6/19/2017
CPAs & ADVISORS
WHICH SOC REPORT IS RIGHT FOR YOUR CLIENT?
Cindy Boyle
STRATEGIC ALLIANCE WEBINAR SERIES
June 20, 2017
TO RECEIVE CPE CREDIT
• Participate in entire webinar
• Answer polls when they are provided
• If you are viewing this webinar in a group, complete group attendance form with
  • Title & date of live webinar
  • Your company name
  • Your printed name, signature & email address
  All group attendance sheets must be submitted to [email protected] within 24 hours of live webinar
• If all eligibility requirements are met, each participant will be emailed their CPE certificates within 15 business days of live webinar
Jason Jobgen, Director, Alliance Services
Cindy Boyle, Partner, IT Risk Services
AGENDA
• Common Terminology
• Types of Reports
• Recent Changes
• Questions?
COMMON TERMINOLOGY
• Service organization – performs services outsourced by companies/auditee
• Service auditor – CPA who examines & reports on controls at a service organization (term used in lieu of “practitioner”)
• Users – typically considered clients of service organization
• User auditor – CPA who performs an audit on the users’ financial statements
COMMON TERMINOLOGY
• SOC – service organization control reports, but AICPA moving to system & organization control reports
  • Broader category of SOC suite of services
  • SOC 2+
  • Will include additional attestations
WHAT ARE SERVICE ORGANIZATIONS?
• Service organization – provider of services that may pose a risk to a user’s financial reporting, or that poses a business or compliance risk
• Services such as
  • Cloud computing (SaaS, IaaS, PaaS)
  • Managed security providers
  • AR/AP/Payroll/Tax outsourcing
  • Core financial IT system processing or hosting
  • Customer support
  • Health care claims management & processing
TYPES OF REPORTS
PRIMARY TYPES OF REPORTS
Information obtained from AICPA.org

SOC 1
• Controls affect user entities’ … financial statement (ICFR)
• Use of report: Restricted
• AICPA interpretive guidance & reporting vehicle: SSAE No. 18, which includes AT-C section 320; AICPA Guide
• Contents of the report
  • Description of service organization’s system
  • Management’s written assertion
  • Service auditor’s report
  • Type 2 includes a description of tests of controls & results of the tests

SOC 2
• Controls affect user entities’ … compliance & operations
• Use of report: Restricted
• AICPA interpretive guidance & reporting vehicle: SSAE No. 18, which includes AT-C section 105 & AT-C section 205; AICPA Guide; TSP section 100, AICPA 2017 Trust Services Criteria
• Contents of the report
  • Description of service organization’s system
  • Management’s written assertion
  • Service auditor’s report
  • Type 2 includes a description of tests of controls & results of the tests

SOC 3
• Controls affect user entities’ … compliance & operations
• Use of report: General
• AICPA interpretive guidance & reporting vehicle: SSAE No. 18, which includes AT-C section 105 & AT-C section 205; TSP section 100, AICPA 2017 Trust Services Criteria
• Contents of the report
  • Service auditor’s opinion on whether the entity maintained effective controls over its system
SOC 2 REPORTING
Trust Services Principles (TSP) criteria
• Security (common criteria): system is protected against unauthorized access, use or modification
• Availability: system is available for operation & use as committed or agreed
• Processing Integrity: system processing is complete, valid, accurate, timely & authorized
• Confidentiality: information designated as confidential is protected as committed or agreed
• Privacy: system’s collection, use, retention, disclosure & disposal of personal information is in conformity with the commitments in the entity’s privacy notice & with criteria set forth in generally accepted privacy principles issued by AICPA & Canadian Institute of Chartered Accountants
SOC 3 REPORTING
• Public report
• Very abbreviated report – essentially a “SOC 2 light”
• Assertion & opinion only on
  • Suitability of design
  • Operating effectiveness of controls
  • Not on system description
• No longer has a required seal
  • There is a SOC logo that an organization can display from AICPA
• Essentially must do SOC 2 in order to issue a SOC 3
  • SOC 2 report must have an unqualified opinion
  • Must cover at least a two-month period
SOC 3 REPORTING
• Currently cannot issue a SOC 3 unqualified opinion if
  • There are carved-out subservice organizations in the SOC 2
  • There are significant complementary user-entity controls necessary to achieve the applicable trust services principles’ criteria
TWO SUB-TYPES OF SOC 1 & SOC 2 REPORTS
SUBTYPES OF REPORTS – TYPE 1
• Reports on
  • Fairness of presentation of management’s description of the service organization’s system
  • Suitability of design of controls
• Point-in-time reporting
• May be useful when
  • Organization is new
  • Understanding system & controls is needed
  • Recently made significant changes
  • Insufficient time or history to perform Type 2
SUBTYPES OF REPORTS – TYPE 2
• Same as Type 1, plus
  • Reports on fairness of presentation, suitability of design & operating effectiveness
  • Includes a description of service auditor’s tests of controls & results
  • Covers a period of time
REPORTING TO MULTIPLE AUDIENCES
Multiple reports scenarios
• SOC 1 & SOC 2 – services impacting ICFR of user & other services with TSP concerns
• SOC 2 & SOC 3 – services not impacting ICFR & need to use beyond current users, such as marketing to prospects
• SOC 1 & SOC 3 – services impacting ICFR of user & other services with TSP concerns or marketing needs
Note – must be separate reports
RECENT CHANGES
• SSAE 18
• SOC for Cybersecurity Engagements
RECENT CHANGES – SSAE 18
• Subservice organizations
• Significant changes to service organization management responsibility
• Service auditor changes

SUBSERVICE ORGANIZATIONS
• Introduces complementary subservice organization controls (CSOC)
• Service organization must identify risks that subservice organization controls are not in place
• Service auditor must consider CSOC as part of risk assessment process & assess how management addressed the risks
SIGNIFICANT CHANGES TO SERVICE ORGANIZATION MANAGEMENT RESPONSIBILITY
• Previously, service auditor identified risks; now they are to obtain an understanding of how management identified risks
• Previously, service auditor was to determine which controls were necessary; now they are to understand which controls are necessary
• Emphasizes service organization management’s responsibility for the narrative, objectives & controls

SERVICE AUDITOR CHANGES
• Service auditor is now required to understand internal audit’s role in the service organization’s system
• Must obtain evidence of the accuracy & completeness of information like populations
• Service auditor must more clearly define intended users of the report
RECENT CHANGES – SOC FOR CYBERSECURITY ENGAGEMENTS
• AICPA Guide, June 1, 2017 – Reporting on an Entity’s Cybersecurity Risk Management Program & Controls
• In a cybersecurity risk management examination, the practitioner opines on: (a) management’s description of the entity’s cybersecurity risk management program & (b) effectiveness of controls within that program to achieve entity’s cybersecurity objectives
• Examination results in issuance of a general use cybersecurity report designed to meet the needs of a variety of potential users

UNDER DEVELOPMENT: SOC FOR VENDOR SUPPLY CHAINS
• An internal controls report on a vendor’s manufacturing processes for customers of manufacturers & distributors to better understand the cybersecurity risk in their supply chains
PEER REVIEW
• SOC exams are now required selections
The information contained in these slides is presented by professionals for your information only. Applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor before acting on any matters covered herein or in these seminars.
BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.nasbaregistry.org.
CPE CREDIT
• CPE credit may be awarded upon verification of participant attendance
• For questions, concerns or comments regarding CPE credit, please email the BKD Learning & Development Department at [email protected]
THANK YOU
FOR MORE INFORMATION // For a complete list of our offices & subsidiaries, visit bkd.com or contact:
Cindy Boyle, CPA, CIA®, CITP, CISA // [email protected] // 501.372.1040