SSAE 16 Transitions Overview
![Page 1: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/1.jpg)
Service Organization Control Reports
An Overview
![Page 2: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/2.jpg)
Agenda
• Service Organization Control Reporting
– Definitions
– Background
– Report Types and Guidance
• Transitioning to SSAE 16/SOC 1
– Similarities to SAS 70
– Key Differences from SAS 70
• SOC 2 and 3 Reporting
• Reporting Options
• Summary
• Questions
![Page 3: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/3.jpg)
Service Organization Control
Reporting
![Page 4: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/4.jpg)
What are Service Organizations?
• Service Organization – provider of services that may impact a user’s financial reporting or pose a business risk
Services such as:
Cloud computing
Managed security
Financial services customer accounting
Customer support
Sales force automation
Health care claims management and processing
Enterprise IT outsourcing
![Page 5: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/5.jpg)
Definition: Service Auditor
• Service auditor – a CPA who examines and
reports on controls at a service organization
![Page 6: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/6.jpg)
Who are Users?
• Users – typically considered clients of service organization
May need assurance regarding controls over security, availability, processing integrity, confidentiality or privacy
• User Auditor – a CPA who performs an audit of the user’s financial statements
Needs assurance regarding the controls in place at the service organization that impact the user’s financial statements
![Page 7: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/7.jpg)
Background
• Why change?
• SAS 70 has become increasingly misused
• Never intended to offer assurance on compliance or operations
• No such thing as a SAS 70 “certification”
• Convergence with International Standards
• AICPA is seeking to address needs of the marketplace
![Page 8: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/8.jpg)
Background
• Several important changes
– December 2009
• International Auditing and Assurance Standards Board issued new International Standards on Assurance Engagements (ISAE) 3402, Assurance Reports on Controls of Service Organizations
– April 2010
• AICPA issued SSAE 16, Reporting on Controls of Service Organizations (SOC 1)
• First significant modification on the topic since SAS 70 was issued in 1992
• Effective for reporting periods ending on or after June 15, 2011
![Page 9: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/9.jpg)
Background
• Several important changes
– May 2011
• AICPA issued a new guide for attestation engagements (AT 101) using Trust Services Principles (SOC 2)
– June 2011
• Anticipated release of SSAE 16 (SOC 1) reporting guide
![Page 10: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/10.jpg)
Service Organization Control Reports

| | SOC 1 | SOC 2 | SOC 3 |
|---|---|---|---|
| Purpose | Report on controls relevant to user entities’ ICFR¹ | Report on controls related to compliance and operations | Report on controls related to compliance and operations |
| Use of Report | Restricted² | Restricted³ | General |
| Report Detail | Includes testing detail | Includes testing detail | No testing detail |
| AICPA Interpretive Guidance | SSAE 16 and AICPA Guide (forthcoming in June) | AT 101 and AICPA Trust Services Principles/AICPA Guide (SOC 2 guide just issued) | AT 101 and AICPA Trust Services Principles |

¹ Internal Control Over Financial Reporting
² Service organization management, users, user auditors
³ Service organization management, users, knowledgeable parties
![Page 11: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/11.jpg)
Transitioning to SSAE 16
SOC 1 Reporting
![Page 12: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/12.jpg)
Similarities
• SSAE 16 continues the focus on controls likely to be relevant to user entities’ internal control over financial reporting (ICFR)
• SSAE 16 SOC 1 reports will be similar in scope to the current SAS 70 reports
– Type 1
– Type 2
• The format of the reports will not be significantly different
![Page 13: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/13.jpg)
Similarities
• Narrative description of controls: Basis for new description of the system
• Treatment of subservice organizations
Included (inclusive method)
Excluded (carve-out method)
• Intended users of the report
Service organization’s management
Users
User auditors
![Page 14: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/14.jpg)
Key Differences: SAS vs. SSAE
• Attest standard (management assertion), not an audit standard (GAAP)
• Consistency with international standards and existing attestation standards
• Increased focus on service organizations with services relevant to a user organization’s internal control over financial reporting (ICFR)
• Some SAS 70 reports will move to SOC 2 or SOC 3 reports
![Page 15: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/15.jpg)
Key Differences: Management Assertion
A Management Assertion will be included in or attached to the SSAE 16 report
• States*:
The system is fairly presented
The system is suitably designed and implemented
The related control activities were suitably designed to achieve the stated control objectives
The control activities are operating effectively (Type 2 only)
*The auditor’s opinion attests to these statements: as of a specified date for Type 1, throughout the period for Type 2
![Page 16: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/16.jpg)
Key Differences: Management Assertion
• The report will reference that management is responsible for:
Preparing the system description
Providing the stated services
Specifying the control objectives
Identifying the risks
Selecting and stating the criteria for their assertion (e.g. monitoring activities)
Designing, implementing and documenting controls that are suitably designed and operating effectively
![Page 17: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/17.jpg)
Key Differences: Management Assertion
• Auditor’s Opinion – remains in the role of providing assurance regarding management’s assertions (same but more emphasis)
• Auditor is not the entity responsible for the communication (same but more emphasis)
• Subservice organizations must provide a similar assertion when the inclusive method is used
![Page 18: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/18.jpg)
Key Differences: System Description
• Currently a narrative description of controls
• SSAE 16 requires a description of the system
Infrastructure
Software
People
Procedures
Data
![Page 19: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/19.jpg)
Key Differences: System Description
• Components common to existing Descriptions of Controls
Services covered
Period covered
Control objectives and related control activities
Complementary user controls
• For inclusive subservice organizations, add
Related control objectives
Related control activities
![Page 20: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/20.jpg)
Key Differences: System Description
• Additional elements for the Description of the
System
Classes of transactions and details on related
procedures and accounting records
The capturing and addressing of significant events
other than transactions
![Page 21: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/21.jpg)
Key Differences: System Description
• Additional elements for the Description of the
System
Report preparation processes
Other relevant aspects of the organization’s:
Control environment
Risk assessment process
Information and communication systems
Control activities and monitoring controls
![Page 22: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/22.jpg)
Key Differences: Risk Assessment
• Management should:
Identify the risks that threaten the achievement of the stated services
Identify the risks that threaten the achievement of the stated control objectives
Evaluate whether the identified controls sufficiently address the risks to achieving the control objectives
• Risks to Services → Control Objectives
• Risks to Control Objectives → Control Activities
![Page 23: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/23.jpg)
Design of Controls: Based on Risk
Risk Assessment Supporting Control Design
Services Provided → assessment of risks to services leads to: Control Objectives
Control Objectives → assessment of risks to control objectives leads to: Control Activities
![Page 24: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/24.jpg)
Other Key Differences
• Service auditor use of internal audit
– Reliance on / must disclose
– Direct use / no disclosure
• Certain aspects of the opinion apply to the entire period rather than a point in time
– Narrative
– Control design
– Control implementation
![Page 25: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/25.jpg)
Trust Services Principles
SOC 2 and 3 Reporting
![Page 26: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/26.jpg)
SOC 2 Reporting
• Governed by AT 101 – Attestation service
• Criteria for evaluation are the Trust Services Principles (TSP)
• SSAE 16 guidance to be used
• Intended for users seeking assurance around one or more control areas not relevant to the user’s ICFR
• TSP Criteria
• Security
• Availability
• Processing Integrity of the system
• Confidentiality of information processed
• Privacy of information processed
![Page 27: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/27.jpg)
SOC 2 Reporting
• Limited Use report
– Users are generally user entity management, not user auditors
– Service Organization
– Knowledgeable parties
• Helps user entity management
– Obtain information about service organization controls
– Assess and address risks
– Carry out its responsibility for monitoring
![Page 28: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/28.jpg)
SOC 2 Reporting
• Two Types of SOC 2 Reports
– Type 1
• Reports on the fairness of presentation of management’s description of the service organization’s system
• The suitability of the design of controls
• Unlikely to provide sufficient information to assess risks
• Provides an understanding of the system and controls
• May be useful when:
– Organization is new
– Organization recently made significant changes
– For other reasons there is insufficient time or history to perform a Type 2
![Page 29: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/29.jpg)
SOC 2 Reporting
– Type 2
• Same as Type 1 plus
• Service auditor’s opinion on operating effectiveness
• A detailed description of the service auditor’s tests of controls and results
• Will be the most used SOC 2 report type
• Both Types 1 and 2 include management’s assertion
– Included
– Attached
![Page 30: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/30.jpg)
SOC 2 Reporting
• Report Components
– Management’s written assertion about whether, in all material respects and based on suitable criteria:
• Management’s description of the system fairly presents the system that was designed and implemented
• Controls were suitably designed to meet the criteria
• Controls operated effectively (Type 2 only)
• If addressing the privacy principle, management complied with the commitments in its statement of privacy
– All components are for a period of time
– Management must have a reasonable basis for assertion
![Page 31: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/31.jpg)
SOC 3 Reporting
• Governed by AT 101 – Attestation service
• Criteria for evaluation are the Trust Services Principles (TSP)
• Intended for users seeking assurance around one or more control areas not relevant to the user’s ICFR
• TSP Criteria:
• Security
• Availability
• Processing Integrity of the system
• Confidentiality of information processed
• Privacy of information processed
![Page 32: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/32.jpg)
SOC 3 Reporting
• General use report
– Can be published
– For current and prospective customers
– One Type
• Report components like a SOC 2
– Does include management’s written assertion
– Does include a description of the system and its boundaries
– Is for a period of time
• Differences from SOC 2 Report
– Description of the system is less detailed and not covered by the CPA’s report
– No description of tests of effectiveness or their results
– If the privacy principle is addressed, there is no description of compliance or test results
![Page 33: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/33.jpg)
SOC 3 Reporting
• Seal (SysTrust for Service Organizations)
– Can be the delivery vehicle for the report
– Seal displayed on the service organization’s website
– SysTrust is registered by the AICPA and the Canadian Institute of Chartered Accountants (CICA)
– Practitioners must be licensed with CICA to use the seal
![Page 34: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/34.jpg)
Reporting Options
• Multiple report combinations
– SOC 1 and SOC 2
• Services impacting the user’s ICFR and other services with trust services principles concerns
– SOC 2 and SOC 3
• Services not impacting ICFR and a need for use beyond current users, such as marketing to prospects
– SOC 1 and SOC 3
• Services impacting the user’s ICFR and other services with trust services principles concerns or marketing needs
![Page 35: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/35.jpg)
Transition Planning
Action Items for Service Providers
![Page 36: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/36.jpg)
Transition Planning
• Determine effective date for your organization
• Confirm Type of SOC Report
ICFR – SOC 1 (SSAE 16)
Limited Use / Trust Principles – SOC 2
General Use / Trust Principles – SOC 3
![Page 37: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/37.jpg)
Transition Planning
• Develop a Communication Plan
Within your organization
To your clients
Client Internal Audit/Risk Management (i.e., other users of the report)
Marketing material
Web pages
Contractual references
![Page 38: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/38.jpg)
Transition Planning
• Review Scope
Included/excluded services
Services that impact your client’s financial reporting
Key third parties (sub-service organizations)
Identify all relevant 3rd party service organizations
Existence and use of their SAS 70/SSAE 16/SOC 2 Report
Commitments from 3rd party relative to carve out or inclusive method
Contractual /SLA impacts
![Page 39: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/39.jpg)
Transition Planning
• Review System Description
Services
Scope
Classes of Transactions
Third parties (inclusive or carve out)
Risks
Objectives
Controls
![Page 40: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/40.jpg)
Transition Planning
• Assess Control Design
Risk based
Will impact control objectives
Will impact supporting control activities
Consider current SOX or other compliance efforts/governance models and efforts
![Page 41: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/41.jpg)
Transition Planning
• Consider Management Assertion
Review basis for assertion
Review sufficiency of current monitoring processes
Need for direct testing of controls not sufficiently monitored
![Page 42: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/42.jpg)
In Conclusion
• Develop a project plan
• Assign responsibilities
• Monitor the plan
• See Risk / Seek Help
![Page 43: SSAE 16 Transitions Overview](https://reader034.vdocuments.us/reader034/viewer/2022051411/5479b78d5806b56c048b4722/html5/thumbnails/43.jpg)
Contact Information
Jeffrey Paulette
BKD – IT Risk Services
417.865.8701