1 | Confidential
Evaluating AICPA SOC Reports
A SECURITY MANAGER'S GUIDE TO UNDERSTANDING SOC REPORTING
June 1, 2018
Cybersecurity is your concern…But it’s our business
INTRODUCTION & THANK YOU
AGENDA
• Overview of SOC
• What changed recently with SOC?
• What to look for in a SOC report
• Common Q&A
KEY TERMS
• Service organization: the entity that provides the service and whose system and controls the report covers
• Service auditor: the CPA firm that examines the service organization's system and issues the report
• User entity: the customer that uses the service (you, when you are reading your vendor's report)
• User auditor: the auditor of the user entity, who relies on the report (typically a SOC 1) when auditing the user entity's financial statements
• SOC report: the report the service auditor issues on the service organization's system and controls
COMMON SOC REPORTS

SOC 1 Report (Internal Control over Financial Reporting)
• Overview: report on controls relevant to user entities' financial reporting (e.g., payroll processing)
• Relevance: if your service affects your customers' financial reporting
• Intended users: management of the service organization, user entities, user auditors

SOC 2 Report (Trust Services Criteria)
• Overview: report on controls relevant to a service organization system's security, availability, processing integrity, confidentiality, or privacy
• Relevance: meeting governance, risk, and compliance programs; oversight; due diligence
• Intended users: management of the service organization, user entities, user auditors, regulators
COMMON SOC REPORTS (CONT’D)

SOC for Cybersecurity
• Overview: report on an entity's cybersecurity risk management program
• Relevance: shows the cybersecurity program at a high level; only three sections (management's description, management's assertion, and the practitioner's report); no testing shown
• Intended users: management of the service organization, board of directors, investors, regulators

SOC 3 Report
• Overview: addresses the same subject matter as a SOC 2 engagement; however, use of the report is not restricted
• Relevance: marketing purposes; general public information; when detail is not needed
• Intended users: any user who needs confidence in the security, availability, processing integrity, confidentiality, or privacy of a service organization's system
SOC REPORT STRUCTURE

Section 1 - Independent Auditor's Report
• Provides the reader the service auditor's opinion on management's assertion, the system description, the suitability of the design of controls and (in a Type 2 report) their operating effectiveness to meet the control objectives or criteria

Section 2 - Management's Assertion
• Provides the reader the facts and assertions made by management of the service organization about the system(s) under examination

Section 3 - Description of the System
• Provides the detail of the system(s) being reported on (written by management)
• Includes boundary, infrastructure, controls, commitments, and other system information
• Anything included in this section must be auditable against the control objectives or criteria; read it critically, because it defines what the opinion does and does not cover

Section 4 - Auditor's Tests of Controls and Results of Tests
• Shows four columns of information: the objectives or criteria the report addresses; the controls in place at the service organization to meet them; the service auditor's tests of the controls; the results of the tests

Some reports add a Section 5, "Other Information Provided by the Service Organization" (for example, management's responses to exceptions). That section is unaudited and is not covered by the opinion.
SOC REPORT “TYPES”

Type 1
• Opinion on the system description and on the suitability of the design of controls to achieve the control objectives (or criteria) stated in the description
• As of a specific date (a point-in-time snapshot)
• Does not show tests of controls or results, and says nothing about whether the controls operated over time

Type 2
• Same opinion as Type 1, plus whether the controls operated effectively
• Opinion covers a specified period (commonly six to twelve months)
• Shows descriptions of the service auditor's tests of controls and the results of those tests
WHAT HAS CHANGED RECENTLY?
• Terminology: SOC now stands for “System and Organization Controls” (formerly “Service Organization Controls”)
• SSAE 18: supersedes SSAE 16 and AT section 101 (SAS 70 had already been superseded by SSAE 16 in 2011); effective for reports dated on or after May 1, 2017
• SOC 2: revised security criteria (the 2017 Trust Services Criteria), alignment with COSO 2013, and new system description criteria; all are required for report periods ending on or after December 15, 2018
SOC 2 EXAMPLE
Trust Service Category = Security
Trust Service Criteria
WHAT TO LOOK FOR IN A SOC REPORT
• What is in the assertion? (categories in scope, which criteria were used, subservice organizations and whether they are carved out of or included in the scope, etc.)
• Audit firm: is it peer reviewed?
• Description elements (incidents, scope, complementary user entity controls (CUECs), etc.)
• Controls and testing: any missing criteria? Exceptions? Does it cover what you need?
• Opinion: unqualified?
• Management's response: response to exceptions; other information
WHAT IS IN THE ASSERTION?
REPORT OPINION
DIFFERENT REPORT OPINIONS
The modification depends on the nature of the matter giving rise to it and on the service auditor's professional judgment about how pervasive its effects are on the opinion on the description, the suitability of design of controls, and the operating effectiveness of controls.

Nature of matter giving rise to the modification | Material but not pervasive | Material and pervasive
Scope limitation (an inability to obtain sufficient, appropriate evidence) | Qualified opinion | Disclaimer of opinion
Material misstatement (description misstated; controls not suitably designed to provide reasonable assurance that the commitments or system requirements were achieved; controls not operating effectively) | Qualified opinion | Adverse opinion

An unqualified (unmodified) opinion is what you want. For any modified opinion, read the basis-for-modification paragraph in Section 1 to see exactly which controls, criteria, or parts of the description are affected.
SYSTEM DESCRIPTION
SYSTEM DESCRIPTION (CONT’D)
SYSTEM DESCRIPTION (CUECS)
SECTION 4 (CONTROL TESTING)
BRIDGE LETTERS
• Serve a purpose after the report period ends
• Issued by the service organization's management, not by the service auditor, so the letter provides no independent assurance
• States that there were no changes (or, if there were, what changed) in the system and controls between the end of the report period and the date of the letter
• Often used when you need some assurance for the gap but the next examination has not yet started; the letter covers a short gap, so for a longer one ask when the next report will be issued
COMMON Q&A

Q: Is a SOC report a certification?
A: No. SOC reports are not certifications; they are the service auditor's opinion on a system as of a date or over a period. SOC 1 and SOC 2 reports are restricted-use reports, to be used by the service organization, user entities, user auditors, and other specified parties only (SOC 3 is the general-use exception).

Q: How are SOC reports distributed?
A: SOC reports are issued to the service organization for a specific purpose and distributed by it, often under a non-disclosure agreement. The audiences for the reports are clearly defined; the reports are generally restricted-use and carry specific restrictions on use.

Q: How often do service organizations undergo a SOC examination?
A: There is no requirement on the frequency of obtaining a SOC report. Typically service organizations undergo SOC examinations annually, with consecutive Type 2 periods lined up so that no gap is left uncovered.

Q: If the service organization's data center (think AWS) has a report, can the service organization use the data center's report instead of its own?
A: No. The service organization still needs its own report on the system being reported on. The data center is a subservice organization; its controls are described in the report as complementary subservice organization controls and, under the carve-out method, are excluded from the scope of the opinion. To cover those controls, obtain the subservice organization's own report.

Q: What is SSAE 16?
A: SSAE 16 is the old standard used for SOC 1 reports. As of May 2017, all SOC reports follow SSAE 18.
FINAL TALKING POINTS (KEY TAKEAWAYS)
• Know what type of SOC report you need from your service provider (vendor): SOC 1, SOC 2, SOC 3, or SOC for Cybersecurity; Type 1 or Type 2
• Read the report for the key elements: assertions made; auditor and opinion; description elements; testing and controls; other information (unaudited)
• Know whether you need a bridge letter to cover the time after the audit period
AICPA SOC REPORTS
Questions?
Jeff Cook
Principal, SOC
[email protected]
@jeffcookcpa
703.935.2242