Service Organization Controls (SOC) Overview Shared Assessment Member Forum Presentation April 10, 2012
Introduction Mark Cornish Mark is a Director in PwC’s Financial Services Assurance practice in Boston with over 13 years of domestic and international public accounting and professional services experience, primarily focusing on financial services, specifically the asset management and insurance industries. Mark possesses an extensive knowledge of financial services systems, processes and controls, and continues to assist clients with risk management, compliance and internal controls work. Mark has extensive experience developing, performing and reporting on service organization controls. Mark has served as the service organization controls reporting director for several global organizations and has covered areas such as fund accounting, custody, securities lending and application service providers, for example. Jeff Trent Jeff is a Director in PwC’s Financial Services Assurance practice in NY with over 15 years of experience working with clients to address a wide range of internal control, technology and operational risk related solutions. He has led the development of service organization / vendor management reporting solutions for PwC at Prime Brokers, Pricing Vendors, Card and Merchant Payment Services and has also provided audit and consulting services for technology and controls across various Financial Services clients. Jeff has served as the service organization controls reporting director in areas such as: prime brokerage, trade processing, securities clearing and settlement, investment advisory, trust and custody, pricing services, money transfer, insurance claims processing, credit card operations, merchant processing operations, lockbox payment and document processing.
Agenda 1.Types of Service Organization Control (SOC) Reports 2.Transition from SAS 70 to SSAE16 3.SOC2 4.SOC3 5.Customized Attestations 6.What attestation report should you request? 7.Q&A
Types of Service Organization Control (SOC) Reports New Standards & Reporting Options SOC1 (SSAE16) SOC2SOC3Custom Attestation AT 801 Restricted Use Report (Type I or II report) Reports on controls for F/S audits Underlying Standard Report Distribution Purpose AT 101 Generally a Restricted Use Report (Type I or II report) Reports on controls related to compliance or operations AT 101 General Use Report (with a public seal) Reports on controls related to compliance or operations Trust Services Principles & Criteria AT 101 Can be either Restricted or General Use Report on controls or results based on specified criteria
Transition from SAS 70 to SSAE 16 What is SSAE 16? Statement on Standards for Attestation Engagements No. 16 (SSAE 16)—and its global counterpart—International Standard for Assurance Engagements No (ISAE 3402)— provide the framework for service organizations that need to deliver consistent global reporting relating to internal controls over financial reporting (ICFR). The differences between SAS 70 and SSAE 16 are minimal. SAS 70 is an audit standard while SSAE 16 is an attest standard. A provision requiring a written assertion from the service organization’s management is the most notable difference between the two standards. The format of service auditor’s opinion has changed with SSAE 16. The new SSAE 16 standard became effective with periods ending on or after June 15, 2011.
SOC 2 – Reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and Privacy SOC 2 report is very similar in structure to the SOC 1 report (Formerly SAS 70 report). The scope of the SOC 2 report is based on one or more of the AICPA Trust Services Principles and Criteria (TSPC): Security Availability Processing Integrity Confidentiality Privacy This report is intended for knowledgeable parties and stakeholders This report is restricted in use
SOC 2 - Case Study Issue A leading digital content distributor and supplier of content management, distribution and hosting solutions was struggling to respond to a user request for controls comfort. The organization was eager to meet the needs of this particular user, while also providing a level of comfort to other users that had not requested such comfort. The company understood the user was not asking specifically for an SSAE 16 report over their platform and was subsequently advised that an SSAE 16 report was not necessarily the best fit because it did not relate to internal controls over financial reporting. In working with the organization and utilizing a SOC 2 report, the differences between the reporting standards were highlighted. Action The company identified and documented controls over the system specific to the Processing Integrity Principle. Management's description of their system was examined and the design of controls evaluated to meet the criteria for the processing integrity principle set forth in Trust Services Principles section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (American Institute of Certified Public Accountants ("AICPA"), Technical Practice Aids) (applicable trust services criteria). Impact Rather than a using a traditional SSAE 16 report, the SOC 2 report provided greater alignment to what users are seeking comfort over (processing integrity, security) and can be used to provide greater transparency. This also assisted in reducing the volume of questions, and number of due diligence reviews performed by vendor management programs at their clients.
SOC 3 – Trust Services Report for Service Organization Although similar to the SOC 2 report, this report does not provide a detailed description of the service auditor’s tests and results Unlike the SOC 1 and SOC 2 reports the SOC 3 report is available to the general public Users of these reports may include business partners, consumers, regulators, banks, outsourcers and those using outsourced services. SOC 3 is an attestation report based on the same TSPCs as SOC 2. It is intended to meet the needs of users who want assurance of the controls at a service organization such as security, availability, process integrity, confidentiality and privacy. Historically, SOC 3 reports were named SysTrust or WebTrust
Customized Attestation When one of the three SOC based reports may not be the right fit, another option exists to provide comfort and assurance. Customized Attestations, based on the AT101 standard, are meant to allow for assurance reporting across a wide spectrum of different subject matter and is flexible enough to meet a wide variety of needs. A customized attestation can provide varying levels of assurance, and can potentially be unlimited in distribution to third parties. Customized attestations can provide opinions covering either controls or specific results. Requirements for customized attestations require suitable criteria, which must be: Objective, Measurable, Complete, and Relevant.
Which attestation report should you request? SOC 1 For users that have previously obtained a SAS 70 report from a service organization for an outsourced process related to internal controls over financial reporting. For independent assurance on controls over processes related to financial reporting that have been outsourced to a third party. For auditor-to-auditor communication.
Which attestation report should you request? (continued) SOC 2 For independent assurance on controls related to systems that do not impact financial reporting but may be relevant to controls over security, availability, processing integrity, confidentiality and /or privacy. For assurance over a system that has been outsourced which is of key operational importance. For providing management and/or the board of directors comfort over risks beyond financial reporting. For assurance over a third party data center or cloud computing company. For users that work in a highly regulated industry such as health care, utilities or financial reporting. For an outsourced provider that has had a recent data/security breach. For parties knowledgeable of the service organization.
Which attestation report should you request? (continued) SOC 3 For users that may not be knowledgeable of the service organization’s system and/or would rather have a summary report. For users that would like to view reports related to a third party service provider where they are not the service/user management or user auditor. For companies that do business online and want to obtain assurance or “seal of approval” over the privacy of the information provided to the third party. For business-to-business and business-to-consumer communication.
Which attestation report should you request? (continued) Customized Attestation For users that need transparency over non-financial reporting operations that are not covered in SOC2 or SOC3 For vendors supplying services where annual due diligence or oversight is required, and performed using a defined assessment framework, to confirm the existence and effectiveness of controls related to the services being provided For users that require a high level of assurance over customized subject matter and criteria outside of traditional technology related activities For organizations that may need assurance over results of activities and not necessarily controls For organizations that are not service organizations (traditional or otherwise) to provide a high level of comfort to relevant stakeholders For organizations that have a requirement to provide a high level of assurance to a regulator or other oversight body
Q & A Example questions: 1. What due diligence are you performing over your vendors to gain comfort over their operations (e.g. site visits, testing of certain processes/controls, etc.)? 2. Will SOC2 and SOC3 reporting assist with your oversight procedures for certain vendors? 3. Would a customized attestation address the need to performed detailed due diligence reviews and reduce potential cost?
© 2012 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers LLP, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity. Contact Details Jeff Trent, Director Assurance Tel: Mark Cornish, Director Assurance Tel: