IGNITING GROWTH
Why a SOC Report Makes All the Difference

Many service organizations depend on the integrity of their control environment to protect their business as well as that of their customers. With new technologies being unveiled at record speeds and the increasing prevalence of third-party vendors, that integrity is more complicated to secure.

One way to ensure internal controls are in place and operating effectively is to conduct a system and organization control (SOC) audit. While these reports aren't required, financial statement auditors use them to reduce audit procedures, and sophisticated service organizations push for them as confirmation that their data is protected.

IGNITING GROWTH: SOC Reporting 3

CONTENTS
5 The Evolution of SOC
6 SOC 1, 2 & 3: The Differences
14 What Drives a SOC Examination?
18 How to Prepare for a SOC Audit
20 Aim for Success: Tips to Combat SOC Audit Challenges
21 We're Here to Help
22 About Our Technology Practice

WHY ISSUE A SOC REPORT?
More and more companies are outsourcing services. Ideally, a third-party vendor would exert the same level of internal controls you would. To make sure everyone is on the same page, it's important to know what your vendors are doing when it comes to:
- Financial and performance history
- Security and availability safeguards
- Reliable processing integrity
- Confidential and private records
- Regulatory and operational compliance
- Compliance with service level agreements
- Regular due diligence and monitoring

WHO NEEDS SOC?
SOC examinations aren't just for technology corporations. They benefit a range of different clients, from financial institutions to benefit plan administrators and health care organizations. Traditional outsourcing arrangements apply to:
- Financial institutions
- Bank trust departments
- Credit unions
- Collection agencies
- Hedge fund accounting services
- Payroll bureaus
- Benefit plan administrators

New services within outsourcing arrangements that drive SOC adoption include:
- Software as a service (SaaS)
- Infrastructure as a service (IaaS)
- Platform as a service (PaaS)
- Cloud providers
- Data analysts
- Third-party administrators
- Document management
- Specialized services

The Evolution of SOC

Prior to 2011, service organization reports were completed under Statement on Auditing Standards (SAS) No. 70. The American Institute of Certified Public Accountants (AICPA) then moved to Statement on Standards for Attestation Engagements (SSAE) No. 16 to account for limitations within SAS 70, keep pace with changes in regulatory compliance, and more closely mirror international auditing standards.

After the SAS 70 report was retired, SSAE No. 16 was implemented to help technology service providers address their growing assurance needs. In April 2016 the AICPA issued SSAE No. 18 to supersede it. SSAE 18 changes the naming convention, vendor management, complementary subservice organization controls, service auditor risk assessment, and written assertion requirements. The terms SSAE 18 and SOC 1 are often used interchangeably, although strictly SSAE 18 is the attestation standard and SOC 1 is the report issued under it.

In addition to SOC 1, which focuses on internal controls over financial reporting, there's also SOC 2 for a broader range of service providers with internal controls that can cover any combination of security, availability, processing integrity, confidentiality, and privacy. SOC 3 is a smaller scale SOC 2.

Timeline: SAS 70, then SSAE 16, then SSAE 18.

SOC 1: Addresses internal controls over financial reporting.
SOC 2: Addresses trust services principles through detailed reporting involving security, availability, processing integrity, confidentiality, and privacy.
SOC 3: Simplified SOC 2 for unrestricted distribution.

SOC 1, 2 & 3: The Differences

SOC audits aren't formally required, but they're increasingly being requested as part of doing business. The purpose of a SOC engagement is to report on the effectiveness of a company's internal controls and the safeguards it has in place while providing feedback that's both independent and actionable.

There are three kinds of SOC reports and two types within each kind. Each has a specific use. Which is right for you?

INCREASE IN DEMAND
SOC 2 requests are increasing in tandem with the IT industry's growth. If this continues, demand for SOC 2 audits will eventually overtake SOC 1.

MOST REQUESTED TRUST SERVICES PRINCIPLES
Security, availability, and processing integrity. Demand for privacy may change with AICPA revisions. See page 10.

CARVE-OUT METHOD
The majority of reports use the carve-out method. Learn more on page 9.

CHOOSE THE RIGHT REPORT

SOC 1
- Assesses internal controls for financial reporting
- Control domains: transaction processing; supporting IT general controls
- Audit focus: service provider-defined control objectives, which vary depending on the type of service provided
- Distribution: restricted to users and auditors

SOC 2
- Assesses internal controls for compliance or operations
- Control domains: infrastructure, software, people, procedures, data
- Audit focus: standardized trust services principles (security, availability, processing integrity, confidentiality, privacy); the principles covered are selected by the service provider
- Distribution: restricted to users, auditors, and specified parties

SOC 3
- A smaller scale SOC 2 report for marketing purposes
- Distribution: unrestricted

CHOOSE THE RIGHT TYPE
Each kind of SOC engagement has two types of report. See pages 8 and 9 for details.

Testing coverage by type:
- Type 1 (examination as of a point in time): design of controls. Applies to SOC 1, SOC 2, and SOC 3.
- Type 2 (examination over a period of time): design and operating effectiveness of controls. Applies to SOC 1, SOC 2, and SOC 3; the detailed results of tests are included only in SOC 1 and SOC 2 reports.

SOC 1
SOC 1 looks at internal controls for financial reporting. For example, a financial services provider that provides transaction processing may request a report to look at its transaction processing and operations. Once an organization defines the controls it would like examined, there's a lot of work that goes into an independent examination to assess if those controls are in place and operating effectively. SOC 1 is considered an auditor-to-auditor communication, which means an auditor provides it and then hands it to the auditor requesting it.

There are two types of reports for these engagements:

Type 1
This looks at the design and implementation of internal controls at a certain point in time, which gives this examination a so-called as-of date.

Type 2
This is the report you want. It looks at the design and operating effectiveness of internal controls over a period of time, usually a 12-month period, which gives a much more meaningful perspective compared with Type 1.

Distribution of SOC 1 examination details is restricted to management, customers, and financial statement auditors in order to keep sensitive information confidential. However, you can look for the AICPA seal to see if a company completed its examination.

Even when you may not have access to a SOC 1 or 2 report because of distribution restrictions, you can look for a SOC compliant seal on a company's Web site or other materials.

SOC 2
Most technology companies have a need for SOC 2 audits, regardless of their line of service, because they use or are themselves third-party vendors that store, process, or maintain data. There's been huge growth in the number of SOC 2 examinations performed, and it's anticipated to continue. This is in large part due to increased security concerns that rise proportionally as the IT industry promotes new products and services in the cloud.

SOC 2 examinations emphasize system reliability by measuring the effectiveness of internal controls related to five trust services principles:
- Security
- Availability
- Confidentiality
- Processing integrity
- Privacy

Each of these trust principles has predefined criteria (see page 11).

SOC 2 reports are now considered a base requirement for technology service providers. They're embraced by:
- Software as a service (SaaS)
- Platform as a service (PaaS)
- Infrastructure as a service (IaaS)
- Cloud-based providers
- IT-hosted services
- Data centers and colocation facilities
- IT-managed services companies
- Business intelligence software

Similar to a SOC 1 report, there are two types within SOC 2:

Type 1
This looks at management's description of a service provider's system and the suitability of the design of controls.

Type 2
This looks at management's description of a service provider's system and the suitability of the design and operating effectiveness of controls.

Also like SOC 1, SOC 2 examination details can be distributed only to management, current and prospective customers, and financial statement auditors.

SOC 3
SOC 3 reports are essentially a smaller scale SOC 2 report and are used primarily for public distribution. Companies generally must complete a SOC 2 audit before requesting a SOC 3 report. While demand is extremely low for these reports, the distribution element can often be compelling for companies.

CARVE-OUT VERSUS INCLUSIVE METHOD
Many service providers prefer the carve-out method, which includes the services performed by a vendor organization in the service provider's system description but excludes the control objectives and related controls of the subservice organization. A reader of a carve-out report therefore gets no assurance over the subservice organization's controls from that report alone and should obtain the subservice organization's own SOC report to cover that gap.

The inclusive method looks at the services performed by a vendor in the service provider's system description as well as the control objectives and related controls of the vendor's organization. Start-ups that have most of their functions in house, or bigger companies that have a large number of in-house processes, may opt for the inclusive method.

The Trust Services Principles

Every report includes security as part of the common criteria. Management can choose which of the other trust services principles they'd like to include in the examination. For instance, if you believe a service provider is dealing with confidential information, then you should push for that trust services principle to be included.

The five trust services principles are security, availability, processing integrity, confidentiality, and privacy. Those trust services principles apply to these system components during an examination:

INFRASTRUCTURE
Physical structures, IT, and other hardware, including facilities, computers, equipment, mobile devices, and telecommunications networks

SOFTWARE
Application programs and IT system software that support application programs, such as operating systems, middleware, and utilities

PEOPLE
The personnel involved in the governance, operation, and use of a system, namely developers, operators, entity users, vendor personnel, and managers

PROCEDURES
Automated and manual procedures

DATA
Transaction streams, files, databases, tables, and output used or processed by a system

REVISIONS & ADVANCEMENTS

AICPA PRIVACY REVISIONS
Key revisions to the privacy principle create a new set of privacy criteria to better reflect the changing technology and business environment. They also add illustrative risks and controls related to privacy and other clarifications. These changes are effective for periods ending on or after December 16, 2016, with early implementation permitted.

ADVANCEMENTS IN THE PIPELINE
- Trust services principles will be updated to align with the Committee of Sponsoring Organizations of the Treadway Commission's (COSO) 2013 framework. The adoption date is expected to be within 2017, with early adoption permitted.
- Implementation of SOC 2 will include the Health Information Trust Alliance (HITRUST) or other criteria.
- Data integrity may be added as a sixth trust services principle.

Criteria Topics by Principle

SECURITY
- IT security policy
- Security awareness and communication
- Risk assessment
- Logical access
- Physical access
- Security monitoring
- User authentication
- Incident management
- Asset classification and management
- Systems development and maintenance
- Configuration management
- Change management
- Personnel security
- Monitoring and compliance

AVAILABILITY
- Availability policy
- Backup and restoration
- Disaster recovery
- Business continuity management
- Environmental controls
- Security
- Incident management
- Change management
- Monitoring and compliance

PROCESSING INTEGRITY
- System processing integrity policies
- Completeness, accuracy, timeliness, and authorization of inputs, system processing, and outputs
- Information tracing from source to disposition
- Security
- Availability
- Incident management
- Change management
- Monitoring and compliance

CONFIDENTIALITY
- Confidentiality policy
- Confidentiality of inputs
- Confidentiality of data processing
- Confidentiality of outputs
- Information disclosures (including third parties)
- Confidentiality of information in systems development
- Security
- Incident management
- Change management
- Monitoring and compliance

PRIVACY
- Privacy policies
- Personally identifiable information (PII) classification
- Risk assessment
- Incident and breach management
- Provision of notice
- Choice and consent
- Collection
- Use and retention
- Disposal
- Access
- Disclosure to third parties
- Security for privacy
- Quality
- Monitoring and enforcement

What Drives a SOC Examination?

SOC 1 and SOC 2 are now being used by service providers in a host of industries, but technology, financial institutions, and health care IT are particular growth sectors.

For technology companies, the main issues driving adoption of SOC reporting include the rapid rate of cloud adoption, cybersecurity threats, and compliance involving the Cloud Security Alliance (CSA), the International Organization for Standardization (ISO), and the National Institute of Standards and Technology (NIST). Compliance issues for technology in health care related to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and HITRUST are powerful drivers when it comes to trust principles within security, confidentiality, and privacy of information.

Here are some other drivers, in no particular order of prevalence:

CLIENTS AND DUE DILIGENCE
Service providers don't conduct a SOC examination just because they want one; they request a report because user entities and user entities' auditors demand them. This is the primary driver. When you use a third-party service organization, you're hiring it to do work completely and accurately for the right fee. Part of due diligence and evaluating the completeness and accuracy of the work your service provider performs is to look at its SOC report.

REDUCE AUDITOR PROCEDURES
A company can significantly reduce the effort required by auditors and customers when evaluating a service organization with an effectively structured SOC audit and well-designed controls supported by meaningful test procedures. As such, the better the SOC report, the greater the reliance on testing, with fewer auditor procedures needed by the report users.

COMPETITIVE MEASURE
In some cases, having a SOC audit is the minimum requirement for companies looking to enter a given market or to gain or retain customers.

DEVELOP INTERNAL CONTROLS
A number of organizations requesting SOC audits are start-ups: emerging entities with five to 50 employees. While raising funds or going public, they're looking to develop their internal controls, set up a risk assessment infrastructure, or create sophisticated documentation controls. In these cases, issuing a SOC report can increase the organization's credibility and boost confidence in its management by validating the organization's control environment.

MONITORING CONTROL
Like formal vendor due diligence, SOC reports can help highlight specific controls in place at a service organization. This helps customers understand the core controls they're able to leverage to better monitor performance. By understanding these automated and manual controls, an informed customer is empowered to maintain much tighter oversight of third-party vendors.

COMPLIANCE
Organizations also conduct SOC audits to comply with the requirements of Section 404 of the Sarbanes-Oxley Act (SOX 404) or other financial or business audit requirements. Organizations funded by external financiers may also require the issuance of a SOC report. Similarly, regulatory authorities oftentimes request that companies undertake SOC audits.

REGULATORY CHANGES
The implementation of the Affordable Care Act (ACA) in 2010 added a host of regulatory and compliance requirements, including measures to ensure the privacy of patient data. Health care organizations are required to maintain more stringent controls on privacy and confidentiality, considering the type of information they maintain. This, in turn, has increased the demand for SOC 2 audits on the part of health care organizations. Similarly, HIPAA and HITRUST are driving a rapid increase in demand for SOC reports.


How to Prepare for a SOC Audit

The process for getting a technology service provider started with SOC 1 and SOC 2 is relatively straightforward. Once the preliminary readiness assessment in step 06 below is complete, a timeline can be put in place for the engagement, driven by the results of that assessment.

01 Determine if there's sufficient demand for the SOC audit.
02 Assign a SOC lead and solicit commitment from control owners.
03 Understand the process, time, and effort involved.
04 Select a service auditor.
05 Choose which report to issue: SOC 1, 2, or 3 and a Type 1 or 2 report.
06 Plan and prepare for the SOC audit:
   - Determine impact related to subservice organizations.
   - Self-assess readiness of controls and remediate gaps.
   - Document the system descriptions and controls for the audit.
07 Participate in the examination.

A NOTE ON CONTROLS
There's no ideal ratio in terms of IT controls versus business controls assessed during a SOC examination. In SOC 2 audits, IT controls make up the majority of controls. For SOC 1, the number of controls varies from 15 to 20, or, in some cases, over 200, with IT controls representing up to one-third of the total controls.

Technology service providers should avoid using a universal benchmark for the number of controls; instead, they should focus on a clear understanding of the nature and specificity of the controls required for their unique operating environments and the expectations of their customers given the solutions being brought to market. Neglecting this analysis can lead to an unclear definition of controls, which can then result in unneeded delays in the audit process itself.

In designing these controls, service providers need to have:
- A clear understanding of the controls they currently have and what additional controls they need to have
- The time frame necessary to implement the additional controls

REMEMBER
- The SOC process takes time and effort.
- Select the right service auditor to help you define the scope of controls, the type of audit, and the timing.
- Put in place an effective internal team to help support the audit effort.

TIPS FOR DEFINING CONTROLS
- Leverage existing sources: customer contracts, request for proposal responses, due diligence questionnaires, compliance forms, quality control and internal audits, and competitor reports.
- Start with a solid outline from which you can expand and formalize.
- Review wording and presentation of controls with your service auditor.
- Isolate control activities from the control descriptions.
- Ensure management has a reasonable basis to assert controls and monitor that they're operating effectively.

Aim for Success: Tips to Combat SOC Audit Challenges

The challenges faced by organizations conducting SOC audits vary depending on their operational maturity.

Generally, service providers that are more operationally mature have ample experience in the SOC audit process and look for ways to improve efficiency and reduce cost. Less operationally mature organizations commonly struggle with up-front issues such as failing to properly prepare for a SOC audit and underestimating the formality needed to generate consistent audit evidence.

In contrast, even larger organizations can be susceptible to risks such as underengineering controls to avoid dealing with complex networks of internal stakeholders. Or they may have highly distributed operations that can make it difficult to implement an
