SOC 1 Overview
TRANSCRIPT
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
Background & Overview 01
OVERVIEW
• SSAE 16
• SOC 1
• AT Section 801
• ISAE 3402
SERVICE AUDITORS
SERVICE PROVIDERS
USER ENTITIES
USER AUDITORS
Overview of the AICPA Framework 02
AICPA SOC FRAMEWORK

SOC-1
• Standard/Guidance: SSAE 16: AICPA Guide (2013)
• Scope: ICFR
• Criteria: Control Objectives
• Usage of report: User auditor, user entity, management of SO

SOC-2
• Standard/Guidance: AT 101: AICPA Guide (2013)
• Scope: Security/Systems, Privacy
• Criteria: Trust Services Principles/GAPP
• Usage of report: Knowledgeable parties

SOC-3
• Standard/Guidance: AT 101: Technical Practice Aid (2014)
• Scope: Security/Systems, Privacy
• Criteria: Trust Services Principles/GAPP
• Usage of report: Anyone
Purpose & Scope 03
WHY DO YOU NEED A SOC REPORT?
• Regulatory requirements
• User entity mandates
• Outsourcing relationships
• Internal control analysis
• Independent 3rd party opinion
• Competition and market
SPECIFIED BY THE SERVICE ORGANIZATION
• Operational/Application
• General IT controls
The Boundaries 04
If there is relevance to internal control over financial reporting (ICFR), there is a SOC 1 examination!
BOUNDARIES
• What does SOC 1 cover?

• Limited to specific users
• Limited purpose
The Anatomy 05
REPORT STRUCTURE
• Service Auditor’s Report – “The Opinion”
• Management’s Assertion
• Description of the System
• Tests of Controls and Corresponding Results
• Additional Information – Provided by Service Organization
SERVICE AUDITOR’S REPORT
• Unqualified vs. Qualified
MANAGEMENT’S ASSERTION
• Commitment – suitability and accuracy
• SOX Section 302 certification
• Subservice organizations
SYSTEM DESCRIPTION
Management’s objective description of the services provided to user entities.
TEST OF CONTROLS / RESULTS
• Test procedures
• Results
• Deviations / Exceptions
ADDITIONAL INFORMATION
Information not related to ICFR
Common Challenges and Benefits 05
RELEVANCE TO CUSTOMERS’ ICFR
• Impact on financial reporting
• Legal / regulatory compliance
• Impact on production / quality

• No financial reporting impact
• Misuse of the report

• Accurate use of report
• User auditor expectations
EDUCATION & PREPAREDNESS
• Contracts, RFP, SLA
• AICPA website
• Training and awareness
• Executive communication
• Discussion with service auditor

• Insufficient timing
• Silos / groups

• Demonstrates management’s responsibility and accountability
• Promotes successful examination efforts
CUSTOMER REQUIREMENTS
• Document client needs
• Client discussions
• Decide on report type

• Choosing the correct report
• Trying to meet multiple compliance efforts as a single deliverable

• Meet ICFR regulatory or contractual mandates
• Bolster trust and confidence
• One exam meets multiple customer requests
• Promote a stronger control environment
CARVE-OUT VS INCLUSIVE
• Carve-out method emphasis
• Subservice organization
• Inclusive method requirements

• Obtaining cooperation / documentation for subservice organization(s)

• Focused and tailored report
REPORT TYPE
• Insufficient coverage
• Implementation of controls

• Both attestation reports
• Timeliness of report
• Report coverage and content
RISK ASSESSMENT & SCOPE
• Perform a risk assessment

• Accurate scope
• Control identification

• Pre-planning process
• Better understanding of environment
• Early identification of issues
INTERNAL AUDIT ASSISTANCE
• Direct assistance
• Use work of others

• Learning curve
• Difference in testing strategies

• Professional fees and time
• Understanding of environment
• Evidence gathering and management
READINESS ASSESSMENT
• Internally
• Service auditors

• Inaccurate description of process
• Lack of resources

• Increase success in the audit
• Earlier remediation efforts
• Better preparation
• Documentation of the narrative
REMEDIATION
• Policies/Procedures
• Segregation of duties
• Monitoring

• Insufficient planning
• Resource constraints
• Timely remediation

• Meet ICFR regulatory or contractual mandates
• Bolster confidence
• Promote a stronger control environment
AUDIT FIRM SELECTION
• Licensed CPA firm
• Independent
• Single vendor approach
• Audit team

• Lack of mature methodology
• Remote-only testing
• Use of offshore resources

• Acceptable auditor-to-auditor communication
• Value-added controls assessment process
Download SOC 1 PrepKit
• SOC Overview
• Examination Scoping
• RFP Template
• Sample Report