TRANSCRIPT
Disclaimer
PRACTICEDGE™ SERIES DELIVERED BY THE RCA, ITS ENDOWING ORGANIZATIONS AND AFFILIATE LAW SCHOOLS CONSTITUTE A PREVIEW OF A RESPECTIVE CLASS SESSION IN THE LAW & MASTERS CONCENTRATION OR MYUNIVERSITY™.
THE PRACTICEDGE™ SERIES IS INTENDED FOR INFORMATIONAL PURPOSES. THE COMMENTS MADE BY EACH MEMBER OF THE SPEAKING FACULTY REPRESENT THEIR PERSONAL VIEW, AND NOT THE POSITION OF THE REGULATORY COMPLIANCE ASSOCIATION (RCA), ITS ENDOWING ORGANIZATIONS, AFFILIATE LAW SCHOOLS OR UNIVERSITIES, OR A SPEAKER’S FIRM OR ORGANIZATION.
ADDITIONALLY, THE VIEWS EXPRESSED AND MATERIALS PROVIDED DO NOT CONSTITUTE LEGAL OR PROFESSIONAL ADVICE, OR EVEN A MODEL OF THE SAME, APPLICABLE TO ANY SPECIFIC MATTER. LASTLY, THE RCA AND OUR ENDOWING FIRMS ASSUME NO LIABILITY FOR ANY ACTIONS OR COMMENTS OF THE SPEAKING FACULTY - SUCH INDIVIDUALS REMAIN SOLELY LIABLE FOR THE SAME.
MyUniversity™
Discover why over 18,000 Asset Management Executives use RCA Curricula and Member Services.
MyUniversity Delivers:
• Enterprise Class, Private Labeled Intranet of Knowledge™
• Over 900 hours of CPE, 600 hours of CLE and 600 hours of Continuing Compliance Education (updated monthly)
• The most timely, relevant, and vetted Course Materials
• Dedicated Academic Team with 24/7 service and support
Curriculum includes over 110 Courses:
• Spanning 12 Practice Areas: Asset Management Law, Regulation, Compliance, Exams, Investigations, Enforcement, Operational Process, Due Diligence, Risk Management, Governance, Fund Accounting and Taxation
• Detailed, comprehensive and unbiased coverage of over 4,000 subjects
• Over 10,000 pages of Textbooks and Course Materials
• Practical and actionable guidance, including extensive case studies

PracticEdge Elite™
PracticEdge Elite™ Delivers:
• Enterprise Class, Private Labeled Intranet of Knowledge™
• Over 110 hours of CPE, 70 hours of CLE and 70 hours of Continuing Compliance Education (updated monthly)
• The most timely, relevant, and vetted Course Materials
• Dedicated Academic Team with 24/7 service and support
Curriculum includes over 35 Courses:
• Spanning 12 Practice Areas: Asset Management Law, Regulation, Compliance, Exams, Investigations, Enforcement, Operational Process, Due Diligence, Risk Management, Governance, Fund Accounting and Taxation
• Detailed, comprehensive and unbiased coverage of over 4,000 subjects
• Over 1,500 pages of Textbooks and Course Materials
• Practical and actionable guidance, including extensive case studies
For more information, please contact the RCA at 800.306.6133 or visit www.rcaonline.org
Service Organization Controls (SOC) Reports for Institutional Investors: What You Need to Know™
Agenda
• SOC report overview
• SOC report structure
• SOC report section considerations
SOC Report Overview
SOC Reporting Needs
Who will use the communication?
• Direct consumer
• User entity
• Business partner
• Management / board of directors (BOD)
• User service organization
• Regulator
• Other
User’s areas of interest?
• Internal controls over financial reporting
• Security
• Availability
• Processing integrity
• Confidentiality
• Regulatory / self-regulatory compliance
• Contractual compliance
• Privacy
User’s business purpose for the communication?
• Meet audit needs
• Governance / risk management
• Vendor management
• Regulatory compliance
• Contractual compliance
• Internal report: management confidence
• Enhance trust regarding the service
What ‘criteria’ will the report measure against?
• Financial statement assertions
• Industry standards
• Contractually specified
• Regulatory requirements
• Other
Conclude on the report type and distribution method:
• SOC 1 (AT 801)
• SOC 2
• SOC 3
• Agreed-upon procedures
• Findings and recommendations (internal use, no assurance provided)
Service organization controls (SOC) reports
• ‘SOC 1’ reports provide information about controls at a service organization relevant to internal control over financial reporting.
• ‘SOC 2’ reports provide information about internal control at the service organization related to security, availability, processing integrity, confidentiality, or privacy.
• ‘SOC 3’ reports provide information about the service organization’s achievement of the Trust Services criteria.
Type I SOC 1 report: report on controls placed in operation at a specific date
• Looks at the design of the controls, not operating effectiveness
• Considered for information purposes only
Type II SOC 1 report: report on controls placed in operation and tests of operating effectiveness for a period of time
• Identifies instances of non-compliance
Key SOC Stakeholders (SOC 1, SOC 2 and SOC 3)
• Service organization (e.g., investment manager, transfer agent, fund administrator)
• Service auditor
• User organization (e.g., institutional investor)
• Sub-service organization (e.g., data center provider, transaction processor) and vendor organizations
• User auditor
The SOC 1 Report is for a User Auditor Performing a Financial Audit
Professional standards such as AT 801 provide guidance to enable an independent auditor (the service auditor) to issue an opinion on a service organization’s description of internal controls.
Figure labels: service organization; service auditor; SOC 1 report; user organizations; user auditors.
Benefits of Having a SOC Report
Service organization control report benefits, internal and external:
• Independent evaluation of processes and controls, and gap identification
• Customer due diligence process (e.g., new investor)
• Existing customer demands for greater assurance on controls (e.g., NAV calculation)
• Reduction of coordination with your customers’ auditors
• Demonstrate trustworthiness
SOC Report Elements and Structure of Report
SOC 1 - Elements
• System description: services provided, procedures, accounting records, significant events, entity-level controls, reporting, user control considerations
• System: people, processes, applications, infrastructure
• User entities’ financial statement assertions
• Control objectives
• Risk assessment
• Controls
• “Reasonable basis” for management asserting controls were consistently applied: existing testing/validation, on-going monitoring, limited additional testing
• Management’s written assertion
• Service auditor’s report
Typical SOC Report Structure
• Section 1: Management assertion
• Section 2: Auditor’s report (including opinion)
• Section 3: Description of the systems: description of organization and general control environment; description of processes being covered by the report
• Section 4: Control matrix: management’s control objectives for areas in scope; controls supporting the control objectives; auditor’s tests of the controls (Type II only); results of the auditor’s tests (Type II only)
• Section 5: Other information provided by management
Section 1 – Management’s Assertion
Overview
Management must provide a written assertion to accompany the description of the system as to the completeness and accuracy of the information provided, and state the criteria used as a basis for making the assertion.
Considerations
• Is the system description complete and fairly stated?
• Have known control deficiencies been identified?
• Are sub-service organization controls included within the report?
• Assertions must also be obtained for any “inclusive” sub-service providers.
• Management is required to do an independent risk assessment.
Section 1 – Management’s Assertion
Evaluating management’s assertions
• What is the coverage period? Does it meet your needs?
• Are the criteria complete?
• Any sub-service organizations? If so, are they carved out or included?
• Anything unusual?
Section 2 – Auditor’s Report
Overview
Independent auditor opinion on design and operating effectiveness of controls.
Considerations
Type I
• Reports on controls placed in operation at a point in time (one date)
• Looks at the design of controls, not operating effectiveness
• Considered for information purposes only
• Not considered of significant use for purposes of reliance by user auditors/organizations
• Bridge to a Type II report
Type II
• Reports on controls placed in operation and tests of operating effectiveness (for a period of time)
• Differentiating factor: includes tests of operating effectiveness
• Identifies instances of non-compliance
• More emphasis on evidential matter (more comprehensive than Type I: testing of key controls)
• Usually a minimum period of six months will be reviewed for Type II reports
Section 2 – Auditor’s Report
Evaluating the auditor’s report
• What standard is used?
• Who is this firm?
• Where was it issued?
• Any carve-out or unusual items noted in the scope description?
• Any qualifications?
• Any inconsistencies with professional standards or unusual items?
Maximizing the report coverage
• A minimum of 9 months coverage is considered full coverage; sufficiency of the period is professional judgment.
• If you do not have a sufficient amount of coverage, consider: inquiring of management whether any key changes at the service organization have been observed or communicated; requesting an additional report; inquiring of the service organization or obtaining a bridge letter; conducting additional procedures at the service organization or user entity.
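Deciding whether a report period is sufficient is mostly overlap-and-gap arithmetic between the report period and the period you need covered (for an institutional investor, typically its fiscal year). The Python below is an added example, not code from the presentation or from any AICPA or audit-firm tool; it takes the 9-month full-coverage rule of thumb from the slide as its threshold, and the Period and CoverageResult types, the action wording and the sample dates are this example's own assumptions.

```python
"""Coverage check of a SOC 1 report period against the period a user
organization needs covered (for example its fiscal year).

Added example: the 9-month "full coverage" rule of thumb comes from the
presentation; the Period and CoverageResult types, the action wording and
the sample dates are this example's own assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

FULL_COVERAGE_MONTHS = 9  # rule of thumb from the slide; sufficiency remains a judgment


@dataclass(frozen=True)
class Period:
    start: date
    end: date  # inclusive

    def __post_init__(self) -> None:
        if self.end < self.start:
            raise ValueError("period end precedes its start")


@dataclass
class CoverageResult:
    report_type: str
    months_covered: int      # whole calendar months of the needed period the report covers
    gap_before_days: int     # days of the needed period before the report starts
    gap_after_days: int      # days of the needed period after the report ends
    status: str              # "full coverage", "insufficient coverage" or "information only"
    actions: List[str] = field(default_factory=list)


def whole_months(start: date, end: date) -> int:
    """Complete calendar months in the inclusive range [start, end]."""
    nxt = end + timedelta(days=1)
    months = (nxt.year - start.year) * 12 + (nxt.month - start.month)
    if nxt.day < start.day:   # the last month is not complete
        months -= 1
    return max(months, 0)


def overlap(a: Period, b: Period) -> Optional[Period]:
    start, end = max(a.start, b.start), min(a.end, b.end)
    return Period(start, end) if start <= end else None


def evaluate_coverage(report_type: str, report: Period, needed: Period) -> CoverageResult:
    """Compare the report period with the period that must be covered."""
    covered = overlap(report, needed)
    months = whole_months(covered.start, covered.end) if covered else 0
    # Days of the needed period that fall outside the report period, clamped at 0.
    gap_before = max(0, (min(report.start, needed.end + timedelta(days=1)) - needed.start).days)
    gap_after = max(0, (needed.end - max(report.end, needed.start - timedelta(days=1))).days)

    if report_type == "Type I":
        # Design at one date only: the slides treat it as information purposes, a bridge to Type II.
        status, actions = "information only", [
            "Type I covers control design at a single date; obtain a Type II report "
            "before relying on operating effectiveness",
        ]
    elif months >= FULL_COVERAGE_MONTHS:
        status, actions = "full coverage", []
    else:
        # Options listed on the slide when the covered period is not sufficient.
        status, actions = "insufficient coverage", [
            "Inquire of management whether key changes at the service organization "
            "have been observed or communicated",
            "Request an additional report for the uncovered period",
            "Inquire of the service organization or obtain a bridge letter",
            "Conduct additional procedures at the service organization or the user entity",
        ]
    return CoverageResult(report_type, months, gap_before, gap_after, status, actions)


if __name__ == "__main__":
    fiscal_2015 = Period(date(2015, 1, 1), date(2015, 12, 31))   # constructed sample
    report = Period(date(2014, 10, 1), date(2015, 3, 31))        # constructed sample
    print(evaluate_coverage("Type II", report, fiscal_2015))
```

The gap fields are kept even when the status is "full coverage" so that a reviewer can still decide whether to ask for a bridge letter over the uncovered tail of the year; the threshold is deliberately a named constant because the slide is explicit that sufficiency is a judgment, not a rule.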
Section 3 – Description of the System
Overview
Description of organization and general control environment. Control environment components:
• Human resource policies and practices
• Integrity and ethical values
• Commitment to competence
• Management reporting and oversight
• Management’s philosophy and operating style
• Organizational structure
• Assignment of authority and responsibility
• Internal audit
• Global compliance
Description of processes being covered by the report
• Known as the “narratives”
• Includes a general description of the service organization’s controls, policies and procedures for each process
Section 3 – Description of the System
Considerations
Scope of system
• Defined by management
• Customized to the needs of users
• Evaluated by the auditor
• Relevant to the audit of a user’s financial statements
Evaluating scope of system
• Services, systems, locations covered
• Does it cover the areas of concern? What is missing?
• Map to areas of concern
• Match to contractual requirements
• Completeness, accuracy, timeliness, etc.
Section 3 – Description of the System
Evaluating the description of the system
• Start with the results/outputs: identification of key reports and data feeds; completeness and accuracy of reports
• Work backwards: description of process; key steps; inputs along the way
• Compliance requirements
• Is it at the right depth? What is missing? What strikes you as curious?
Section 4 – Control Objectives and Test of Controls
Overview
Specify the control objectives of the system and state those control objectives in the description of the system.
• Specific identification of controls to be tested
• Description of tests performed
• Results of tests
Section 4 – Controls, Control Objectives and Test of Controls
What is a control?
A control is an activity that is performed that helps ensure that your procedures were properly performed and that your policies are followed.
• There is often only one control for multiple procedures.
• There are often multiple attributes examined for each control: control was accurately performed; control was completely performed; control was performed timely; control was designed properly.
Section 4 – Controls, Control Objectives and Tests of Controls
Types of Controls
Manual Controls
• Involve NO reliance on a system/application and are performed by people.
• Example: On a monthly basis, manual incentive allocations are prepared by a staff member and reviewed by a manager using an Excel spreadsheet. After the manager completes the review, the manual allocation file is approved by the client via email.
IT-Dependent Manual (ITDM) Controls
• Have both a manual and a system component (typically EAE).
• Example: The portfolio holdings report from the investments sub-ledger is manually reconciled by a staff member to the custodian, broker, or counterparty statements. All breaks are researched and investigated. The reconciliation is reviewed by a manager.
Application Controls
• Are completely automated and either programmed or configured within the application itself.
• Example: Application X will not allow an unbalanced journal entry to be created/posted.
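The three control types differ in where the assurance comes from, which is what a reviewer must test differently: a manual control has no code to inspect at all, an ITDM control has a system output that a person then acts on, and an application control is the program logic itself. The Python below is an added example, not the presentation's or any vendor's code: post_journal_entry is an application control of the kind described for "Application X" (the posting routine itself refuses an unbalanced entry), and reconcile_positions is the system half of the ITDM reconciliation (it produces the break list a staff member researches and a manager reviews). The function names, the use of Decimal for cent-exact arithmetic, and the sample holdings are this example's own assumptions.

```python
"""Two of the control types from the slide, as running code.

Added example, not from the presentation: post_journal_entry is an automated
application control; reconcile_positions is the system component of an
IT-dependent manual control. Names and sample figures are this example's own."""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, List, Tuple

CENT = Decimal("0.01")


@dataclass(frozen=True)
class JournalLine:
    account: str
    debit: Decimal
    credit: Decimal


def line(account: str, debit: str = "0", credit: str = "0") -> JournalLine:
    """Build a line from string amounts so no binary-float rounding creeps in."""
    return JournalLine(account, Decimal(debit), Decimal(credit))


class UnbalancedEntryError(ValueError):
    """Raised by the application control; the entry never reaches the ledger."""


def is_balanced(lines: List[JournalLine]) -> bool:
    """Total debits equal total credits, compared at cent precision."""
    debits = sum((l.debit for l in lines), Decimal("0")).quantize(CENT, ROUND_HALF_UP)
    credits = sum((l.credit for l in lines), Decimal("0")).quantize(CENT, ROUND_HALF_UP)
    return debits == credits


def post_journal_entry(ledger: List[JournalLine], lines: List[JournalLine]) -> Decimal:
    """Application control: programmed into the posting routine, no human step.
    Returns the posted debit total; raises and leaves the ledger untouched otherwise."""
    if not lines:
        raise UnbalancedEntryError("entry has no lines")
    if any(l.debit < 0 or l.credit < 0 for l in lines):
        raise UnbalancedEntryError("negative amounts are not allowed")
    if not is_balanced(lines):
        raise UnbalancedEntryError("debits do not equal credits")
    ledger.extend(lines)          # only reached for a balanced entry
    return sum((l.debit for l in lines), Decimal("0"))


def reconcile_positions(subledger: Dict[str, str], custodian: Dict[str, str],
                        tolerance: str = "0") -> List[Tuple[str, Decimal, Decimal]]:
    """System component of an ITDM control: compare sub-ledger holdings with the
    custodian statement and list every break as (security, our qty, their qty).
    Researching each break and the manager's review are the manual component."""
    tol = Decimal(tolerance)
    breaks = []
    for sec in sorted(set(subledger) | set(custodian)):
        ours = Decimal(subledger.get(sec, "0"))
        theirs = Decimal(custodian.get(sec, "0"))
        if abs(ours - theirs) > tol:
            breaks.append((sec, ours, theirs))
    return breaks


if __name__ == "__main__":
    ledger: List[JournalLine] = []
    post_journal_entry(ledger, [line("Cash", debit="100.00"),
                                line("Management fee income", credit="100.00")])
    try:
        post_journal_entry(ledger, [line("Cash", debit="100.00"),
                                    line("Management fee income", credit="99.99")])
    except UnbalancedEntryError as exc:
        print("rejected:", exc)
    # Constructed sample holdings: one quantity difference, one position missing from our books.
    print(reconcile_positions({"AAPL": "100", "MSFT": "50"},
                              {"AAPL": "100", "MSFT": "45", "IBM": "10"}))
```

When reading a Section 4 test description, the distinction matters: for the application control the auditor can inspect the posting code or configuration and attempt an unbalanced entry once; for the ITDM control the break report is only half the control, and the test must also cover that someone investigated and signed off each break.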
Section 4 – Controls, Control Objectives and Tests of Controls
Evaluating controls
• Are they what is expected? Map to your risks; map to known risk models; map to contractual requirements.
• Are they described in sufficient detail to permit you to separately evaluate their design?
• What processes, technologies, services are missing/weak?
Section 4 – Controls, Control Objectives and Tests of Controls
Evaluating tests of controls
• Are the tests described in a way that lets you understand the nature of what was performed?
• Are they the “right” test for the control? Responsive to the control; what would our financial auditor have done?
• Are any deviations described sufficiently to permit the evaluation of the impact?
• What is the service organization management’s response? Have there been any other communications on the issue?
Section 4 – Controls, Control Objectives and Tests of Controls
What is the control objective?
• A control objective is the aim or purpose of specified controls at the service organization.
• Control objectives address the risks that controls are intended to mitigate.
Evaluating control objectives
• Identify information/reports that flow to the financial statements
• Identify financial statement assertions impacted by the information identified
• Evaluate control objectives
• Underlying process control objectives
• Include disclosures
• Electronic audit evidence
Section 4 – Controls, Control Objectives and Tests of Controls
What are CUECs?
CUECs (complementary user entity controls) are controls that management of the service organization assumes, in the design of the service provided by the service organization, will be implemented by user entities, and which, if necessary to achieve the control objectives stated in management’s description of the service organization’s system, are identified as such in that description.
Considerations when evaluating CUECs
• Are they relevant to internal control, or a protection mechanism for the service organization/auditor?
• Do they really describe what you should be doing?
• Is it consistent with documentation/contracts, etc.?
• Have you implemented them?
• Have you evaluated their operation?
Section 4 – Controls, Control Objectives and Tests of Controls
Evaluating deviations
• Page or control objective number reference
• Affected control objective
• Description of deviation (from report)
• Management’s response, if applicable (this is the response documented in the SOC report by the service organization)
• Effect on our use of the report; consider the following: relevance of control objective; relevance of systems/locations where issues were identified.
• For deviations, a brief analysis should be performed; simply stating “no effect/no risk identified” is not sufficient.
• Management’s response is considered inquiry only: if the deviation wording does not state additional procedures, you cannot assume management’s response has been tested.*
Section 5 – Other Information Provided by Management
Overview
Un-audited information provided by management. Examples of information provided:
• Business continuity
• Data protection
• Financial and regulatory reporting
• Remediation of control deficiencies
SOC Report Common Pitfalls
• Report is not the correct report
• Location is not correct
• Services are different than the services relied on
• Application we wish to rely on is not covered in the report
• Report is a Type I
• Multiple processes are utilized at the service provider that are covered in separate reports (e.g., ADP AutoPay vs. ADP Payroll Tax)
• Report period is not sufficient
Common Pitfalls (cont.)
• Report is qualified, or major exceptions exist and are not fully addressed or considered
• Failure to consider and/or evaluate relevant subservice providers. Note: some large providers may essentially function as their own subservice provider via processes covered in separate reports (e.g., ADP Hosting Services).
• Restrictions on the use of the reports
• Management response in the unaudited section (i.e., Section 5)
Common Pitfalls (cont.)
• Inadequate documentation to support that relevant CUECs were tested and operating effectively
• Insufficient documentation to support evaluation of IT-related CUECs (e.g., user access)
• Reliance on an insufficient report that does not describe the tests and results, and so offers little to no value for reliance
• Use of “N/A” to document responses to questions throughout the report: all fields on the form are applicable and must be completed, or the rationale for exclusion should be explained fully
IT Considerations
IT General Controls within a SOC report typically include the areas of logical access, change management, and IT operations, including job scheduling, back-up and recovery, and incident management.
It is critical to make sure that applications and supporting infrastructure that are significant to relevant business processes and support IT-dependent manual or application controls are specifically included within the scope of the ITGC testing in a report.
Applications that are included in scope are typically defined in a table or chart depicting coverage.
ITGCs for applications outsourced to third-party sub-service organizations are typically carved out of the scope of reports. It is important to understand who owns and operates the individual controls.
IT General Controls (ITGCs) are the support framework of the IT environment. Effective ITGCs provide assurance that automated and IT-dependent controls function as intended over time.
It is critical to make sure that application controls are adequately tested within SOC reports. Application controls are commonly grouped into five categories.
The table below shows the expected testing for the different categories of application controls and the procedures that can be used to test such controls.
Market Trends and Key Client Issues
Several market forces are driving changes in customers’ information needs:
• Increased dependency on service organizations
• Increased focus on vendor risk management
• New and modified professional standards
• Heightened security risks
• Evolving law and regulations
• Technological advancements
Customers’ Perspectives of Risks and Information Needs Vary Significantly
Typical customer questions: “Does my vendor have the controls and process in place to protect my reputation?” and “Can I rely on the services I am buying?”
Risk and information-need topics shown: confidentiality, cloud, SOX, GLBA, FFIEC, OCC, FISMA, processing integrity, privacy, identity theft, data reliability, SLAs, availability, attack and pen. testing, security, BCP/DR.
Regulatory Risks
Executive Order 13636, “Improving Critical Infrastructure Cybersecurity”, issued in 2013
• Directed NIST (the National Institute of Standards and Technology, an agency of the U.S. Department of Commerce) to develop a framework for reducing cyber risks to critical infrastructure.
• Many financial service organizations are considered to be part of the “critical infrastructure.”
NIST Cybersecurity Framework, issued in February 2014
• Currently the most generally accepted framework available for managing cyber risks
• Broken into five functions:
  • Identify: asset management, business environment, governance, risk assessment, risk management strategy
  • Protect: access control, awareness and training, data security, information protection, maintenance, protective technology
  • Detect: anomalies and events, security continuous monitoring, detection processes
  • Respond: response planning, communications, analysis, mitigation, improvements
  • Recover: recovery planning, improvements, communications
In 2014 and 2015, the SEC Office of Compliance Inspections and Examinations (OCIE) issued Risk Alert guidance noting its intent to examine the cybersecurity preparedness (based on the NIST Cybersecurity Framework) of investment advisors, broker-dealers, and transfer agencies.
In 2015, SIFMA indicated its support of the use of SOC 2 reports to help address cybersecurity risks at third-party vendors, identifying the NIST Cybersecurity Framework.
Customers Are Commonly Asking For
Service organizations have indicated an increase in the volume of inquiries across all of these areas (rated from significant decrease to significant increase):
• New SOC reports
• Changes to existing SOC reports
• Questionnaires
• Cybersecurity
• On-site audits
What Elements of Quality Are Customers Focused On?
Service organizations have indicated a medium to high volume of inquiries from customers in each of these areas (rated from low to high):
• Completeness and accuracy of data
• Completeness and accuracy of reports
• Precision of review controls
• Level of detail in the system description
• Level of detail for deviations
Service organizations are commonly addressing these inquiries by:
► Building additional detail into the SOC report
► Ad hoc responses
What Are Other Service Organizations Doing?
What reports did other service organizations issue in 2014? SOC 1: 75%; SOC 2: 13%; SOC 3: 6%; Other: 6%.
Why?
• SOC 1 reports are often used to address contractual requirements, for marketing or RFP response, and for vendor risk management programs.
• SOC 2: additional marketplace education is needed to maximize the value of a SOC 2 report for a vendor risk management program.
• SOC 3: marketing value is a common driver.
How Are Other Service Organizations Utilizing SOC 2 and SOC 3 Reports?
Trust services principles covered: Security 38%; Availability 20%; Confidentiality 28%; Processing integrity 13%; Privacy 1%.
• Security is often perceived as the baseline principle for SOC 2 and SOC 3 reports.
• The Privacy principle has been limited historically, but is expected to grow with the underlying criteria changing in 2016 to align with the other principles.
• Processing integrity is often applied to a transaction-based service and is expanding to other types of processes.
• Availability and Confidentiality are commonly included with Security.
• SOC 2 and SOC 3 reports can be effective tools for marketing or RFP response and for addressing vendor risk management focus areas.
► EY issued more than 150 SOC 2 and SOC 3 reports in 2014.
How Can I Maximize My Return on Investment for a SOC 2 Report?
• SOC 2 baseline: the auditor’s opinion covers the trust services principles.
• SOC 2 with a mapping to another framework: the auditor’s opinion covers the trust services principles only; the other framework is mapped, not opined on.
• SOC 2+ including another framework: the auditor’s opinion covers both the trust services principles and the additional framework.
SOC 2+ reports can be an effective way to consolidate frameworks and compliance with regulatory requirements into a more broadly usable reporting format. These reports offer more flexibility to meet readers’ needs.
SOC 2 Reporting Benefits
Build competitive advantage – Companies can use the SOC 2 reports as a market differentiator.
Assist clients with vendor oversight activities – New and emerging regulations establish vendor management requirements; a SOC 2 report will assist client management with monitoring the services provided by outsourced third-parties.
Enhance client communications – A well described system in a SOC 2 report can increase transparency to clients and enhance their understanding of outsourced internal controls.
Manage client support costs – A SOC 2 report can be used to reduce client audits, due diligence/ vendor risk questionnaires and on-site visits, while providing an added level of assurance.
Satisfy contractual agreements – New clients may request a SOC 2 report as part of their contract; existing clients may amend their contracts.
Improve/lean your processes – SOC 2 assessment activities generate process improvement ideas and opportunities to further centralize and standardize processes and controls.
Appendix: Illustrative Control Objectives for an Investment Manager
Investment Manager Common Scope Options
Investment management activities:
• Security set-up and maintenance
• Account set-up and maintenance
• Trade processing
• Trade confirmation and settlement
• Trade allocation
• Income processing and recording
• Corporate actions
• Investment valuation (completeness/recording)
• Reconciliations (cash and position)
• Fund expenses/accruals
• Accretion/amortization of discounts/premiums
• Realized and unrealized gains/losses
• Cash payments
• Client reporting
• Portfolio compliance
• Profit and loss allocation
• Management fees
• Incentive fees/performance allocation
• Investor inflows
• Investor outflows
Information technology:
• Change management
• Logical security
• Physical security
• Application software maintenance
• System software maintenance
• Computer operations/job scheduling
• Backup and recovery
Illustrative Control Objectives
New account setup and administration. Controls provide reasonable assurance that...
• new accounts are authorized and set up in accordance with client instructions and guidelines in a complete, accurate and timely manner.
• account modifications are authorized and implemented in a complete, accurate, and timely manner.
• new account holdings and cash are reconciled to custodian bank statements in a complete, accurate, and timely manner.
Security setup. Controls provide reasonable assurance that...
• new securities and changes to existing securities are authorized and entered in the security master file in a complete, accurate and timely manner.
Investment transaction processing. Controls provide reasonable assurance that...
• investment transaction instructions are authorized and entered into the system in a complete, accurate, and timely manner.
• portfolio guidelines are monitored and exceptions are identified and resolved in a complete, accurate, and timely manner.
• allocations are approved by the portfolio manager.
• block orders are allocated to clients on a pro-rata basis for equity trades and a predetermined allocation for fixed income trades.
Confirmation, affirmation, or settlement. Controls provide reasonable assurance that...
• investments are settled in a complete, accurate, and timely manner.
• custodians are informed of transactions in a complete, accurate, and timely manner.
Loans. Controls provide reasonable assurance that...
• loans and collateral are authorized, processed and recorded in a complete, accurate, and timely manner.
• collateral on loans is invested in accordance with the lender agreement and recorded and monitored in a complete, accurate, and timely manner.
• loan repayments are processed and recorded in a complete, accurate, and timely manner.
Pricing. Controls provide reasonable assurance that...
• security prices are received from an authorized source and updated in a complete, accurate, and timely manner.
• price overrides are authorized and processed in a complete, accurate, and timely manner.
Corporate actions. Controls provide reasonable assurance that...
• corporate action notices are identified and received from an authorized source and are updated in the system in a complete, accurate, and timely manner.
Investment income. Controls provide reasonable assurance that...
• interest, dividend, and other income information is received from an authorized source and recorded in a complete, accurate, and timely manner.
• cash received for interest and dividends is processed in a complete, accurate, and timely manner.
Money movement. Controls provide reasonable assurance that...
• money movement (receipts and disbursements) is authorized and processed in a complete, accurate, and timely manner.
Custodian reconciliation. Controls provide reasonable assurance that...
• security positions and cash balances reflected in the portfolio accounting system are reconciled in a complete, accurate, and timely manner.
Fees. Controls provide reasonable assurance that...
• investment management fees and other expenses are authorized, calculated, and recorded in a complete, accurate, and timely manner.
Net asset valuation. Controls provide reasonable assurance that...
• net asset values are authorized and calculated in a complete, accurate, and timely manner.
Account statements and client reports. Controls provide reasonable assurance that...
• account statements and client reports detailing client account holdings and market values are complete, accurate, and provided to clients in a timely manner.
Investor inflows and outflows. Controls provide reasonable assurance that...
• investor subscriptions and redemptions received are processed in a complete, accurate, and timely manner in accordance with the investor requests and the company’s policies and procedures.
Allocations. Controls provide reasonable assurance that...
• investor allocations are calculated and recorded in a complete, accurate, and timely manner.
Information security. Controls provide reasonable assurance that…
• logical access to programs, data, and computer resources is restricted to authorized and appropriate users, and such uses are restricted to performing authorized and appropriate actions.
• physical access to computer and other resources is restricted to authorized and appropriate personnel.
Change management. Controls provide reasonable assurance that…
• changes to application programs and related data management systems are authorized, tested, documented, approved, and implemented to result in complete, accurate, and timely processing and reporting of transactions and balances.
• network infrastructure is configured as authorized to (1) support the effective functioning of application controls to result in valid, complete, accurate, and timely processing and reporting of transactions and balances and (2) protect data from unauthorized changes.
Computer operations. Controls provide reasonable assurance that…
• application and system processing are authorized and executed in a complete, accurate, and timely manner, and deviations, problems, and errors are identified, tracked, recorded, and resolved in a complete, accurate, and timely manner.
• data transmissions between the service organization and its user entities and other outside entities are from authorized sources and are complete, accurate, secure, and timely.
• data is backed up regularly and is available for restoration in the event of processing errors or unexpected processing interruptions.
Carve-out method. Method of addressing the services provided by a subservice organization whereby management’s description of the service organization’s system identifies the nature of the services performed by the subservice organization and excludes from the description and from the scope of the service auditor’s engagement the subservice organization’s relevant control objectives and related controls. Management’s description of the service organization’s system and the scope of the service auditor’s engagement include controls at the service organization that monitor the effectiveness of controls at the subservice organization, which may include management of the service organization’s review of a service auditor’s report on controls at the subservice organization.
Complementary user entity controls. Controls that management of the service organization assumes, in the design of the service provided by the service organization, will be implemented by user entities, and which, if necessary to achieve the control objectives stated in management’s description of the service organization’s system, are identified as such in that description.
Control objectives. The aim or purpose of specified controls at the service organization. Control objectives address the risks that controls are intended to mitigate.
Controls at a service organization. The policies and procedures at a service organization likely to be relevant to user entities’ internal control over financial reporting. These policies and procedures are designed, implemented, and documented by the service organization to provide reasonable assurance about the achievement of the control objectives relevant to the services covered by the service auditor’s report.
Controls at a subservice organization. The policies and procedures at a subservice organization likely to be relevant to internal control over financial reporting of user entities of the service organization. These policies and procedures are designed, implemented, and documented by a subservice organization to provide reasonable assurance about the achievement of control objectives that are relevant to the services covered by the service auditor’s report.
Criteria. The standards or benchmarks used to measure and present the subject matter and against which the service auditor evaluates the subject matter.
Illustrative AICPA Definitions
Inclusive method. Method of addressing the services provided by a subservice organization whereby management’s description of the service organization’s system includes a description of the nature of the services provided by the subservice organization as well as the subservice organization’s relevant control objectives and related controls.
Internal audit function. The service organization’s internal auditors and others, for example, members of a compliance or risk department, who perform activities similar to those performed by internal auditors.
Report on management’s description of a service organization’s system and the suitability of the design of controls (referred to in this section as a type 1 report). A report that comprises the following:
• Management’s description of the service organization’s system.
• A written assertion by management of the service organization about whether, in all material respects, and based on suitable criteria:
  • management’s description of the service organization’s system fairly presents the service organization’s system that was designed and implemented as of a specified date.
  • the controls related to the control objectives stated in management’s description of the service organization’s system were suitably designed to achieve those control objectives as of the specified date.
• A service auditor’s report that expresses an opinion on those matters.
Report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls (referred to in this section as a type 2 report). A report that comprises the following:
• Management’s description of the service organization’s system.
• A written assertion by management of the service organization about whether, in all material respects, and based on suitable criteria:
  • management’s description of the service organization’s system fairly presents the service organization’s system that was designed and implemented throughout the specified period.
  • the controls related to the control objectives stated in management’s description of the service organization’s system were suitably designed throughout the specified period to achieve those control objectives.
  • the controls related to the control objectives stated in management’s description of the service organization’s system operated effectively throughout the specified period to achieve those control objectives.
• A service auditor’s report that:
  • expresses an opinion on those matters.
  • includes a description of the tests of controls and the results thereof.
Service auditor. A practitioner who reports on controls at a service organization.
Service organization. An organization or segment of an organization that provides services to user entities, which are likely to be relevant to those user entities’ internal control over financial reporting.
Service organization’s assertion. A written assertion about the matters referred to in part the definition of Report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls, for a type 2 report.
Service organization’s system. The policies and procedures designed, implemented, and documented by management of the service organization to provide user entities with the services covered by the service auditor’s report. Management’s description of the service organization’s system identifies the services covered, the period to which the description relates (or, in the case of a type 1 report, the date to which the description relates), the control objectives specified by management or an outside party, the party specifying the control objectives (if not specified by management), and the related controls.
Subservice organization. A service organization used by another service organization to perform some of the services provided to user entities that are likely to be relevant to those user entities’ internal control over financial reporting.
Test of controls. A procedure designed to evaluate the operating effectiveness of controls in achieving the control objectives stated in management’s description of the service organization’s system.
User auditor. An auditor who audits and reports on the financial statements of a user entity.
User entity. An entity that uses a service organization.
Conclusion
Speaking Faculty Biographies
Michael E. Cyran is a partner in the New York Financial Services Office with over 22 years of experience in the financial services sector. He focuses on asset management organizations, and specializes in working with investment advisors, registered investment companies, alternative investment funds, structured products and investment management operations.
Mike is the SOC leader for Ernst & Young’s New York Financial Services Office as well as Ernst & Young’s Global Asset Management practice. He leads many of the global fund administration SOCs that the Firm services.
Mike has extensive experience in the securitization of collateralized debt obligations and other asset backed securities, having worked in E&Y’s Structured Finance Advisory Services group for over two years as a senior manager.
Mike possesses deep knowledge in investment management and transfer agency operations, fund administration, and valuation and accounting for derivatives, asset-backed and illiquid securities. Mike is a frequent speaker on various technical and operational topics at industry conferences.
Michael E. Cyran, CPA, Partner, EY
Maclar Ampanas, CPA, Senior Manager, Financial Services, EY
Maclar Ampanas is a Senior Manager in EY’s Core Assurance practice with about 10 years of experience providing assurance and advisory services to asset management clients in New York. Her clients include large complex structures as well as start-up and single-investor funds. Maclar has extensive experience in the financial statement audits of hedge funds, mutual funds and private equity funds with diverse investment strategies and products including, but not limited to, equities, fixed income, real estate, distressed debt and trade claims, private investments, derivatives, energy and reinsurance and reinsurance-related products.
In addition to financial statement audits, Maclar also managed the review of the middle- and back-office and fund administration services of global fund administrators, where she gained a deeper understanding of fund operations and administration. She has strong experience with Sarbanes-Oxley Section 404 testing, compliance reviews, and complex accounting analysis involving compensation accounting, securitizations, transfer/sale accounting, netting and consolidation.
Prior to joining the New York Office of EY, Maclar worked for 4 years in EY Manila and 3 years in KPMG Manila. Her prior work experiences covered a wide variety of industries including manufacturing, real estate, entertainment, broker-dealers, insurance, financial institutions, and asset management, among others.
Maclar is a member of the American Institute of Certified Public Accountants and the New York State Society of Certified Public Accountants. She graduated cum laude from the University of Saint Louis in the Philippines with a degree in Bachelor of Science in Accountancy.
Keith Bispala is a senior manager in EY’s Financial Services Office (FSO) and currently serves as the FSO Advisory service organization control reporting (SOCR) solution leader. He has more than 16 years of experience in information technology risk and controls advisory services and has provided a broad range of IT services to Fortune 500 companies in direct support of their business objectives. He has extensive experience leading large SOCR, financial audit IT (FAIT) support, SOX, and IT internal audit co-sourcing engagements. He also has significant experience leading information security and privacy assessments and independent pre- and post-system implementation reviews.
Professional experience
• Currently leads SOC reporting engagement at top 5 bank with a portfolio of 28 SOC reports, including 8 Wealth and Asset Management specific SOC 1s
• Currently leading SOC 2 pre-assessment engagement over Security, Availability, Confidentiality, and Privacy principles at large financial organization
• Led SOC reporting and SOX engagements at large Wealth and Asset Management client including several SOC 1s for institutional investor services
• Led multiple SOC 2 pre-assessments over Security, Availability, Processing Integrity and Privacy principles at large insurance organization
• Led SOC reporting engagement at top 25 global insurance client with a portfolio of 15 SOC reports
Skills
• Certified Public Accountant (CPA)
• Certified Information Systems Auditor (CISA)
Keith Bispala, CPA, Senior Manager, Financial Services, IT Risk, EY
Jessica DeRosa is a Senior Manager in the Advisory Services practice of Ernst & Young LLP. She has over thirteen years of information systems auditing experience, specializing in the Financial Services Industry. Jessica has assisted global financial service companies with evaluating the information technology internal control environments to determine compliance with regulatory requirements (SOX 404, ISO 17799:2005, ISO 27001/27002, FFIEC IT Handbooks, GLBA) and the effectiveness of the information technology control environment.
Jessica is a Certified Information Systems Auditor (CISA). She is a member of the New York Chapter of the Information Systems Audit and Control Association (ISACA), and the International Association of Privacy Professionals.
Jessica has a B.S. in Management with dual concentrations in Finance and MIS from the State University of New York College at Binghamton and an executive Masters in Business Administration from Columbia University.
Jessica DeRosa, Senior Manager, Advisory Services, EY
Elyse Reilly is a New York-based Senior Manager in the Financial Services Office (FSO) Assurance practice of Ernst & Young LLP. She has ten years of experience in the financial services industry serving asset management clients. Industry exposure includes SOC 1 experience, domestic and offshore hedge funds, fund-of-funds; SEC, CFTC, CIMA registrants, Irish domiciled entities and Luxembourg SARLs.
Elyse is currently the lead senior manager on the largest global hedge fund administrator SOC 1. She has been involved in the implementation of ISAE 3402 and SSAE No. 16. Prior to stepping into a managerial role, Elyse was the lead business process senior on the SOC 1 engagement; she planned and coordinated team logistics, designed tests that suitably fulfill the objectives of a SOC 1 report, supervised a team of staff and seniors, documented the outcome of the test work and concluded on the effectiveness of the controls as prescribed in the SOC 1 report. Elyse traveled to the UK, Ireland and India to execute walkthroughs of the significant processes on multiple occasions.
Elyse also is the lead senior manager on a $13 billion fund whose strategy primarily resides in the distressed debt and private investments space. The complex includes 55 fund structures which include hedge funds, private equity and hybrid funds. There is an extensive amount of work on ASC 740 as well as rather complex valuation issues with regard to their private investments, CLOs and bank debt.
Elyse Reilly, Senior Manager, FSO Assurance, EY