Presentation is loading. Please wait.

Presentation is loading. Please wait.

March 6, 2012 SOC Reporting: What is New in the Audit Guides?

Published byJoy McDaniel Modified over 9 years ago

Similar presentations

Presentation on theme: "March 6, 2012 SOC Reporting: What is New in the Audit Guides?"— Presentation transcript:

1 March 6, 2012 SOC Reporting: What is New in the Audit Guides?

2  Introduction Nick Wedel, CISSP, CISA McGladrey – Technology Risk Advisory Services (Kansas City)  Background (SAS70 to SOC)  Overview of SOC Reporting Options  Trust Services Principles & Criteria  Key differences between SOC 2 and SOC 3 reports  What is Included in the Audit Guides?  SOC 1 Audit Guide Highlights  SOC 2 Audit Guide Highlights  Frequently Asked Questions  Other Questions? Agenda

3 Background (SAS70 to SOC) Reasons for Change  Mis-understandings, Mis-applications, and Mis-uses of SAS70  New Technologies -Virtualization -Mobile Computing -Cloud Computing  Need for greater international consistency -Alignment with International Standards on Attestation Engagements (ISAE 3402) 2

4 Overview of Service Organization Control (SOC) Reporting Options 3 SOC1SOC2SOC3Other Reports AICPA Attest Standards (SSAE 16) AICPA Attest Standards (AT101) Trust Services Principles AICPA Attest Standards (AT101) Trust Services Principles AICPA Attest Standards (AT101) Auditor to auditor opinion report for financial reporting controls Audit entity meets definition of service organization CPA firm responsible for the adequacy of the procedures Opinion report on system security, availability, processing integrity and confidentiality/or privacy Detailed like SOC1 CPA firm responsible for the adequacy of the procedures Opinion report on system security, availability, processing integrity and confidentiality/or privacy Client description is not audited CPA firm responsible for the adequacy of the procedures Doesn’t fall under SSAE 16 or Trust Services Principles Reporting on the design of internal controls CPA firm responsible for the adequacy of the procedures Report distribution to service organization users Restricted use report Issued by licensed CPA Intended for non-auditor audience (e.g., CIO) Restricted use report Issued by licensed CPA Intended for non-auditor audience (e.g., CIO) General use report Issued by licensed CPA May be issued for general or restricted use Issued by licensed CPA FOCUS REPORT DISTRIBUTION GUIDANCE

5 SOC2/SOC3: Trust Services Principles & Criteria Five Trust Services Principles  Availability – The system is available for operation and use as committed or agreed.  Confidentiality – Information designated as confidential is protected as committed or agreed.  Privacy – Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles (GAPP).  Processing integrity – System processing is complete, accurate, timely, and authorized.  Security – The system is protected against unauthorized access (both physical and logical). 4

6 SOC2/SOC3: Trust Services Principles & Criteria Four Trust Services Criteria Domains  Policies – The entity has defined and documented its policies relevant to the particular principle.  Communications – The entity has communicated its defined policies to responsible parties and authorized users of the system.  Procedures – The entity placed in operation procedures to achieve its objectives in accordance with its defined policies.  Monitoring – The entity monitors the system 5

7 Key Differences: SOC2 and SOC3 Reports 6 SOC2SOC3 Includes detailed description of the service organization’s system prepared by management which the service auditor opines on Includes a high level description that the service auditor does not opine on Intended for parties who are knowledgeable about: Nature of the services How the service organization interacts with its users Internal control and its limitations Trust principles, criteria and risks Complementary user-entity controls and how they interact with controls at the service organization Intended for a general audience that is not presumed to have specific knowledge about the report and its contents Restricted use reportGeneral distribution report Can use “carve-out” methodCarve-out method not allowed Can have significant user control considerationsCannot have significant user control considerations Not intended for marketing purposesUse allowed for marketing purposes No seal availableAvailability of seal

8 What is Included in the Audit Guides? The two audit guides follow the same general format and address similar topics, including:  Introduction and Background  Use of the Report  Planning the SOC Engagement  Performing the SOC Engagement  Reporting  Appendices -Illustrative representation letters -Illustrative management assertions -Illustrative control objectives (SOC1 Audit Guide) -Trust Service Principles and Criteria for Security Availability, Processing Integrity, Confidentiality, and Privacy (SOC2 Audit Guide) -Illustrative Reports 7

9 SOC1 Audit Guide Highlights  Examples of using detailed criteria for developing the description of controls (as presented in SSAE16)  Concept that management’s thoughtfulness in developing control objectives constitutes an informal risk assessment  Illustrative control objectives for various types of service organizations are included in Appendix D: 8 -General computer controls -Application service provider -Claims processor -Credit card payment processor -Investment manager -Payroll processor -Transfer agent

10 SOC2 Audit Guide Highlights  Detailed outline of what information should be included in management’s description  Definition of “system” for the purposes of scoping the report  Detailed trust services principles and criteria  Dealing with criteria that is not applicable  The guide largely mirrors what is outlined in the SOC1 Audit guide, except for information specific to the trust service principles 9

11 Frequently Asked Questions 10 Question 1: Can service organizations market that they are “SOC certified”?  No. A popular misconception is that a service organization becomes “certified” after completing and issuing a SOC report. No such certification exists; however, the AICPA does allow for the below logo to be displayed on Service Organization websites upon completion of a SOC attestation and registration with the AICPA.

12 Frequently Asked Questions 11 Question 2: How do I determine which SOC report is best for me?  First, you need to determine who will be using the report and for what purposes, that will guide which report is most appropriate. In some cases you might decide to issue multiple reports. If a client’s financial statement auditor is going to use the report, most of the time that will result in the need for a SOC 1 report. If it is client management (e.g., CIO) requesting the report for their operational assessment and monitoring of your processing, a SOC2 or SOC3 might better serve their needs.

13 Frequently Asked Questions 12 Question 3: What do I need to do to prepare for the new SOC reports?  The answer will depend upon a couple of items. First, what type of report will you be needing and second have you previously issued this type of report before. If the answer to the second question is “no” there is quite a bit of work that needs to be done to get ready for the SOC attestation.

14 Other Questions? 13 Resources AICPA.org/publications mcgladrey.com/Events/Service-Organization-Control-Reports Nick Wedel 816.751.4051 nick.wedel@mcgladrey.com

15 McGladrey & Pullen, LLP Certified Public Accountants www.mcgladrey.com

Download ppt "March 6, 2012 SOC Reporting: What is New in the Audit Guides?"

Similar presentations

Assurance Services Independent professional services that “improve the quality of information, or its context, for decision makers” Assurance service encompass.

Assurance Services Independent professional services that “improve the quality of information, or its context, for decision makers” Assurance service encompass.
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY.

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY.
Presented by YOUR NAME THE DATE

Presented by YOUR NAME THE DATE
Understanding Audit Reports

Understanding Audit Reports
SOC 2 Reports – A Third Party Risk Management Tool for Cloud Providers

SOC 2 Reports – A Third Party Risk Management Tool for Cloud Providers
Agreeing to the terms of audit engagement and management representations ISAs (UK and Ireland) 210 and 580 Martyn Jones November 2009.

Agreeing to the terms of audit engagement and management representations ISAs (UK and Ireland) 210 and 580 Martyn Jones November 2009.
Dr. Mohamed A. Hamada Lecturer of Accounting Information Systems Advanced Auditing Lecture 1 Assurance and Attestation Services.

Dr. Mohamed A. Hamada Lecturer of Accounting Information Systems Advanced Auditing Lecture 1 Assurance and Attestation Services.
SERVICE ORGANIZATION CONTROL REPORTS SM Formerly SAS 70 Reports.

SERVICE ORGANIZATION CONTROL REPORTS SM Formerly SAS 70 Reports.
1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based.

1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based.
Chapter 20 Additional Assurance Services: Other Information

Chapter 20 Additional Assurance Services: Other Information
Assurance, Attestation, and Internal Auditing Services

Assurance, Attestation, and Internal Auditing Services
©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 1 - 1 The Demand for Audit and Other Assurance Services Chapter 1.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder The Demand for Audit and Other Assurance Services Chapter 1.
Third Party Reporting © 2008 Ernst & Young LLP. All rights reserved. For Internal Use Within EY Only; Not for Distribution to Clients. Third Party Reporting.

Third Party Reporting © 2008 Ernst & Young LLP. All rights reserved. For Internal Use Within EY Only; Not for Distribution to Clients. Third Party Reporting.
Module A1 Other Public Accounting Services ACCT 4080.

Module A1 Other Public Accounting Services ACCT 4080.
The Demand for Audit and Other Assurance Services Chapter 1.

The Demand for Audit and Other Assurance Services Chapter 1.
25 - 1 ©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder Other Assurance Services Chapter 25.

©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder Other Assurance Services Chapter 25.
OTHER SERVICES AND REPORTS. STATEMENTS FOR CPAS PROVIDING ACCOUNTING AND AUDITING SERVICES 1939 - COMMITTEE ON AUDITING PROCEDURES –STATEMENTS ON AUDITING.

OTHER SERVICES AND REPORTS. STATEMENTS FOR CPAS PROVIDING ACCOUNTING AND AUDITING SERVICES COMMITTEE ON AUDITING PROCEDURES –STATEMENTS ON AUDITING.
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 24 - 1 Other Assurance Services Chapter 24.

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley Other Assurance Services Chapter 24.
Auditing A Risk-Based Approach To Conducting A Quality Audit

Auditing A Risk-Based Approach To Conducting A Quality Audit

Similar presentations

Ads by Google