Presentation is loading. Please wait.

Presentation is loading. Please wait.

SOFE CDS – Monday, July 16th, 2018

Published by刃 从 Modified over 4 years ago

Similar presentations

Presentation on theme: "SOFE CDS – Monday, July 16th, 2018"— Presentation transcript:

1 SOFE CDS – Monday, July 16th, 2018
B18 - Understanding and Utilizing SOC 1 and SOC 2 Reports in an Examination SOFE CDS – Monday, July 16th, 2018 Presented by: Donald W. Sirois, CFE, CPA The INS Companies, 2018 ©

2 Distinguish between SOC 1, SOC 2 and SOC 3 reports.
Key Objectives Distinguish between SOC 1, SOC 2 and SOC 3 reports. Understand when reliance that can be placed on the report by the exam team Recall issues to consider when exam team plans to rely upon SOC reports The INS Companies, 2018 ©

3 Overview Insurers use organizations to perform service:
Premiums and claims processing Data processing Investment services TPAs The INS Companies, 2018 ©

4 SOC Rebranding In 2017, the AICPA introduced the term system and organization controls (SOC) Formerly SOC referred to service organization controls Introduction of new internal control examination: Other types of organizations On either system-level or entity level controls The INS Companies, 2018 ©

5 Definitions Service organization Subservice organization
SOC Report User entity Service auditor The INS Companies, 2018 ©

6 Components of SOC report
Management’s assertion Managements description of the system SOC Report Service Auditor’s report The INS Companies, 2018 ©

7 Managements description of the system
Control environment Risk assessment Information and communication systems Control activities Monitoring controls The INS Companies, 2018 ©

8 Management’s assertion
Management’s description of the service organization’s system fairly presents the system that was designed and implemented The controls related to the control objectives stated in management’s descriptions of the system were suitably designed to achieve the control objectives The controls related to the control objectives stated in management’s description of the system operated effectively The INS Companies, 2018 ©

9 Service Auditor’s report
Type 2 Fairness of the description of the system Suitability of the design and operating effectiveness of the controls to achieve the related control objectives Effectiveness of the controls Test of controls Auditors opinion Type 1 Operating effectiveness of controls not evaluated Opinion is as of specific date The INS Companies, 2016 ©

10 Components of SOC report (Cont)
Design Implementation Type 1 Operating effectiveness Type 2 The INS Companies, 2018 ©

11 SOC for Service Organizations Reports
Focus of Report Controls applicable to users entities’ internal controls over financial reporting Controls applicable to security, availability, processing integrity, confidentiality, or privacy Easy-to-read report on controls (Marketing) Purpose of report Controls relevant to user entities’ internal controls over financial reporting Oversight, due diligence Marketing The INS Companies, 2018 ©

12 SOC for Service Organizations Reports
Focus Controls applicable to user entities’ internal controls over financial reporting Controls applicable to security, availability, processing integrity, confidentiality, or privacy Users Management of the service organization, user entities, and the auditors of the financial statements Management of the service organization and other specific parties who have sufficient knowledge and understanding Users who wants to place reliance in the service organization’s controls The INS Companies, 2018 ©

13 SOC for Service Organizations Reports
SOC 2 / SOC 3 Organizations who would need the report Payroll service provider Trust administrator / Investment custodian Benefit plan administrator Claims management processor Premium / agency management provider Enterprise IT outsourcing Sales force automation Customer service provider Cloud-based solutions provider The INS Companies, 2018 ©

14 SOC for Service Organizations Report sections
Description A description of the service organization’s system An unaudited system description that describes boundaries of the system Assertion Management’s assertions The INS Companies, 2018 ©

15 SOC for Service Organizations Report sections
Auditor’s report The auditor’s report should contain an opinion on the fairness of the presentation of the description of the service organization’s system and the design of the controls to achieve the control objectives The auditor’s report should contain an opinion on the fairness of the presentation of the description of the service organization’s system in accordance with the description criteria and the design of the controls to achieve its service commitments and system requirements based on the applicable trust services criteria The auditor’s report should contain an opinion on whether the entity maintained effective controls over its system as it relates to the trust services principles being reported on. The INS Companies, 2018 ©

16 SOC 1 and SOC 2 Reports - Types
A report on Type 1 Type 2 Management’s description of the service organization’s system At a specific date A specific period The suitability of the design of the controls The operating effectiveness of the controls N/A The INS Companies, 2018 ©

17 SOC 1 and SOC 2 Reports - Types
Type two reports will also have An opinion on the effectiveness of the controls A description of the auditor’s tests of the controls and the results of the test The INS Companies, 2018 ©

18 Controls over the changes in application software
Risk considerations The risk concerns and controls that address identified risk are likely to differ between reports SOC 1 SOC 2 Controls over the changes in application software Focus is on risks affecting the financial process and software used in the process May cover the risks of unauthorized changes to a much greater range of application programs that could impact the attainment of the service commitments and system requirements The INS Companies, 2018 ©

19 Risk considerations (Cont.)
The risk concerns and controls that address identified risk are likely to differ between reports SOC 1 SOC 2 Controls over protection of the system Focus is on risks affecting the completeness and accuracy (integrity) of financial data. Provides assurance regarding the risks of loss or unauthorized access to systems and data The INS Companies, 2018 ©

20 Examiner Condition Examiner's Handbook
SOC 1 Provides information regarding the ICFR environment at the service organization Without an opinion on operating effectiveness of internal control limited impact on reliance on controls Type II reports can provide useful information regarding reliance on a control for financial examinations purposes. (3B) The INS Companies, 2018 ©

21 Examiner Condition Examiner's Handbook
SOC 2 Offers information on controls beyond financial reporting SOC 3 Not relevant in regards to audits/examinations The INS Companies, 2018 ©

22 B18 - Understanding and Utilizing SOC 1 and SOC 2 Reports in an Examination
QUESTIONS? The INS Companies, 2018 ©

Download ppt "SOFE CDS – Monday, July 16th, 2018"

Similar presentations

Assurance Services Independent professional services that “improve the quality of information, or its context, for decision makers” Assurance service encompass.

Assurance Services Independent professional services that “improve the quality of information, or its context, for decision makers” Assurance service encompass.
Table of contents Overview of third-party assurance reporting AT 101, 201, and 601 reports SOC 1, 2, and 3 reports SOC 2 deep-dive.

Table of contents Overview of third-party assurance reporting AT 101, 201, and 601 reports SOC 1, 2, and 3 reports SOC 2 deep-dive.
Learning Objectives LO1 Explain the importance of auditing. LO2 Distinguish auditing from accounting. LO3 Explain the role of auditing in information risk.

Learning Objectives LO1 Explain the importance of auditing. LO2 Distinguish auditing from accounting. LO3 Explain the role of auditing in information risk.
SERVICE ORGANIZATION CONTROL REPORTS SM Formerly SAS 70 Reports.

SERVICE ORGANIZATION CONTROL REPORTS SM Formerly SAS 70 Reports.
March 6, 2012 SOC Reporting: What is New in the Audit Guides?

March 6, 2012 SOC Reporting: What is New in the Audit Guides?
Welcome! Internal Auditing CHAPTER 1. Definition Internal auditing is an independent, objective, assurance and consulting activity designed to add value.

Welcome! Internal Auditing CHAPTER 1. Definition Internal auditing is an independent, objective, assurance and consulting activity designed to add value.
Chapter 20 Additional Assurance Services: Other Information

Chapter 20 Additional Assurance Services: Other Information
©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 1 - 1 The Demand for Audit and Other Assurance Services Chapter 1.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder The Demand for Audit and Other Assurance Services Chapter 1.
SOX and IT Audit Programs John R. Robles Thursday, May 31, 2007 Tel: 787-647-396.

SOX and IT Audit Programs John R. Robles Thursday, May 31, Tel:
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
Auditing A Risk-Based Approach To Conducting A Quality Audit

Auditing A Risk-Based Approach To Conducting A Quality Audit
18- 1 © 2006 The McGraw-Hill Companies, Inc., All Rights Reserved. Chapter 18 Integrated Audits of Internal Control (For Public Companies Under Sarbanes-Oxley.

18- 1 © 2006 The McGraw-Hill Companies, Inc., All Rights Reserved. Chapter 18 Integrated Audits of Internal Control (For Public Companies Under Sarbanes-Oxley.
SAS No. 70 BADM 559 Jong Choi. Overview of SAS 70 Definition ▫SAS 70 helps service auditors to assess operational and technical controls of a service.

SAS No. 70 BADM 559 Jong Choi. Overview of SAS 70 Definition ▫SAS 70 helps service auditors to assess operational and technical controls of a service.
Chapter 7 Auditing Internal Control over Financial Reporting McGraw-Hill/IrwinCopyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.

Chapter 7 Auditing Internal Control over Financial Reporting McGraw-Hill/IrwinCopyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.
Navigating Guidance Changes for Service Organization Control (SOC) Reports NSAA 2011 Annual Conference Deloitte & Touche LLP June 16, 2011.

Navigating Guidance Changes for Service Organization Control (SOC) Reports NSAA 2011 Annual Conference Deloitte & Touche LLP June 16, 2011.
SOC1 vs. SOC2 vs. SOC3 Source: ryServices/Pages/AICPASOC3Report.aspx.

SOC1 vs. SOC2 vs. SOC3 Source: ryServices/Pages/AICPASOC3Report.aspx.
Auditing Internal Control over Financial Reporting

Auditing Internal Control over Financial Reporting
Service Organization Control (SOC) Reporting Options and Information

Service Organization Control (SOC) Reporting Options and Information
PwC Internal Control Reports: Facts, Myths and Best Practices FIRMA National Risk Management Training Conference – San Francisco, CA Wednesday March 31,

PwC Internal Control Reports: Facts, Myths and Best Practices FIRMA National Risk Management Training Conference – San Francisco, CA Wednesday March 31,
Auditing Internal Control over Financial Reporting

Auditing Internal Control over Financial Reporting

Similar presentations

Ads by Google