Service Organizations Control (SOC) Report<br />
SAS 70 to SSAE 16: What Companies Need to Know<br />
Session #: 373<br />
IASA 85TH ANNUAL EDUCATIONAL CONFERENCE & BUSINESS SHOW
Introduction<br />
Sharon L. Gipson, CPA<br />
Director II and Asst. General Auditor<br />
Blue Cross Blue Shield of Michigan<br />
SGipson@bcbsm.com<br />
(313) 225 8077<br />
Raj J. Patel, CISM<br />
Partner<br />
Plante Moran<br />
Raj.Patel@PlanteMoran.com<br />
(248) 223 3428<br />
2
Introduction<br />
Many companies function more efficiently and<br />
profitably by outsourcing tasks or entire functions<br />
to other organizations (i.e., service organizations)<br />
that have the personnel, expertise, equipment or<br />
technology to accomplish these tasks.<br />
As part of these services, a service organization<br />
will often collect, process, transmit, store,<br />
organize, maintain, and dispose of information for<br />
its customers.<br />
3
Introduction<br />
Although a company may outsource tasks to a service organization, company management retains its<br />
responsibility for the outsourced tasks and the manner in which they are performed. For this reason, it is<br />
important for service organizations to provide their customers with sufficient information about the system<br />
used to perform outsourced tasks. In order to provide customers with assurance that stakeholder<br />
expectations are met, a service organization needs a process for:<br />
Developing procedures to identify risks resulting<br />
from its outsourcing relationships.<br />
Assessing those risks.<br />
Identifying controls at the service organizations<br />
that address the risks.<br />
Evaluating the suitability of the design and<br />
operating effectiveness of the service<br />
organization’s controls.<br />
Implementing and maintaining controls to address<br />
risks not addressed by controls at the service<br />
organization.<br />
4
Service Organizations<br />
that need a SOC review<br />
Medical & insurance claims<br />
processors<br />
Cloud Computing / Software as a<br />
service<br />
Data Center Hosting<br />
Payroll processing<br />
Loan servicing<br />
Mortgage servicers<br />
Custodians for investment<br />
companies<br />
Sub-service Organizations<br />
5
Benefits to Service Organization<br />
Competitive Differentiator - A Service Auditor's Report with an unqualified opinion issued by an<br />
independent accounting firm differentiates the service organization from its peers by demonstrating the<br />
establishment of effectively designed controls.<br />
Build Trust - A Service Auditor's Report also helps a service organization build trust with its user<br />
organizations (i.e., customers) and sometimes prospective clients.<br />
Time Saver - Without a current Service Auditor's Report, a service organization may have to entertain<br />
multiple audit requests from its customers and their respective auditors. Multiple visits from user<br />
auditors can place a strain on the service organization's resources.<br />
Consistency - A Service Auditor's Report ensures that all user organizations and their auditors have<br />
access to the same information to satisfy the user auditor's requirements.<br />
Independent Qualified Assessment - SOC engagements are performed by control oriented<br />
professionals who have experience in accounting, auditing, and information security. A SOC<br />
engagement allows a service organization to have its control policies and procedures evaluated and<br />
tested by an independent party.<br />
Control Improvements - Very often this process results in the identification of opportunities for<br />
improvements in operational areas.<br />
6
Benefits to User Organization<br />
User organizations that obtain a Service Auditor's Report from their service organization(s) receive<br />
valuable information regarding the service organization's controls and the effectiveness of those<br />
controls (in the case of a Type II report). The user organization receives a detailed description of the<br />
service organization's controls and an independent assessment of whether the controls were placed in<br />
operation, suitably designed, and operating effectively.<br />
For controls over financial reporting, user organizations may provide a Service Auditor's Report to their<br />
auditors. This will greatly assist the user auditor in planning the audit of the user organization's<br />
financial statements. Without a Service Auditor's Report, the user organization would likely have to<br />
incur additional costs in sending their auditors to the service organization to perform their procedures.<br />
7
SAS 70 Background<br />
Developed by the American Institute of Certified Public<br />
Accountants (AICPA)<br />
Type I<br />
Point in time assessment<br />
Description of controls presents<br />
fairly in all material respects<br />
Controls designed to achieve<br />
specific control objectives<br />
Type II<br />
Specific audit period<br />
Description of controls presents<br />
fairly in all material respects<br />
Controls designed to achieve<br />
specific control objectives<br />
Detailed testing of controls<br />
effectiveness to provide reasonable<br />
assurance<br />
8
Reasons for New Standard<br />
Clear up confusion on the use of SAS 70 - separate reporting for service organizations that<br />
impact financial reporting from those that do not<br />
Security, availability, confidentiality, processing integrity, and privacy are more of a<br />
concern<br />
New regulations such as Sarbanes-Oxley<br />
Federal privacy regulations such as GLBA, HIPAA, FERPA, FISMA, etc.<br />
Advances in technology (online portals, mobile, cloud, etc.)<br />
Increase in outsourcing tasks to service organizations<br />
9
SOC – Types of Engagements<br />
SOC engagements are designed to meet the needs of user entities and other<br />
stakeholders by providing service organizations with criteria for describing their<br />
systems, criteria for evaluating the suitability of design and operating effectiveness of<br />
the service organization’s controls, and an independent CPA’s opinion on the<br />
description of the system and the design and operating effectiveness of the service<br />
organization’s controls.<br />
There are three SOC report options:<br />
SOC 1 reports are performed in accordance with Statements on Standards for<br />
Attestation Engagements No. 16 (SSAE 16) and focus solely on controls at the service<br />
organization that are relevant to the audit of a user’s financial statements.<br />
SOC 2 reports are performed under Attestation Standards (AT) Section 101 “Attest<br />
Engagements”, and are based on the AICPA’s Trust Services Principles and Criteria.<br />
These reports address one or more of the following key system attributes: security,<br />
availability, processing integrity, confidentiality, and privacy.<br />
There are two types of reports for both SOC 1 and SOC 2 examinations: a Type 1 and a Type 2.<br />
SOC 3 reports use the same Trust Services Principles and Criteria as SOC 2. Like SOC<br />
2, SOC 3 reports can address one or more of the five Trust Services Principles and<br />
Criteria. SOC 3 reports differ from SOC 2 reports in that they are for general use, without<br />
a description of the service auditor’s tests and results.<br />
10
SOC – Types of Engagements<br />
Regardless of whether a SOC 1 or 2 is chosen, there are two types of SOC<br />
examinations. A Type I examination provides assurance over the design of controls<br />
and a Type II examination provides assurance over the design of controls and their<br />
operating effectiveness. SOC 3 examinations provide assurance over both the design<br />
of controls and their operating effectiveness (i.e., Type II).<br />
Type I<br />
Coverage: A Type I report examines the suitability of the design of controls in meeting specified control<br />
objectives or the applicable trust services criteria, as of a specified date (e.g. June 30).<br />
Control Design: An opinion is given on (1) the fairness of the presentation of management’s description of<br />
its system, and (2) the suitability of the design of controls in meeting the specified control<br />
objectives (SOC 1) or trust services criteria (SOC 2 and 3).<br />
Control Effectiveness: N/A<br />
Type II<br />
Coverage: A Type II report examines the suitability of the design of controls, and the operating<br />
effectiveness of the controls over a specified period (e.g. January 1 to June 30).<br />
Control Design: An opinion is given on (1) the fairness of the presentation of management’s description of<br />
its system, and (2) the suitability of the design of controls in meeting the specified control<br />
objectives (SOC 1) or trust services criteria (SOC 2 and 3) during the period specified.<br />
Control Effectiveness: An opinion is given on the (3) operating effectiveness of the controls in meeting the<br />
specified control objectives (SOC 1) or trust services criteria (SOC 2 and 3) during the<br />
period specified.<br />
11
Service Organization Controls Basics<br />
SOC 1 (SSAE 16)<br />
Title: Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over<br />
Financial Reporting (SSAE 16)<br />
Type of Services Provided: Controls relevant to user entities’ internal control over financial reporting<br />
Report Format: Type I or Type II<br />
Who Will Use the Report? User Entities, User Entities’ Auditors<br />
Is the Report Available for Public Use? No<br />
SOC 2 (AT 101)<br />
Title: Report on Controls at a Service Organization Relevant to Security, Availability, Processing<br />
Integrity, Confidentiality or Privacy<br />
Type of Services Provided: Controls relevant to security, availability, processing integrity, confidentiality,<br />
or privacy<br />
Report Format: Type I or Type II<br />
Who Will Use the Report? User Entities, User Entities’ Auditors, Prospective User Entities<br />
Is the Report Available for Public Use? No<br />
SOC 3 (AT 101)<br />
Title: Trust Services Report for Service Organizations<br />
Type of Services Provided: Controls relevant to security, availability, processing integrity, confidentiality,<br />
or privacy<br />
Report Format: Type II only<br />
Who Will Use the Report? Anyone<br />
Is the Report Available for Public Use? Yes<br />
12
SOC 1 Control Objective Examples<br />
IT General Controls<br />
Information Security<br />
Logical Access<br />
Environmental Controls<br />
Physical Security<br />
Data Backup and Recovery<br />
System Development and Change<br />
Management<br />
System Monitoring and Maintenance<br />
Processing Controls<br />
Claims Receipt<br />
Claims Output<br />
Master File Maintenance<br />
Reconciling Provider Payment<br />
Reporting<br />
13
SOC 2 and 3 Trust Principles<br />
1. Security<br />
2. Availability<br />
3. Processing Integrity<br />
4. Confidentiality<br />
5. Privacy<br />
- Management<br />
- Notice<br />
- Choice and consent<br />
- Collection<br />
- Use, retention, disposal<br />
- Access<br />
- Disclosure to third parties<br />
- Security for privacy<br />
- Quality<br />
- Monitoring and enforcement<br />
14
SAS 70 vs. SSAE 16<br />
(Timeline figure comparing the two standards; milestones shown: Planning, Start of Audit Period, End of Audit Period, Subsequent Event, Report Date, Delivery)<br />
SAS 70: Planning (Scope, Description of Control); Design; Operating Effectiveness; Subsequent Event; Mgt. Report Letter & report<br />
SSAE 16: Planning (Scope, Description of Control, Management Assertion, Risk Assessment); Design; Operating Effectiveness; Subsequent Event; Mgt. Report Letter & report<br />
Preparing for a SOC Review<br />
System Description<br />
Management of the service organization is responsible for preparing the<br />
description of the service org’s system, including the completeness, accuracy,<br />
and method of presentation of the description.<br />
16
Preparing for a SOC Review (cont.)<br />
Defining Scope of Engagement<br />
Management of the service org considers which services, business units,<br />
functional areas, or applications are likely to be relevant to its user entities.<br />
Management also considers whether the service org has any contractual<br />
obligations to provide the report to one or more of its user entities, including<br />
frequency.<br />
Subservice organizations may be separate entities from the service org or may be entities related to<br />
the service org. A service org that uses a subservice org may use the carve-out<br />
method or the inclusive method to present info about services provided by the<br />
subservice org in its description of the service org’s system.<br />
Determine period - SSAE No. 16 states that a type II report that covers a period<br />
of less than six months is unlikely to be useful to user entities and their auditors.<br />
17
Preparing for a SOC Review (cont.)<br />
Service Organization Management Responsibilities<br />
Management of the service organization is responsible for the following:<br />
18
Preparing for a SOC Review (cont.)<br />
Use of Internal Audit work<br />
SSAE No. 16 states that if the service org has an internal audit function, the<br />
service auditor should obtain an understanding of the nature of the internal<br />
audit function’s responsibilities and activities to determine whether the<br />
internal audit function is likely to be relevant to the engagement.<br />
19
Case Study - Risk Assessment<br />
Objective: Controls provide reasonable assurance that physical access to computer<br />
equipment, storage media, and program documentation is restricted to authorized<br />
personnel.<br />
What Can Go Wrong:<br />
1. Computer equipment (including mobile devices) lost or stolen.<br />
2. Data storage USB drives lost or stolen.<br />
3. Unauthorized access to data center.<br />
4. <br />
5.<br />
Relevance<br />
Probability: Daily / Weekly / Monthly / Quarterly / Annually<br />
Impact: No Impact / Nuisance / Significant / Crisis<br />
Key Controls (Designed Effectively / Operating Effectively / Test Results)<br />
1. Encrypted mobile devices / USB drives: Yes / Partially / Exceptions noted<br />
2. Card controlled data center access: Yes / Yes / No exceptions noted<br />
3. Receptionist during business hours: Yes / Yes / No exceptions noted<br />
Conclusion: Meets / Does Not Meet Risks Objectives<br />
20
Case Study - Risk Assessment<br />
Objective:<br />
What Can Go Wrong:<br />
Relevance<br />
Probability: Daily / Weekly / Monthly / Quarterly / Annually<br />
Impact: No Impact / Nuisance / Significant / Crisis<br />
Key Controls (Designed Effectively / Operating Effectively / Test Results)<br />
Conclusion: Meets / Does Not Meet Risks Objectives<br />
21
During the SOC Review<br />
Timing of Audit Testing<br />
22
During the SOC Review<br />
Types of Tests<br />
• Inquiry – Lowest level of assurance; must be corroborated by one of the three types of<br />
tests below.<br />
• Observation – Consider multiple observations during the examination period,<br />
especially if no documentary evidence exists<br />
• Inspection of documents, reports, or electronic files that contain evidence of the<br />
performance of the control<br />
• Re-performance of the control<br />
23
Reporting<br />
Deviations / Control Deficiencies<br />
If deviations have been identified, the service auditor’s description of tests and results<br />
should identify the extent of testing performed by the service auditor that led to the<br />
identification of the deviations, including:<br />
Number of items tested<br />
Number and nature of deviations noted<br />
If deviations have been identified, it may be helpful to users of the report for management to<br />
disclose, to the extent known<br />
Causative factors for the deviation<br />
Controls that mitigate the effect of the deviation<br />
Corrective actions taken<br />
Other qualitative factors that would assist users in understanding the effect of the<br />
deviations<br />
Information provided by management about controls that mitigate the effect of deviations or<br />
corrective actions should not include forward-looking info, such as future plans to implement<br />
controls.<br />
24
Reporting<br />
Types of Opinions<br />
Unqualified Opinion – The controls are designed and operating effectively. They meet<br />
the needs of the objectives.<br />
Qualified Opinion - When the service auditor has determined that the controls do not meet<br />
the objectives (i.e., poorly designed, not operating effectively).<br />
Disclaimer<br />
• Refusal to provide a written assertion<br />
• Refusal by management to provide a representation reaffirming their assertion<br />
• Information provided by the Service Organization<br />
25
New Report Structure<br />
SAS 70<br />
1. Independent Service<br />
Auditor’s Report<br />
2. Description of Controls<br />
3. Control Objectives and<br />
Related Controls<br />
4. Other Information Provided<br />
by the Service Organization<br />
SOC<br />
1. Auditor’s Opinion<br />
2. Management’s Assertion<br />
3. Description of the Systems<br />
4. Information provided by the<br />
Service Auditor<br />
5. Information provided by the<br />
Service Organization<br />
26
Management Assertion<br />
(additional requirements under new standard)<br />
The SSAE 16 standard requires management of the service organization to provide the<br />
service auditor with a written assertion.<br />
Management "asserts" to a number of clauses, such as the following:<br />
That management's description of the service organization's "system" fairly presents the<br />
service organization's system that was designed and implemented at either a specific date<br />
(SSAE 16 Type 1 report) or implemented throughout a specified time period (SSAE 16 Type 2<br />
report).<br />
The control objectives stated in management's description of the service organization's<br />
system were suitably designed to achieve those control objectives at either a specific date<br />
(SSAE 16 Type 1 report) or designed throughout a specified time period (SSAE 16 Type 2<br />
report) to achieve those control objectives along with having them operate effectively<br />
throughout the specified time period.<br />
The criteria used in making these assertions, which again are additional<br />
statements and supporting references regarding risk factors relating to controls and control<br />
objectives, and (for an SSAE 16 Type 2 report) that the controls were consistently applied.<br />
27
Management Assertion<br />
Written assertion from the subservice organization if inclusive method is<br />
used<br />
28
SOC Seals & Logos<br />
There are three AICPA SOC logos:<br />
• One (“Service Organization SOC Logo”)<br />
for service organizations obtaining a<br />
SOC report (i.e., SOC 1, SOC 2 and/or<br />
SOC 3),<br />
• One (“SOC 3 Seal”) for service<br />
organizations obtaining an unqualified<br />
SOC 3 report, and<br />
• One (“Service Auditor CPA SOC Logo”)<br />
for licensed CPAs performing SOC<br />
examinations.<br />
29
Please Complete the Session Evaluation Form on<br />
the Conference App and Include Your Conference<br />
Registration ID# to be Included in a Drawing for a<br />
Free Conference Registration for the 2014 Annual<br />
Conference!<br />
NOTE: Your Conference Registration ID# is Located at the<br />
Bottom Left Hand Corner of Your Badge.<br />