The Audit Committee and SOC Standards

Upload: tate-tryon-cpas

Post on 05-Apr-2018

  • 7/31/2019 The Audit Committee and SOC Standards

    1/30

    Your Audit Committee and the New SOC Standards

    Jeffrey Stefan, CPA, Partner

    Douglas Boedeker, CPA, CMA, Partner

    September 8, 2011

  • Goals for Today

    I. Obtain a basic understanding of the new SOC reports.

    II. Understand the differences between the three types of SOC reports.

    III. Understand other reporting options that may be of interest to Boards and Audit Committees.

    Copyright 2011 Tate & Tryon CPAs and Consultants, September 8, 2011

  • Course Outline

    Why the new reporting options?

    What is SAS 70?

    What are the new options:

    SOC 1: the new SAS 70

    SOC 2: a SAS 70 report that's interesting!

    SOC 3: a SAS 70 report for public consumption

  • Course Outline

    The Trust Services Principles:

    Security

    Availability

    Processing integrity

    Confidentiality

    Privacy

    What else is out there?

    Integrated Examination of Internal Control

    Agreed-Upon Procedures

  • Why the new reporting options?

    SAS 70 became a catch-all for everything!

    AICPA was not pleased with terms like:

    "We're SAS 70 Certified"

    "We're SAS 70 Compliant"

    The movement to outsourced IT services made the problem more pronounced.

  • What was SAS 70?

    Statement on Auditing Standards Number 70, Service Organizations.

    Designed to address a service organization's controls affecting user entities' financial statements.

    Controls over financial reporting.

    Either a Type 1 or a Type 2 report.

    Primarily an auditor-to-auditor communication.

  • The New Reporting Options...

  • SOC 1: the new SAS 70

    Report content:

    Controls at a service organization relevant to a user entity's internal control over financial reporting.

    Intended audience is:

    Management of service & user organizations

    Auditors of the user organizations

    Nature of reports:

    Type 1: control description

    Type 2: control description & operating effectiveness

  • SOC 2: a more interesting SAS 70

    Report content:

    Service organization's controls relevant to:

    Security

    Availability

    Processing integrity

    Confidentiality

    Privacy

    There is flexibility in choosing which controls are to be included in the report.

  • SOC 2: a more interesting SAS 70

    Intended audience is:

    Management of service organizations

    Management of user organizations

    Nature of reports:

    Type 1: control description

    Type 2: control description & operating effectiveness

    Note: A SOC 2 report cannot be combined with a SOC 1 report. They must be separate.

  • SOC 3: a SAS 70 for public consumption

    Report content:

    Service organization's controls relevant to:

    Security

    Availability

    Processing integrity

    Confidentiality

    Privacy

    There is flexibility in choosing which controls are to be included in the report.

  • SOC 3: a SAS 70 for public consumption

    Intended audience is:

    Any user with a need for confidence in the service organization's controls.

    Nature of reports:

    Very short, similar to an auditor's opinion on financial statements.

    No detail of the organization's controls.

  • SOC 3: a SAS 70 for public consumption

    Limitations of SOC 3 reports

    An unqualified opinion cannot be issued if:

    Controls at subservice organizations have been carved out.

    Complementary user-entity controls are significant.

  • The Trust Services Principles (the foundation for SOC 2 & 3)

  • The Security Principle

    Refers to the protection of the system from unauthorized access, both logical and physical.

    Criteria to be tested:

    Policies: were security policies defined and documented?

    Communications: were the policies communicated to the appropriate parties?

    Procedures: are procedures in operation to achieve the goals of the security policies?

    Monitoring: is compliance with the policies monitored?

  • The Availability Principle

    Refers to the accessibility to the system, products, or services as advertised or committed by contract, service-level, or other agreements.

    Criteria to be tested:

    Policies: were availability policies defined and documented?

    Communications: were the policies communicated to the appropriate parties?

    Procedures: are procedures in operation to achieve the goals of the availability policies?

    Monitoring: is compliance with the policies monitored?

  • The Processing Integrity Principle

    Refers to the completeness, accuracy, validity, timeliness, and authorization of system processing.

    Criteria to be tested:

    Policies: were processing integrity policies defined and documented?

    Communications: were the policies communicated to the appropriate parties?

    Procedures: are procedures in operation to achieve the goals of the processing integrity policies?

    Monitoring: is compliance with the policies monitored?

  • The Confidentiality Principle

    Refers to the system's ability to protect the information designated as confidential, as committed or agreed.

    Criteria to be tested:

    Policies: were confidential information policies defined and documented?

    Communications: were the policies communicated to the appropriate parties?

    Procedures: are procedures in operation to achieve the goals of the processing integrity policies?

    Monitoring: is compliance with the policies monitored?

  • The Privacy Principle

    Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity's privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and CICA.

  • The Privacy Principle - Criteria

    Policies - The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.

    Notice - The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained and disclosed.

  • The Privacy Principle - Criteria

    Choice and Consent - The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.

    Collection - The entity collects personal information only for the purposes identified in the notice.

  • The Privacy Principle - Criteria

    Use, Retention, & Disposal - The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations, and thereafter appropriately disposes of such information.

  • The Privacy Principle - Criteria

    Access - The entity provides individuals with access to their personal information for review and update.

    Disclosure to Third Parties - The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.

    Security - The entity protects personal information against unauthorized access.

  • The Privacy Principle - Criteria

    Quality - The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.

    Monitoring & Enforcement - The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related inquiries, complaints, and disputes.

  • What else is out there...

  • Integrated Examination of Internal Control

    Essentially a SOX 404 report.

    Performed in conjunction with a financial statement audit.

    Provides an opinion on the organization's controls over financial reporting.

    Control criteria must be set.

    COSO is the most common criteria used.

    Not a restricted-use report.

  • Agreed-Upon Procedures

    Our favorite option!

    Gives maximum flexibility regarding pricing and work to be performed.

    However, no professional opinion is actually rendered.

    Restricted-use report.

  • Additional resources...

    For additional information on the new SOC reporting framework, here's a handy web site:

    http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/SORHome.aspx

    Contact us with questions!

    Jeff Stefan, 202-419-5104, [email protected]

    Doug Boedeker, 202-419-5106, [email protected]
  • Speaker Biography

    Douglas Boedeker is a partner within Tate & Tryon's Audit and Assurance Services unit and is also actively involved in the Firm's exempt organization tax services group. He has more than 19 years of experience providing an array of audit, tax, and consulting services to a variety of nonprofit organizations and employee benefit plans. He takes particular pride that his family has contained at least one CPA every year since 1923. Doug graduated summa cum laude from Susquehanna University in Selinsgrove, Pennsylvania with a Bachelor of Science degree in accounting while simultaneously completing the coursework for a second major in arts administration. He was also named as the University's recipient of The Wall Street Journal Outstanding Business Student Award.

    Doug is a frequent speaker on a variety of exempt organization tax issues and the Form 990. He recently presented a session on easing the 990 preparation process for CFOs and auditors at the 2011 AICPA Not for Profit Industry Conference. Doug is a coauthor of Guide to the Newest IRS Form 990: Interpreting and Complying with the New Tax Reporting Requirements for Transparency and Accountability (published by ASAE).

  • Speaker Biography

    Jeff Stefan is the partner in charge of Tate & Tryon's auditing practice and has more than 25 years of experience serving the nonprofit sector. In addition to his extensive audit and tax experience, he has provided consulting services to organizations such as The World Bank, Public Company Accounting Oversight Board, and ASAE & The Center for Association Leadership in a variety of areas, including grant compliance, merger due diligence, and internal controls. He has also been called upon to consult on a variety of complex issues such as: fair value accounting (FAS 157), accounting for alternative investments (FAS 133), split interest agreements, endowment accounting (UPMIFA / FSP 117-1), and uncertain tax positions (FIN 48).

    Mr. Stefan has presented and authored articles on many recent accounting and auditing issues including: FASB Staff Position (FSP) FAS 117-1, Endowments of Not-for-Profit Organizations: Net Asset Classification of Funds Subject to an Enacted Version of the Uniform Prudent Management of Institutional Funds Act, and Enhanced Disclosures for All Endowment Funds; Educating Your Board About Audits; and A Summary of the New Audit Risk Standards.