1 | Confidential
Evaluating AICPA SOC Reports
A SECURITY MANAGER'S GUIDE TO UNDERSTANDING SOC REPORTING
June 1, 2018
Cybersecurity is your concern… But it’s our business
INTRODUCTION & THANK YOU
AGENDA
• Overview of SOC
• What changed recently with SOC?
• What to look for in a SOC report
• Common Q&A
KEY TERMS
• Service Organization
• Service Auditor
• User Entity
• User Auditor
• SOC Report
COMMON SOC REPORTS
SOC 1 Report (Internal Controls for Financial Reporting)
• Overview: Report over controls relevant to user entity financial reporting (e.g., payroll processing)
• Relevance: If your service impacts financial reporting of your customers.
• Intended users: Management of the service organization; user entities; user auditors

SOC 2 Report (Trust Services Criteria)
• Overview: Report over controls relevant to a service organization system’s security, availability, processing integrity, confidentiality, or privacy
• Relevance: Meeting governance, risk, and compliance programs; oversight; due diligence
• Intended users: Management of the service organization; user entities; user auditors; regulators
COMMON SOC REPORTS (CONT’D)
SOC for Cybersecurity
• Overview: Report on an entity’s Cybersecurity Risk Management Program.
• Relevance: Shows the Cybersecurity program at a high level; only 3 sections; no testing shown
• Intended users: Management of the service organization; Board of Directors; investors; regulators

SOC 3 Report
• Overview: SOC 3 reports address the same subject matter as SOC 2 engagements; however, use of these reports is not restricted
• Relevance: Marketing purposes; general public information; detail not needed
• Intended users: Any users with a need for confidence in the security, availability, processing integrity, confidentiality, or privacy of a service organization’s system
SOC REPORT STRUCTURE
Section 1 - Independent Auditor's Report
• Provides the reader the opinion of the service auditor on the assertion, system description, design, and operating effectiveness to meet the control objectives

Section 2 - Management's Assertion
• Provides the reader the facts and assertions made by management of the service organization related to the system(s) under audit

Section 3 - Description of the System
• Provides the detail of the system(s) being reported on (written by management)
• Includes boundary, infrastructure, controls, commitments, and other system information
• Anything that is included in this section must be able to be audited to meet the control objectives

Section 4 - Auditor's Tests of Controls and Results of Tests
• Shows four columns of information:
  - Objectives related to the criteria of the report
  - Controls in place at the service organization to meet the objectives
  - Auditor's tests of the controls
  - Results of the tests
SOC REPORT “TYPES”
Type 1
• Opinion of the system and design of controls
• How it achieves control objectives in the system description
• As of a specific date
• Does not show tests of controls or results
Type 2
• Same opinion as type 1, plus if the controls are operating effectively
• Opinion is throughout a specified period for the report
• Shows descriptions of the service auditor's tests of controls and results of tests
WHAT HAS CHANGED RECENTLY?
• Terminology: SOC = “System and Organization Controls”
• SSAE 18: Replaces SSAE 16, AT 101, SAS 70
• SOC 2: Security changes; COSO 2013; system description criteria. All are required by Dec 15, 2018
SOC 2 EXAMPLE
Trust Service Category = Security
Trust Service Criteria
WHAT TO LOOK FOR IN A SOC REPORT
• What is in the Assertion? (Categories in scope, what criteria used, subservice orgs, etc.)
• Audit Firm – Peer Reviewed?
• Description Elements (Incidents, scope, CUECs, etc.)
• Controls and Testing
  - Any missing criteria?
  - Exceptions?
  - Covers what you need?
• Opinion – Unqualified?
• Management’s Response
  - Response to exceptions
  - Other information
WHAT IS IN THE ASSERTION?
REPORT OPINION
DIFFERENT REPORT OPINIONS
The opinion issued depends on two factors: the nature of the matter giving rise to the modification, and the service auditor’s professional judgment about the pervasiveness of the effects on the opinion of the description, suitability of design of controls, and operating effectiveness of controls.

Scope Limitation (an inability to obtain sufficient, appropriate evidence)
• Material but Not Pervasive: Qualified Opinion
• Material and Pervasive: Disclaimer of Opinion

Material Misstatements
• Description misstated
• Controls not suitably designed to provide reasonable assurance that the commitments or system requirements were achieved
• Controls not operating effectively
Resulting opinion:
• Material but Not Pervasive: Qualified Opinion
• Material and Pervasive: Adverse Opinion
SYSTEM DESCRIPTION
SYSTEM DESCRIPTION (CONT’D)
SYSTEM DESCRIPTION (CUECS)
SECTION 4 (CONTROL TESTING)
BRIDGE LETTERS
• Serves a purpose after the report period
• Issued by the service organization
• States that there were no changes (or, if there were, what changed) since the end of the report period until the date of the letter
• Often used when you need some assurance, but the service organization hasn’t started the next audit yet
COMMON Q&A
Question: Is a SOC report a certification?
Answer: SOC reports are not certifications. The reports are limited-distribution reports and can be used by the service organization, user entities, and user auditors only.

Question: How are SOC reports distributed?
Answer: SOC reports are issued by the service organization for a specific purpose. The audiences for the reports are clearly defined. The reports are generally limited-distribution reports and have specific restrictions on use.

Question: How often do service organizations undergo a SOC examination?
Answer: There is no requirement on the frequency of obtaining a SOC report. Typically, service organizations undergo SOC examinations on an annual basis.

Question: If the service organization’s data center has a report, can they use the data center report? (think AWS)
Answer: The service organization still needs its own report for the system being reported on. The data center (subservice organization) will be listed in the report as complementary for control purposes.

Question: What is SSAE 16?
Answer: SSAE 16 is the old standard used for SOC 1’s. As of May 2017, all SOC reports follow SSAE 18 standards.
FINAL TALKING POINTS (KEY TAKEAWAYS)
• Know what type of SOC report you need from your service provider (vendor): SOC 1, 2, 3, or Cyber; Type 1 or Type 2
• Read the report for key elements: assertions made; auditor and opinion; description elements; testing and controls; other information (unaudited)
• Know if you need a bridge letter covering the time after the audit period
AICPA SOC REPORTS
Questions?
Jeff Cook
Principal, SOC
[email protected]
@jeffcookcpa
703.935.2242