Service Organization Control (SOC) Compliance Guide - Aronson LLC


Service Organization Control (SOC) Compliance Guide
Technology Risk Services

Table of Contents
- About SOC Reports
- Why obtain a SOC Report?
- What are the different types of SOC Reports?
- Which one to choose?
- What is the difference between the SOC Reports?
- When is a SOC Report not applicable?
- What is the Aronson Methodology?
- Why choose Aronson as the attestation provider?
- Case studies

2016 www.aronsonllc.com www.aronsonllc.com/blogs 2

About SOC Reports

"Service Organization Controls Reports are designed to help service organizations, organizations that operate information systems and provide information system services to other entities, build trust and confidence in their service delivery processes and controls through a report by an independent certified public accountant."
– American Institute of Certified Public Accountants (AICPA)

Why obtain a SOC Report?

Why do service organizations obtain a SOC audit?
- Over time, companies have increased their reliance on third-party service providers to conduct business functions
- Service providers can maintain stakeholder trust and provide transparency through an independent auditor's report conducted using AICPA guidance and standards
- It helps service organizations differentiate themselves from their competition
- SOC audits can reduce or eliminate other customer audits and vendor risk management questionnaires

What are the benefits of obtaining a SOC audit?
- Ability to obtain a greater market share and competitive advantage through increased customer confidence
- Independent assessment of the control environment, including people, process and technology
- One audit can satisfy multiple customers and various audit requirements
- Fewer third-party vendor risk management questionnaires
- Decreased client costs for other audits/compliance projects by relying on SOC reports

What is SSAE 16 or SOC 1?

What is it?
Statement on Standards for Attestation Engagements (SSAE) No. 16 is an attestation standard put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). It addresses engagements undertaken by a service auditor to report on controls at organizations (i.e., service organizations) that provide services to user entities, where the service organization's controls are likely to be relevant to the user entities' internal control over financial reporting (ICFR).

What is the scope?
Controls at the service organization that are relevant to its customers' (user entities') internal control over financial reporting, expressed as control objectives and control activities defined by the service organization:
- Services, systems and locations covered
- Control objectives and activities

What are the different types?
- Type I report covers the design and implementation of the controls as of a point in time
- Type II report covers the design, implementation and operating effectiveness of the controls over a period of time

What is AT 101 or SOC 2?

What is it?
A SOC 2 report is designed to provide various users with assurance regarding internal controls related to the Trust Principles of a service provider. The report can apply to an application, platform, hosting services, data center infrastructure, and related areas. The service provider determines the areas that will be evaluated based on the Trust Principles it selects as in scope.

What is the scope?
Based on the five Trust Principles:
- Security
- Confidentiality
- Availability
- Processing Integrity
- Privacy

What are the different types?
- Type I report covers the design and implementation of the controls as of a point in time
- Type II report covers the design, implementation and operating effectiveness of the controls over a period of time

What is SOC 3?

What is it?
A SOC 3 report is a general-use report that states whether the system achieved the trust services criteria. It does not include a description of the tests performed and their results, or an opinion on the description of the system.

What is the scope?
Based on the five Trust Principles:
- Security
- Confidentiality
- Availability
- Processing Integrity
- Privacy

What are the different types?
There is no Type I/Type II distinction; the SOC 3 is a single short report with:
- Limited environment details
- Limited description of controls and systems

Which one to choose?

How to identify the SOC report that is right for you:
- Will the report be used by your customers and their auditors to plan and perform an audit or integrated audit of your customers' financial statements? Yes: SOC 1 Report
- Will the report be used by your customers as part of their compliance with the Sarbanes-Oxley Act or a similar law or regulation? Yes: SOC 1 Report
- Will the report be used by your customers or stakeholders to gain confidence and place trust in a service organization's systems? Yes: SOC 2 or SOC 3 Report
- Do you need to make the report generally available or display a seal? Yes: SOC 3 Report
- Do your customers have the need for, and the ability to understand, the details of the processing and controls at the service organization, the tests performed by the service auditor and the results of those tests? Yes: SOC 2 Report. No: SOC 3 Report

Focus & Distribution

SOC 1
- Report's focus: controls at a service organization relevant to user entities' internal control over financial reporting
- Format: Type I or Type II; control descriptions; tests performed and results
- Intended users: financial statement auditors of the user entity (UE); management of the UE; management of the service provider
- Distribution: restricted use to current customers; can be shared with prospective customers if a third-party access letter is obtained

SOC 2
- Report's focus: controls at a service organization relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy (Trust Principles)
- Format: Type I or Type II; Trust Principle controls; tests performed and results
- Intended users: management of the UE; management of the service provider; other relevant parties, e.g., regulators and business partners
- Distribution: restricted use to "customers with sufficient knowledge," e.g., current and prospective customers, regulators, business partners

SOC 3
- Report's focus: Trust Principles, but without all of the details of a SOC 2 report, because its users do not have the required knowledge of or need for a SOC 2; processing details and control test results are omitted
- Format: brief report; limited details on tests performed and results
- Intended users: same as SOC 2
- Distribution: can be freely distributed

What is the difference between SOC 1 vs. SOC 2?

Similarities
- Contain an opinion and an assertion
- Contain a management representation letter from the provider
- Contain a description of the processing environment
- Contain control objectives, activities, and test results

Differences
- SOC 2 does not address ICFR and isn't expected to support the financial reporting process for customers
- SOC 2 has a wider distribution to include "specified parties," which includes anyone who understands the provider's operations, internal controls, or services
- SOC 2 can offer more technical information through descriptions and control details

When is a SOC Report not applicable?

SOC reports are not applicable in the following circumstances:
- The service organization is 100% professional services and doesn't have systems or platforms that store, process, or transmit customer data
- Customers of the service organization are not relying upon its services to support their financial reporting process (this rules out a SOC 1; a SOC 2 may still be relevant if the organization stores, processes, or transmits customer data)

What is the Aronson Methodology?

The methodology has four phases: Planning, Assessment, Remediation and Audit. Key activities in each phase:

Planning
1. Develop project plan
2. Confirm system boundary
3. Confirm in-scope ICFR objectives or Trust Principles
4. Schedule interviews and walkthroughs

Assessment
1. Conduct interviews and walkthroughs to assess the current control environment
2. Review existing documents and conduct control analysis
3. Develop Gap Analysis and Recommendations Report

Remediation
1. Develop Remediation Roadmap
2. Develop or update policies and procedures
3. Develop or revise processes and controls depending on the areas of deficiency
4. Implement revised controls
5. Conduct trainings for new or revised processes

Audit
1. Develop audit plan
2. Conduct controls testing for design and operational effectiveness using the AICPA SOC Report Audit Protocol
3. Develop audit report
4. Hold report briefing
5. Perform continuous control improvement

Why choose Aronson as the attestation provider?
- Leading provider of assurance services in the Mid-Atlantic region (peer reviewed, nationally ranked CPA firm) that provides assurance services across a broad range of industries
- View of wider business implications and not just the immediate effect
- Tailored practical approach focused on the client's unique environment
- Collaborative teaming approach to drive better context and value of audit and knowledge transfer
- Focused on the importance of knowledge transfer and alignment of cultures
- Relevant technical skills, practical knowledge and thought leadership
- Proven technical skills and understanding of emerging risks in key audit areas

Case Study 1 – SSAE 16

Client issue
ABC Company requires a third-party report on ICFR for services/products provided to private/public companies. ABC Company recognizes that an SSAE 16 report will provide assurance over in-scope controls to foster confidence in its control environment and enhance marketability. Without a favorable SSAE 16 report, business opportunities will be limited.

TRS delivery
- Conduct SSAE 16 audit readiness assessment
- Conduct SSAE 16 audit

TRS value
- Understood and clearly articulated emerging risks in key areas
- Provided guidance on their remediation activities that helped them become 'audit ready' in a short period of time
- Focused on wider business implications

Case Study 2 – SOC 2

Client issue
ABC Company is a pioneer in political technology, servicing many of the largest grassroots organizations, PACs, and political campaigns in the U.S. and abroad. Their technology processes and stores sensitive client data. Many of their clients (especially large financial institutions) require them to fill out a detailed security questionnaire around the confidentiality, security, integrity, and availability of the data. This is a time-consuming exercise which has to be done annually for many of their clients. Instead of repeating this process for each client, they decided to get a SOC 2 Type 2 audit for the following Trust Principles: Security, Confidentiality, Processing Integrity, and Availability.

TRS delivery
- Conduct SOC 2 audit readiness assessment
- Conduct SOC 2 audit

TRS value
- Deep technical skills and use of accelerators that helped jump-start the engagement
- Provided guidance on their remediation activities that helped them become 'audit ready' in a short period of time
- Provided guidance on how to reduce time spent on responding to multiple customer vendor management questionnaires
