
SOC Reports – The 2017 Update:

What’s new, What’s not, and What you should be doing with the SOC Reports you receive!

Presented by Jeff Pershing

Page 1

SOC Reports – The 2017 Update

What’s new, What’s not, and What you

should be doing with the SOC Reports

you receive!

presented to Northeast Ohio ISACA

Thursday, April 20, 2017

Jeff Pershing, CISA, CISM, CISSP

Principal, Pershing Consulting, LLC

Slide 2

Introductions


Slide 3

Overview

• Brief history of reports on Service Organizations
• Overview of AT 101, SSAE 16/SOC 1, SOC 2, and SOC 3
• Attestation Standards Updates / SSAE 18 Overview
• What's new with SOC Reports
• Trust Services Principles – Overview and Updates
• What's new with SOC 2
• User Auditor Requirements
• Lessons learned from the first years of SOC reporting

Slide 4

Brief history of reports on Service Organizations


Slide 5

SAS70

• In the beginning, the AICPA created the SAS70. The AICPA saw that the SAS70 was good and it was so. And then the AICPA rested . . .
  • For nearly 20 years . . . .
  • Okay, not quite . . . SAS78, SAS88, SAS94, . . .
• Until . . .
  • "He's dead, Jim . . . " (Leonard "Bones" McCoy)

Slide 6

Why the need for a SAS70 Report anyway?

• Computers give rise to EDP – Electronic Data Processing
• Computers are very big and expensive (in the 60's, 70's, and 80's)
  • Okay, they're still expensive now . . .
• Let's share their use to be more efficient!
  • This sounds like a business opportunity!
  • Let's create a company to provide processing to several companies at once who can't afford their own
  • (Can anyone say, "cloud?")
• Auditor: How do I know my financial calculations are correct and you have good internal controls?
• Service Provider: "Trust us!"
• Auditor: "No, I will audit you. SAS55 says so. See you Monday. Here's my request list."
• Service Provider: "Wait, I have hundreds of customers with auditors all saying the same thing!"


Slide 7

Service Provider Audit Reports – A Short History

• AICPA – American Institute of Certified Public Accountants
• SAS – Statement on Auditing Standards
• SAS 55 – Consideration of the Internal Control Structure in a Financial Statement Audit
  • Released in 1988
  • Created "death by auditing" for service providers
• SAS70 – Service Organizations
  • Issued in 1992 as "Reports on the Processing of Transactions by Service Organizations", effective for reports issued March 31, 1993
  • One report to meet the needs of multiple user auditors
  • Amended by SAS 88 and renamed "Service Organizations"

Slide 8

Service Provider Audit Reports – A Short History (cont)

• SAS70 amended several times by subsequent SAS
  • 1998 by SAS78 – "Consideration of Internal Control in a Financial Statement Audit: An Amendment to Statement on Auditing Standards No. 55"
  • 1999 by SAS88 – Title changed to "Service Organizations"
  • 2002 by SAS94 – "The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit"
  • 2002 by SAS98 – "Omnibus Statement on Auditing Standards-2002"
  • Other minor adjustments ("conforming changes") in 2006 by SAS105 & SAS106, and 2007 by SAS109 & SAS110
• SAS70 was superseded by three Service Organization Control (SOC) reports – SOC 1, SOC 2 and SOC 3 – for reports issued on or after June 15, 2011
• SOC Reports were based on Attestation Standard 101 (AT 101)


Slide 9

Why Change?

• SAS70 was abused – intended for ICFR, but used for much more:
  • To obtain assurance on controls regarding compliance and operations
    • E.g. hosted data centers providing no services relevant to financial reporting
    • SysTrust or AT 101 should have been used instead
• SAS70 grew in familiarity outside the auditing world (e.g. IT), but was not necessarily well understood
  • Are you "SAS70 Certified?"

Slide 10

Why Change? (cont)

• ISAE 3402/SSAE16 (SOC1) for ICFR
  • International Standard on Assurance Engagements (ISAE) 3402 issued in December of 2009
  • AICPA issued SSAE No. 16 shortly afterwards as a US Standard in alignment with ISAE 3402
    • Minor differences between the two
  • Drafted to help correct misuses of the SAS70
• SOC2 for matters other than ICFR
  • Specifically, for Security, Availability, Processing Integrity, Confidentiality, and Privacy
• SOC3, similar to SOC2, but with a general use report
• All three based on AT101 (SSAE 16 became AT801)


Slide 11

Overview of AT 101, SSAE 16/SOC 1, SOC 2, and SOC 3

Slide 12

Attestation Standards Section 101

• Section provides a framework for attestation engagements that are completed by practitioners
• SOC 1, SOC 2 and SOC 3 reports are completed in accordance with AT Section 101
• The subject matter of an attest engagement may take many forms, for example:
  • Physical characteristics (for example, narrative descriptions, square footage of facilities)
  • Historical events (for example, the price of a market basket of goods on a certain date)
  • Systems and processes (for example, internal control)
• Suitability and Availability of Criteria
  • Subject matter must be capable of evaluation against criteria that are suitable and available to users


Slide 13

Attestation Standards

• SSAE = Statement on Standards for Attestation Engagements
• SSAE 10, issued in 2001, established:
  • AT 101 – Attest Engagements
  • AT 201 – Agreed-Upon Procedures Engagements
  • AT 301 – Financial Forecasts and Projections
  • AT 401 – Reporting on Pro Forma Financial Information
  • AT 601 – Compliance Attestation
  • AT 701 – Management's Discussion and Analysis

Slide 14

Other SSAEs

• SSAE 11 – Attest Documentation – Updated AT 101, 201, and 301
• SSAE 12 – Amendment to Statement on Standards for Attestation Engagement No. 10, Attestation Standards: Revision and Recodification – Updated AT 101
• SSAE 13 – Defining Professional Requirements in Statements on Standards for Attestation Engagements – Created AT 20: "Defining Professional Requirements for SSAE Engagements"
• SSAE 14 – SSAE Hierarchy – Created AT 50: "SSAE Hierarchy"
• SSAE 15 – An Examination of an Entity's Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements – Created AT 501 (issued in 2008)
• SSAE 17 – Reporting on Compiled Prospective Financial Statements When the Practitioner's Independence is Impaired – Updated AT 301


Slide 15

NOTE: SAS 130 withdrew AT 501

• SAS 130 – An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements (AICPA, Professional Standards, AU-C sec. 940) – Issued in October 2015
  • AICPA Auditing Standards Board (ASB) determined it is appropriate to move the content of AT section 501 from the attestation standards into generally accepted auditing standards (GAAS).
  • The ASB will consider developing, at a later date, an attestation standard addressing examinations of internal control other than internal control over financial reporting that is integrated with an audit of financial statements.
  • SAS No. 130 is effective for integrated audits for periods ending on or after December 15, 2016, at which time AT 501 will be withdrawn.

Slide 16

What Changed moving from SAS to AT?

• Attestation Standard vs. Auditing Standard
• Management Assertion
  • An assertion is any declaration or set of declarations about whether the subject matter is based on or in conformity with the criteria selected.
• Description of "System" vs. Controls
• Use of suitable criteria
• Suitability of design opinion
  • SAS70: point in time
  • SSAE 16 (SOC 1)/SOC 2: entire period
• Materiality
• "deviations" (not exceptions)
• Use of Internal Audit
  • Must identify testing by IA in the report
• Opinion Format


Slide 17

What is a "System"?

• TSP sec. 100 paragraph .01 defines a "system" as follows:
  • A system is designed, implemented, and operated to achieve specific business objectives (for example, delivery of services, production of goods) in accordance with management-specified requirements. System components can be classified into the following five categories:
    • Infrastructure. The physical structures, IT, and other hardware (for example, facilities, computers, equipment, mobile devices, and telecommunications networks).
    • Software. The application programs and IT system software that supports application programs (operating systems, middleware, and utilities).
    • People. The personnel involved in the governance, operation, and use of a system (developers, operators, entity users, vendor personnel, and managers).
    • Processes. The automated and manual procedures.
      • NOTE: SOC 2 Guide, par. 1.26a(ii)(4) uses "Procedures" rather than "Processes"
    • Data. Transaction streams, files, databases, tables, and output used or processed by a system.

Slide 18

SSAE 16 / SOC 1

• SSAE 16 – Reporting on Controls at a Service Organization
  • Created AT 801
  • As an attestation standard, it is built upon AT 101
  • Established requirements for attestation engagements to report on controls at organizations that provide services to user entities when those controls are likely to be relevant to user entities' internal control over financial reporting (ICFR)
  • Effective for reports issued on or after June 15, 2011
  • SOC 1 Audit Guide released May 2011, updated May 2013, new update just released January 2017
• Two report types:
  • SOC 1 Type I = SSAE 16 Type I Report
  • SOC 1 Type II = SSAE 16 Type II Report
• "Branded" by AICPA as a SOC 1 – Service Organization Control Report 1
  • AICPA now prefers "SOC 1" vs. "SSAE16"


Slide 19

SOC 2 Reports

• Reports on Controls at a Service Organization over Security, Availability, Processing Integrity, Confidentiality, or Privacy
  • Can report on just one Principle, or any combination of the five
• SOC 2 Guide released May 2011, updated March 2012 and July 2015 – new update expected soon
• Report format designed to match the SSAE 16
  • SOC 2 Type I
  • SOC 2 Type II
• Criteria are prescribed: Must use TSP 100 – Trust Services Principles

Slide 20

SOC 3 Reports

• Similar to a SOC 2
  • Uses TSP100 – Trust Service Principles
• Primary Differences
  • Does not contain a description of the practitioner's tests of controls and results of those tests
  • Is a general use report rather than a restricted use report
  • Unqualified Opinion allows use of SOC Seal (SysTrust for Service Organizations) on Service Provider's website, if the Service Auditor is licensed by CPA Canada (formerly CICA)
• SOC 3 Guide was planned for release in Q4, 2014 . . . . but we're still waiting . . .


Slide 21

Reports Comparison

Slide 22

Attestation Standards Updates / SSAE 18 Overview


Slide 23

Attestation Clarity Project

• Designed to address concerns over the clarity, length, and complexity of Attestation Standards
• Objective: to make AT sections easier to read, understand and apply
• Redrafted standards utilizing "clarity drafting conventions"
• Resulted in SSAE 18 "Attestation Standards: Clarification and Recodification"
• Desire to converge with standards of the International Audit and Assurance Standards Board (IAASB)
  • International Standard on Assurance Engagements (ISAE) 3000 (Revised), Assurance Engagements Other Than Audits or Reviews of Historical Financial Information served as the foundation for the common concepts, examination, and review sections of SSAE 18

Slide 24

Clarity Drafting Conventions

• SSAE 18 was drafted utilizing clarity drafting conventions, including:
  • Establishing objectives for each AT-C section
  • Including a definitions section, where relevant, in each AT-C section
  • Separating requirements from application and other explanatory material
  • Numbering application and other explanatory material paragraphs using an A- prefix and presenting them in a separate section that follows the requirements section
  • Using formatting techniques, such as bulleted lists, to enhance readability
  • Including, when appropriate, special considerations relevant to audits of smaller, less complex entities within the text of the AT-C section
  • Including, when appropriate, special considerations relevant to examination, review, or agreed-upon procedures engagements for governmental entities within the text of the AT-C section
• The identifier "AT-C" is used to differentiate the sections of the clarified attestation standards ("AT-C" sections) from the sections of the attestation standards that are superseded by SSAE 18 ("AT" sections)


Slide 25

SSAE 18

• Supersedes SSAEs 10-17, except:
  • SSAE 10, Chapter 7 (AT 701) – Management's Discussion and Analysis
    • Renamed AT-C 395
  • SSAE 15 (AT 501 and 9501) – An Examination of an Entity's Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements, and related interpretation no. 1
    • However, SAS 130 withdrew AT 501 and related interpretations for integrated audits for periods ending on or after December 15, 2016
• Effective for reports dated on or after May 1, 2017

Slide 26

Contents of SSAE 18

• AT-C Preface
• AT-C Section 100 – Common Concepts
  • AT-C Section 105 – Concepts Common to All Attestation Engagements
• AT-C Section 200 – Level of Service
  • AT-C Section 205 – Examination Engagements
  • AT-C Section 210 – Review Engagements
  • AT-C Section 215 – Agreed Upon Procedures Engagements
• AT-C Section 300 – Subject Matter
  • AT-C Section 305 – Prospective Financial Information
  • AT-C Section 310 – Reporting on Pro Forma Financial Information
  • AT-C Section 315 – Compliance Attestation
  • AT-C Section 320 – Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting
• AT-C Section 395 – Management's Discussion and Analysis


Slide 27

What's New in SSAE 18?

• Separate discussion of review engagements
  • AT 101 combined the discussion of examinations and reviews
• Required representation letters
  • AT 101 allowed, but did not require, representation letters
• Risk assessment for examination engagements
  • Requires obtaining a more in-depth understanding of the development of the subject matter than currently required in order to better identify the risks of material misstatement in an examination engagement
• Incorporation of detailed requirements
  • Similar to SASs, specifies additional requirements (e.g. the need for an engagement letter, or the need to obtain written representations)
• Scope limitation imposed by the engaging party or the responsible party
  • Now allows for a qualified opinion, not only disclaiming an opinion or withdrawing from the engagement

Slide 28

Mapping AT to AT-C

AT Sections Superseded by SSAE No. 18 → AT-C Sections Designated by SSAE No. 18

AT 20   Defining Professional Requirements in Statements on Standards for Attestation Engagements
        → AT-C 105  Concepts Common to All Attestation Engagements
AT 50   SSAE Hierarchy
        → AT-C 105  Concepts Common to All Attestation Engagements
AT 101  Attest Engagements
        → AT-C 105  Concepts Common to All Attestation Engagements
        → AT-C 205  Examination Engagements
        → AT-C 210  Review Engagements
AT 201  Agreed-Upon Procedures Engagements
        → AT-C 215  Agreed-Upon Procedures Engagements
AT 301  Financial Forecasts and Projections
        → AT-C 305  Prospective Financial Information
AT 401  Reporting on Pro Forma Financial Information
        → AT-C 310  Reporting on Pro Forma Financial Information
AT 501  An Examination of an Entity's Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements
        → (no AT-C section) Statement on Auditing Standards No. 130, An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements, withdraws AT section 501
AT 601  Compliance Attestation
        → AT-C 315  Compliance Attestation
AT 701  Management's Discussion and Analysis
        → AT-C 395  Management's Discussion and Analysis
AT 801  Reporting on Controls at a Service Organization
        → AT-C 320  Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting


Slide 29

Mapping AT-C to AT

AT-C Sections Designated by SSAE No. 18 ← AT Sections Superseded by SSAE No. 18

AT-C Preface  Preface to the Attestation Standards
        ← AT Introduction  Attestation Standards—Introduction
AT-C 100  Common Concepts
  AT-C 105  Concepts Common to All Attestation Engagements
        ← AT 20   Defining Professional Requirements in Statements on Standards for Attestation Engagements
        ← AT 50   SSAE Hierarchy
        ← AT 101  Attest Engagements
AT-C 200  Level of Service
  AT-C 205  Examination Engagements
        ← AT 101  Attest Engagements
  AT-C 210  Review Engagements
        ← AT 101  Attest Engagements
  AT-C 215  Agreed-Upon Procedures Engagements
        ← AT 201  Agreed-Upon Procedures Engagements
AT-C 300  Subject Matter
  AT-C 305  Prospective Financial Information
        ← AT 301  Financial Forecasts and Projections
  AT-C 310  Reporting on Pro Forma Financial Information
        ← AT 401  Reporting on Pro Forma Financial Information
  AT-C 315  Compliance Attestation
        ← AT 601  Compliance Attestation
  AT-C 320  Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting
        ← AT 801  Reporting on Controls at a Service Organization
AT-C 395  Management's Discussion and Analysis
        ← AT 701  Management's Discussion and Analysis

Slide 30

What’s new with SOC Reports


Slide 31

SOC 2® + Additional Subject Matter

• Introduced in (approximately) 2015
• Allows for addressing additional criteria, additional subject matter using additional suitable criteria, or both
  • E.g. in addition to addressing the Security Principle, also address the HIPAA Security Rule
• Mappings created from 2014 version of the Trust Services Principles to:
  • CSA Cloud Controls Matrix
  • HITRUST CSF
  • COBIT 5
  • COSO 2013
  • ISO 27001
  • NIST SP 800-53 R4

Slide 32

Underlying Standard has Changed

• SOC 1
  • Old Standard – AT 801 (with attestation guidance provided by the SOC 1 Guide)
  • New Standards – AT-C 105, AT-C 205, AT-C 320 (and a brand new SOC 1 Guide!)
• SOC 2 / SOC 3
  • Old Standard – AT 101 (with attestation guidance provided by the SOC 2 Guide issued in July 2015)
  • New Standards – AT-C 105, AT-C 205 (and the existing SOC 2 Guide)
• For all three SOC Reports, any dated on or after May 1, 2017, must follow the new AT-C standards (SSAE 18)


Slide 33

But that's not all!

• SOC Report = Service Organization Control Report
  • NO LONGER!!!
• SOC has been redefined to mean "System and Organization Controls"
• According to the AICPA:
  • "By redefining that acronym, the AICPA enables the introduction of new internal control examinations that may be performed (a) for other types of organizations, in addition to service organizations and (b) on either system-level or entity-level controls of such organizations."

Slide 34

SOC Suite of Services

• SOC 1® – SOC for Service Organizations: ICFR
  • AT-C 320 (and AT-C 105 / AT-C 205) plus a new SOC 1 Guide
• SOC 2® – SOC for Service Organizations: Trust Services Criteria
  • AT-C 205 (and AT-C 105) plus existing SOC 2 Guide
• SOC 3® – SOC for Service Organizations: Trust Services Criteria for General Use Report
  • AT-C 205 (and AT-C 105) plus existing SOC 2 Guide
• SOC for Cybersecurity (coming soon!)
  • AT-C 205 (and AT-C 105) plus forthcoming Guide "Reporting on an Entity's Cybersecurity Risk Management Program and Controls"
• SOC for vendor supply chains (planned for 2018)


Slide 35

SOC for Cybersecurity

• Called a "Cybersecurity Examination," it will include:
  • A description of the entity's cybersecurity risk management program
  • An assessment of the effectiveness of the controls within that program to achieve the entity's cybersecurity objectives
• Management is responsible for selecting both the description criteria and the control criteria to be used in the engagement
  • Proposed Description Criteria for Management's Description of the Entity's Cybersecurity Risk Management Program
    • Issued 9/15/16; Comment period closed 12/5/16
    • Currently the only option for description criteria
  • Proposed Revision of Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy
    • Issued 9/15/16; Comment period closed 12/5/16
    • Includes updates to better address Cybersecurity risks
    • Other cybersecurity control criteria may be used

Slide 36

BREAK (?)


Slide 37

Trust Services Principles – Overview and Updates

Slide 38

The Trust Services Principles

• Security
• Availability
• Processing Integrity
• Confidentiality
• Privacy


Slide 39

Trust Service Principles (TSP) Revisions

• AICPA, Technical Practice Aids, TSP sec. 100
  • Originally released in 2006, then updated in 2009
• Major Revision to TSP sec. 100 in March/April 2014
  • Removed significant redundancies in wording between the Principles
  • Reorganized into a set of "Common Criteria" applicable to all Principles, plus additional principle-specific criteria
    • Criteria Common to All [Security, Availability, Processing Integrity, and Confidentiality] Principles – 28 criteria statements
    • Availability – 3 more criteria statements
    • Processing Integrity – 6 more criteria statements
    • Confidentiality – 6 more criteria statements
  • Mandatory adoption for reporting periods ending on or after Dec. 15, 2014
  • Privacy was updated separately

Slide 40

2016 Revisions to the Trust Service Principles

• New version released mid-year 2016
• Minor and clarifying updates to various criteria
• Two additional confidentiality criteria were added to address the retention and disposal of confidential information (total of 8 criteria statements now)
• Incorporated new criteria for Privacy to bring it back into TSP framework (removing the cross references to Generally Accepted Privacy Principles)
• Early adoption permitted, mandatory use beginning with reports ending on or after December 15, 2016


Slide 41

Even more Trust Services Revisions!

• Proposed Revision of Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy
  • Issued 9/15/16; Comment period closed 12/5/16
  • The proposed revision indicates these are expected to become mandatory by 6/15/2018 with early adoption permitted. However, a final version has not yet been issued.
• Significant Changes
  • Renaming:
    • "trust services principles and criteria" are now "trust services criteria"
    • the five principles (security, availability, processing integrity, confidentiality, and privacy) are now "trust services categories"
  • Aligns the Trust Services Criteria to the COSO 2013 Framework
  • Includes updates to better address Cybersecurity risks
  • Adds points of focus to all criteria (in a similar manner as COSO 2013)

Slide 42

TSP – Common Criteria

• Criteria Common to All [Security, Availability, Processing Integrity, and Confidentiality] Principles
  • CC1.0 – Common Criteria Related to Organization and Management
  • CC2.0 – Common Criteria Related to Communications
  • CC3.0 – Common Criteria Related to Risk Management and Design and Implementation of Controls
  • CC4.0 – Common Criteria Related to Monitoring of Controls
  • CC5.0 – Common Criteria Related to Logical and Physical Access Controls
  • CC6.0 – Common Criteria Related to System Operations
  • CC7.0 – Common Criteria Related to Change Management
• Additional Criteria when reporting on Availability, Processing Integrity, or Confidentiality


Slide 43

What’s new with SOC2

Slide 44

Contents of a SOC 2 Report

• Auditor's Report – What Does It Cover:
  • Fairness of Presentation of the Description
  • Suitability of Design of the Controls
  • Operating Effectiveness of Controls (Type 2 only)
  • Criteria related to the auditor's evaluation
• Test of Controls and Results (Type 2 only)
• Whether carve out or inclusive was used
• Other Information from Service Organization (unaudited)


Slide 45

SOC 2 Guide

• Updated SOC 2 Guide Released July 1, 2015
  • Provides how-to guidance for service auditors performing examinations under AT section 101
  • Incorporates TSP sec. 100 updates from 2014
  • Updated guide expected in 2017(?)
• Other updates fall into two major categories
  • Scoping Updates – Drive changes to the examination process
  • Language Updates – Will be reflected in reporting deliverables

Slide 46

Scoping Updates

• Non-Continuous exam periods
  • Recommendation to either expand the period to cover the gap period or evaluate the potential effect of the excluded time period to users of the report [ref. par. 2.26]
• If addressing Confidentiality or Privacy
  • System boundary must include information life cycle: collection, use, retention, disclosure, and disposal or anonymization of personal information [ref. par. 1.39 and 3.05]
• Monitoring of a Service Organization
  • Regardless of subservice organization (carve-out or inclusive) approach, controls to monitor services provided by third parties should be included in the description. [ref. par. 1.26a(iv)(2) and 3.5]


Slide 47

Scoping Updates (cont)

• Complementary User Entity Controls (CUECs) and User Entity Responsibilities
  • CUECs – Now emphasized as controls necessary to meet one or more criteria
  • Otherwise, considered a User Entity Responsibility (new concept introduced in the current guide)
    • User Entity Responsibilities are not required to be included in the system description.
  • Ref. par. 3.32 through 3.37

Slide 48

Language Updates

• Representation Letter
  • Additional representations by Management to the Service Auditor [ref. par. 3.151]
    • Communications from regulators and others have been disclosed
    • Acknowledge responsibility for the subject matter
    • Effect of uncorrected misstatements is immaterial
• System Description
  • Additional guidance to the service auditor on evaluating what "fair presentation" is [ref. par. 3.02]


Slide 49

Language Updates (cont)

• Control Activities
  • Additional guidance to the service auditor on describing controls, including [ref. par. 3.07]
    • What – The subject matter to which the control applies
    • Who – The party responsible for performing the control
    • How – The nature of the activity performed, including sources of information used in performing the control
    • When – The frequency with which the control is performed or the timing of its occurrence
• Control Testing Conclusions
  • Example wording for greater clarity in particular situations
    • Sample size, when there are deviations [ref. par. 4.09]
    • Controls with no activity during the period [ref. par. 4.50]

Slide 50

SOC 2 Guide – Other Useful Information

• Appendix C – Illustrative Management Assertion and Related Service Auditor's Report
• Appendix D – Illustrative Type 2 Service Organization Controls Report
• Appendix E – Information for Management of a Service Organization
  • Generally a restatement of Management's responsibilities from various other portions of the guide, but pulled together in one place, and in a more reader-friendly format and writing style.


Slide 51

SOC 2 Guide – Other Useful Information (cont)

• Appendix F – Service Auditor Considerations in Performing SOC 2 or SOC 3 Engagements for Cloud Service Organizations (CSOs)
  • Provides an overview of CSOs, deployment models, and challenges unique to CSOs and their impact on performing a SOC 2 / SOC 3 engagement
• Appendix H – Additional Considerations for the Service Auditor Regarding the Trust Services Criteria
  • Provides explanatory information on the seven Common Criteria categories and the additional criteria for Availability, Processing Integrity, and Confidentiality
  • Adds additional context beyond the illustrative risks and controls provided in TSP sec. 100, Appendix B

Slide 52

User Auditor Requirements


Slide 53

User Auditor Requirements

• Read the report!!!
  • Does it cover the relevant services?
• Service Auditor’s Opinion
  • Unqualified? (Good)
  • Qualified? (Not as good, but can be okay)
  • Adverse? (Typically bad)
  • Disclaim an opinion? (Typically very bad)
• Any deficiencies/deviations?
  • If so, how does it affect the User Entity?
• SAS 122 / AU-C Section 402 – Audit Considerations Relating to an Entity Using a Service Organization
  • Outlines various requirements for User Auditors when evaluating attestation reports
  • Particularly important when evaluating in support of ICFR

Slide 54

User Auditor Requirements (cont)

• Understand the Service Organization / Evaluate appropriateness of the report in support of the User Organization audit (Ref. AU-C 402 par. .13-.14, .17)
  • Service Auditor’s professional competence
  • Adequacy of standards utilized
  • Time period covered
  • Sufficiency and appropriateness of the evidence provided for the understanding of the user entity’s internal control
    • Description of the system sufficient/understandable?
    • Control Objectives/Criteria relevant, sufficient, understandable?
    • Controls relevant, sufficient, understandable?
  • Sufficiency and appropriateness of the tests of controls performed by the Service Auditor
• Evaluate complementary user entity controls for relevance, design and implementation


Slide 55

User Auditor Requirements (cont)

• Complementary User Entity Controls
  • From AU-C 402, par. .08: “Controls that management of the service organization assumes, in the design of its service, will be implemented by user entities, and which, if necessary to achieve the control objectives stated in management's description of the service organization's system, are identified as such in that description.”
  • User auditor should determine which are relevant to the user entity audit, then evaluate the User Entity for design and implementation of those controls
  • One way is to map Complementary User Entity Controls to User Entity Controls

Slide 56

User Auditor Requirements (cont)

• What if the report is insufficient for the audit need?
  • Contact the service organization, through the user entity, to obtain specific information
  • Visit the service organization and perform procedures that will provide the necessary information about the relevant controls at the service organization
  • Use another auditor to perform procedures that will provide the necessary information about the relevant controls at the service organization
  • Refer to AU-C 402 par. .12 for additional information


Slide 57

Common Issues / Lessons Learned

• SOC 1
  • Control Objectives included which are not relevant to ICFR
  • System descriptions insufficient to understand the flow of transactions/processes
  • Description of a control insufficient to understand the control activity
  • Report only covers ITGC, but services provided include transaction or other information processing, etc.
• SOC 2
  • Description includes controls that have not been implemented.
  • Descriptions of processes and related controls are incomplete, and the user is unable to understand the processing flow through the system (who?, what?, where?, when?, how?)
  • Applicable trust services criteria are intended to be met by controls at the subservice organization, and the description does not identify the controls expected to be implemented at a carved-out service organization

Slide 58

Questions?


Slide 59

References and Sources:

• AICPA.org – Links to all current SAS and SSAEs, including SSAE 18 (AT-C 105, AT-C 205, AT-C 320, etc.)
  • http://www.aicpa.org/Research/Standards/AuditAttest/Pages/SAS.aspx
  • http://www.aicpa.org/Research/Standards/AuditAttest/Pages/SSAE.aspx
• AICPA SOC Reports home page
  • http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/SORHome.aspx
• AICPA Guides, Alerts (available in a variety of formats for purchase), and Information
  • SOC 1: http://www.aicpastore.com/AST/Main/CPA2BIZ_Primary/SOC/PRDOVR~PC-0127910/PC-0127910.jsp
  • SOC 2: http://www.aicpastore.com/AST/Main/CPA2BIZ_Primary/SOC/PRDOVR~PC-0128210/PC-0128210.jsp
  • SOC 2+: http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/SOC2AdditionalSubjectMatter.aspx
  • Trust Services Principles and Criteria (2016) (download or online subscription): http://www.aicpastore.com/AuditAttest/TopicSpecificGuidance/trust-services-principles-and-criteria/PRDOVR~PC-TSPC13/PC-TSPC13.jsp
• Proposed Trust Services Criteria Updates
  • Exposure Draft: http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/exposuredrafts/asec_ed_rev_trust_services.pdf
  • Mapping proposed criteria to existing (2016) criteria: http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/cybersecurity/mapping_proposed_tsc_current_tspc.pdf
• Cloud Security Alliance Position Paper on AICPA SOC Reports
  • https://cloudsecurityalliance.org/research/collaborate/#_aicpa
• Brief history of all SAS, with links to full text for many
  • http://en.wikipedia.org/wiki/Statements_on_Auditing_Standards_(United_States)
• AICPA Cybersecurity Resources
  • AICPA Cybersecurity Initiative: http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/aicpacybersecurityinitiative.aspx
  • AICPA Cybersecurity Resource Center: http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/cyber-security-resource-center.aspx

Thank You!

Jeff Pershing, CISA, CISM, CISSP

[email protected]