
Navigating Guidance Changes for Service Organization Control (SOC) Reports NSAA 2011 Annual Conference Deloitte & Touche LLP June 16, 2011.


2 Agenda
- Overview
- Consideration of Changes to SSAE 16
- Key Changes: Management's Assertion and Risk Assessment
- Additional Considerations
- Other Service Organization Control Reports: Overview and Background
- Using SSAE 16 as a Model to Report on Non-Financial Reporting Controls (i.e., Security, Privacy, etc.)
- SOC 2: Example of Services Provided by User Organization
- Which SOC Is Right for Your Purpose?
- Questions

3 Overview
- Control reports have become increasingly prevalent in the marketplace since the issuance of Statement on Auditing Standards No. 70, Service Organizations (SAS 70), in 1992.
- SAS 70 was originally designed as an auditor-to-auditor communication; however, SAS 70 evolved and its reports came to be viewed more broadly.
- The new standards represent the first significant modifications since SAS 70 was issued nearly two decades ago:
  - The American Institute of Certified Public Accountants (AICPA) approved Statement on Standards for Attestation Engagements No. 16 (SSAE 16), Reporting on Controls at a Service Organization.
  - The International Auditing and Assurance Standards Board (IAASB) issued the new International Standard on Assurance Engagements 3402 (ISAE 3402), Assurance Reports on Controls at a Service Organization.
- The new standards are not significantly different from each other, nor from SAS 70; however, they do present changes that should be considered.

4 Overview: Changes in Reporting Standards
[Figure: AICPA Service Organization Control (SOC) Reports; historically SAS 70 reports]

5 Overview: Notable Similarities with SAS 70 for Service Organizations
- Issuance of Type 1 and Type 2 reports
- Management is responsible for the description of the system
- Management specifies the control objectives
- Requirement for management to design and implement controls that achieve the control objectives
- Disclosure of complementary user entity controls (CUECs; previously called user control considerations, or UCCs)
- Carve-out and inclusive methods of reporting for subservice organizations
- Management provides a representation letter
- Restricted-use report
- Ability to include information in a separate section (i.e., Section 4)

6 Overview: Notable Similarities with SAS 70 for Service Auditors
- Testing aligned with AU 350 (Audit Sampling)
- Use of internal audit: direct assistance and using their work
- Reporting of test procedures
- Reporting of qualifications

7 Overview: Key Terminology
Topic: SSAE 16 guidance
- Terminology: Reports on controls at service organizations will now be performed and issued under SSAE 16 (AT 801), also referred to as a SOC 1 report. A "SAS 70" report will no longer exist.
- Effective date: Periods ending on or after June 15, 2011 (early adoption allowed).
- Scope: Specific to internal control over financial reporting.
- Additional guidance: An AICPA practitioner guide is expected to be issued in June 2011. The practitioner guide will be usable for both the US and international standards and provide information for all involved (service auditors, service organizations, user entities, user auditors).

8 Consideration of Changes to SSAE 16
Change and result of the change:
1. Form of standard: from an auditing standard to an attest standard.
2. Applicability of report: specific to internal control over financial reporting.
3. Management is required to provide a written assertion: management needs to have a basis to support its assertion.
4. Identify risks that threaten the achievement of control objectives: it is management's responsibility to identify risks and include them in the evaluation of the design of controls and the development of control objectives.
5. Service auditor required to assess suitability of criteria: management needs to select suitable criteria to prepare the description of the system and to evaluate whether controls have been designed, implemented and are operating effectively.
6. Type 2 report covers a period for design and implementation (D&I), rather than a point in time: the opinion will now include coverage throughout the period for design (new), implementation (new), and operating effectiveness.
Discussed in further detail on the following slides.

9 Consideration of Changes to SSAE 16 (Continued)
7. Cannot use prior-year evidence to conclude on operating effectiveness of controls: the auditor may not reduce tests of controls below the minimum standards (AU 350) based on the results from the prior year.
8. Clearly identify work performed by the internal audit function in the description of tests of controls: the description of tests of operating effectiveness needs to include a description of internal audit's work and of the service auditor's procedures over internal audit's work (not applicable for direct assistance).
9. Service auditor to investigate the nature and cause of any deviations and whether they were caused by intentional acts; a deviation cannot be disclaimed as isolated. The previous standard allowed disclaiming deviations as isolated incidents; the consideration of intentional acts is new.
10. Subservice organizations are required to provide a similar assertion when the inclusive method is used: the assertion will be included in the report (inclusive method only), and a management representation letter continues to be required as well.

10 Key Change - Management's Assertion
Management's written assertion is the most significant change. Management is required to provide a written assertion, which:
- can be included as a separate section of the report, or
- can be part of the description of the system, appropriately identified as the assertion.
Key components of management's assertion:
- The description fairly presents the system that was designed and implemented throughout the specified period;
- The controls were suitably designed to achieve the control objectives throughout the specified period, including identifying the risks that threaten the achievement of the control objectives; and
- The controls operated effectively throughout the period to achieve those control objectives.
There is no requirement for the assertion to be signed; signing is at the option of the service organization.

11 Key Change - Management's Assertion (Continued)
Risk Assessment
- Service organization management must identify risks that threaten the achievement of the control objectives stated in the description of the system.
- Management may consider the following for each objective:
  - Identify the risk statement(s) that threaten the achievement of the objective
  - Document the control activities in place to mitigate the risk(s) identified
  - Document the assertion(s) satisfied by the control activity (consider each assertion, e.g., authorization, completeness, accuracy and timeliness)
- These may be formal or informal processes and require ongoing monitoring/updating.
- This process may take some upfront effort to determine whether any additional risks may exist (for ongoing reports).
Basis for Assertion
- Management needs to have a reasonable basis to provide the assertion.
- The standards provide flexibility in the actual procedures performed by management.
- Management may not rely solely on the testing done by the service auditor.

12 Key Change - Management's Assertion (Continued)
Procedures to Support the Assertion
Management's activities, such as monitoring or separate evaluations, may provide evidence of the design, implementation, and operating effectiveness of controls in support of management's assertion. These may be accomplished through:
- Ongoing monitoring activities: regular management and supervisory activities; sub-certifications; review of compliant files
- Separate evaluations: internal auditors or other personnel (risk/compliance) performing specific audits/examinations; information from external parties (e.g., regulatory reviews)
- A combination of both
Support for Assertion
- Management considers what support it will need for its written assertion.
- There is no requirement to retain documentation; however, doing so is a prudent and sound governance practice.

13 Management's Written Assertion: Example Activities
Reasonable basis for management's assertion*

Level of assertion (weakest to strongest): No Basis | Ongoing Monitoring | Separate Evaluations | SOX/MAR Testing

Example procedures:
- No Basis: Service auditor performs testing and issues report
- Ongoing Monitoring: Management reporting and other oversight activities; management risk assessment
- Separate Evaluations: Internal Audit testing/monitoring; independent regulatory exam; independent risk assessment
- SOX/MAR Testing: Management or independent assessment of operating effectiveness

Supporting documentation:
- No Basis: None
- Ongoing Monitoring: Management monitoring documentation; management risk assessment documentation
- Separate Evaluations: Regulatory reporting; Internal Audit reporting; independent risk assessment results
- SOX/MAR Testing: Testing evidence for the operating effectiveness

* A combination of ongoing monitoring and separate evaluations will usually help ensure that internal control maintains its effectiveness over time.

14 Additional Considerations - Subservice Organizations
Carve-Out
- It is expected that the service organization will do something; it cannot just turn a blind eye.
- Monitoring procedures:
  - Obtain the subservice organization's SSAE 16 reports (if they exist) and review them
  - Consider having internal audit or others perform testing
  - Perform other monitoring procedures, e.g., periodic discussions and review of reports
  - Apply the user entity control considerations in the subservice organization's report
- Consider the impact on the service organization's report if a qualification is identified at the subservice organization.
Inclusive
- The subservice organization has to provide both an assertion (to be included in the report) and a representation letter.
- Its control environment, control objectives and controls are included in the report and tested by the service auditor.
- The expected use will mainly be related-party entities (e.g., an investment adviser that uses an affiliated custodian or an affiliated IT organization).

15 Additional Considerations - User Entities / User Auditors
Education and notice to user entities:
- What is different in the report?
- Are there any changes to scope?
- Was internal audit leveraged? If so, how and to what extent?
- Consider other types of reports to satisfy changes to scope (e.g., SOC 2).
- Potential for refinement of user contracts: is the current contract specific to SAS 70?
- An SSAE 16 report is strictly for the processing of transactions related to internal control over financial reporting (ICFR).
- "No relevant exceptions noted" has been changed to "No exceptions noted".
Recommended reading from ISACA: New Service Auditor Standard - A User Entity Perspective

16 Additional Considerations - User Entities / User Auditors (Continued)
- Understand the effect of the service organization(s) on your financial statement assertions and specific accounts.
- Understand and consider management's assertion.
- Understand whether the service organization intends to use the inclusive method (more complete picture) or the carve-out method.
- Is the scope of the report sufficient for your needs?
- Are you receiving a Type 1 or Type 2 report?
- Understand and consider the period of coverage for Type 2 reports.
- Understand and evaluate the completeness of the control objectives for your state's needs.
- Understand how, and whether, your state is addressing the user entity controls included in the report.
- Understand the tests performed by the service auditor and how the test results affect specific assertions and accounts.
- Understand the changes to the opinion (see next slide).

17 Additional Considerations - Changes to the SSAE 16 Opinion
- The opinion references management's assertion and management's responsibility for identifying risks that threaten achievement of the control objectives.
- The opinion continues to cover the subject matter: fair presentation of the description of the system; design and implementation of controls; and operating effectiveness.
- For a Type 2 report, the opinion covers the entire period, rather than a point in time.
- The opinion does NOT include a statement on whether management had a reasonable basis for providing its assertion.

18 Other Service Organization Control Reports: Overview and Background
[Figure: AICPA Service Organization Control (SOC) Reports; historically SAS 70 reports]

19 SOC 2 - What is it?
- An AICPA report that allows the service auditor to provide an opinion on the security, availability, processing integrity, confidentiality or privacy of a service organization's controls. It can include one or more of the above Trust Services principles.
- Similar in structure and general approach to SAS 70 (SSAE 16):
  - An option for a Type 1 or Type 2 report
  - An opinion
  - A section describing the processing environment
  - A description of control objectives, control activities, and tests

20 SOC 2 - Differences from SAS 70 / SSAE 16
- A SOC 2 report does not need to cover processing related to financial reporting, nor is it intended to support financial reporting for your users.
- It can potentially be supplied to a wider audience. Intended users are management of the service organization, user entities, and other "specified parties". Specified parties can be anyone who understands the nature of the services being provided by the service organization, how the service organization operates, and internal controls.

21 SOC 2 - Differences from SAS 70 / SSAE 16 (Continued)
- In a SOC 2 report, the AICPA has supplied the criteria, whereas in a SAS 70/SSAE 16 report management specifies the objectives and controls. So SOC 2 reports should be much more consistent across the marketplace.
- The exception is SOC 2 reports that cover privacy. These reports would also need to include the service organization's privacy policy, which will obviously vary from organization to organization.
- Most practitioners who have looked at SOC 2 feel it will provide more detail throughout the report (narrative section, control activities, tests, etc.) than the existing reports.

22 SOC 2 - Possible Users of Attestation Report
Provider of Cloud Computing Services
- A SOC 2 report is an excellent way to show customers and others that the service organization is meeting the specified criteria for a particular Trust Services principle.
- Example: Outsourced services are critical to the user organization's (client's) daily operations; however, they may not be significant from a financial reporting standpoint, so SSAE 16 may not be the right mechanism. A SOC 2 report, by contrast, can show that the service organization has controls to protect the security of information, the availability of services, and the privacy of information.

23 SOC 2 - Possible Users of Attestation Report (Continued)
Call Center Services
- SSAE 16 may not be a good fit because, while call center services are important from a business perspective, the processes executed may not be financially significant for the customers of the service provider.
- User organizations may be concerned about the handling of end-customer information, and a SOC 2 report may demonstrate that there are controls encompassing the security, confidentiality, and privacy of that information.
Medical Claims Processing Service Provider
- A SOC 2 report focused on processing integrity (completeness, accuracy, timeliness, etc.) could provide customers with comfort regarding the controls over transactions in claims processing.

24 SOC 2 - Where is the guidance?
AICPA guidance is still being finalized. SOC 2 is built upon the following components:
- AT 101, known as the "bedrock", which outlines the guidance for the basic attest service.
- Audit Guide "Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy" (currently under development).
- Technical Practice Aid (TPA) "Trust Services Principles, Criteria, and Illustrations", which provides much of the detail involved in a SOC 2 engagement and supplies the detailed criteria that will be used for all engagements. It is available from the AICPA at

25 Other Service Organization Control Reports: Which SOC is right for your purpose?

Professional standard used
- SOC 1: SSAE 16 (AT 801)
- SOC 2: AT 101
- SOC 3: AT 101

Used by auditors to plan and perform financial audits
- SOC 1: Yes
- SOC 2: No
- SOC 3: No

Used by user entities to gain confidence and place trust in service organization systems
- SOC 1, SOC 2, SOC 3: (not recoverable from the slide)

Obtain details of the processing performed and related controls, the tests performed by the service auditor and the results of those tests
- SOC 1: Yes
- SOC 2: Yes
- SOC 3: No

Report generally available: can be freely distributed or posted on a website as a "SysTrust for Service Organizations" seal
- SOC 1: No
- SOC 2: No
- SOC 3: Yes

26 QUESTIONS?
For more information: Deloitte & Touche LLP, National SOC Reporting
- Sue Nersessian, Director
- Brian Lane, Partner
- Eric Bowlin, Senior Manager

27 This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.
About Deloitte: Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
