Transcript SOC Reporting

SOC Reporting: What is New in the Audit Guides?
March 6, 2012
Agenda
 Introduction
Nick Wedel, CISSP, CISA
McGladrey – Technology Risk Advisory Services (Kansas City)
 Background (SAS70 to SOC)
 Overview of SOC Reporting Options
 Trust Services Principles & Criteria
 Key differences between SOC 2 and SOC 3 reports
 What is Included in the Audit Guides?
 SOC 1 Audit Guide Highlights
 SOC 2 Audit Guide Highlights
 Frequently Asked Questions
 Other Questions?
Background (SAS70 to SOC)
Reasons for Change
 Mis-understandings, Mis-applications, and Mis-uses of SAS70
 New Technologies
-Virtualization
-Mobile Computing
-Cloud Computing
 Need for greater international consistency
-Alignment with International Standards on Attestation
Engagements (ISAE 3402)
2
REPORT
DISTRIBUTION
FOCUS
GUIDANCE
Overview of Service Organization Control
(SOC) Reporting Options
SOC1
SOC2
SOC3
Other Reports
AICPA Attest Standards
(SSAE 16)
AICPA Attest Standards
(AT101)
Trust Services Principles
AICPA Attest Standards
(AT101)
Trust Services Principles
AICPA Attest Standards
(AT101)
• Auditor to auditor opinion
report for financial
reporting controls
• Audit entity meets
definition of service
organization
• CPA firm responsible for
the adequacy of the
procedures
• Opinion report on system
security, availability,
processing integrity and
confidentiality/or privacy
• Detailed like SOC1
• CPA firm responsible for
the adequacy of the
procedures
• Opinion report on system
security, availability,
processing integrity and
confidentiality/or privacy
• Client description is not
audited
• CPA firm responsible for
the adequacy of the
procedures
• Doesn’t fall under SSAE
16 or Trust Services
Principles
• Reporting on the design
of internal controls
• CPA firm responsible for
the adequacy of the
procedures
• Report distribution to
service organization
users
• Restricted use report
• Issued by licensed CPA
• Intended for non-auditor
audience (e.g., CIO)
• Restricted use report
• Issued by licensed CPA
• Intended for non-auditor
audience (e.g., CIO)
• General use report
• Issued by licensed CPA
• May be issued for
general or restricted use
• Issued by licensed CPA
3
SOC2/SOC3: Trust Services Principles &
Criteria
Five Trust Services Principles
 Availability – The system is available for operation and use as
committed or agreed.
 Confidentiality – Information designated as confidential is
protected as committed or agreed.
 Privacy – Personal information is collected, used, retained,
disclosed, and destroyed in conformity with the commitments in
the entity’s privacy notice and with criteria set forth in Generally
Accepted Privacy Principles (GAPP).
 Processing integrity – System processing is complete, accurate,
timely, and authorized.
 Security – The system is protected against unauthorized access
(both physical and logical).
4
SOC2/SOC3: Trust Services Principles &
Criteria
Four Trust Services Criteria Domains
 Policies – The entity has defined and documented its policies
relevant to the particular principle.
 Communications – The entity has communicated its defined
policies to responsible parties and authorized users of the
system.
 Procedures – The entity placed in operation procedures to
achieve its objectives in accordance with its defined policies.
 Monitoring – The entity monitors the system
5
Key Differences: SOC2 and SOC3 Reports
SOC2
SOC3
Includes detailed description of the service organization’s
system prepared by management which the service auditor
opines on
Includes a high level description that the service auditor
does not opine on
Intended for parties who are knowledgeable about:
• Nature of the services
• How the service organization interacts with its users
• Internal control and its limitations
• Trust principles, criteria and risks
• Complementary user-entity controls and how they
interact with controls at the service organization
Intended for a general audience that is not presumed to
have specific knowledge about the report and its contents
Restricted use report
General distribution report
Can use “carve-out” method
Carve-out method not allowed
Can have significant user control considerations
Cannot have significant user control considerations
Not intended for marketing purposes
Use allowed for marketing purposes
No seal available
Availability of seal
6
What is Included in the Audit Guides?
The two audit guides follow the same general format and address
similar topics, including:






Introduction and Background
Use of the Report
Planning the SOC Engagement
Performing the SOC Engagement
Reporting
Appendices
- Illustrative representation letters
- Illustrative management assertions
- Illustrative control objectives (SOC1 Audit Guide)
- Trust Service Principles and Criteria for Security Availability, Processing
Integrity, Confidentiality, and Privacy (SOC2 Audit Guide)
- Illustrative Reports
7
SOC1 Audit Guide Highlights
 Examples of using detailed criteria for developing the description
of controls (as presented in SSAE16)
 Concept that management’s thoughtfulness in developing control
objectives constitutes an informal risk assessment
 Illustrative control objectives for various types of service
organizations are included in Appendix D:
- General computer controls
- Application service provider
- Claims processor
- Credit card payment processor
- Investment manager
- Payroll processor
- Transfer agent
8
SOC2 Audit Guide Highlights
 Detailed outline of what information should be included in
management’s description
 Definition of “system” for the purposes of scoping the report
 Detailed trust services principles and criteria
 Dealing with criteria that is not applicable
 The guide largely mirrors what is outlined in the SOC1 Audit
guide, except for information specific to the trust service
principles
9
Frequently Asked Questions
Question 1: Can service organizations market that they are “SOC
certified”?
 No. A popular misconception is that a service organization
becomes “certified” after completing and issuing a SOC report.
No such certification exists; however, the AICPA does allow for
the below logo to be displayed on Service Organization websites
upon completion of a SOC attestation and registration with the
AICPA.
10
Frequently Asked Questions
Question 2: How do I determine which SOC report is best for me?
 First, you need to determine who will be using the report and for
what purposes, that will guide which report is most appropriate.
In some cases you might decide to issue multiple reports. If a
client’s financial statement auditor is going to use the report,
most of the time that will result in the need for a SOC 1 report. If
it is client management (e.g., CIO) requesting the report for their
operational assessment and monitoring of your processing, a
SOC2 or SOC3 might better serve their needs.
11
Frequently Asked Questions
Question 3: What do I need to do to prepare for the new SOC
reports?
 The answer will depend upon a couple of items. First, what type
of report will you be needing and second have you previously
issued this type of report before. If the answer to the second
question is “no” there is quite a bit of work that needs to be done
to get ready for the SOC attestation.
12
Other Questions?
Resources
AICPA.org/publications
mcgladrey.com/Events/Service-Organization-Control-Reports
Nick Wedel
816.751.4051
[email protected]
13
McGladrey & Pullen, LLP
Certified Public Accountants
www.mcgladrey.com