[Figure: example SOC logo]

Seal for SOC 3 Reports
[Figure: example SOC seal]
