soc 1 overview


Background & Overview 01



OVERVIEW

• SSAE 16 • SOC 1 • AT Section 801 • ISAE 3402


SERVICE AUDITORS


©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved

SERVICE PROVIDERS


USER ENTITIES


USER AUDITORS


Overview of the AICPA Framework 02



AICPA SOC FRAMEWORK Applicable SOC-1 SOC-2 SOC-3

Standard/Guidance SSAE 16: AICPA Guide (2013)

AT 101: AICPA Guide (2013)

AT 101: Technical Practice Aid

(2014)

Scope ICFR Security/Systems, Privacy Security/Systems, Privacy

Criteria Control Objectives Trust Services Principles/GAPP

Trust Services Principles/GAPP

Usage of report User auditor, user entity, management of SO Knowledgeable parties Anyone


Purpose & Scope 03



WHY DO YOU NEED AN SOC REPORT?

Regulatory requirements User entity mandates Outsourcing relationships Internal control analysis Independent 3rd party opinion Competition and market


Focused on financial reporting risks


SPECIFIED BY THE SERVICE ORGANIZATION

• Operational/Application • General IT controls


The Boundaries 04



If there is internal control over financial reporting relevance, there is

SOC 1 examination!


BOUNDARIES

• What SOC 1 does cover? • What SOC 1 does cover?


BOUNDARIES

• Limited for specific users • Limited purpose


The Anatomy 05



Service Auditor’s Report – “The Opinion”

Management’s Assertion

Description of the System

Tests of Controls and Corresponding Results

Additional Information – Provided by Service Organization

REPORT STRUCTURE


Unqualified vs. Qualified

SERVICE AUDITOR’S REPORT


• Commitment - suitability and accuracy • SOX Section 302 certification • Subservice organizations

MANAGEMENT’S ASSERTION


Objective description of the services

SYSTEM DESCRIPTION


Management’s objective description of the services provided to user entities.

SYSTEM DESCRIPTION


• Test procedures • Results • Deviations / Exceptions

TEST OF CONTROLS / RESULTS


Information not related to ICFR

ADDITIONAL INFORMATION


Common Challenges and Benefits 05



• Impact on financial reporting • Legal / regulatory compliance • Impact on production /quality

RELEVANCE TO CUSTOMERS’ ICFR



• No financial reporting impact • Misuse of the report



• Accurate use of report • User auditor expectations


• Contracts, RFP, SLA • AICPA website • Training and awareness • Executive communication • Discussion with service auditor

EDUCATION & PREPAREDNESS


EDUCATION & PREPAREDNESS • Insufficient timing • Silos / groups


EDUCATION & PREPAREDNESS • Demonstrates management’s

responsibility and accountability • Promotes successful examination

efforts


CUSTOMER REQUIREMENTS • Document client needs • Client discussions • Decide on report type


CUSTOMER REQUIREMENTS • Choosing the correct report • Trying to meet multiple compliance

efforts as a single deliverable


CUSTOMER REQUIREMENTS • Meet ICFR regulatory or contractual

mandates • Bolster trust and confidence • One exam meets multiple customer requests • Promote a stronger control environment


CARVE-OUT VS INCLUSIVE • Carve-out method emphasis • Subservice organization • Inclusive method requirements


CARVE-OUT VS INCLUSIVE • Obtaining cooperation / documentation

for subservice organization(s)


CARVE-OUT VS INCLUSIVE • Focused and tailored report


• Type 1 • Type 2

REPORT TYPE


• Insufficient coverage • Implementation of controls

REPORT TYPE


• Both attestation reports • Timeliness of report • Report coverage and content

REPORT TYPE


Perform a risk assessment

RISK ASSESSMENT & SCOPE


• Accurate scope • Control identification



• Pre-planning process • Better understanding of environment • Early identification of issues



• Direct assistance • Use work of others

INTERNAL AUDIT ASSISTANCE


• Learning curve • Difference in testing strategies



• Professional fees and time • Understanding of environment • Evidence gathering and management



• Internally • Service auditors

READINESS ASSESSMENT


• Inaccurate description of process • Lack of resources



• Increase success in the audit • Earlier remediation efforts • Better preparation • Documentation of the narrative



• Policies/Procedures • Segregation of duties • Monitoring

REMEDIATION


• Insufficient planning • Resource constraints • Timely remediation

REMEDIATION


• Meet ICFR regulatory or contractual mandates • Bolster confidence • Promote a stronger control environment

REMEDIATION


• Licensed CPA firm • Independent • Single Vendor Approach • Audit Team

AUDIT FIRM SELECTION


• Lack of mature methodology • Remote only testing • Use of offshore resources



• Acceptable auditor to auditor communication

• Value-added controls assessment process



• SOC Overview • Examination Scoping • RFP Template • Sample Report

Download SOC 1 PrepKit

http://info.brightline.com/soc-1-prepkit

soc 1 overview

Business

brightline cpas associates

rights reserved user

rights reserved user

rights reserved overview

rights reserved purpose

soc report

aicpa framework

aicpa guide