The Audit Committee and SOC Standards
-
7/31/2019 The Audit Committee and SOC Standards
Your Audit Committee and the New SOC Standards
Jeffrey Stefan, CPA
Partner
Douglas Boedeker, CPA, CMA
Partner
September 8, 2011
-
Goals for Today
I. Obtain a basic understanding of the new SOC reports.
II. Understand the differences between the three types of SOC reports.
III. Understand other reporting options that may be of interest to Boards and Audit Committees.
Copyright 2011 Tate & Tryon CPAs and Consultants. September 8, 2011
-
Course Outline
Why the new reporting options?
What is SAS 70?
What are the new options?
SOC 1: the new SAS 70
SOC 2: a SAS 70 report that's interesting!
SOC 3: a SAS 70 report for public consumption
-
Course Outline
The Trust Services Principles:
Security
Availability
Processing integrity
Confidentiality
Privacy
What else is out there?
Integrated Examination of Internal Control
Agreed-Upon Procedures
-
Why the new reporting options?
SAS 70 became a catch-all for everything!
AICPA was not pleased with terms like:
"We're SAS 70 Certified"
"We're SAS 70 Compliant"
The movement to outsourced IT services made the problem more pronounced.
-
What was SAS 70?
Statement on Auditing Standards Number 70, Service Organizations.
Designed to address a service organization's controls affecting user entities' financial statements.
Controls over financial reporting.
Either a Type 1 or a Type 2 report.
Primarily an auditor-to-auditor communication.
-
The New Reporting Options...
-
SOC 1: the new SAS 70
Report content:
Controls at a service organization relevant to a user entity's internal control over financial reporting.
Intended audience is:
Management of service & user organizations
Auditors of the user organizations
Nature of reports:
Type 1: Control description
Type 2: Control description & operating effectiveness
-
SOC 2: a more interesting SAS 70
Report Content:
Service organization's controls relevant to:
Security
Availability
Processing integrity
Confidentiality
Privacy
There is flexibility in choosing which controls to be included in the report.
-
SOC 2: a more interesting SAS 70
Intended audience is:
Management of service organizations
Management of user organizations
Nature of reports:
Type 1: Control description
Type 2: Control description & operating effectiveness
Note: A SOC 2 report cannot be combined with a SOC 1 report. They must be separate.
-
SOC 3: A SAS 70 for public consumption
Report Content:
Service organization's controls relevant to:
Security
Availability
Processing integrity
Confidentiality
Privacy
There is flexibility in choosing which controls to be included in the report.
-
SOC 3: A SAS 70 for public consumption
Intended audience is:
Any user with a need for confidence in the service organization's controls.
Nature of reports:
Very short, similar to an auditor's opinion on financial statements.
No detail of the organization's controls.
-
SOC 3: A SAS 70 for public consumption
Limitations of SOC 3 Reports
An unqualified opinion cannot be issued if:
Controls at subservice organizations have been carved out.
Complementary user-entity controls are significant.
-
The Trust Services Principles
(The foundation for SOC 2 & 3)
-
The Security Principle
Refers to the protection of the system from unauthorized access, both logical and physical.
Criteria to be Tested
Policies: were security policies defined and documented?
Communications: were the policies communicated to the appropriate parties?
Procedures: are procedures in operation to achieve the goals of the security policies?
Monitoring: is compliance with the policies monitored?
-
The Availability Principle
Refers to the accessibility of the system, products, or services as advertised or committed by contract, service-level, or other agreements.
Criteria to be Tested
Policies: were availability policies defined and documented?
Communications: were the policies communicated to the appropriate parties?
Procedures: are procedures in operation to achieve the goals of the availability policies?
Monitoring: is compliance with the policies monitored?
-
The Processing Integrity Principle
Refers to the completeness, accuracy, validity, timeliness, and authorization of system processing.
Criteria to be Tested
Policies: were processing integrity policies defined and documented?
Communications: were the policies communicated to the appropriate parties?
Procedures: are procedures in operation to achieve the goals of the processing integrity policies?
Monitoring: is compliance with the policies monitored?
-
The Confidentiality Principle
Refers to the system's ability to protect the information designated as confidential, as committed or agreed.
Criteria to be Tested
Policies: were confidential information policies defined and documented?
Communications: were the policies communicated to the appropriate parties?
Procedures: are procedures in operation to achieve the goals of the confidentiality policies?
Monitoring: is compliance with the policies monitored?
-
The Privacy Principle
Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity's privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and CICA.
-
The Privacy Principle - Criteria
Policies - The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
Notice - The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained and disclosed.
-
The Privacy Principle - Criteria
Choice and Consent - The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
Collection - The entity collects personal information only for the purposes identified in the notice.
-
The Privacy Principle - Criteria
Use, Retention, & Disposal - The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations, and thereafter appropriately disposes of such information.
-
The Privacy Principle - Criteria
Access - The entity provides individuals with access to their personal information for review and update.
Disclosure to Third Parties - The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
Security - The entity protects personal information against unauthorized access.
-
The Privacy Principle - Criteria
Quality - The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
Monitoring & Enforcement - The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy related inquiries, complaints, and disputes.
-
What else is out there...
-
Integrated Examination of Internal Control
Essentially a SOX 404 report.
Performed in conjunction with a financial statement audit.
Provides an opinion on the organization's controls over financial reporting.
Control criteria must be set.
COSO is the most common criteria used.
Not a restricted-use report.
-
Agreed-Upon Procedures
Our favorite option!
Gives maximum flexibility regarding pricing and work to be performed.
However, no professional opinion is actually rendered.
Restricted-use report.
-
Additional resources...
For additional information on the new SOC reporting framework, here's a handy web-site:
http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/SORHome.aspx
Contact us with questions!
Jeff Stefan, 202-419-5104, [email protected]
Doug Boedeker, 202-419-5106,
-
Speaker Biography
Douglas Boedeker is a partner within Tate & Tryon's Audit and Assurance Services unit and is also actively involved in the Firm's exempt organization tax services group. He has more than 19 years of experience providing an array of audit, tax, and consulting services to a variety of nonprofit organizations and employee benefit plans. He takes particular pride that his family has contained at least one CPA every year since 1923. Doug graduated summa cum laude from Susquehanna University in Selinsgrove, Pennsylvania with a Bachelor of Science degree in accounting while simultaneously completing the coursework for a second major in arts administration. He was also named as the University's recipient of The Wall Street Journal Outstanding Business Student Award.
Doug is a frequent speaker on a variety of exempt organization tax issues and the Form 990. He recently presented a session on easing the 990 preparation process for CFOs and auditors at the 2011 AICPA Not-for-Profit Industry Conference. Doug is a coauthor of Guide to the Newest IRS Form 990: Interpreting and Complying with the New Tax Reporting Requirements for Transparency and Accountability (published by ASAE).
-
Speaker Biography
Jeff Stefan is the partner in charge of Tate & Tryon's auditing practice and has more than 25 years of experience serving the nonprofit sector. In addition to his extensive audit and tax experience, he has provided consulting services to organizations such as The World Bank, Public Company Accounting Oversight Board, and ASAE & The Center for Association Leadership in a variety of areas, including grant compliance, merger due diligence, and internal controls. He has also been called upon to consult on a variety of complex issues such as: fair value accounting (FAS 157), accounting for alternative investments (FAS 133), split interest agreements, endowment accounting (UPMIFA / FSP 117-1), and uncertain tax positions (FIN 48).
Mr. Stefan has presented and authored articles on many recent accounting and auditing issues including: FASB Staff Position (FSP) FAS 117-1, Endowments of Not-for-Profit Organizations: Net Asset Classification of Funds Subject to an Enacted Version of the Uniform Prudent Management of Institutional Funds Act, and Enhanced Disclosures for All Endowment Funds; Educating Your Board About Audits; and A Summary of the New Audit Risk Standards.