Professional Documents
Culture Documents
Presentation Objectives
Background Information
Answer Questions
Background
Terminology
Service Organization
Organization which provides services relevant to a user entitys (customer) internal controls. Issuer of the internal controls report.
The customer of the service organization. User of the internal control report. Internal control reports on the services provided by a Service Organization (SOC 1, SOC 2 and SOC 3). Professional standard used by auditors when issuing a report on internal controls related to financial reporting (SOC 1).
Professional standard used by auditors when issuing a report on internal controls related to non-financial related topics (SOC 2 & 3).
Standardized principles used to measure an entitys controls around specific IT areas. Standards used by auditors to evaluate a companys controls around the Trust Services Principles specifically associated with the web (WebTrust) and Systems (SysTrust). 4
Outsourced service processors (e.g. Payroll, Actuarial, Claims) Datacenters and co-location facilities Software as a Service (SaaS) IT support Data analytics providers
User Entities
Public companies (subject to Sarbanes-Oxley) Financial institutions Healthcare entities Governmental agencies Companies with other compliance requirements (e.g. PCI, FFIEC)
Security
Availability Processing Integrity Confidentiality Privacy
The system is protected against unauthorized access (both physical and logical).
The system is available for operation and use as committed or agreed. System processing is complete, accurate, timely and authorized. Information designated as confidential is protected as committed and agreed. Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entitys privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA.
32
34 49 47 66
Historical
Current
SAS 70
Use
Audit Outcome
Objectives defined by management Focus on procedures impacting customers financial information Customers (and/or their auditors) may wish to modify
Control Objectives
Same as SOC 1
Use
Audit Outcome
Principle(s) selected by management Pre-defined criteria (not modifiable) support Principles Audit covers all criteria of selected Principle(s)
10
Same as SOC 2
Use
Audit Outcome
11
Type II
Report on the design (only) of a user entitys control structure Auditor Opinion is as of a point in time (similar to a balance sheet) Usually performed during first year only Involves performing walkthroughs of controls Not as useful to the auditors of user entities
Report on the design and operating effectiveness of controls Auditor Opinion covers a period of time (generally 6 months) Report usually issued one time per year Period ending driven by year ends of customers (user entities) Provide description of tests performed and results of tests (including exceptions) More useful to auditors of user entities
12
Managements Assertion
Section III Description of the Service Organizations Processes and Controls
Section IV
Information Provided by the Independent Service Auditor Type I Listing of Controls Type II Listing of Controls and Tests Performed by the Independent Service Auditor (and Results of Tests)
13
Other Information
Review contract with Service Organization Applicability of Control Objectives/Principles (SOC 1 & 2)
Ensure that your service is included in the scope of the report (including location of service being provided). Determine if objectives meet your requirements and if they do not, discuss changes with service organization.
Evaluate impact of qualified Determine if the issues impact your reliance on the report. auditor opinion Evaluate impact of testing exceptions (section IV) Evaluate User Entity Considerations section of report Verify audit period Determine if the exceptions impact your reliance on the report. Determine if your organization is performing the procedures required. Determine if the end of the audit period is within 6 months of your companys year end (stale considerations).
15
Industry Trends
Increase proliferation of SaaS applications and outsourcing of IT systems to Datacenters SOC 1 report continues to be most popular report issued Report consistency & robustness has not yet been achieved with new SSAE 16 guidance Service Organizations are moving toward obtaining SOC 2 reports (in addition to SOC 1)
SOC 3 report is not pervasive at this time
16
Reporting Advantages
Leads to strengthening of internal control structure
Marketing differentiator
SOC Reports
Avoids duplication of audit effort
17
Questions?
john.moellenberg@holtzmanpartners.com michael.sobczyk@holtzmanpartners.com
Appendices
20
21