SERVICE ORGANIZATION CONTROL REPORTS SM Formerly SAS 70 Reports.

Presentation transcript:

SERVICE ORGANIZATION CONTROL REPORTS SM Formerly SAS 70 Reports

American Institute of CPAs
SAS No. 70, Service Organizations
- Standard for reporting on a service organization’s controls affecting user entities’ financial statements
- Misuse: “SAS 70 Certified” or “SAS 70 Compliant”
- Controls related to subject matter other than internal control over financial reporting
- Only for use by service organization management, existing user entities and their auditors

Other Service Organization Control (SOC) Reports
- Marketplace demand for detailed report on controls on subject matter other than internal control over financial reporting
- Security, availability, processing integrity, confidentiality, privacy
- Cloud computing, outsourcing elevated issue

How AICPA Addressed Issues
- Split SAS 70 into two standards: one for service auditors (SSAE 16), the other for user auditors (effective for 2012 year-end audits)
- Recognized need for assessment of controls over security, availability, processing integrity, confidentiality or privacy
- Brought together all options for reporting on controls at service orgs
- Supported public interest by helping CPAs/service orgs correctly apply and use the standards

SERVICE ORGANIZATION CONTROL REPORTS SM
- 3 reports to help service organizations demonstrate reliability
- CPA, client determine proper engagement for market need
- SOC logo for service org’s marketing, websites
- Information on SOC reports: aicpa.org/soc

SOC Report Logos
- For CPAs who provide the services that result in a SOC 1 SM, SOC 2 SM or SOC 3 SM report
- For service organizations that had a SOC 1 SM, SOC 2 SM or SOC 3 SM engagement within the past year

Brochure on SOC Engagements
- Provides history of service organization reporting
- Explains the 3 SOC reporting options
- Free, online at aicpa.org/SOC

New Standards and Names Trust Services Principles and Criteria

SOC 1 SM Report (restricted use)
- Report on controls at a service organization relevant to a user entity’s internal control over financial reporting
- Engagement performed under:
  - SSAE 16 (auditor obtains same level of evidence and assurance as in SAS 70 service auditor engagement)
  - AICPA Guide, Applying SSAE No. 16, Reporting on Controls at a Service Organization
- Contents of report package:
  - Description of service organization’s system
  - CPA’s opinion on fairness of description, suitability of design, operating effectiveness of controls

SSAE 16: New Requirement for Written Assertion
- Service auditor must obtain written assertion from service organization’s management about the fairness of the presentation of the description of the service organization’s system and about the suitability of the design
- For type 2 engagements, operating effectiveness of the controls must be included in assertion
- Assertion will either accompany service auditor’s report or be included in description of service organization’s system

SOC 1 SM Reports – Type 1 and Type 2
- Both report on the fairness of the presentation of management’s description of the service organization’s system, and…
- Type 1 also reports on the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date
- Type 2 also reports on the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period

SOC 2 SM Report (use determined by auditor)
- Report on controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy
- Engagement performed under:
  - AT 101, Attestation Engagements
  - AICPA Guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
- Contents of report package same as SOC 1

SOC 2 SM Reports – Type 1 and Type 2
- Both report on management’s description of a service organization’s system, and …
- Type 1 also reports on suitability of design of controls
- Type 2 also reports on suitability of design and operating effectiveness of controls

SOC 3 SM Report (general use)
- Trust Services Report for Service Organizations
- Engagement performed under:
  - AT 101, Attestation Engagements
  - AICPA TPA, Trust Services Principles, Criteria and Illustrations
- Contents of report package:
  - CPA’s opinion on whether entity maintained effective controls over its system
- A seal can be issued on service organization’s website (if CPA is so licensed by CICA)

SOC 3 Seal

Report Comparison

SOC 1 SM
- Who the users are: Users’ controller’s office and user auditors
- Why: Audits of f/s
- What: Controls relevant to user financial reporting

SOC 2 SM
- Who the users are: Management, Regulators, Others
- Why: GRC programs, Oversight, Due diligence
- What: Concerns regarding security, availability, processing integrity, confidentiality or privacy

SOC 3 SM
- Who the users are: Any users with need for confidence in service organization’s controls
- Why: Marketing purposes; detail not needed
- What: Seal and easy to read report on controls

Which SOC Report Is Right for You?
- Will report be used by your customers and their auditors to plan/perform an audit of their financial statements? Yes: SOC 1 SM Report
- Will report be used by customers and/or stakeholders to gain confidence and place trust in a service organization’s system? Yes: SOC 2 SM or SOC 3 SM Report
- Do you need to make report generally available or seal? Yes: SOC 3 SM Report

Deciding Between SOC 2 SM and SOC 3 SM Reports
Do your customers have the need for/ability to understand the details of processing and controls at a service organization, the tests performed by the service auditor and results of those tests?
- Yes: SOC 2 SM Report
- No: SOC 3 SM Report

More information on AICPA.org/SOC

… And on CPA2Biz.com