SOC Standards - Nonprofit organizations

Your Audit Committee and the New SOC Standards

Jeffrey Stefan, CPAPartner

Douglas Boedeker, CPA, CMAPartner

September 8, 2011

Goals for Today

I. Obtain a basic understanding of the new

SOC reports.

II. Understand the differences between the

three types of SOC reports.

III. Understand other reporting options that

may be of interest to Boards and Audit

Committees.

Copyright © 2011 Tate & Tryon CPAs and ConsultantsSeptember 8. 2011

Course Outline

Why the new reporting options? What is SAS 70?

What are the new options: SOC 1 – the new “SAS 70”

SOC 2 – a “SAS 70” report that’s interesting!

SOC 3 – a “SAS 70” report for public

consumption


Course Outline

The Trust Services Principles: Security Availability Processing integrity Confidentiality Privacy

What else is out there? Integrated Examination of Internal Control

Agreed-Upon Procedures


Why the new reporting options?

SAS 70 became a catch-all for everything!

AICPA was not pleased with terms like:

“We’re SAS 70 Certified”

“We’re SAS 70 Compliant”

The movement to outsourced IT services made the problem more pronounced.


What was SAS 70?

Statement on Auditing Standards Number 70, Service Organizations.

Designed to address a service organization’s controls affecting user entities’ financial statements.

Controls over financial reporting.

Either a “Type 1” or a “Type 2” report.

Primarily an auditor-to-auditor communication.Copyright © 2011 Tate & Tryon CPAs and ConsultantsSeptember 8. 2011

The New Reporting Options......

September 8. 2011 Copyright © 2011 Tate & Tryon CPAs and Consultants

SOC 1 – the new “SAS 70”

Report content: Controls at a service organization relevant to a user

entities’ internal control over financial reporting. Intended audience is:

Management of service & user organizations Auditors of the user organizations

Nature of reports: Type 1 – Control description Type 2 – Control description & operating

effectiveness


SOC 2 – a more interesting “SAS 70”

Report Content: Service organization’s controls relevant to:

Security Availability Processing integrity Confidentiality Privacy

There is flexibility in choosing which controls to be included in the report.


SOC 2 – a more interesting “SAS 70”

Intended audience is: Management of service organizations Management of user organizations

Nature of reports: Type 1 – Control description Type 2 – Control description & operating

effectiveness

Note: A SOC 2 report cannot be combined with a SOC 1 report. They must be separate.


SOC 3 – A “SAS 70” for public consumption

Report Content: Service organization’s controls relevant to:

Security Availability Processing integrity Confidentiality Privacy

There is flexibility in choosing which controls to be included in the report.



Intended audience is: Any user with a need for confidence in the service

organization’s controls.

Nature of reports: Very short – similar to an auditor’s opinion on

financial statements. No detail of the organization’s controls



Limitations of SOC 3 Reports

An unqualified opinion cannot be issued if: Controls at subservice organizations have been

“carved out.” Complementary user-entity controls are significant.


The Trust Services Principles(The foundation for SOC 2 & 3)


The Security Principle

Refers to the protection of the system from unauthorized access, both logical and physical.

“Criteria” to be Tested Policies – were security policies defined and documented? Communications – were the policies communicated to the

appropriate parties? Procedures – are procedures in operation to achieve the goals of

the security policies? Monitoring – Is compliance with the policies monitored?


The Availability Principle

Refers to the accessibility to the system, products, or services as advertised or committed by contract, service-level, or other agreements.

“Criteria” to be Tested Policies – were availability policies defined and documented? Communications – were the policies communicated to the


the availability policies? Monitoring – Is compliance with the policies monitored?


The Processing Integrity Principle

Refers to the completeness, accuracy, validity, timeliness, and authorization of system processing.

“Criteria” to be Tested Policies – were processing integrity policies defined and

documented? Communications – were the policies communicated to the


the processing integrity policies? Monitoring – Is compliance with the policies monitored?


The Confidentiality Principle

Refers to the system’s ability to protect the information designated as confidential, as committed or agreed.

“Criteria” to be Tested Policies – were confidential information policies defined and

documented? Communications – were the policies communicated to the


the processing integrity policies? Monitoring – Is compliance with the policies monitored?


The Privacy Principle

Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and CICA.


The Privacy Principle - Criteria

Policies - The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.

Notice - The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained and disclosed.



Choice and Consent – The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.

Collection – The entity collects personal information only for the purposes identified in the notice.



Use, Retention, & Disposal - The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.



Access - The entity provides individuals with access to their personal information for review and update.

Disclosure to Third Parties – The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.

Security – The entity protects personal information against unauthorized access.



Quality – The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.

Monitoring & Enforcement – The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy related inquiries, complaints, and disputes.


What else is out there......


Integrated Examination of Internal Control

Essentially a “SOX 404” report.

Performed in conjunction with a financial statement audit.

Provides an opinion on the organization’s controls over financial reporting.

A control “criteria” must be set. COSO is the most common criteria used.

Not a restricted use report.September 8. 2011 Copyright © 2011 Tate & Tryon CPAs and Consultants

Agreed-Upon Procedures

Our favorite option!

Gives maximum flexibility regarding pricing and work to be performed.

However, no professional opinion is actually rendered.

Restricted-use report.


Additional resources.....

For additional information on the new SOC reporting framework, here’s a handy web-site: http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServi

ces/Pages/SORHome.aspx

Contact us with questions! Jeff Stefan, 202-419-5104, [email protected] Doug Boedeker, 202-419-5106,

[email protected]


http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/SORHome.aspx�

http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/SORHome.aspx�

mailto:[email protected]�

mailto:[email protected]�

Speaker Biography


Douglas Boedeker , is a partner within Tate & Tryon’s Audit and Assurance Services unit and is also actively involved in the Firm's exempt organization tax services group. He has more than 19 years of experience providing an array of audit, tax, and consulting services to a variety of nonprofit organizations and employee benefit plans. He takes particular pride that his family has contained at least one CPA every year since 1923. Doug graduated summa cum laude from Susquehanna University in Selinsgrove, Pennsylvania with a Bachelor of Science degree in accounting while simultaneously completing the coursework for a second major in arts administration. He was also named as the University’s recipient of The Wall Street Journal Outstanding Business Student Award.

Doug is a frequent speaker on a variety of exempt organization tax issues and the Form 990. He recently presented a session on easing the 990 preparation process for CFOs and auditors at the 2011 AICPA Not for Profit Industry Conference. Doug is a coauthor to Guide to the Newest IRS Form 990: Interpreting and Complying with the New Tax Reporting Requirements for Transparency and Accountability, (published by ASAE).

Speaker Biography

Jeff Stefan, is the partner in charge of Tate & Tryon’s auditing practice and has more than 25 years of experience serving the nonprofit sector. In addition to his extensive audit and tax experience, he has provided consulting services to organizations such as The World Bank, Public Company Accounting Oversight Board, and ASAE & The Center for Association Leadership in a variety of areas, including grant compliance, merger due diligence, and internal controls. He has also been called upon to consult on a variety of complex issues such as: Fair value accounting (FAS 157), Accounting for alternative investments (FAS 133), Split interest agreements, Endowment accounting (UPMIFA / FSP 117-1), and Uncertain tax positions (FIN 48).

Mr. Stefan has presented and authored articles on many recent accounting and auditing issues including: FASB Staff Position (FSP) FAS 117-1, “Endowments of Not-for-Profit Organizations: Net Asset Classification of Funds Subject to an Enacted Version of the Uniform Prudent Management of Institutional Funds Act, and Enhanced Disclosures for All Endowment Funds”, Educating Your Board About Audits, , and A Summary of the New Audit Risk Standards.
