SSAE 16 Replacing the SAS 70 Standard AASCIF Super Conference Audit and Statistics October 3, 2012



Presenter


Marc Smith, CPA, CPCU is a partner in Johnson Lambert's Red Bank, New Jersey office, where he is responsible for managing the New York metropolitan area audit practice. In that role, Marc is responsible for the strategic growth of that practice, including client development, engagement management and personnel recruiting. Johnson Lambert & Co. LLP provides audit, advisory and tax services to over 400 insurance entities and is nationally recognized in this industry. He has 17 years of public accounting experience, during which he has provided audit and SOC services to insurance and related industries such as third party administrators and program benefit managers. Marc is a speaker on accounting and audit topics for insurance companies. He serves on the Board of Directors for the Delaware Captive Insurance Association and is also active in the Insurance Accounting and Systems Association.

Today’s Objectives

• Background on SAS 70
• Drivers of Change
• Overview of New Control Report Options
  – SOC 1
  – SOC 2
  – SOC 3

Overview of SAS 70

• History:
  – Statement on Auditing Standards 70 (SAS 70)
  – Issued by the AICPA in 1992
• Purpose:
  – Provide information to user entities and their financial statement auditors
  – Focus on controls at service organizations that are likely to be relevant to user entities' internal control over financial reporting
• Intended use of report:
  – Management of the service organization
  – Entities that used the organization during the period
  – Used by user entity auditors to assist in their assessment of outsourced financial controls while performing a financial statement audit

Common Service Organizations

• Third Party Administrators (i.e., claims processing or managing general agents/underwriters)
• Payroll processors
• Internet service providers (ISPs), data centers and Web hosting
• Organizations that develop and maintain software used by client organizations
• Financial institutions that serve as trustees and record keepers over employee benefit plans (401K & retirement plans)

SAS 70 Types of Reports

• Type I Report
  – Includes the auditor's opinion, management's description of controls and a summary of testing that ensures controls are effectively designed
  – Type I reports are as of a specific date in time (e.g., as of December 31, 2010)
• Type II Report
  – Includes the auditor's opinion, management's description of controls and highlights testing that ensures controls are effectively designed and operating effectively
  – Type II reports are for a specified period of time (e.g., January 1, 2012 through September 30, 2012)
  – Cannot cover less than six months

SAS 70 Marketed Heavily as “Certification” or “Compliance” Report


Drivers of Change

• Significant growth in service organizations and outsourcing over the last 20 years
• International convergence prompted the AICPA to work on a new standard
• In June of 2011, the AICPA introduced the concept of Service Organization Control (SOC) Reporting
• SAS 70 reports no longer exist

New Standards and Options

SERVICE ORG CONTROL 1 (SOC 1)
• Standard: SSAE 16 – Service auditor guidance
• Restricted Use Report (Type I or II report)
• Purpose: Reports on controls for F/S audits

SERVICE ORG CONTROL 2 (SOC 2)
• Standard: AT 101
• Generally a Restricted Use Report (Type I or II report)
• Purpose: Reports on controls related to compliance or operations
• Trust Services Principles & Criteria*

SERVICE ORG CONTROL 3 (SOC 3)
• Standard: AT 101
• General Use Report (with a public seal)
• Purpose: Reports on controls related to compliance or operations
• Trust Services Principles & Criteria*

SOC 1 Standard

• What's staying the same
• Purpose:
  – Provide information to user entities and their financial statement auditors
  – Focus on controls at service organizations that are likely to be relevant to user entities' internal control over financial reporting
• Intended use of report:
  – Management of the service organization
  – Entities that used the organization during the period
  – Used by user entity auditors to assist in their assessment of outsourced financial controls while performing a financial statement audit

SOC 1 – What's Staying the Same

• Service Organization
  – Choice of a Type 1 and Type 2 Report
  – Management to specify control objectives
  – Management to design and implement controls that achieve the control objectives
  – User control considerations
  – Similar sections to report – opinion, description, tests/results, other information
• Service Auditor
  – Opinion continues to cover fair presentation, suitability of design/implementation of the controls and (Type 2) operating effectiveness of controls related to control objectives
  – Ability to use internal audit and/or their work

SOC 1 – What's Changing

• Internal Audit
  – Expanded definition of internal audit to include members of compliance or risk departments performing similar duties
  – When the Service Auditor relies on the work of Internal Audit, disclosure in the report of those tests of controls is required
  – No disclosure necessary when Internal Audit provides direct assistance under supervision of the Service Auditor
• Most Significant Change – Management's assertion
• Risk Assessment
  – Concept of risk assessment not addressed in SAS 70

SOC 1 Standard

• Management's Assertion
  – Management must provide a written assertion that is included in or attached to the description of the system
    • A description of the system (SAS 70 concept) specifies control objectives and related controls
  – Key Components of Management's Assertion
    • The description of controls fairly presents the system that was designed and implemented throughout the specified period
    • The controls were suitably designed to achieve the control objectives throughout the specified period
    • The controls operated effectively throughout the period to achieve those control objectives
    • No requirement for the assertion to be signed – at the option of the service organization

SOC 1 Standard

• Risk Assessment
  – Management must identify risks that threaten the achievement of the control objectives stated in the description of the system
  – Consider the following for each objective:
    • Identify risks for each of the control objectives
    • Document control activities in place to mitigate the risks identified
    • Document the assertions satisfied by the control activity

SOC 2 and SOC 3 Standards

• Significant increase in volume and sophistication of outsourcing arrangements and use of third parties
  – Proliferation of data centers and cloud computing
• Expanding the need for governance reach outside of the user organization
• User perspective
  – Greater demand for detailed understanding of processes and controls at user organizations
  – Service organizations have controls designed and operating effectively over compliance and operational risks

SOC 2 and SOC 3 Standards

• Based on Attestation 101 Standard
• SOC 2 Report Content
  – Auditor's report
  – Management's assertion
  – Management's detailed description of its system
  – Management's listing of the relevant Trust Services Criteria and the controls designed to achieve the criteria
• SOC 3 Report Content
  – Auditor's report
  – Management's assertion
  – Management's description of its system and the boundaries of the system

Comparing SOC Reports

SOC 1
• Who: Users' controller's office and user auditors
• Why: Audit
• What: Controls relevant to user financial reporting

SOC 2
• Who: User departments other than accounting; regulators; others
• Why: Government regulators' programs; oversight; due diligence
• What: Concerns regarding security, availability, processing integrity, confidentiality, and/or privacy

SOC 3
• Who: Any users with a need for confidence in the service organization's controls
• Why: Marketing – "confidence without the detail"
• What: Seal and easy-to-read report on controls

Trust Services Principles and Criteria

Domain – Principle
• Security – The system is protected against unauthorized access (both physical and logical).
• Availability – The system is available for operation and use as committed or agreed.
• Confidentiality – Information designated as confidential is protected as committed or agreed.
• Processing Integrity – System processing is complete, accurate, timely, and authorized.
• Privacy – Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity's privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA.

Example of SOC 2 and 3 Scenarios

Service Provider Scenario: Healthcare – advisory and processing of claims
• Key Risks: Privacy, security; HIPAA compliance
• Principles Reported: Privacy, Security, Confidentiality

Service Provider Scenario: Document Management
• Key Risks: Exposure of sensitive case data; incorrect indexing, cataloging, storage
• Principles Reported: Processing Integrity

Service Provider Scenario: Financial services – SaaS for Equity Trading
• Key Risks: Timely, accurate quote and trade execution; data breach
• Principles Reported: Processing Integrity, Availability

Service Provider Scenario: Communications gateway bridging user entity back office environment and mobile communications carriers
• Key Risks: Exposure of sensitive data being processed and translated; system downtime
• Principles Reported: Availability, Security, Confidentiality

Contact Information

Marc Smith, CPA
Engagement Partner
Direct Phone: (732) 236-9930
Email: [email protected]