Recent Changes to SOC Reporting Standards: What You Should Know and How to Prepare
June 28, 2018
Troy Fine - Manager, Risk Advisory Services
Scott Walton - Manager, Risk Advisory Services
Housekeeping Items
• To obtain CPE for this event:
  – Respond to the 3 polling questions.
  – Complete the evaluation form that will be emailed to you approximately one hour after the conclusion of the program.
• CPE Certificates will be emailed out to those that completed the polling questions and online evaluation.
Who Is Schneider Downs?
• One of the top 60 largest accounting and business advisory firms in the United States
• Established in 1956; offices in Pittsburgh, PA and Columbus, OH
• Largest regional independently owned, registered public accounting and business advisory firm in Western Pennsylvania. Approximately 450 personnel in total, including more than 45 shareholders
• Registered with the PCAOB
• Risk Advisory Services
  – SOC Reports
  – Cybersecurity/Penetration Testing
  – SOX Section 404 Compliance
  – Internal Audit Outsourcing/Co-sourcing
  – Risk Assessments
  – Internal Control/Business Process Reviews
Troy Fine
• Manager, Risk Advisory Services
• CPA/CITP, CISA
• Joined Schneider Downs in 2011
• Areas of expertise:
  – SOC 1 and 2 assurance services
  – SOC 2+ assurance services (HITRUST)
  – SOC for Cybersecurity assurance services
  – SOX Section 404 compliance
  – Internal control assessments
  – HIPAA assessments
• Industry experience: Cloud Computing/Software-as-a-Service, Higher Education, Banking, Financial Services, Healthcare, Manufacturing, Nonprofit
• AICPA CITP Credential Committee Member
• Pennsylvania’s CPA Journal Editorial Board Member
Scott Walton
• Manager, Risk Advisory Services
• Joined Schneider Downs in 2008
• CISA, CIA (Certified Internal Auditor)
• 10+ years of experience in Internal Audit / IT Audit
• Experience in delivering information technology general control reviews, security assessments, enterprise risk assessments, internal audit co-sourcing services and process improvement engagements
• Industry Experience: Data Centers, Software-as-a-Service, Higher Education, Financial Services, Healthcare, Manufacturing, Nonprofit, Insurance
• Manages the SOC practice for the Columbus office
Agenda
• Nomenclature Update
• Brief Overview of SOC Reports
• SSAE 18 Updates and Impacts
• SOC 2 Updates and Impacts
• SOC for Cybersecurity Overview
SOC Nomenclature
SOC - System and Organization Controls (no longer Service Organization Controls)
SSAE 18 Attestation Standard (supersedes SSAE 16 Attestation Standard)
SOC Suite of Services
Timeline of Change
• 1992 – SAS 70 – Service Organizations
• 2003 – Trust Services Principles and Criteria (merger between SysTrust and WebTrust)
• 2010 – SSAE 16 Reporting on Controls at a Service Organization
• 2011 – SOC 1, SOC 2, SOC 3
• 2016 – SSAE 18 (AT-C 105, AT-C 205 (SOC 1 & 2), AT-C Section 320 (SOC 1))
• 2017 – SOC for Cybersecurity
• In the near future – SOC for Vendor Supply Chain
System and Organization Controls (SOC)
SOC Suite of Services (diagram): SOC for Service Organizations (SOC 1, SOC 2, SOC 3); SOC for Cybersecurity (New); SOC for Vendor Supply Chain (Under Development)
Polling Question #1
Overview of SOC Reports
Overview of SOC Reports
SOC for Service Organizations
• SOC 1: A report on controls at a Service Organization that are relevant to user entities' internal control over financial reporting.
• SOC 2: A report on a business's nonfinancial reporting controls as they relate to the Trust Services Criteria (security, availability, processing integrity, confidentiality and/or privacy) of a system.
• SOC 3: A report that is based on the Trust Services Criteria, like the SOC 2, but is intended for a general audience and is therefore shorter and includes less detail than a SOC 2.
Overview of SOC Reports
SOC for Cybersecurity
• Report on the effectiveness of an entity’s cybersecurity risk management program.
SOC for Vendor Supply Chain
• Internal controls report on a vendor’s manufacturing processes, for customers of manufacturers and distributors to better understand cybersecurity risks in their supply chains. (Under development by the AICPA)
Overview of SOC Reports
Types of SOC Reports
• Type I: An attestation of controls at a service organization at a specific point in time. Attests on the design of controls.
• Type II: An attestation of controls at a service organization over a period of time. Attests on the design and operating effectiveness of controls.
Components of a SOC Report
Section I: Independent Auditor’s Report
Section II: Management Assertion
Section III: Management’s Description of the System
Section IV: Description of Testing Performed and the Results of Testing for a Type II Examination.
Section V: Other Information Provided by the Service Organization
Components of SOC Reports
Service Auditor’s Report
• On the fairness of the presentation of the system description (except SOC 3)
• The suitability of design and operating effectiveness of the controls to achieve the objectives of the system or program
Components of SOC Reports
Management’s Assertion
• Management’s fair presentation of the system description (except SOC 3)
• The suitability of design and operating effectiveness of the controls to achieve the objectives of the system or program
Components of SOC Reports
Management’s Description of the System
• Of the service organization’s system – (SOC 1, SOC 2 and SOC for Vendor Supply Chain)
• Of the entity’s cybersecurity risk management program – (SOC for Cybersecurity)
SSAE 18 Updates and Impacts
SSAE 18 Updates and Impacts
Statement on Standards for Attestation Engagements
• SSAE 18 (supersedes SSAE 16)
• Significantly restructures the attestation standards into the following sections:
  – AT-C 105 - Common Concepts: matters that relate to all attestation engagements.
  – AT-C 205 - Examinations: the performance and reporting requirements and application guidance.
  – AT-C 320 - Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting
SSAE 18 Updates and Impact
SSAE 18 vs SSAE 16 Differences (cont.)
• Requires the service organization to include two sets of control detail related to subservice organizations.
  – Complementary User Entity Controls
  – Complementary Subservice Organization Controls
  – Both need to be included in management’s description of the system
  – The service organization needs to monitor the effectiveness of the controls at the subservice organization.
Polling Question #2
SOC 2 Updates
SOC 2 Updates – What Changed?
• April 2017 – SOC 2 Trust Services Criteria (TSC) Updated
• April 2018 – SOC 2 System Description Criteria Updated (DC Section 200)
Effective Dates
• Report periods ending on or after 12/16/2018
  – Must use updated 2017 TSC and 2018 Description Criteria
• Report periods ending on or prior to 12/15/2018
  – Can use current versions of TSC and Description Criteria
2017 TSC Updates
• Codified in TSP 100 - 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy
  – Restructured and aligned the TSC with the COSO Internal Control Framework
  – Added supplemental criteria to better address cybersecurity risks
  – Expanded requirements for existing criteria
  – Added Points of Focus
  – Removed the term “Principles” and renamed to “Categories”
Organization of 2017 TSC
2018 Description Criteria Updates
• Codified in DC Section 200 - Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report
  – New disclosures about the service organization’s principal service commitments and system requirements
  – New disclosures about certain security incidents
How to Prepare for SOC 2 Updates
How to Prepare for 2017 TSC
• If you issued a SOC 2 Report using the 2016 TSC in 2017:
  – If SOC 2 examination period end date is on or before 12/15/18:
    • Perform examination using 2016 TSC and 2015 DC
    • Simultaneously, perform a readiness assessment using the 2017 TSC and 2018 DC
    • Review and update system description to ensure it meets the 2018 DC
  – If SOC 2 examination period end date is on or after 12/16/18:
    • Must perform examination using 2017 TSC and 2018 DC
    • Risk having pervasive exceptions that could cause the report to be qualified
    • Consider ending examination period prior to 12/16/18
How to Prepare for 2017 TSC
• If you did not issue a SOC 2 Report in 2017 and have completed a readiness assessment based on the 2016 TSC:
  – If SOC 2 examination period end date is on or before 12/15/18:
    • Perform examination using 2016 TSC and 2015 DC
    • Simultaneously, perform a readiness assessment using the 2017 TSC and 2018 DC
    • Review and update system description to ensure it meets the 2018 DC.
  – If SOC 2 examination period end date is on or after 12/16/18:
    • Must perform examination using 2017 TSC and 2018 DC.
    • Risk having pervasive exceptions that could cause the report to be qualified.
    • Consider ending examination period prior to 12/16/18; or
    • Consider moving examination period start date back and perform a readiness assessment using the 2017 TSC and 2018 DC.
How to Prepare for 2017 TSC
• If you are in the process of engaging a CPA firm to perform a SOC 2 for the first time:
  – Determine customer requirements
    • Services to include
    • Contractual requirements
    • Consider deadlines for providing reports to customers
  – Determine scope of report
  – Engage a CPA firm to perform a readiness assessment using the 2017 TSC and 2018 DC
SOC for Cybersecurity
Polling Question #3
Why SOC for Cybersecurity?
• Boards of Directors and other stakeholders require information about cybersecurity risks and controls.
• No framework existed for a CPA firm to assess the effectiveness of an entity’s cybersecurity risk management program.
Potential Users of the Report
• Board of Directors
• Analysts and Investors
• Business Partners
• Industry Regulators
• Customers
What Is a Cybersecurity Risk Management Program?
An entity’s cybersecurity risk management program is the set of policies, processes, and controls designed to protect information and systems from security events and to detect, respond to, mitigate, and recover from security events that are not prevented.
What Is a SOC for Cybersecurity Report?
• Two Subject Matters
  – Management’s description of the entity’s cybersecurity risk management program
  – The effectiveness of controls within that program to achieve the entity's cybersecurity objectives
• Will cover a specific time period
  – Can be point in time (i.e., design-only exam) under certain circumstances
Components of a SOC for Cybersecurity Report
• Management's description of the entity's cybersecurity risk management program
• Management’s Assertion
• Practitioner’s Report and opinion on whether:
  – the description is presented in accordance with the description criteria and
  – the controls within the entity's cybersecurity risk management program were effective to achieve the entity's cybersecurity objectives based on the control criteria.
Components of a SOC for Cybersecurity Report (Cont.)
• Practitioner's tests of controls and test results are not included.
  – General-use report
What Are the Control Criteria?
• Control Criteria – Benchmark used by the practitioner when evaluating the effectiveness of controls.
  – Suitable Criteria:
    • The criteria for the security, availability, and confidentiality categories (2017 Trust Services Criteria)
  – Other potential suitable control criteria (requires practitioner judgment):
    • NIST Cybersecurity Framework
    • ISO 27001
What Are the Description Criteria?
• Description Criteria – A set of benchmarks to be used when preparing and evaluating the presentation of a description of the entity’s cybersecurity risk management program.
  – The Assurance Services Executive Committee (ASEC) of the AICPA published “Description Criteria for Management’s Description of the Entity’s Cybersecurity Risk Management Program”
Categories of the Description Criteria
• Nature of Business and Operations
• Nature of Information at Risk
• Cybersecurity Objectives
• Factors That Have a Significant Effect on Inherent Cybersecurity Risks
• Cybersecurity Risk Governance Structure
• Cybersecurity Risk Assessment Process
• Cybersecurity Communications and the Quality of Cybersecurity Information
• Monitoring of the Cybersecurity Risk Management Program
• Cybersecurity Control Processes
  – An illustrative SOC for Cybersecurity report is available and includes an example description (https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/illustrative-cybersercurity-risk-management-report.pdf)
How to Prepare for a SOC for Cybersecurity Exam
• Understand the intended users of the report.
• Determine if scope will be entity-wide or over a specific business unit.
• Determine if the examination will cover a period of time or a point in time (design only).
• Write the system description based on the description criteria.
• Determine the control criteria to be used.
• Engage a CPA firm to perform a readiness assessment.
Questions?
Contact Information
Troy Fine – [email protected] - 412-697-5238
Scott Walton – [email protected] - 614-586-7238
Visit our blog for more information on SOC Reports: https://www.schneiderdowns.com/our-thoughts-on
SOC Report FAQs: https://www.schneiderdowns.com/soc-report-faq