
1 SOFE CDS – Monday, July 16th, 2018
B18 - Understanding and Utilizing SOC 1 and SOC 2 Reports in an Examination
Presented by: Donald W. Sirois, CFE, CPA
The INS Companies, 2018 ©

2 Key Objectives
- Distinguish between SOC 1, SOC 2 and SOC 3 reports.
- Understand when reliance can be placed on the report by the exam team.
- Recall issues to consider when the exam team plans to rely upon SOC reports.

3 Overview
Insurers use service organizations to perform services such as:
- Premiums and claims processing
- Data processing
- Investment services
- TPAs (third-party administrators)

4 SOC Rebranding
- In 2017, the AICPA introduced the term system and organization controls (SOC); formerly, SOC referred to service organization controls.
- Introduction of new internal control examinations:
  - For other types of organizations
  - On either system-level or entity-level controls

5 Definitions
- Service organization
- Subservice organization
- SOC report
- User entity
- Service auditor

6 Components of a SOC report
- Management's assertion
- Management's description of the system
- Service auditor's report

7 Management's description of the system
- Control environment
- Risk assessment
- Information and communication systems
- Control activities
- Monitoring controls

8 Management's assertion
- Management's description of the service organization's system fairly presents the system that was designed and implemented.
- The controls related to the control objectives stated in management's description of the system were suitably designed to achieve the control objectives.
- The controls related to the control objectives stated in management's description of the system operated effectively.

9 Service Auditor's report
Type 2:
- Fairness of the description of the system
- Suitability of the design and operating effectiveness of the controls to achieve the related control objectives
- Effectiveness of the controls
- Tests of controls
- Auditor's opinion
Type 1:
- Operating effectiveness of controls not evaluated
- Opinion is as of a specific date

10 Components of SOC report (cont.)
- Design and implementation of the controls: Type 1
- Design, implementation and operating effectiveness of the controls: Type 2

11 SOC for Service Organizations Reports
Focus of report:
- SOC 1: Controls applicable to user entities' internal controls over financial reporting
- SOC 2: Controls applicable to security, availability, processing integrity, confidentiality, or privacy
- SOC 3: Easy-to-read report on controls (marketing)
Purpose of report:
- SOC 1: Controls relevant to user entities' internal controls over financial reporting
- SOC 2: Oversight, due diligence
- SOC 3: Marketing

12 SOC for Service Organizations Reports
Focus:
- SOC 1: Controls applicable to user entities' internal controls over financial reporting
- SOC 2: Controls applicable to security, availability, processing integrity, confidentiality, or privacy
Users:
- SOC 1: Management of the service organization, user entities, and the auditors of the financial statements
- SOC 2: Management of the service organization and other specific parties who have sufficient knowledge and understanding
- SOC 3: Users who want to place reliance on the service organization's controls

13 SOC for Service Organizations Reports
SOC 2 / SOC 3: organizations that would need the report
- Payroll service provider
- Trust administrator / investment custodian
- Benefit plan administrator
- Claims management processor
- Premium / agency management provider
- Enterprise IT outsourcing
- Sales force automation
- Customer service provider
- Cloud-based solutions provider

14 SOC for Service Organizations Report sections
Description:
- A description of the service organization's system
- An unaudited system description that describes the boundaries of the system
Assertion:
- Management's assertions

15 SOC for Service Organizations Report sections
Auditor's report:
- SOC 1: The auditor's report should contain an opinion on the fairness of the presentation of the description of the service organization's system and the design of the controls to achieve the control objectives.
- SOC 2: The auditor's report should contain an opinion on the fairness of the presentation of the description of the service organization's system in accordance with the description criteria, and on the design of the controls to achieve its service commitments and system requirements based on the applicable trust services criteria.
- SOC 3: The auditor's report should contain an opinion on whether the entity maintained effective controls over its system as it relates to the trust services principles being reported on.

16 SOC 1 and SOC 2 Reports - Types
A report on:
- Management's description of the service organization's system: Type 1 - at a specific date; Type 2 - for a specific period
- The suitability of the design of the controls: Type 1 and Type 2
- The operating effectiveness of the controls: Type 1 - N/A; Type 2 - included

17 SOC 1 and SOC 2 Reports - Types
Type 2 reports will also have:
- An opinion on the effectiveness of the controls
- A description of the auditor's tests of the controls and the results of the tests

18 Risk considerations
The risk concerns and the controls that address identified risks are likely to differ between reports.
Controls over changes in application software:
- SOC 1: Focus is on risks affecting the financial process and the software used in the process.
- SOC 2: May cover the risks of unauthorized changes to a much greater range of application programs that could impact the attainment of the service commitments and system requirements.

19 Risk considerations (cont.)
The risk concerns and the controls that address identified risks are likely to differ between reports.
Controls over protection of the system:
- SOC 1: Focus is on risks affecting the completeness and accuracy (integrity) of financial data.
- SOC 2: Provides assurance regarding the risks of loss or unauthorized access to systems and data.

20 Examiner Condition: Examiner's Handbook
SOC 1:
- Provides information regarding the ICFR environment at the service organization.
- Without an opinion on the operating effectiveness of internal control, there is limited impact on reliance on controls.
- Type II reports can provide useful information regarding reliance on a control for financial examination purposes. (3B)

21 Examiner Condition: Examiner's Handbook
- SOC 2: Offers information on controls beyond financial reporting.
- SOC 3: Not relevant with regard to audits/examinations.

22 B18 - Understanding and Utilizing SOC 1 and SOC 2 Reports in an Examination
QUESTIONS?

