
Service Organization Controls (SOC) Overview Shared Assessment Member Forum Presentation April 10, 2012.



2 Introduction

Mark Cornish
Mark is a Director in PwC's Financial Services Assurance practice in Boston with over 13 years of domestic and international public accounting and professional services experience, primarily focusing on financial services, specifically the asset management and insurance industries. Mark possesses an extensive knowledge of financial services systems, processes and controls, and continues to assist clients with risk management, compliance and internal controls work. Mark has extensive experience developing, performing and reporting on service organization controls. He has served as the service organization controls reporting director for several global organizations, covering areas such as fund accounting, custody, securities lending and application service providers.

Jeff Trent
Jeff is a Director in PwC's Financial Services Assurance practice in New York with over 15 years of experience working with clients to address a wide range of internal control, technology and operational risk related solutions. He has led the development of service organization / vendor management reporting solutions for PwC at prime brokers, pricing vendors, and card and merchant payment services, and has also provided audit and consulting services for technology and controls across various financial services clients. Jeff has served as the service organization controls reporting director in areas such as prime brokerage, trade processing, securities clearing and settlement, investment advisory, trust and custody, pricing services, money transfer, insurance claims processing, credit card operations, merchant processing operations, and lockbox payment and document processing.

3 Agenda
1. Types of Service Organization Control (SOC) reports
2. Transition from SAS 70 to SSAE 16
3. SOC 2
4. SOC 3
5. Customized attestations
6. What attestation report should you request?
7. Q&A

4 Types of Service Organization Control (SOC) Reports: New Standards and Reporting Options

SOC 1 (SSAE 16)
  Underlying standard: AT 801
  Report distribution: Restricted use report (Type I or Type II)
  Purpose: Reports on controls relevant to user entities' financial statement (F/S) audits

SOC 2
  Underlying standard: AT 101
  Criteria: Trust Services Principles and Criteria
  Report distribution: Generally a restricted use report (Type I or Type II)
  Purpose: Reports on controls related to compliance or operations

SOC 3
  Underlying standard: AT 101
  Criteria: Trust Services Principles and Criteria
  Report distribution: General use report (with a public seal)
  Purpose: Reports on controls related to compliance or operations

Custom attestation
  Underlying standard: AT 101
  Report distribution: Can be either a restricted use or a general use report
  Purpose: Reports on controls, or on results, based on specified criteria

5 Transition from SAS 70 to SSAE 16

What is SSAE 16? Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and its global counterpart, International Standard on Assurance Engagements No. 3402 (ISAE 3402), provide the framework for service organizations that need to deliver consistent global reporting on internal controls over financial reporting (ICFR).

The differences between SAS 70 and SSAE 16 are minimal. SAS 70 is an auditing standard, while SSAE 16 is an attestation standard. The most notable difference is that SSAE 16 requires a written assertion from the service organization's management about the fairness of the system description and the suitability of the design (and, for a Type II report, the operating effectiveness) of its controls. The format of the service auditor's opinion also changed with SSAE 16. SSAE 16 became effective for report periods ending on or after June 15, 2011.

6 SOC 2 – Reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and Privacy

A SOC 2 report is very similar in structure to a SOC 1 report (formerly the SAS 70 report). The scope of a SOC 2 report is based on one or more of the AICPA Trust Services Principles and Criteria (TSPC):
- Security
- Availability
- Processing integrity
- Confidentiality
- Privacy

This report is intended for knowledgeable parties and stakeholders, and it is restricted in use.

7 SOC 2 – Case Study

Issue
A leading digital content distributor and supplier of content management, distribution and hosting solutions was struggling to respond to a user request for controls comfort. The organization was eager to meet the needs of this particular user while also providing a level of comfort to other users that had not requested it. The company understood that the user was not asking specifically for an SSAE 16 report over the platform, and it was advised that an SSAE 16 report was not necessarily the best fit because the platform did not relate to internal controls over financial reporting. In working with the organization on a SOC 2 report, the differences between the reporting standards were highlighted.

Action
The company identified and documented controls over the system specific to the Processing Integrity principle. Management's description of its system was examined and the design of the controls was evaluated against the criteria for the processing integrity principle set forth in Trust Services Principles section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Technical Practice Aids) (the applicable trust services criteria).

Impact
Rather than a traditional SSAE 16 report, the SOC 2 report provided greater alignment with what users were seeking comfort over (processing integrity, security) and can be used to provide greater transparency. It also helped reduce the volume of questions and the number of due diligence reviews performed by the vendor management programs of the company's clients.

8 SOC 3 – Trust Services Report for Service Organizations
- Although similar to the SOC 2 report, the SOC 3 report does not provide a detailed description of the service auditor's tests and results.
- Unlike SOC 1 and SOC 2 reports, the SOC 3 report is available to the general public.
- Users of these reports may include business partners, consumers, regulators, banks, outsourcers and those using outsourced services.
- SOC 3 is an attestation report based on the same TSPC as SOC 2. It is intended to meet the needs of users who want assurance over controls at a service organization relating to security, availability, processing integrity, confidentiality and privacy.
- Historically, SOC 3 reports were named SysTrust or WebTrust reports.

9 Customized Attestation

When none of the three SOC reports is the right fit, another option exists to provide comfort and assurance. Customized attestations, based on the AT 101 standard, allow assurance reporting across a wide spectrum of subject matter and are flexible enough to meet a wide variety of needs. A customized attestation can provide varying levels of assurance and can potentially be unlimited in its distribution to third parties. Customized attestations can provide opinions covering either controls or specific results. A customized attestation requires suitable criteria, which must be objective, measurable, complete and relevant.

10 Which attestation report should you request?

SOC 1
- For users that have previously obtained a SAS 70 report from a service organization for an outsourced process related to internal controls over financial reporting.
- For independent assurance on controls over processes related to financial reporting that have been outsourced to a third party.
- For auditor-to-auditor communication.

11 Which attestation report should you request? (continued)

SOC 2
- For independent assurance on controls related to systems that do not impact financial reporting but may be relevant to controls over security, availability, processing integrity, confidentiality and/or privacy.
- For assurance over an outsourced system that is of key operational importance.
- For providing management and/or the board of directors comfort over risks beyond financial reporting.
- For assurance over a third-party data center or cloud computing company.
- For users that work in a highly regulated industry such as health care, utilities or financial reporting.
- For an outsourced provider that has had a recent data/security breach.
- For parties knowledgeable of the service organization.

12 Which attestation report should you request? (continued)

SOC 3
- For users that may not be knowledgeable of the service organization's system and/or would rather have a summary report.
- For users that would like to view reports related to a third-party service provider where they are not the service or user management, or the user auditor.
- For companies that do business online and want to obtain assurance or a "seal of approval" over the privacy of the information provided to the third party.
- For business-to-business and business-to-consumer communication.

13 Which attestation report should you request? (continued)

Customized attestation
- For users that need transparency over non-financial-reporting operations that are not covered in SOC 2 or SOC 3.
- For vendors supplying services where annual due diligence or oversight is required and is performed using a defined assessment framework, to confirm the existence and effectiveness of controls related to the services being provided.
- For users that require a high level of assurance over customized subject matter and criteria outside of traditional technology-related activities.
- For organizations that may need assurance over the results of activities and not necessarily over controls.
- For organizations that are not service organizations (traditional or otherwise), to provide a high level of comfort to relevant stakeholders.
- For organizations that have a requirement to provide a high level of assurance to a regulator or other oversight body.

14 Q &amp; A

Example questions:
1. What due diligence are you performing over your vendors to gain comfort over their operations (e.g. site visits, testing of certain processes/controls, etc.)?
2. Will SOC 2 and SOC 3 reporting assist with your oversight procedures for certain vendors?
3. Would a customized attestation address the need to perform detailed due diligence reviews and reduce potential cost?

15 © 2012 PricewaterhouseCoopers LLP. All rights reserved. In this document, "PwC" refers to PricewaterhouseCoopers LLP, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.

Contact details
Jeff Trent, Director, Assurance
Email: Jeff.S.Trent@us.pwc.com
Tel: 646-471-7343

Mark Cornish, Director, Assurance
Email: Mark.Cornish@us.pwc.com
Tel: 617-530-7160

