
Evaluating AICPA SOC Reports

A SECURITY MANAGER'S GUIDE TO UNDERSTANDING SOC REPORTING

June 1, 2018

Cybersecurity is your concern…But it’s our business


INTRODUCTION & THANK YOU


AGENDA

• Overview of SOC

• What changed recently with SOC?

• What to look for in a SOC report

• Common Q&A


KEY TERMS

• Service Organization: the provider whose system is examined (e.g., a SaaS vendor or payroll processor)

• Service Auditor: the CPA firm that examines the service organization's controls and issues the report

• User Entity: the customer that uses the service and relies on the service organization's controls

• User Auditor: the user entity's own auditor, who relies on the SOC report when auditing the user entity

• SOC Report: the deliverable of the examination (auditor's report, management's assertion, system description, and, for Type 2, tests of controls and results)


COMMON SOC REPORTS

SOC 1 Report (Internal Control over Financial Reporting)

• Overview: Report over controls relevant to user entity financial reporting (e.g., payroll processing)

• Relevance: If your service impacts the financial reporting of your customers

• Intended Users: Management of the service organization; user entities; user auditors

SOC 2 Report (Trust Services Criteria)

• Overview: Report over controls relevant to a service organization system's security, availability, processing integrity, confidentiality, or privacy

• Relevance: Meeting governance, risk, and compliance programs; oversight; due diligence

• Intended Users: Management of the service organization; user entities; user auditors; regulators


COMMON SOC REPORTS (CONT’D)

SOC for Cybersecurity

• Overview: Report on an entity's cybersecurity risk management program (entity-wide, not limited to a single service organization system)

• Relevance: Shows the cybersecurity program at a high level; only 3 sections (management's description, management's assertion, practitioner's report); no testing shown

• Intended Users: Management of the entity; board of directors; investors; regulators

SOC 3 Report

• Overview: Addresses the same subject matter as a SOC 2 engagement; however, use of the report is not restricted (it is a general-use report)

• Relevance: Marketing purposes; general public information; detail not needed

• Intended Users: Any users with a need for confidence in the security, availability, processing integrity, confidentiality, or privacy of a service organization's system

• Caveat: A SOC 3 contains the auditor's opinion but not the detailed system description or the tests of controls and results, so it cannot substitute for a SOC 2 when you need to evaluate specific controls


SOC REPORT STRUCTURE

Section 1 - Independent Auditor's Report

• Provides the reader the opinion of the service auditor on management's assertion, the system description, the design of controls and (for a Type 2) their operating effectiveness in meeting the control objectives or criteria

Section 2 - Management's Assertion

• Provides the reader the facts and assertions made by management of the service organization about the system(s) under examination

Section 3 - Description of the System

• Provides the detail of the system(s) being reported on (written by management)

• Includes boundary, infrastructure, controls, commitments, and other system information

• Anything included in this section must be auditable against the control objectives or criteria

Section 4 - Auditor's Tests of Controls and Results of Tests

• Shows four columns of information:

• Objectives or criteria the report covers

• Controls in place at the service organization to meet them

• Auditor's tests of the controls

• Results of the tests (including any exceptions noted)


SOC REPORT “TYPES”

Type 1

• Opinion on the system description and the design of controls

• Whether the controls, as designed, achieve the control objectives (or criteria) in the system description

• As of a specific date (a point in time)

• Does not show tests of controls or results, so it gives no evidence that the controls actually operated

Type 2

• Same opinion as Type 1, plus whether the controls operated effectively

• Opinion covers a specified period (typically at least six months, commonly twelve)

• Shows descriptions of the service auditor's tests of controls and the results of those tests

• For vendor due diligence, a Type 2 is the report to ask for; a Type 1 is usually a first-year or transitional report


WHAT HAS CHANGED RECENTLY?

Terminology: SOC now stands for “System and Organization Controls” (formerly “Service Organization Control”)

SSAE 18: Effective for reports dated on or after May 1, 2017; supersedes SSAE 16 (which itself replaced SAS 70 in 2011) and AT section 101

SOC 2:

• Security changes in the 2017 Trust Services Criteria

• Criteria aligned to the COSO 2013 internal control framework

• New system description criteria (DC section 200)

• All are required for report periods ending after December 15, 2018


SOC 2 EXAMPLE

(Slide shows a sample excerpt: Trust Services Category = Security, with the related Trust Services Criteria)


WHAT TO LOOK FOR IN A SOC REPORT

• What is in the assertion? (Categories in scope, what criteria were used, subservice organizations and whether they are carved out or included, etc.)

• Audit firm: peer reviewed? (Look the firm up in the AICPA Peer Review Program)

• Description elements (incidents, scope, complementary user entity controls (CUECs), etc.)

• Controls and testing:

- Any missing criteria?

- Exceptions?

- Covers what you need?

• Opinion: unqualified?

• Management's response:

- Response to exceptions

- Other information (unaudited)


WHAT IS IN THE ASSERTION?


REPORT OPINION


DIFFERENT REPORT OPINIONS

The opinion is modified according to the nature of the matter giving rise to the modification and the service auditor's professional judgment about how pervasive its effects are on the description, the suitability of design of controls, and the operating effectiveness of controls:

Nature of matter                                      | Material but Not Pervasive | Material and Pervasive
------------------------------------------------------|----------------------------|-----------------------
Scope limitation (inability to obtain sufficient,     | Qualified opinion          | Disclaimer of opinion
appropriate evidence)                                 |                            |
Material misstatement (description misstated;         | Qualified opinion          | Adverse opinion
controls not suitably designed to provide reasonable  |                            |
assurance that the commitments or system requirements |                            |
were achieved; controls not operating effectively)    |                            |

Anything other than an unmodified (unqualified) opinion should send you to the basis-for-modification paragraph in Section 1 to see exactly which criteria or controls are affected.


SYSTEM DESCRIPTION


SYSTEM DESCRIPTION (CONT’D)


SYSTEM DESCRIPTION (CUECS)


SECTION 4 (CONTROL TESTING)


BRIDGE LETTERS

• Serves a purpose after the report period: covers the gap between the end of the report period and the date of the letter

• Issued by the service organization's management, not by the service auditor; it is a management representation and is not audited

• States that there were no changes (or, if there were, what changed) to the system and controls since the end of the report period up to the date of the letter

• Often used when you need some assurance but the service organization has not yet started (or completed) the next examination

• Typically covers a short gap (a few months); a bridge letter cannot extend a report indefinitely, so check the date of the letter against the period you need covered


COMMON Q&A

Q: Is a SOC report a certification?

A: No. SOC reports are not certifications; they are an auditor's examination report and opinion. SOC 1 and SOC 2 reports are limited-distribution reports and can be used by the service organization, user entities, and user auditors only.

Q: How are SOC reports distributed?

A: SOC reports are issued by the service organization for a specific purpose. The audiences for the reports are clearly defined. The reports are generally limited-distribution reports and have specific restrictions on use (a SOC 3 is the exception and may be distributed freely).

Q: How often do service organizations undergo a SOC examination?

A: There is no requirement on the frequency of obtaining a SOC report. Typically service organizations undergo SOC examinations on an annual basis.

Q: If the service organization's data center (think AWS) has a report, can they use the data center report?

A: The service organization still needs its own report for the system being reported on. The data center is a subservice organization and is handled in the report either by the carve-out method (its controls are excluded from the description and identified as complementary subservice organization controls, CSOCs, that the reader must evaluate separately) or by the inclusive method (its controls are included in the description and tested). If the data center is carved out and you rely on its controls, obtain the data center's own report as well.

Q: What is SSAE 16?

A: SSAE 16 is the old standard used for SOC 1 reports (SOC 2 and SOC 3 were issued under AT section 101). As of May 2017, all SOC reports follow SSAE 18.


FINAL TALKING POINTS (KEY TAKEAWAYS)

• Know what type of SOC report you need from your service provider (vendor): SOC 1, 2, 3, or SOC for Cybersecurity; Type 1 or Type 2

• Read the report for the key elements: assertions made; auditor and opinion; description elements; testing and controls; other information (unaudited)

• Know if you need a bridge letter for the period after the audit period


AICPA SOC REPORTS

Questions?

Jeff Cook
Principal, SOC
[email protected]
@jeffcookcpa
703.935.2242