SOFE CDS – Monday, July 16th, 2018


B18 - Understanding and Utilizing SOC 1 and SOC 2 Reports in an Examination
SOFE CDS – Monday, July 16th, 2018
Presented by: Donald W. Sirois, CFE, CPA
The INS Companies, 2018 ©

Key Objectives
- Distinguish between SOC 1, SOC 2 and SOC 3 reports.
- Understand when reliance can be placed on the report by the exam team.
- Recall issues to consider when the exam team plans to rely upon SOC reports.

Overview
Insurers use organizations to perform services such as:
- Premiums and claims processing
- Data processing
- Investment services
- TPAs

SOC Rebranding
- In 2017, the AICPA introduced the term system and organization controls (SOC); formerly, SOC referred to service organization controls.
- Introduction of new internal control examinations:
  - Other types of organizations
  - On either system-level or entity-level controls

Definitions
- Service organization
- Subservice organization
- SOC report
- User entity
- Service auditor

Components of SOC report
- Management's assertion
- Management's description of the system
- Service auditor's report

Management's description of the system
- Control environment
- Risk assessment
- Information and communication systems
- Control activities
- Monitoring controls

Management's assertion
- Management's description of the service organization's system fairly presents the system that was designed and implemented.
- The controls related to the control objectives stated in management's description of the system were suitably designed to achieve the control objectives.
- The controls related to the control objectives stated in management's description of the system operated effectively.

Service Auditor's report
Type 2:
- Fairness of the description of the system
- Suitability of the design and operating effectiveness of the controls to achieve the related control objectives
- Effectiveness of the controls
- Tests of controls
- Auditor's opinion
Type 1:
- Operating effectiveness of controls not evaluated
- Opinion is as of a specific date

Components of SOC report (cont.)
- Type 1: design and implementation of the controls
- Type 2: design, implementation, and operating effectiveness of the controls

SOC for Service Organizations Reports
Focus of report:
- SOC 1: Controls applicable to user entities' internal controls over financial reporting
- SOC 2: Controls applicable to security, availability, processing integrity, confidentiality, or privacy
- SOC 3: Easy-to-read report on controls (marketing)
Purpose of report:
- SOC 1: Controls relevant to user entities' internal controls over financial reporting
- SOC 2: Oversight, due diligence
- SOC 3: Marketing

SOC for Service Organizations Reports
Focus:
- SOC 1: Controls applicable to user entities' internal controls over financial reporting
- SOC 2: Controls applicable to security, availability, processing integrity, confidentiality, or privacy
Users:
- SOC 1: Management of the service organization, user entities, and the auditors of the financial statements
- SOC 2: Management of the service organization and other specific parties who have sufficient knowledge and understanding
- SOC 3: Users who want to place reliance on the service organization's controls

SOC for Service Organizations Reports (SOC 2 / SOC 3)
Organizations who would need the report:
- Payroll service provider
- Trust administrator / investment custodian
- Benefit plan administrator
- Claims management processor
- Premium / agency management provider
- Enterprise IT outsourcing
- Sales force automation
- Customer service provider
- Cloud-based solutions provider

SOC for Service Organizations Report sections
Description:
- A description of the service organization's system
- An unaudited system description that describes the boundaries of the system
Assertion:
- Management's assertions

SOC for Service Organizations Report sections
Auditor's report:
- SOC 1: The auditor's report should contain an opinion on the fairness of the presentation of the description of the service organization's system and the design of the controls to achieve the control objectives.
- SOC 2: The auditor's report should contain an opinion on the fairness of the presentation of the description of the service organization's system in accordance with the description criteria, and on the design of the controls to achieve its service commitments and system requirements based on the applicable trust services criteria.
- SOC 3: The auditor's report should contain an opinion on whether the entity maintained effective controls over its system as it relates to the trust services principles being reported on.

SOC 1 and SOC 2 Reports - Types
A report on:
- Management's description of the service organization's system: Type 1 as of a specific date; Type 2 for a specific period
- The suitability of the design of the controls: Type 1 and Type 2
- The operating effectiveness of the controls: Type 1 N/A; Type 2 covered

SOC 1 and SOC 2 Reports - Types
Type 2 reports will also have:
- An opinion on the effectiveness of the controls
- A description of the auditor's tests of the controls and the results of the tests

Risk considerations
The risk concerns and controls that address identified risks are likely to differ between reports.
Controls over the changes in application software:
- SOC 1: Focus is on risks affecting the financial process and the software used in the process.
- SOC 2: May cover the risks of unauthorized changes to a much greater range of application programs that could impact the attainment of the service commitments and system requirements.

Risk considerations (cont.)
The risk concerns and controls that address identified risks are likely to differ between reports.
Controls over protection of the system:
- SOC 1: Focus is on risks affecting the completeness and accuracy (integrity) of financial data.
- SOC 2: Provides assurance regarding the risks of loss or unauthorized access to systems and data.

Examiner Condition: Examiner's Handbook
SOC 1:
- Provides information regarding the ICFR environment at the service organization.
- Without an opinion on the operating effectiveness of internal control, there is limited impact on reliance on controls.
- Type II reports can provide useful information regarding reliance on a control for financial examination purposes. (3B)

Examiner Condition: Examiner's Handbook
- SOC 2: Offers information on controls beyond financial reporting.
- SOC 3: Not relevant in regards to audits/examinations.

B18 - Understanding and Utilizing SOC 1 and SOC 2 Reports in an Examination
QUESTIONS?