Presentation is loading. Please wait.

Presentation is loading. Please wait.

Table of contents Overview of third-party assurance reporting AT 101, 201, and 601 reports SOC 1, 2, and 3 reports SOC 2 deep-dive.

Published byRaquel Custard Modified over 9 years ago

Similar presentations

Presentation on theme: "Table of contents Overview of third-party assurance reporting AT 101, 201, and 601 reports SOC 1, 2, and 3 reports SOC 2 deep-dive."— Presentation transcript:

0 Information Systems Audit and Controls Association Third-Party Assurance Reporting: Focus on SOC 2
August XX, 2014 Dan Zychinski Senior Manager, Deloitte & Touche LLP DRAFT

1 Table of contents Overview of third-party assurance reporting AT 101, 201, and 601 reports SOC 1, 2, and 3 reports SOC 2 deep-dive

2 Overview of third-party assurance reporting
In this section tie in why people should care about this

3 Third-party assurance (TPA) reporting – questions
When should we care about TPA reports? When an IT or business process is outsourced and the user entity and/or user auditor is looking for assurance that the service providers' corporate controls operate effectively and that data is not exposed to undue risk Why should we care about TPA reports? Provides an independent assessment of the service organization’s controls Financial statement audit, Sarbanes-Oxley (SOX), regulatory, and vendor compliance Used by company boards as part of their oversight responsibilities for service providers Used by financial auditors of the user entities When can we place reliance on TPA reports? The scope of the report aligns to the user entity outsourced process (i.e., application processing systems, locations, etc.) The ‘reporting period’ or ‘as of’ date of the report aligns to the user entity audit period (for SOC 1 reports only) Tie into SSAE16 & ISAE34 – what are they

4 Third-party assurance – report type snapshot
AUP (AT 201) AT 101, 601 Soc  1 Soc 2 Soc 3 Scope Fairly open-ended and not limited to Internal Control Over Financial Reporting (ICFR) Management defined scope based on assertion (AT101 defined as attestation, AT601 defined as compliance) ICFR Trust Principles (Security, Availability, Processing Integrity, Confidentiality and/or Privacy) Audience User entity (customer), their auditors, and the service provider User entity (customers) and their auditors User entity and prospective customers Anyone interested in the report Use Vendor management and operational audit Custody Rule, Operational and regulatory audits Financial and SOX audits Operational, and regulatory audits General Format High-level report that includes the auditor opinion related to the agreed-upon-procedures (not a control based report) A flexible report that can either be high level or have detailed results A detailed report that includes results of tests performed to obtain assurance of operating effectiveness of controls (Type 2) A detailed report that includes results of operating effectiveness (Type 2) A summary report that can be in the form of a Seal displayed on the website Report Components Auditor Opinion and List of Agreed-Upon-Procedures Service Auditor Opinion, Management Assertion, and Additional information as requested Service Auditor Opinion, Management Assertion, System Description, and Controls (including tests of operating effectiveness and results) (Type 2) Service Auditor Opinion, Management Assertion, System Description Tie into SSAE16 & ISAE34 – what are they

5 AT 101, 201, and 601 In this section tie in why people should care about this

6 Attestation standards and reports
What are the “AT” standards? As an extension to Generally Accepted Auditing Standards (GAAS), the Attestation Standards (AT) specifically define the framework for attest related engagements including guidance on planning, performing, and reporting on such engagements. AT Section 101 Management assertion report (can be issued as a full report on management’s assertion or an assertion letter) covering operational areas that would NOT be covered by SOC 1 (controls over financial reporting) Note: SOC 2 and SOC 3 reports are issued under AT101 guidance. AT Section 201 Agreed-upon procedures (AUP) – covering specific testing procedures defined between two parties (typically the outsourced services provider and a single customer) covering any subject matter AT Section 601 Management assertion report (can be issued as a full report on management’s assertion or an assertion letter) covering compliance areas that would NOT be covered by SOC 1 reporting Tie into SSAE16 & ISAE34 – what are they

7 SOC 1, 2, and 3 In this section tie in why people should care about this

8 What is a Service Organization Controls (SOC) report?
What is a SOC report? “Service Organization Controls reports are designed to help service organizations, organizations that operate information systems and provide information system services to other entities, build trust and confidence in their service delivery processes and controls through a report by an independent certified public accountant.”1 So what does this mean? SOC reports cover situations where one company outsources some portion of their business or technology to another company. What is a SOC 2 report? SOC 2 reports are an examination engagement to report on controls at a service organization intended to mitigate risks related to security, availability, processing integrity, confidentiality, or privacy (trust services principles). What are a few examples of SOC 2 reports? Examples of service providers where a SOC 2 report might be relevant include cloud computing, customer call centers, enterprise IT outsourced services. Tie into SSAE16 & ISAE34 – what are they 1 — Definition from AICPA

9 Types of SOC reports Standards and options
Service Org Control 1 (SOC 1) Service Org Control 2 (SOC 2) Service Org Control 3 (SOC 3) SSAE16 — Service auditor guidance AT 101 AT 101 Restricted Use Report (Type I or II Report) Generally Restricted Use Report (Type I or II Report) General Use Report (w/ public seal) Purpose: Reports on controls for F/S audits Purpose: Reports on controls related to compliance or operations Purpose: Reports on controls related to compliance or operations Trust Services Principles and Criteria Historically SAS 70 Reports

10 Key SOC report terms Service auditor
A practitioner who reports on controls at a service organization. Service organization An organization or segment of an organization that provides services to user entities, which are likely to be relevant to those user entities’ control environment Subservice organization A service organization used by another service organization to perform some of the services provided to user entities that are likely to be relevant to those user entities’ control environment User entity An entity that uses a service organization. Applicable trust services criteria The criteria in Trust Services Principles (TSP) section 100, i.e., Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Technical Practice Aids), that are applicable to the principle(s) being reported on. These are issued by issued by the Assurance Services Executive Committee of the AICPA (the committee). Boundaries of the system The boundaries of a system are the specific aspects of a service organization’s infrastructure, software, people, procedures, and data necessary to provide its services. Tie into SSAE16 & ISAE34 – what are they

11 Key SOC report terms (cont.)
Engagement letter A formal letter representing the written contract between the service auditor and the service organization to perform SOC services. Management assertion A written statement by management of the service organization regarding the description of the service organization’s system; the suitability of the design of the controls; and in a Type 2 report, the operating effectiveness of the controls. Management representation letter A letter signed by management of the service organization that includes written statements of facts or representations that controls are suitably designed and implemented (Type 1) and operating effectively (Type 2). Test of controls A procedure designed to evaluate the operating effectiveness of controls in achieving the control objectives stated in management’s description of the service organization’s system (Type 2). Tie into SSAE16 & ISAE34 – what are they Additional definitions are available in Appendix D of the AICPA Guide, “Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2)”

12 SOC 2 reports – deep dive In this section tie in why people should care about this

13 SOC 2 overview Topic SOC 2 guidance Professional guidance
AICPA Attestation engagement under AT section 101 AICPA Guide, “Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy” Effective date As of May 2011 Scope Controls at a service organization intended to mitigate risks related to security, availability, processing integrity, confidentiality, or privacy (trust services principles) Application of SOC 2 SOC 2 can be applied for regulatory or non-regulatory purposes to cover business areas outside of financial reporting. The report can be distributed to customers and other stakeholders to demonstrate a focus on system and processing controls to meet their requirements. SOC 2 can be applied to virtually every industry and business sector. SOC 2 will allow service organizations to provide assurance to customers and other stakeholders that effective internal controls are in place.

14 SOC 2 overview (cont.) SOC 2 is an AICPA report that allows service auditor to provide an opinion on the following principles: Security Availability Processing integrity Confidentiality Privacy Can include one or more of the above trust services principles but may need to address entire principle scoped in unless it was deemed not applicable. That would need to be documented. In a SOC 2 report, the AICPA has supplied the criteria, where in a Statement on Standards for Attestation Engagements No. 16 (SSAE 16)/SOC 1, management specifies the objectives and controls. So, SOC 2 reports should be much more consistent across the marketplace. Exception is for SOC 2 reports which cover privacy. These reports would also need to include the service organization’s privacy policy, which could obviously vary from organization to organization.

15 SOC 2 principles Security IT security policy
Security awareness and communication Risk assessment Logical access Physical access Environmental controls Security monitoring (breaches) User authentication Incident management Asset classification and management Systems development and maintenance Configuration management Availability Confidentiality Processing integrity Privacy Availability policy Backup and restoration Disaster recovery Confidentiality policy Confidentiality of inputs Confidentiality of data processing Confidentiality of outputs Information disclosures (including third parties) Confidentiality of Information in systems development System processing integrity policies Completeness, accuracy, timeliness, and authorization of inputs, system processing, and outputs Information tracing from source to disposition Notice Choice On-ward transfer Access Security Data Integrity Training and awareness Enforcement and compliance

16 Security vs. privacy Security relates to the authorization of transactions and protection of the integrity of those transactions throughout the system and also protecting personal and other information from unauthorized use or disclosure from the time it is collected until the time it is disposed of. Security may also relate to the protection of the system from interruptions in processing availability. Privacy encompasses a much broader set of activities beyond security that contribute to the effectiveness of a privacy program, including, for example, providing users with the following: Notice of the service organization’s privacy commitments and practices Choice regarding the use and disclosure of their personal information (PII) Access to their personal information for review and update An inquiry, complaint, and dispute resolution process

17 Service auditor’s opinion on a SOC 2 engagement
In a SOC 2 report, the service auditor expresses an opinion on the following: Whether the description of the service organization’s system is fairly presented Whether the controls are suitably designed to provide reasonable assurance that the applicable trust services criteria could be met if the controls operated effectively In Type 2 reports, whether the controls were operating effectively to meet the applicable trust services criteria In engagements to report on the privacy principle, whether the service organization complied with the commitments in its statement of privacy practices

18 Type 1 and Type 2 SOC 2 reports
Reports on controls placed in operation (as of a point in time) Looks at the design and implementation of controls; not operating effectiveness Considered for information purposes only Often performed only in the first year a client has a SOC report completed Type 2 Reports on the design, implementation and operating effectiveness over a period of time (generally not less than six months) Includes tests of operating effectiveness and results More comprehensive Requires more internal and external effort More emphasis on evidential matter Neither a Type 1 or Type 2 SOC 2 report can be used for reliance purposes by financial auditors.

19 SOC 2 reports — benefits Reports can be referenced by boards as part of their oversight responsibility of service providers Reduces questions and site visits from clients, prospective clients to the service provider Often requested by prospective clients during the due diligence process Can act as a differentiator from competitors during new business negotiation process Certain organizations are requiring the issuance of SOC 2 reports as a part of the service contracts and agreements Demonstrate compliance with regulatory and legal requirements (such as Federal Information Security Management Act (FISMA))

20 Components of a SOC 2 report
2–4 weeks** 1–2 weeks** SOC 2 report The Final SOC2 report contains: Executive summary Section I: Independent Service Auditors’ Report Section II: Management Assertion Section III: System Description Overview Section IV: Description of Controls and tests of operating effectiveness Section V: Other Information Provided by the service organization Baseline walkthrough The purpose of the baseline walkthrough is to gather engagement planning information required for a SOC 2. COSO* walkthrough This information covers governance and higher level entity controls to understand how the organization provides fundamental discipline and structure to its internal control system. Topical areas relate to how organizations look at their business. Topical areas walkthrough Testing phase The description of controls are tested in this phase for operating effectiveness. 4–8 weeks** *Committee of Sponsoring Organizations of the Treadway Commission ** Estimated, depends on current control environment and documentation

21 How does SOC 2 differ from SSAE 16/SOC 1?
Similar in structure and general approach to SOC 1: An option for a Type 1 or Type 2 report. An opinion An assertion A section describing the processing environment Description of control activities, and tests Management representation letter A SOC 2 report does not need to cover processing related to financial reporting, nor is it intended to support financial reporting for your users (it is seen to be more technical and can cover operational items for the business). A SOC 2 report can be supplied to a wider audience. Intended users are management of the service organization, user entities, and other “specified parties.” Specified parties can be anyone who understands the nature of the services being provided by the service organization, how the service organization operates, and internal controls. Question for audiences – Is your firm currently performing a SOC1 or a SOC2 report? Where do you see possible uses of a SOC2 report in your current organization

22 Is SOC 2 the right report for your purpose?
SOC 1 report SOC 2 report SOC 3 report Professional standard used AT 801 AT 101 Used by auditors to plan and perform financial audits Yes No Used by user entities to gain confidence and place trust in service organization systems Obtain details of the processing performed and related controls, the tests performed by the service auditor and results of those tests Report generally available — can be freely distributed or posted on a website as a “SysTrust for Service Organizations” seal 

23 Is SOC 2 the right report for your purpose?
Some challenges Deciding on the right principle(s) to include in scope We recommend inventorying customers’ requests Align with overall departmental/company strategies Drawing report boundaries Few organizations had a previous need to look at their systems in the manner needed for a SOC 2 Example — tracing PII through the environment Smaller, non-public organizations selling to SEC Filers Extent of policies and procedures needed seen as extensive Level of precision to meet principles and criteria

24 SOC 2 reports — industry application
Market feedback Marketplace appears to be embracing the product: Security principal is being used extensively Software as a Service (SAAS) providers are taking advantage of “full” reports by covering all five areas Smaller service organizations are issuing SOC 2 reports Number of Privacy reports being issued is low Service providers appreciate the “closed” nature of SOC 2 Guidance: Trust Principles draw some “bright lines” around definitions of sound security, privacy, etc. Guidance seen as proscriptive Can be provided to both current users as well as prospective users Still to come: SOC 2 to replace individual on-site audits and questionnaires SOC 2 to replace aspects of regulatory exams

25 SOC 2 illustrative applications
SOC 2 reports provide a way to build trust with customers and demonstrate compliance in controls with various industry regulations and standards. Illustrative applications of SOC 2 reports Cloud Computing Cloud service providers can give their customers assurance of effective controls across the SOC 2 Trust Principles. Smart Grid Smart grid companies can demonstrate compliance with various regulatory body requirements, industry frameworks, and standards. FISMA Agencies with federal contracts can demonstrate that controls meet the FISMA requirements. ISO Tie into SSAE16 & ISAE34 – what are they ISO 27001, regulations can be reported under the SOC 2 reporting framework. Consolidation SOC 2 Multiple surveys or questionnaires from user entities can be encompassed under a consolidated SOC 2 report.

26 SOC 2 illustrative applications
Call centers Call center services SOC 1 may not be a good fit because while call center services are important from a business perspective, the processes executed may not be financially significant for customers of a service provider. User entities may be concerned about handling of end-customer information and a SOC 2 report may demonstrate that there are controls encompassing the security, confidentiality, and privacy of information.

27 SOC 2 illustrative applications
Medical claims processing Medical claims processing service provider A SOC 2 report focused on processing integrity (completeness, accuracy, timelines, etc.) could provide customers with comfort regarding the controls over transactions in claims processing. This may be prepared in addition to a SOC 1 report leveraging existing controls and testing.

28 SOC 2 illustrative applications
Information technology services Data center hosting SOC 1 or SOC 2 may be a good fit for these types of services. Hosting does have relevance to Internal Controls over Financial Reporting (ICFR), however there could be security and availability concerns that may be addressed with a SOC 2 report. Cloud service providers Cloud service providers need to provide their customers assurance of effective controls across the SOC 2 trust principles in order for those customers to comfortably entrust the cloud provider with their sensitive data and critical computing needs. SOC 2 reports provide a way to build trust with customers and demonstrate compliance in controls with various industry regulations and standards (e.g., The Health Insurance Portability and Accountability Act/Health Information Technology for Economic and Clinical Health Act (HIPAA/HITECH), Gramm-Leach-Bliley Act (GLBA), FISMA).

29 SOC 2 illustrative applications
Financial services Credit card processing A SOC 1 or SOC 2 are both alternatives. Payment card processing may have relevance to a user’s ICFR, thus fitting the SOC 1 criteria. From a SOC 2 perspective the report may cover a number of principles of interest including security, confidentiality, availability, integrity of processing, and privacy of the credit card holders personal information.

30 SOC 2 illustrative applications
Power and utility companies Power and utility compliance Power and utilities companies can leverage SOC 2 to demonstrate compliance with various regulatory body requirements, industry frameworks, and standards such as Natural Environment Research Council (NERC) Critical Infrastructure Protection (NERC CIP), Smart Grid: National Institute of Standards and Technology (NIST) IR 7628 — Guidelines for Smart Grid Cyber Security, Advanced Metering Infrastructure (AMI) — Securities and Exchange Commission (SEC) System Security Requirements, and state privacy requirements.

31 Questions?

32 This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation. About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see for a detailed description of DTTL and its member firms. Please see for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting Copyright © 2014 Deloitte Development LLC. All rights reserved USC Member of Deloitte Touche Tohmatsu Limited 32

Download ppt "Table of contents Overview of third-party assurance reporting AT 101, 201, and 601 reports SOC 1, 2, and 3 reports SOC 2 deep-dive."

Similar presentations

Assurance Services Independent professional services that “improve the quality of information, or its context, for decision makers” Assurance service encompass.

Assurance Services Independent professional services that “improve the quality of information, or its context, for decision makers” Assurance service encompass.
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY.

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY.
Additional Assurance Services: Other Information

Additional Assurance Services: Other Information
Navigating Compliance Requirements DCM 6.2 Regs and Codes linford & co llp.

Navigating Compliance Requirements DCM 6.2 Regs and Codes linford & co llp.
Dr. Mohamed A. Hamada Lecturer of Accounting Information Systems Advanced Auditing Lecture 1 Assurance and Attestation Services.

Dr. Mohamed A. Hamada Lecturer of Accounting Information Systems Advanced Auditing Lecture 1 Assurance and Attestation Services.
SERVICE ORGANIZATION CONTROL REPORTS SM Formerly SAS 70 Reports.

SERVICE ORGANIZATION CONTROL REPORTS SM Formerly SAS 70 Reports.
March 6, 2012 SOC Reporting: What is New in the Audit Guides?

March 6, 2012 SOC Reporting: What is New in the Audit Guides?
Mind the Gap: Evaluating Internal Controls in Pharmaceutical Supply Chains across Sub-Saharan Africa AIDS 2012: July 22-27 Julianna Kohler, Revathi Avasarala,

Mind the Gap: Evaluating Internal Controls in Pharmaceutical Supply Chains across Sub-Saharan Africa AIDS 2012: July Julianna Kohler, Revathi Avasarala,
Chapter 20 Additional Assurance Services: Other Information

Chapter 20 Additional Assurance Services: Other Information
Assurance Services and Auditing Research Chapter 8.

Assurance Services and Auditing Research Chapter 8.
Assurance, Attestation, and Internal Auditing Services

Assurance, Attestation, and Internal Auditing Services
BA 427 – Assurance and Attestation Services Lecture 18 The Types of Services Offered by Public Accounting Firms.

BA 427 – Assurance and Attestation Services Lecture 18 The Types of Services Offered by Public Accounting Firms.
Third Party Reporting © 2008 Ernst & Young LLP. All rights reserved. For Internal Use Within EY Only; Not for Distribution to Clients. Third Party Reporting.

Third Party Reporting © 2008 Ernst & Young LLP. All rights reserved. For Internal Use Within EY Only; Not for Distribution to Clients. Third Party Reporting.
Assurance Services and Auditing Research Chapter 8.

Assurance Services and Auditing Research Chapter 8.
Security Controls – What Works

Security Controls – What Works
Module A1 Other Public Accounting Services ACCT 4080.

Module A1 Other Public Accounting Services ACCT 4080.
25 - 1 ©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder Other Assurance Services Chapter 25.

©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder Other Assurance Services Chapter 25.
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 24 - 1 Other Assurance Services Chapter 24.

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley Other Assurance Services Chapter 24.
Auditing A Risk-Based Approach To Conducting A Quality Audit

Auditing A Risk-Based Approach To Conducting A Quality Audit

Similar presentations

Ads by Google