Service Organization Control (SOC) Reporting Options and Information

Overview

Service Organization Control (SOC) reports are designed to help service organizations meet specific user needs:

• SOC 1 Report – Addresses internal controls over financial reporting
  – Performed in accordance with Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization
  – Focuses solely on controls at a service organization that are likely to be relevant to an audit of a user entity’s financial statements
• SOC 2 and SOC 3 Reports – Address controls at the service organization that typically relate to understanding the effectiveness of controls around operations and technology compliance
  – SOC 2 Report – Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy
  – SOC 3 Report – Trust Services Report – Opinion Letter Only

“When users of a service organization’s services (user entities) outsource these tasks and functions, many of the risks of the service organization become risks of the user entities.” - AICPA, Service Organization Controls, November, 2010

SOC 1 Reports

• Focus is on internal control over financial reporting.
• Similar to SAS 70, there are two types of SOC 1 reports:
  – Type 1: A report on management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date
  – Type 2: A report on management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period
• Use of subservice organizations (carve-out or inclusive methods)
• Is a restricted-use report – restricted to user organizations and their auditors

SOC 2 & 3 Reporting Overview

Addresses controls at the service organization that relate to operations and/or compliance and are based on Trust Services principles and criteria:

• Security
• Availability
• Processing integrity
• Confidentiality
• Privacy

A report may cover one or more of the Trust Services Principles, as specified by management.

SOC 2 Reporting

• Similar to a SOC 1 report, there are two types of reports:
  – Type 1: Report on management’s description of a service organization’s system and the suitability of the design of controls.
  – Type 2: Report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls.
• Many of the requirements for SOC 2 are the same as SOC 1:
  – May be restricted in use
  – Management’s assertion
  – System description, risk assessment, etc.
• A service organization may request that the service auditor’s report address additional subject matter that is not specifically covered by the Trust Services Principles (regulatory items such as HIPAA, GLBA, etc.)

SOC 3 Reporting

• Designed to meet the needs of users who want assurance on controls at a service organization but do not have the need for or the knowledge necessary to make effective use of a SOC 2 Report.
• Prepared using the AICPA/CICA Trust Services principles and criteria that include Security, Availability, Processing Integrity, Confidentiality, and Privacy.
• The key difference between a SOC 2 report and a SOC 3 report is that a SOC 2 report, which is generally a restricted-use report, contains a detailed description of the service auditor’s tests of controls.
  – The SOC 3 only provides an opinion letter (the report), and potentially a SysTrust Seal (for unqualified opinions only).
• Because they are general use reports, SOC 3 reports can be freely distributed or posted on a website as a seal.

Trust Principles

• Security: The system is protected against unauthorized access (both physical and logical).
• Availability: The system is available for operation and use as committed or agreed.
• Processing Integrity: System processing is complete, accurate, timely, and authorized.
• Confidentiality: Information designated as confidential is protected as committed or agreed.
• Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles issued by the AICPA and CICA.

Reminder: A report (audit) may cover one or more of the Trust Services Principles, as specified by management.

Organization of Trust Principles

Each of the Trust Services Principles is organized into four areas, each with its own set of criteria:

• Policies. The entity has defined and documented its policies relevant to the particular principle.
• Communications. The entity has communicated its defined policies to authorized users.
• Procedures. The entity uses procedures to achieve its objectives in accordance with its defined policies.
• Monitoring. The entity monitors the system and takes action to maintain compliance with its defined policies.

Organization of Trust Principles

There is much commonality between the Trust Principle areas, such that examining one area under one principle often covers the same examination under the other principles. Starting in December 2014 the standards combine these redundant criteria.

Criteria counts per principle and area:

                  SECURITY   AVAILABILITY   PROCESSING INTEGRITY   CONFIDENTIALITY
Policies          3          3              3                      3
Communications    5          5              5                      5
Procedures        14         17             21                     21
Monitoring        3          3              3                      3
Total criteria    25         28             32                     32

Generally Accepted Privacy Principles (GAPP)

Generally Accepted Privacy Principles have a number of unique areas, each with its own criteria. Criteria counts per area:

Area                          Policies and Communications   Procedures and Controls
Policies and Communications   Privacy Policies (3)          11
Notice                        2                             3
Choice and Consent            3                             4
Collection                    3                             4
Use, Retention and Disposal   2                             3
Access                        2                             6
Disclosure to Third Parties   3                             4
Security for Privacy          2                             7
Quality                       2                             2
Monitoring and Enforcement    2                             5

Summary of New Standards & Options

SOC 1
• Purpose: Reports on controls related to Financial Statement audits (ICFR)
• SSAE 16 – Service Auditor Guidance
• Restricted Use Report (Type I or II report)
• Description of the service organization’s system
• CPA’s opinion on fairness of presentation of the description, suitability of design and, in a type 2 report, the operating effectiveness of controls
• A type 2 report includes a description of the CPA firm’s tests of controls and results

SOC 2
• Purpose: Typically reports on controls related to compliance or operations
• AT 101; Trust Services Principles & Criteria*
• Generally a Restricted Use Report (Type I or II report)
• Description of the service organization’s system
• CPA’s opinion on fairness of presentation of the description, suitability of design and, in a type 2 report, the operating effectiveness of controls
• A type 2 report includes a description of the CPA firm’s tests of controls and results

SOC 3
• Purpose: Reports on controls related to compliance or operations
• AT 101; Trust Services Principles & Criteria*
• General Use Report (with a public seal)
• An unaudited system description used to delineate the boundaries of the system
• CPA’s opinion on whether the entity maintained effective controls over its systems
• Does not contain a description of the CPA firm’s tests of controls and results (Opinion letter only)

Readiness Assessment Service Approach

• Review relevant client agreements/contracts and determine which Trust Services Principles are covered in the SOC Report(s).
• Perform a readiness assessment covering the design effectiveness of control activities supporting the selected TSP criteria.
• Review the Company’s policies and procedures documentation to identify internal controls and identify gaps.
• Meet with management to develop a remediation plan and next steps.
• Perform high-level testing to determine operating effectiveness of controls.
• Report areas that are not operating effectively and develop a plan to remediate control deficiencies.
• (Optional) Perform SOC 2, Type 1 design testing and issue an opinion letter and report.

Formal SOC Reporting Service Approach

• Testing Phase
  – Schedule fieldwork visits to company offices (3 to 5 days on-site)
• Interim Testing
  – Perform the initial assessments, walkthroughs and effectiveness testing. The testing team meets with key control owners to gain an understanding of your control environment and requests documentation used to assess the operating effectiveness of controls.
• Roll-forward Testing
  – Perform effectiveness testing just prior to the end of the reporting period. The testing team requests documentation used to assess the period-end operating effectiveness of your controls.
• Reporting Phase
  – The engagement team assembles the report and completes final reviews to issue our opinion and formal report.
