
Post on 27-Jul-2018


IT ADVISORY
KPMG ADVISORY

How to effectively use Service Organization Control (SOC 2 and SOC 3) Reports for increased Assurance over Outsourced Controls regarding Security, Availability, Processing Integrity, Confidentiality and Privacy

THE CHALLENGE

You are a service organization managing critical systems, storing and processing private and/or confidential client information, and/or processing transactions for multiple clients.

• New IT technologies (virtualization, cloud computing, mobile computing) are becoming increasingly part of your service offering and/or supporting your operational processes

• Your clients are becoming increasingly demanding as to the measures taken to protect their private and/or confidential information and to ensure availability of their systems

• Deficiencies in the security offered by you may result in the release of client information and lead to reputational damage both to you and your clients

• Real or perceived security breaches may cause your clients to believe that your organization is unable to conduct business securely and responsibly

• Your clients' assurance needs are not fully satisfied by currently employed certifications (e.g., ISO 27001)

• Clients are demanding additional insight into the system and related controls, design and control implementation, as well as assurance regarding the operating effectiveness of these controls

• You are confronted with multiple visits from your clients' auditors and requests to complete detailed security questionnaires or checklists about your controls environment

• You must demonstrate your ability to meet your clients' compliance needs and strengthen their confidence in your ability in an increasingly competitive environment.

KPMG APPROACH

Diagnostic Review

For service organizations that are new to the SOC 2 examination process, we recommend that a "SOC 2 Diagnostic Review" be performed. The purposes of the review are to focus on key areas that will be covered in the upcoming SOC 2 examination and to identify the control weaknesses that may need to be corrected before the attestation engagement period begins.

In addition, during the Diagnostic Review, we will assist you in identifying and documenting your controls. This is ordinarily a significant component of management's effort during the preparation of the first such report.

Type I report

A Type I report contains a description of the service organization's system at a specific point in time. In a Type I report, the service auditor will express an opinion on (1) whether management's description of its system fairly presents the system that was designed and implemented as of a specific date and (2) whether the controls stated in management's description of its system were suitably designed to meet the applicable trust services criteria as of a specified date. An initial Type I report normally serves as the starting point for subsequent Type II examinations.

Type II report

A Type II report contains a description of the service organization's controls for a defined period of time. In a Type II report, the service auditor will express an opinion on the two items included in a Type I report. He/she will also conclude whether the controls were operating with sufficient effectiveness to provide reasonable assurance that the applicable trust services criteria were met during the examined period. A Type II report also includes detailed results of the testing of the service organization's controls over the specified period of time.

CREDENTIALS

KPMG is a global leader in delivering Service Organization Control (SOC) reporting services. KPMG's IT Attestation practice consists of a globally accredited network of partners and professional staff who provide a range of IT attestation services to help organizations satisfy their third-party assurance requirements. We have established a global accreditation process to help ensure consistency and quality in the delivery of attestation and assurance services, including SOC 1, SOC 2 and SOC 3 examinations and Agreed Upon Procedures. We have over 1,000 professionals fully trained in the SOC examination process through our global IT Attestation Instructor network.

YOUR BENEFITS

• A traditional SOC 1 report (ISAE 3402 report, formerly known as SAS 70 report) is designed to meet your clients' related needs for financial statement audits, but does not necessarily meet needs related to operations and compliance. A SOC 2 report that focuses on one or more of the trust services principles (security, availability, processing integrity, confidentiality and privacy) does.

• A SOC 2 report has the same look and feel as a SOC 1 report and provides your clients with sufficient information (independent service auditor's opinion, management assertion, system description, tests performed by the service auditor and test results) to satisfy their assurance needs

• Under certain conditions, a short form report (a SOC 3 report) may be generally distributed, with the option of displaying a website seal

• Competitive Advantage/Necessity

• Reduced Effort Supporting Client-Specific Security Questionnaires/Audits

• Increased Internal Assurance Regarding Security and Related Controls

• Proactive Response to Customer Oversight of Security, Privacy, and Data Risks

© 2012 KPMG Advisory, a Belgian civil CVBA/SCRL and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. Printed in Belgium.

CONTACT

Stephan Claes, Partner
KPMG IT Advisory
T: +32 2 708 48 50  E: sclaes3@kpmg.com

Dirk Timmerman, Executive Director
KPMG IT Advisory
T: +32 2 708 43 59  E: dtimmerman@kpmg.com
