Copyright © 2011 Deloitte Development LLC. All rights reserved. Navigating Guidance Changes for Service Organization Control (SOC) Reports NSAA 2011 Annual Conference Deloitte & Touche LLP June 16, 2011


Page 1

Navigating Guidance Changes for Service Organization Control (SOC) Reports

NSAA 2011 Annual Conference
Deloitte & Touche LLP
June 16, 2011

Page 2

Agenda

• Overview

• Consideration of Changes to SSAE 16

• Key Changes

o Management’s Assertion and Risk Assessment

• Additional Considerations

• Other Service Organization Control Reports

o Overview and Background

o Using SSAE 16 as a Model to Report on non-financial reporting controls (i.e., security, privacy, etc.)

o SOC 2 – Example of Services Provided By User Organization

o Which SOC is right for your purpose?

• Questions


Page 3

Overview

• Control Reports have become increasingly prevalent in the marketplace since the issuance of the Statement on Auditing Standards No. 70, Service Organizations (SAS 70) in 1992.

• SAS 70 was originally designed as an auditor-to-auditor communication; however, SAS 70 evolved and reports were being viewed more broadly.

• New Standards represent the first significant modifications since SAS 70 was issued nearly two decades ago.

o The American Institute of Certified Public Accountants (AICPA) approved the Statement on Standards for Attestation Engagements (SSAE 16)

o The International Auditing and Assurance Standards Board (IAASB) issued the new International Standard on Assurance Engagements (ISAE 3402), Assurance Reports on Controls at a Third Party Service Organization

• The new standards are not significantly different from each other, nor from SAS 70; however, they do present changes that should be considered


Page 4

Overview: Changes in Reporting Standards

AICPA Service Organization Control (SOC) Reports – New Standards & Options

Service Org Control 1 (SOC 1)

• Standard: SSAE 16 – Service auditor guidance

• Purpose: Reports on controls for F/S audits

• Restricted Use Report (Type I or II Report)

• Historically SAS 70 Reports

Service Org Control 2 (SOC 2)

• Standard: AT 101, using the Trust Services Principles & Criteria

• Purpose: Reports on controls related to compliance or operations

• Generally Restricted Use Report (Type I or II Report)

Service Org Control 3 (SOC 3)

• Standard: AT 101, using the Trust Services Principles & Criteria

• Purpose: Reports on controls related to compliance or operations

• General Use Report (w/ public seal)

Page 5

Overview: Notable Similarities with SAS 70 for Service Organizations

• Issuance of Type 1 and Type 2 reports

• Management is responsible for the description of the system

• Management to specify control objectives

• Requirement for management to design and implement controls that achieve the control objectives

• Disclosure of complementary user entity controls (UCCs)

• Carve out and inclusive method of reporting for subservice organizations

• Management to provide representation letter

• Restricted Use Report

• Ability to include information in a separate section (i.e. Section 4)


Page 6

Overview: Notable Similarities with SAS 70 for Service Auditors

• Testing aligned with AU 350

• Use of Internal Audit – Direct Assistance & Using their Work

• Reporting of Test Procedures

• Reporting of Qualifications


Page 7

Overview: Key Terminology

Topic / SSAE 16 Guidance

Terminology – SSAE 16

• Reports on controls at service organizations will now be performed and issued under SSAE 16 (AT 801) (also referred to as a SOC 1 report)

• A ‘SAS 70’ report will no longer exist.

Effective Date

• Periods ending on or after June 15, 2011 (early adoption allowed)

Scope

• Specific to covering internal control over financial reporting

Additional Guidance

• AICPA Practitioner Guide expected to be issued June 2011

• The Practitioner Guide will be usable for both the US and International standards and provide information for all involved (Service Auditors, Service Organizations, User Entities, User Auditors)


Page 8

Consideration of Changes to SSAE 16

Change / Result of the Change

1. Form of Standard

- Auditing Standard to an Attest Standard

2. Applicability of Report

- Specific to internal control over financial reporting

3. Management is required to provide a written assertion

- Management needs to have a basis to support their assertion

4. Identify risks that threaten the achievement of control objectives

- Management’s responsibility to identify risks and include them in the evaluation of the design of controls and development of control objectives.

5. Service Auditor required to assess suitability of criteria

- Management needs to select suitable criteria to prepare the description of the system and to evaluate whether controls have been designed, implemented and are operating effectively.

6. Type 2 Report to cover a period for D&I, rather than a point in time

- The opinion will now include coverage throughout the period for design (new), implementation (new), and operating effectiveness.

Discussed in further detail on following slides

Page 9

Consideration of Changes to SSAE 16

Change / Result of the Change

7. Cannot use prior-year evidence to conclude on operating effectiveness of controls

- Auditor may not reduce tests of controls below the minimum standards (AU350) based on the results from the prior year.

8. Clearly identify work performed by Internal Audit function in description of tests of controls

- Description of tests of operating effectiveness needs to include description of Internal Audit’s work and Service Auditor’s procedures over Internal Audit’s work (not applicable for direct assistance)

9. Service Auditor to investigate the nature and cause of any deviations and whether these were caused by intentional acts. Cannot disclaim deviation as isolated.

- Previous standard allowed disclaiming of deviations as isolated incidents.

- New consideration of intentional acts

10. Subservice organizations are required to provide a similar assertion when the inclusive method is used

- Assertion will be included in the report

- Inclusive method only

- Continues to require a management representation letter as well


Page 10

Key Change - Management’s Assertion

Management's written assertion – most significant change:

• Management is required to provide a written assertion:

o It can be included as a separate section of the report, or

o The assertion can be part of the description of the system – appropriately identified as the assertion.

• Key components of management’s assertion:

o The description of controls fairly presents the system that was designed and implemented throughout the specified period;

o The controls were suitably designed to achieve the control objectives throughout the specified period, including identifying the risks that threaten the achievement of the control objectives; and

o The controls operated effectively throughout the period to achieve those control objectives.

• There is no requirement for the assertion to be signed – it’s at the option of the service organization.


Page 11

Key Change - Management’s Assertion (Continued)

Risk Assessment

• Service organization management must identify risks that threaten the achievement of the control objectives stated in the description of the system.

• Management may consider the following for each objective:

o Identify risk statement(s) that threaten the achievement of the objective

o Document control activities in place to mitigate risk(s) identified

o Document assertion(s) satisfied by the control activity (consider each assertion – e.g. Authorization, Completeness, Accuracy and Timeliness)

• These may be formal or informal processes and require ongoing monitoring/updating.

• This process may take some upfront effort to determine whether any additional risks may exist (for ongoing reports).

Basis for Assertion

• Management needs to have a reasonable basis to provide the assertion.

• Standards provide flexibility in the actual procedures performed by management.

• Management may not rely solely on the testing done by the service auditor.

Page 12

Key Change - Management’s Assertion (Continued)

Procedures to Support the Assertion

• Management’s activities such as monitoring or separate evaluations may provide evidence of the design, implementation, and operating effectiveness of controls in support of management’s assertion. These may be accomplished through:

o Ongoing monitoring activities

‒ Regular management and supervisory activities

‒ Sub-certifications

‒ Review of compliant files

o Separate evaluations

‒ Internal auditors or other personnel (risk/compliance) performing specific audits/examinations

‒ Information from external parties (e.g. Regulatory reviews)

o Combination of both

Support for Assertion

• Management considers what support it will need for its written assertion

• There is no requirement to retain documentation – however, this is a prudent and sound governance practice.

Page 13

Management’s Written Assertion: Example Activities

[Diagram: a "Level of Assertion" axis with four levels, labelled as they appear on the slide from top to bottom: Separate Evaluations; SOX/MAR Testing; Ongoing Monitoring; No Basis. The example procedures and supporting documentation below are arranged across those levels.]

Example Procedures

• Service auditor performs testing and issues report

• Management reporting and other oversight activities

• Management risk assessment

• Internal Audit testing/monitoring

• Independent regulatory exam

• Independent risk assessment

• Management or independent assessment of operating effectiveness

Supporting Documentation

• None

• Management monitoring documentation

• Management risk assessment documentation

• Regulatory reporting

• Internal Audit reporting

• Independent risk assessment results

• Testing evidence for the operating effectiveness

Reasonable basis for management’s assertion*

* A combination of ongoing monitoring and separate evaluations will usually help ensure that internal control maintains its effectiveness over time.

Page 14

Additional Considerations – Subservice Organizations

Carve Out

• It’s expected that the Service Organization will do something – they can’t just turn a blind eye.

• Monitoring Procedures:

o Obtain SSAE 16 reports (if they exist) and review the report

o Consider IA or others to perform testing

o Perform other monitoring procedures – periodic discussions/review of reports

• Apply User Entity Control Considerations

• Consider the impact to the service organization's report if a qualification is identified at the sub.

Inclusive

• Subservice organization has to provide both an assertion (to be included in the report) and a representation letter.

• Control environment, control objectives and controls are included in the report and tested by the service auditor.

• The expected use will mainly be related party entities (e.g. an investment adviser uses an affiliated custodian or affiliated IT organizations).


Page 15

Additional Considerations – User Entities / User Auditors

• Education and notice to user entities

o What is different in the report?

o Are there any changes to scope?

o Was internal audit leveraged? If so, how and to what extent?

o Consider other types of reports to satisfy changes to scope (e.g. SOC 2).

• Potential for refinement of user contracts - Is the current contract specific to SAS 70?

• An SSAE 16 report is strictly for the processing of transactions related to ICFR.

• “No relevant exceptions noted” has been changed to “No exceptions noted”.

• Recommended Reading from ISACA: New Service Auditor Standard – A User Entity Perspective


Page 16

Additional Considerations – User Entities / User Auditors (Continued)

• Understand the effect of the service organization(s) on your financial statement assertions and specific accounts

• Understand and consider management’s assertion

• Understand if the service organization intends to use the inclusive method (more complete picture) or the carve-out method. Is the scope of the report sufficient for your needs?

• Are you receiving a Type 1 or Type 2 Report?

• Understand and consider the period of coverage for Type 2 reports

• Understand and evaluate completeness of the control objectives for your state’s needs

• Understand how/if your state is addressing the user entity controls included in the report

• Understand the tests performed by the service auditor and how the test results impact specific assertions and accounts

• Understand the changes to the Opinion (see next slide)


Page 17

Additional Considerations - Changes to the SSAE 16 Opinion

• The opinion references management’s assertion and their responsibility for identifying risks that threaten achievement of the control objectives.

• The opinion continues to cover the subject matter:

o Fair presentation of the description of the system; design and implementation of controls; and operating effectiveness

o Includes the entire period, rather than as of a point in time, for a Type 2 report

• The opinion does NOT include a statement on whether management had a reasonable basis for providing their assertion.

Page 18

Other Service Organization Control Reports: Overview and Background

AICPA Service Organization Control (SOC) Reports – New Standards & Options

Service Org Control 1 (SOC 1)

• Standard: SSAE 16 – Service auditor guidance

• Purpose: Reports on controls for F/S audits

• Restricted Use Report (Type I or II Report)

• Historically SAS 70 reports

Service Org Control 2 (SOC 2)

• Standard: AT 101, using the Trust Services Principles & Criteria

• Purpose: Reports on controls related to compliance or operations

• Generally Restricted Use Report (Type I or II Report)

Service Org Control 3 (SOC 3)

• Standard: AT 101, using the Trust Services Principles & Criteria

• Purpose: Reports on controls related to compliance or operations

• General Use Report (w/ public seal)

Page 19

SOC 2 – What is it?

• An AICPA report that allows the service auditor to provide an opinion on the security, availability, processing integrity, confidentiality or privacy of a service organization’s controls.

o Can include one or more of the above Trust Services principles

• Similar in structure and general approach to SAS 70 (SSAE 16):

o An option for a Type 1 or Type 2 report

o An opinion

o A section describing the processing environment

o Description of control objectives, control activities, and tests

Page 20

SOC 2 – Differences from SAS 70 / SSAE 16

• A SOC 2 report does not need to cover processing related to financial reporting, nor is it intended to support financial reporting for your users.

• It can potentially be supplied to a wider audience. Intended users are management of the service organization, user entities, and other “specified parties.” Specified parties can be anyone who understands the nature of the services being provided by the service organization, how the service organization operates, and internal controls.

Page 21

SOC 2 – Differences from SAS 70 / SSAE 16

• In a SOC 2 report, the AICPA has supplied the criteria, whereas in a SAS 70/SSAE 16 report, management specifies the objectives and controls. So SOC 2 reports should be much more consistent across the marketplace.

o The exception is SOC 2 reports which cover privacy. These reports would also need to include the service organization’s privacy policy, which would obviously vary from organization to organization.

• Most practitioners who have looked at SOC 2 feel it will provide more detail throughout the report (narrative section, control activities, tests, etc.) than the existing reports.

Page 22

SOC 2 – Possible Users of Attestation Report

Provider of Cloud Computing Services

o A SOC 2 report is an excellent way to show customers and others that the service organization is meeting the specified criteria for a particular Trust Services Principle.

o Example: Outsourced Email Services are critical to user organization (client) daily operations; however, they may not be significant from a financial reporting standpoint; therefore, SSAE 16 may not be the right mechanism. However, SOC 2 can show that a service organization has controls to protect the security of information, availability of services, and privacy of information.

Page 23

SOC 2 – Possible Users of Attestation Report

Call Center Services

o SSAE 16 may not be a good fit because, while call center services are important from a business perspective, the processes executed may not be financially significant for customers of a service provider

o User Organizations may be concerned about handling of end-customer information, and a SOC 2 report may demonstrate that there are controls encompassing the security, confidentiality, and privacy of information

Medical Claims Processing Service Provider

o A SOC 2 report focused on processing integrity (completeness, accuracy, timeliness, etc.) could provide customers with comfort regarding the controls over transactions in claims processing.

Page 24

SOC 2 – Where is the guidance?

AICPA Guidance

o Guidance is still being finalized.

o SOC 2 is built upon the following components:

• AT 101 – known as the “bedrock” – outlines the guidance around the basic attest service

• Audit Guide “Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy” – (currently under development).

• Technical Practice Aid (TPA) Trust Services Principles, Criteria, and Illustrations – provides much of the detail involved for a SOC 2 engagement. This supplies the detailed criteria that will be used for all engagements. It is available from the AICPA at http://www.aicpa.org/InterestAreas/InformationTechnology/Resources/TrustServices/Pages/Trust%20Services%20Principles%e2%80%94An%20Overview.aspx

Page 25

Other Service Organization Control Reports: Which SOC is right for your purpose?

Professional standard used

• SOC 1 Report: SSAE 16 (AT 801); SOC 2 Report: AT 101; SOC 3 Report: AT 101

Used by auditors to plan and perform financial audits

• SOC 1: Yes; SOC 2: No; SOC 3: No

Used by user entities to gain confidence and place trust in service organization systems

• SOC 1: No; SOC 2: Yes; SOC 3: Yes

Obtain details of the processing performed and related controls, the tests performed by the service auditor and results of those tests

• SOC 1: Yes; SOC 2: Yes; SOC 3: No

Report generally available - can be freely distributed or posted on a website as a “SysTrust for Service Organizations” seal

• SOC 1: No; SOC 2: No; SOC 3: Yes

Page 26

QUESTIONS?

For more information:

Sue Nersessian
Director
Deloitte & Touche LLP
National SOC [email protected]

Brian Lane
Partner
Deloitte & Touche LLP
National SOC [email protected]

Eric Bowlin
Senior Manager
Deloitte & Touche LLP
[email protected]

Page 27

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.