TRANSCRIPT
Presenting a live 110‐minute teleconference with interactive Q&A
Preparing SOC 1, SOC 2 or SOC 3 Reports: Best Practices
Meeting Challenges Arising From SSAE 16, ISAE 3402 and Other Service Company Control Standards
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
WEDNESDAY, MARCH 7, 2012
Today’s faculty features:
Suzanne Nersessian, Director, National Service Organization Controls Reporting, Deloitte & Touche, Boston
David Palmer, Managing Director, KPMG, Chicago
Nargiz Yusupova, Manager, P&N Consulting, Baton Rouge, La.
Ryan Buckner, Shareholder, BrightLine CPAs & Assoc., Atlanta
For this program, attendees must listen to the audio over the telephone.
Please refer to the instructions emailed to the registrant for the dial-in information. Attendees can still view the presentation slides online. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.
Conference Materials
If you have not printed the conference materials for this program, please complete the following steps:
• Click on the + sign next to “Conference Materials” in the middle of the left-hand column on your screen.
• Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.
• Double click on the PDF and a separate page will open.
• Print the slides by clicking on the printer icon.
Continuing Education Credits FOR LIVE EVENT ONLY
Attendees must listen to the audio over the telephone. Attendees can still view the presentation slides online but there is no online audio for this program.
Attendees must stay on the line for at least 100 minutes in order to qualify for a full 2 credits of CPE. Attendance is monitored as required by NASBA.
Please refer to the instructions emailed to the registrant for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.
Tips for Optimal Quality
Sound Quality
For this program, you must listen via the telephone by dialing 1-866-873-1442 and entering your PIN when prompted. There will be no sound over the web connection.
If you dialed in and have any difficulties during the call, press *0 for assistance. You may also send us a chat or e-mail [email protected] immediately so we can address the problem.
Viewing Quality
To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.
Preparing SOC 1, SOC 2 or SOC 3 Reports: Best Practices Seminar
March 7, 2012
David Palmer, [email protected]
Suzanne Nersessian, Deloitte & [email protected]
Ryan Buckner, BrightLine CPAs & [email protected]
Nargiz Yusupova, P & N Consulting [email protected]
Today’s Program
Introduction To SOC Framework [Suzanne Nersessian] Slide 7 – Slide 10
SOC 1 Review [Suzanne Nersessian] Slide 11 – Slide 23
SOC 2 Review [David Palmer] Slide 24 – Slide 34
SOC 3 Review [Nargiz Yusupova] Slide 35 – Slide 46
Considerations In Selecting An Attestation Examination [Ryan Buckner] Slide 47 – Slide 58
Background: Why The Change
• Original intent of SAS 70
• Growth of service organizations over last 40 years
• SAS 70 used in ways that were never intended
• SAS 70 became a de facto global standard.
• Convergence of U.S. and international standards
8
Changes In Reporting On Controls
I. ISAE 3402 led to the development of SSAE 16.
II. SAS 70 split
A. AU 402
B. SSAE 16
III. Effective date: Periods ending on or after June 15, 2011. Specific to covering internal control over financial reporting
IV. AICPA Practitioner Guide: Usable for both standards, and for practitioners and service organizations alike
V. Allows for the use of the framework/guidance to perform engagements under another standard (e.g., SOC 2)
9
Reporting Standards: AICPA Service Organization Control (SOC) Reports
New Standards & Options
Service Org Control 1 (SOC 1)
  Standard: SSAE 16 – Service auditor guidance
  Report: Restricted Use Report (Type I or II Report)
  Purpose: Reports on controls for F/S audits
Service Org Control 2 (SOC 2)
  Standard: AT 101
  Criteria: Trust Services Principles & Criteria
  Report: Generally Restricted Use Report (Type I or II Report)
  Purpose: Reports on controls related to compliance or operations
Service Org Control 3 (SOC 3)
  Standard: AT 101
  Criteria: Trust Services Principles & Criteria
  Report: General Use Report (w/ public seal)
  Purpose: Reports on controls related to compliance or operations
10
SOC 1 Reports: Purpose/Intended Use
•Purpose
• To provide user entities and their independent auditors with information and a CPA’s opinion about controls at the service organization relevant to user entities’ internal control over financial reporting
• Covers fair presentation, design and operating effectiveness
•Restricted use report
• Management of the service organization
• User entities of the service organization’s system during some or all of the period covered by the report (for Type 2 reports)
• Independent auditors of user entities
•Indirect users
•Does not include potential users
•Intended use
• Report on controls that are likely to be relevant to user entities’ internal controls over financial reporting
• For use in a financial statement audit
12
ISAE 3402 Relationship To SSAE 16: Notable Differences
Use of report
  SSAE 16: Required to include a statement restricting the use of the report to management of the service organization, user entities of the system and user auditors.
  ISAE 3402: Required to state that it is only intended for user entities and their auditors, but does not require inclusion of a statement restricting the use. Does not prohibit the inclusion of restricted use language.
Intentional acts
  SSAE 16: Service auditor considers impact of intentional acts on the description of the system, design and operating effectiveness of controls.
  ISAE 3402: Silent on this requirement.
Use of internal audit
  SSAE 16: Provides for use of internal audit in direct assistance.
  ISAE 3402: Does not provide for the use of internal audit for direct assistance; however, is being considered for adoption.
Subsequent events
  SSAE 16: Service auditor to consider Type 2 subsequent events after the report date.
  ISAE 3402: Limits the service auditor’s disclosure to those events that could affect their opinion (i.e. a type 1 subsequent event).
Deviations/exceptions
  SSAE 16: All exceptions are reported regardless of whether they affect the opinion.
  ISAE 3402: Enables a service auditor to conclude that a deviation identified when performing tests of controls involving sampling is not representative of the population from which the sample was drawn (anomaly).
13
SAS 70 History: Global Environment
• ISAE 3402 – Global
• SSAE 16 – U.S.
• CSAE 3416 – Canada
• DE-IDW PS 951 – Germany
• HKSAE 3402 “Assurance Reports on Controls at a Service Organization” – Hong Kong
• Audit and Assurance Standard (AAF) 1/06 – U.K.
• ASAE 3402 “Assurance Reports on Controls at a Service Organization” – Australia
14
Key Change: Management’s Assertion
• Management is required to provide a written assertion.
o It can be included as a separate section of the report, or
o The assertion can be part of the description of the system – appropriately identified as the assertion.
o Assertion most often (and recommended to be) on company letterhead
• Key components of management’s assertion:
o The description of the system fairly presents the system that was designed and implemented throughout the specified period
o The controls were suitably designed to achieve the control objectives throughout the specified period, including identifying the risks that threaten the achievement of the control objectives.
o The controls operated effectively throughout the period to achieve those control objectives.
17
Key Change: Management’s Assertion (Cont.)
• Signing the assertion
o No requirement to sign
o However, most currently issued reports have been signed.
o May be signed by company or by individuals (most have been individuals)
18
Risk assessment
Key Change: Management’s Assertion (Cont.)
• Service organization management must identify risks that threaten the achievement of the control objectives stated in the description of the system.
• May be formal or informal processes, require ongoing monitoring/updating
• Process commonly takes up-front effort to determine risks or reassess whether any additional risks may exist (for ongoing reports).
Basis for assertion
• Management needs reasonable basis to provide assertion
• No requirements on specific procedures to be performed
• Management may not rely solely on the testing done by the service auditor.
19
Key Change: Management’s Assertion (Cont.)
Common procedures to support the assertion
o Ongoing monitoring activities
― Regular management and supervisory activities
― Sub-certifications
― Review of compliant files
o Separate evaluations
― Internal auditors or other personnel (risk/compliance) performing specific audits/examinations
― Information from external parties (e.g., regulatory reviews)
o Combination of both
Support for assertion
• Management support it will need for its written assertion
• No documentation-retention requirement, but is sound practice
20
Criteria
• Criteria pertain to services provided to a broad range of users that relate to financial reporting of user entities and include:
• Types of services including classes of transactions
• Procedures by which services are provided
• Related accounting records
• How the system captures significant events
• Process used to prepare reports and other information
• Specified objectives and controls
• Other aspects of the control environment, risk assessment, information and communication, and monitoring
• Details of changes during the period
• Does not omit or distort information relevant to the system
21
Ideal Candidate Profile/Use Case
Determine intended use of the report
Consider SOC 1 if:
• Services relate to internal controls over financial reporting of the users
• Receiving requests from independent auditors
• Users and their auditors want to do testing at the service organization
SOC 1 vs. SOC 2
• May not be black or white in all cases
• Don’t solely base decisions on user requests; consider the facts and circumstances
• Both reports may be warranted in certain circumstances
22
Scoping Considerations
•Determine services that will be covered and select the criteria
•Identify users of the report
•Understand how the report will be used (in connection with an audit of financial statements)
•Choose the type of report (Type 1 vs. Type 2); commonly, a Type 1 report is only undertaken in year 1
•Consider reporting periods of the users, in order to drive the SOC 1 examination period
•Identify sub-service organizations
• Inclusive method
• Carve-out method
•Ascertain whether there are complementary user entity controls
•Determine if management has reasonable basis to provide an assertion
23
SOC 2 Reports: Purpose/Intended Use
•To provide management of a service organization, user entities and other specified parties with information and a CPA’s opinion about controls at the service organization
•Focus is on one or more of the following domains:
• Security
• Availability
• Processing integrity
• Confidentiality
• Privacy
25
SOC 2 Reports: Purpose/Intended Use (Cont.)
•Intended use
• Provide user entities with detailed information on the design and operating effectiveness of the service organization’s controls
•However, a SOC 2 report:
• Is not intended to address controls that are relevant to a user entity’s financial reporting
• Is not intended for general distribution
26
SOC 2 Reports: Applicability/Subject Matter
•Since a SOC 2 report is not linked to financial reporting, it can apply to a wide range of systems.
•For example:
• Data center hosting
• Call center operations
• Document management
• Marketing services
• Healthcare case management
•It can also be used to provide additional information on systems that are relevant to financial reporting.
•Since there is no link to financial reporting, the boundaries of the system may be less apparent and need to be clearly defined.
27
Overview Of Trust Services Principles
Domain / Principle
Security: The system is protected against unauthorized access (both physical and logical).
Availability: The system is available for operation and use as committed or agreed.
Confidentiality: Information designated as confidential is protected as committed or agreed.
Processing integrity: System processing is complete, accurate, timely and authorized.
Privacy: Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and CICA.
28
Grouping Of Criteria: Security, Availability, Processing Integrity And Confidentiality
Topic / Focus of Criteria
Policies: Policies relevant to the selected principle(s) are defined and documented.
Communications: Defined policies are communicated to responsible parties and authorized users of the system.
Procedures: Procedures have been placed in operation to achieve the service provider’s objectives in accordance with its defined policies.
Monitoring: The service provider monitors the system and takes action to maintain compliance with its defined policies.
29
Grouping Of Criteria: Privacy
Topic / Focus of Criteria
Management: The entity defines, documents, communicates and assigns accountability for its privacy policies and procedures.
Notice: The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained and disclosed.
Choice and consent: The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use and disclosure of personal information.
Collection: Personal information is only collected for the purposes identified in the notice.
Use, retention and disposal: Limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. Personal information is retained only as long as necessary to fulfill the stated purposes or as required by law or regulation, and then appropriately discarded.
Access: Individuals are provided access to their personal information for review and update.
Disclosure to third parties: Personal information is only disclosed to third parties for the purposes identified in the notice and with the implicit or explicit consent of the individual.
Security for privacy: Personal information is protected against unauthorized access (both physical and logical).
Quality: The entity maintains accurate, complete and relevant personal information for the purposes identified in the notice.
Monitoring and enforcement: The entity monitors compliance with its privacy policies and procedures, and has procedures to address privacy-related inquiries, complaints and disputes.
30
Summary Of SOC2/3 Criteria Topics
Security: IT security policy; Security awareness and communication; Risk assessment; Logical access; Physical access; Environmental controls; Security monitoring; User authentication; Incident management; Asset classification/mgt.; Systems development and maintenance; Personnel security; Configuration mgt.; Change management; Monitoring/compliance
Availability: Availability policy; Back-up and restoration; Disaster recovery; Business continuity management; Incident management; Systems development; Security; Change management; Availability monitoring
Confidentiality: Confidentiality policy; Confidentiality of inputs; Confidentiality of data processing; Confidentiality of outputs; Information disclosures (including third parties); Confidentiality of information in systems; Incident management; Security; Change management; Monitoring/compliance
Processing Integrity: System processing integrity policies; Completeness, accuracy, timeliness and authorization of inputs, system processing and outputs; Information tracing, from source to disposition; Incident management; Security; Change management; Monitoring/compliance
Privacy: Privacy policies; PII classification; Risk assessment; Incident and breach management; Provision of notice; Choice and consent; Collection; Use and retention; Disposal; Access; Disclosure to third parties; Security (logical and physical); Quality; Monitoring and enforcement
31
Ideal Candidate Profile/Use Case
•Entities that rely on service organizations and want detailed information on the service organizations’ controls include:
• Vendor management programs
• GRC programs
• Regulatory compliance
• Due diligence
32
Example SOC 2SM Use Cases
Service Provider Scenario / Key Risks / Principles Reported
Healthcare: Advisory and processing of claims
  Key risks: Privacy, security; HIPAA compliance
  Principles reported: Privacy
Provider of targeted marketing campaigns
  Key risks: Timeliness and accuracy in execution of marketing campaigns; Security
  Principles reported: Processing integrity; Confidentiality
Financial services: SaaS for equity trading
  Key risks: Timely, accurate quote and trade execution; Data breach
  Principles reported: Processing integrity; Availability
Communications gateway bridging user entity back office environment and mobile communications carriers
  Key risks: Exposure of sensitive data being processed and translated; System downtime
  Principles reported: Availability; Security; Confidentiality
Document management
  Key risks: Exposure of sensitive case data; Incorrect indexing, cataloging, storage
  Principles reported: Confidentiality; Processing integrity
33
Scoping Considerations
•How will the report be used and by whom?
•Which principle(s) are applicable?
•Type 1 vs. Type 2 report and period to be addressed
•Are there sub-service organizations?
•Is there a need for complementary user entity controls?
34
Agenda For This Section
• Purpose/intended use
• Applicability/subject matter
• Ideal candidate profile/use cases
• Examination process
• Scoping considerations
• SOC seal and registration process
36
SOC 3 Reports: Purpose And Intended Use
Report purpose
• Service organization to general public communication
• General use report
• Can be freely distributed/promoted with the AICPA SOC 3 seal on the service organization’s Web site
Intended audience
• General public
Standards under which engagement is performed
• AT 101, attestation engagements
• AICPA technical practice aid, trust services principles, criteria and illustrations
37
SOC 3 Reports: Purpose And Intended Use (Cont.)
Included in the report • Statement whether the system achieved the applicable trust services principles, criteria and illustrations
• Addresses one or more of the following key system attributes: Security, availability, processing integrity, confidentiality or privacy
NOT included in the report
• Financial controls related to compliance and operations at a service organization
• Description of the systems
• Detailed description and results of tests of controls
38
SOC 3 Reports: Applicability/Subject Matter
• Trust services report for service organization
• Uses pre-defined criteria in trust services principles and criteria
• Security
• Availability
• Confidentiality
• Processing integrity
• Privacy
• Can be issued on one or multiple trust services principles
39
Ideal Candidate/Example Use Cases
Users who want assurance on the controls at a service organization related to security, availability, processing integrity, confidentiality or privacy but do not have the need for or the knowledge necessary to make effective use of a SOC 2 report
Key Risks | Principles Reported | Principle Objective
Theft of credit card information | Security | Secure sites for e-commerce
Unavailability of service for a significant period of time | Availability | Ability to meet critical needs of business customers
Disclosure of confidential information such as legal documents | Confidentiality | Compliance with confidentiality practices
Loss, duplication processing, corruption of electronic business transactions | Processing integrity | Business transactions processed completely and accurately
Exposure of personal information | Privacy | Customer privacy
40
Examination Process
Principle selection and assessment
• Select one or more trust service principles and criteria
• Point-in-time vs. period of time
Reporting
• SOC 3 report
• Brief unaudited system description
• Auditor’s opinion on compliance with the specified trust services principles and criteria
SOC3 seal
• Compliance with selected criteria
• License to display seal on Web site
41
Scoping Considerations
AICPA, SOC2 [1.19]:
• All applicable trust services criteria must be met.
• All applicable subservice organizations must be included.
• Significance of complementary user-entity controls
42
SOC Seal And Registration Process
• SOC3 SysTrust for service organizations
• Managed between American Institute of CPAs (AICPA) and Canadian Institute of Chartered Accountants (CICA)
• Complete assessment based on the trust services principles and criteria
• An unqualified attestation report
• Valid for one year
• License to display the seal on Web site
• Licensing fee
43
SOC Seal And Registration Process (Cont.)
Monitoring seals
• Seal renewal
o Valid for one year plus 90 days grace period
• Revoking or suspending seals
o Fail to comply with the trust services principles & criteria
o Fail to renew the seal
• Restoring seals
o If unqualified report can be rendered
• Suspending a practitioner
o Practitioner’s firm is no longer a member in good standing
45
SOC Seal And Registration Process (Cont.)
Online trust services page
You have arrived here from a SysTrust SM/TM or WebTrust SM/TM certified site. The
applicable SysTrust or WebTrust Seal of assurance symbolizes that this site has
been examined by an independent accountant. Further, the Seal represents the
practitioner’s report (see below) on management's assertion(s) that the entity's
business being relied upon is in conformity with the applicable Trust Services
Principle(s) and Criteria …
Trust services principle(s) and criteria
Audit report link
Trust services and criteria links
46
CONSIDERATIONS IN SELECTING AN ATTESTATION EXAMINATION
Ryan Buckner, BrightLine CPAs & Assoc.
Objectives For This Section
• Comparison summary of SOC reporting options
• Recap on the proper use of SOC reports
• Avoiding the common SOC reporting pitfalls
• Utilizing other attestation options
48
Comparison Of SOC Reports
SOC Report / Purpose / Typical External Users
SOC 1SM
  Purpose: Provide information to users regarding the outsourced services and the controls likely relevant to user entities’ internal control over financial reporting. The information provided is useful for the user entities’ financial statement auditors during their risk assessment and financial audit planning. Always restricted‐use.
  Typical external users: Management of user entities; Financial statement auditors of user entities
SOC 2SM
  Purpose: Provide information to users regarding the outsourced services and the controls relevant to one or more of the trust service principles (security, availability, processing integrity, confidentiality and/or privacy). Generally restricted use.
  Typical external users: Current or prospective customers concerned with the TSP; Regulators; Other interested and authorized parties
SOC 3SM
  Purpose: Provide information to users regarding the outsourced services and assurance on one or more of the trust service principles; similar to SOC 2 but without the controls and tests. General use.
  Typical external users: Any interested party
49
Comparison Of SOC Reports (Cont.)
SOC Report / Scope (Subject Matter) / Period Of Coverage
SOC 1SM (SSAE 16)
  Scope: A description of the outsourced services performed by the service organization(s), based on pre‐defined minimum description criteria, and the controls that are likely relevant to user entities’ internal control over financial reporting
  Period of coverage: Point‐in‐time (Type 1); Period of time (Type 2)
SOC 2SM (AT Sect. 101)
  Scope: A description of the outsourced services performed by the service organization, based on predefined minimum description criteria, and the controls relevant to one or more of the trust service principles (security, availability, processing integrity, confidentiality and/or privacy) and applicable pre‐defined criteria. Additional subject matter is allowed, provided it meets certain minimum guidelines.
  Period of coverage: Point‐in‐time (Type 1); Period of time (Type 2)
SOC 3SM (AT Sect. 101)
  Scope: Provide information to users regarding the outsourced services and assurance on one or more of the trust service principles
  Period of coverage: Point‐in‐time; Period of time
50
Comparison Of SOC Reports (Cont.)
Report Component (SOC 1 / SOC 2 / SOC 3)
• Opinion letter
• Management assertion(s)
• Detailed description of the system
• Control objectives and controls (SOC 1); Trust services principles, criteria and controls (SOC 2); Trust services principles, criteria and controls selected by the service organization (SOC 3)
• Tests of controls and results of testing (Type 2 reports only)
• Optional additional information
• AICPA logo use
• Seal (requires AICPA licensing and fee)
51
Choosing The Best Report
Key considerations
• What needs to be communicated? ICFR controls? Privacy controls? Regulatory compliance?
• How will it be communicated? Seal on Web site? Report only?
• Who is the intended audience? Existing customer? Regulatory entity? Everyone?
• What are the intended uses? Financial statement audit? Due diligence assessment?
52
Understanding Proper Use Of SOC Reports
How To Identify The SOC Report That Is Right For You
Will the report be used by your customers and their auditors to plan and perform an audit or integrated audit of your customer’s financial statements? Yes: SOC 1 report
Will the report be used by your customers as part of their compliance with the Sarbanes‐Oxley Act or similar law or regulation? Yes: SOC 1 report
Will the report be used by your customers or stakeholders to gain confidence and place trust in a service organization’s systems? Yes: SOC 2 or SOC 3 report
Do you need to make the report generally available or seal? Yes: SOC 3 report
Do your customers have the need for, and ability to, understand the details of the processing and controls at a service organization, the tests performed by the service auditor and results of those tests? Yes: SOC 2 report. No: SOC 3 report
Source: www.aicpa.org/soc
53
Avoiding Common SOC Reporting Pitfalls
I. Improper report selection
• RFP pressure from misinformed customers and prospects
• Misinformation based on industry “pundits” (e.g., data centers or cloud providers do not need SOC 1; SOC 2 is “better”)
• Incompatible scope (subject matter)
• Non-ICFR controls in SOC 1 report
• Pre-defined TSP criteria incongruent with business operations and controls
• Need to communicate regulatory compliance or other set of benchmarks separately from TSP principles and criteria
II. Lack of preparedness
• Lack of understanding of reporting options
• Lack of understanding of SOC reporting requirements
• Immaturity of system and related controls
• Little monitoring of control effectiveness
• Treatment of related, relevant 3rd parties (inclusive vs. carve-out rep. methods)
54
Avoiding Common SOC Reporting Pitfalls (Cont.)
III. Overly complex or hybrid SOC reports
• “Information not covered by the service auditor’s report” in SOC 1 reports
• “Additional subject matter” in SOC 2 reports
• PCI, HIPAA, CSA-CCM
IV. Insufficient review period selection
V. Improper communication of the completion of the SOC engagement
• Unauthorized logos and seals
• “Certifications”
• Press release guarantees or unfounded conclusions
55
Is SOC Report The Best Option?
I. Key considerations
• Applicability of the SOC report
• No ICFR impact
• No ability or desire to effectively benchmark against the TSP
• Specific needs of management
• Pre-defined analysis procedures
• Flexibility in reporting
• Specific use of the report
• Single customer demand
• Compliance with regulations, standards, contracts, etc.
56
Non‐SOC Reporting Options: AT Sect. 101
AT Section 101
• Foundation for all attestation engagements
• Allows for increased flexibility and customized scope (subject matter)
• Agreed-upon procedures engagements – AT Sect. 201
• Compliance Attestations – AT Sect. 601
• General attestations
Attestation
Opinion letter
Management’s assertion letter
Customized subject matter
Optional additional information
57
Conclusion
• Know your options
• Speak with a competent professional regarding your reporting needs and options
• Understand the proper channels for sharing your report
• When necessary, consider non-attest options as well (e.g., ISO 27001)
58