Service Organization Controls (SOC) Reports for Institutional Investors: What You Need to Know™ (Regulatory Compliance Association, PracticEdge™ Series slide transcript)

Page 1: Disclaimer

PRACTICEDGE™ SERIES DELIVERED BY THE RCA, ITS ENDOWING ORGANIZATIONS AND AFFILIATE LAW SCHOOLS CONSTITUTE A PREVIEW OF A RESPECTIVE CLASS SESSION IN THE LAW & MASTERS CONCENTRATION OR MYUNIVERSITY™.

THE PRACTICEDGE™ SERIES IS INTENDED FOR INFORMATIONAL PURPOSES. THE COMMENTS MADE BY EACH MEMBER OF THE SPEAKING FACULTY REPRESENT THEIR PERSONAL VIEW, AND NOT THE POSITION OF THE REGULATORY COMPLIANCE ASSOCIATION (RCA), ITS ENDOWING ORGANIZATIONS, AFFILIATE LAW SCHOOLS OR UNIVERSITIES, OR A SPEAKER’S FIRM OR ORGANIZATION.

ADDITIONALLY, THE VIEWS EXPRESSED AND MATERIALS PROVIDED DO NOT CONSTITUTE LEGAL OR PROFESSIONAL ADVICE, OR EVEN A MODEL OF THE SAME, APPLICABLE TO ANY SPECIFIC MATTER. LASTLY, THE RCA AND OUR ENDOWING FIRMS ASSUME NO LIABILITY FOR ANY ACTIONS OR COMMENTS OF THE SPEAKING FACULTY - SUCH INDIVIDUALS REMAIN SOLELY LIABLE FOR THE SAME.



Page 2: MyUniversity™

Discover why over 18,000 Asset Management Executives use RCA Curricula and Member Services.

MyUniversity Delivers:
• Enterprise Class, Private Labeled Intranet of Knowledge™;
• Over 900 hours of CPE, 600 hours of CLE and 600 hours of Continuing Compliance Education (updated monthly);
• The most timely, relevant, and vetted Course Materials;
• Dedicated Academic Team with 24/7 service and support.

Curriculum includes over 110 Courses:
• Spanning 12 Practice Areas: Asset Management Law, Regulation, Compliance, Exams, Investigations, Enforcement, Operational Process, Due Diligence, Risk Management, Governance, Fund Accounting and Taxation;
• Detailed, comprehensive and unbiased coverage of over 4,000 subjects;
• Over 10,000 pages of Textbooks and Course Materials;
• Practical and actionable guidance, including extensive case studies.

Page 3: PracticEdge Elite™

Discover why over 18,000 Asset Management Executives use RCA Curricula and Member Services.

PracticEdge Elite™ Delivers:
• Enterprise Class, Private Labeled Intranet of Knowledge™;
• Over 110 hours of CPE, 70 hours of CLE and 70 hours of Continuing Compliance Education (updated monthly);
• The most timely, relevant, and vetted Course Materials;
• Dedicated Academic Team with 24/7 service and support.

Curriculum includes over 35 Courses:
• Spanning 12 Practice Areas: Asset Management Law, Regulation, Compliance, Exams, Investigations, Enforcement, Operational Process, Due Diligence, Risk Management, Governance, Fund Accounting and Taxation;
• Detailed, comprehensive and unbiased coverage of over 4,000 subjects;
• Over 1,500 pages of Textbooks and Course Materials;
• Practical and actionable guidance, including extensive case studies.

For more information, please contact the RCA at 800.306.6133 or visit www.rcaonline.org

Page 4: Service Organization Controls (SOC) Reports for Institutional Investors: What You Need to Know™

Page 5: Agenda

• SOC report overview
• SOC report structure
• SOC report section considerations

Page 6: SOC Report Overview

Page 7: SOC Reporting Needs

Who will use the communication?
• Direct consumer
• User entity
• Business Partner
• Management / BOD
• User service organization
• Regulator
• Other

User’s areas of interest?
• Internal controls over financial reporting
• Security
• Availability
• Processing Integrity
• Confidentiality
• Regulatory/Self Regulatory
• Contractual Compliance
• Privacy

User’s business purpose for the communication?
• Meet audit needs
• Governance/Risk Management
• Vendor Management
• Regulatory Compliance
• Contractual Compliance
• Internal report-management confidence
• Enhance trust regarding service

What ‘criteria’ will the report measure against?
• Financial statement assertions
• Industry standards
• Contractually specified
• Regulatory requirements
• Other

Conclude on the report type and distribution method?
• SOC 1 (AT801)
• SOC 2
• SOC 3
• Agreed Upon Procedures
• Findings & recommendations (internal-use, no assurance provided)

Page 8: Service organization controls (SOC) reports

‘SOC 1’ reports: Provides information about controls at a service organization relevant to internal control over financial reporting.
• Type I SOC 1 report: Report on controls placed in operation at a specific date. Looks at the design of the controls – not operating effectiveness. Considered for information purposes only.
• Type II SOC 1 report: Report on controls placed in operation and tests of operating effectiveness for a period of time. Identifies instances of non-compliance.

‘SOC 2’ reports: Provides information about internal control at the service organization related to security, availability, processing integrity, confidentiality, or privacy.

‘SOC 3’ reports: Provides information about the service organization’s achievement of the Trust Services criteria.

Page 9: Key SOC Stakeholders

(The original slide is a matrix mapping each stakeholder to the SOC 1, SOC 2 and SOC 3 report columns; only the row labels survived extraction.)
• Service organization (e.g. Investment Manager, Transfer Agent, Fund Administrator)
• Service auditor
• User organization (e.g., Institutional Investor)
• Sub-service organization (e.g., Data center provider, Transaction processor) and Vendor organizations
• User auditor

Page 10: The SOC 1 Report is for a User Auditor Performing a Financial Audit

Professional Standards such as AT801 provide guidance to enable an independent auditor (service auditor) to issue an opinion on a service organization’s description of internal controls.

(Diagram labels: Service organization; Service auditor; SOC 1 Report; User organization (three shown); User auditor (three shown).)

Page 11: Benefits of Having a SOC Report

Service organization control report benefits (the slide groups these as External and Internal):
• Independent evaluation of processes and controls, and gap identification
• Customer due diligence process (e.g. new investor)
• Existing customer demands for greater assurance on controls (e.g. NAV calculation)
• Reduction of coordination with your customers’ auditors
• Demonstrate trustworthiness

Page 12: SOC Report Elements and Structure of Report

Page 13: SOC 1 – Elements

System description: Services provided; Procedures; Accounting records; Significant events; Entity-level controls; Reporting; User control considerations.

System: People; Processes; Applications; Infrastructure.

• User entities’ financial statement assertions
• Control objectives
• Risk assessment
• Controls

“Reasonable basis” for management asserting controls were consistently applied:
• Existing testing/validation
• On-going monitoring
• Limited additional testing

Management’s written assertion; Service auditor’s report.

Page 14: Typical SOC Report Structure

Section 1: Management assertion
Section 2: Auditor’s report (including opinion)
Section 3: Description of the systems
• Description of organization and general control environment
• Description of processes being covered by the report
Section 4: Control matrix
• Management’s control objectives for areas in scope
• Controls supporting the control objectives
• Auditor’s tests of the controls (Type II only)
• Results of the auditor’s tests (Type II only)
Section 5: Other information provided by management

Page 15: Section 1 – Management’s Assertion

Overview
Management must provide a written assertion to accompany the description of the system as to the completeness and accuracy of the information provided and state the criteria used as a basis for making the assertion.

Considerations
• Is the system description complete and fairly stated?
• Have known control deficiencies been identified?
• Are sub-service organization controls included within the report?
• Assertions must also be obtained for any “inclusive” sub-service providers.
• Management is required to do an independent risk assessment.

Page 16: Section 1 – Management’s Assertion

Evaluating management’s assertions
• What is the coverage period? Does it meet your needs?
• Are the criteria complete?
• Any sub-service organizations? If so, are they carved-out or included?
• Anything unusual?

Page 17: Section 2 – Auditor’s Report

Overview
Independent Auditor opinion on design and operating effectiveness of controls.

Considerations

Type I
• Reports on controls placed in operation at a point in time (one date)
• Looks at the design of controls – not operating effectiveness
• Considered for information purposes only
• Not considered of significant use for purposes of reliance by user auditors/organizations
• Bridge to Type II report

Type II
• Reports on controls placed in operation and tests of operating effectiveness (for a period of time)
• Differentiating factor: Includes Tests of Operating Effectiveness
• Identifies instances of non-compliance
• More emphasis on evidential matter (more comprehensive than Type I – testing of key controls)
• Usually a minimum period of six months will be reviewed for Type II Reports

Page 18: Section 2 – Auditor’s Report

Evaluating the Auditor’s report
• What standard is used?
• Who is this firm?
• Where was it issued?
• Any carve-out or unusual items noted in the scope description?
• Any qualifications?
• Any inconsistencies with professional standards or unusual items?

Maximizing the report coverage
• A minimum of 9 months coverage is considered full coverage
• Sufficiency of the period is professional judgment
• If you do not have a sufficient amount of coverage, consider:
  • Inquiring of management if any key changes from the service organization have been observed or communicated
  • Requesting an additional report
  • Inquiring of the service organization or obtaining a bridge letter
  • Conducting additional procedures at the service organization or user entity

Page 19: Section 3 – Description of the System

Overview
Description of organization and general control environment. Control environment components:
• Human resource policies and practices
• Integrity and ethical values
• Commitment to competence
• Management reporting and oversight
• Management’s philosophy and operating style
• Organizational structure
• Assignment of authority and responsibility
• Internal audit
• Global compliance

Description of processes being covered by the report
• Known as the “narratives”
• Includes a general description of the service organization’s controls, policies and procedures for each process

Page 20: Section 3 – Description of the System

Considerations

Scope of system
• Defined by management
• Customized to the needs of users
• Evaluated by the auditor
• Relevant to the audit of a user’s financial statements

Evaluating scope of system
• Services, systems, locations covered
• Does it cover the areas of concern? What is missing?
• Map to areas of concern
• Match to contractual requirements
• Completeness, accuracy, timeliness, etc.

Page 21: Section 3 – Description of the System

Evaluating the Description of the system
• Start with the results/outputs: identification of key reports and data feeds; completeness and accuracy of reports
• Work backwards: description of process; key steps; inputs along the way
• Compliance requirements
• Is it at the right depth? What is missing? What strikes you as curious?

Page 22: Section 4 – Control Objectives and Test of Controls

Overview
Specify the control objectives of the system and state those control objectives in the description of the system.
• Specific identification of controls to be tested
• Description of tests performed
• Results of tests

Page 23: Section 4 – Controls, Control Objectives and Test of Controls

What is a control?
A control is an activity that is performed that helps ensure that your procedures were properly performed and that your policies are followed.
• There is often only one control for multiple procedures
• There are often multiple attributes examined for each control:
  • Control was accurately performed
  • Control was completely performed
  • Control was performed timely
  • Control was designed properly

Page 24: Section 4 – Controls, Control Objectives and Tests of Controls

Types of Controls

Manual Controls
• Involve NO reliance on a system/application and are performed by people.
• Example: On a monthly basis, manual incentive allocations are prepared by a staff member and reviewed by a manager using an Excel spreadsheet. After the manager completes the review, the manual allocation file is approved by the client via email.

IT-Dependent Manual (ITDM) Controls
• Have both a manual and a system component (typically EAE).
• Example: The portfolio holdings report from the investments sub-ledger is manually reconciled by a staff member to the custodian, broker, or counterparty statements. All breaks are researched and investigated. The reconciliation is reviewed by a manager.

Application Controls
• Are completely automated and either programmed or configured within the application itself.
• Example: Application X will not allow an unbalanced journal entry to be created/posted.

Page 25: Section 4 – Controls, Control Objectives and Tests of Controls

Evaluating controls
• Are they what is expected? Map to your risks; map to known risk models; map to contractual requirements.
• Are they described in sufficient detail to permit you to separately evaluate their design?
• What processes, technologies, services are missing/weak?

Page 26: Section 4 – Controls, Control Objectives and Tests of Controls

Evaluating tests of controls
• Are the tests described in a way that lets you understand the nature of what was performed?
• Are they the “right” test for the control? Responsive to the control; what would our financial auditor have done?
• Are any deviations described sufficiently to permit the evaluation of the impact?
• What is the service organization management’s response? Have there been any other communications on the issue?

Page 27: Section 4 – Controls, Control Objectives and Tests of Controls

What is the control objective?
• Control objective is the aim or purpose of specified controls at the service organization.
• Control objectives address the risks that controls are intended to mitigate.

Evaluating control objectives
• Identifying information/reports that flow to the financial statements
• Identify financial statement assertions impacted by the information identified
• Evaluate control objectives
• Underlying process control objectives
• Include disclosures
• Electronic audit evidence

Page 28: Section 4 – Controls, Control Objectives and Tests of Controls

What are CUECs (complementary user entity controls)?
CUECs are controls that management of the service organization assumes, in the design of the service provided by the service organization, will be implemented by user entities, and which, if necessary to achieve the control objectives stated in management’s description of the service organization’s system, are identified as such in that description.

Considerations when evaluating CUECs
• Are they relevant to internal control, or a protection mechanism for the service organization/auditor?
• Do they really describe what you should be doing?
• Is it consistent with documentation/contracts, etc.?
• Have you implemented them?
• Have you evaluated their operation?

Page 29: Section 4 – Controls, Control Objectives and Tests of Controls

Evaluating deviations
• Page or control objective number reference
• Affected control objective
• Description of deviation (from report)
• Management’s response, if applicable (this is the response documented in the SOC report by the service organization)
• Effect on our use of the report; consider the following:
  • Relevance of control objective
  • Relevance of systems/locations where issues were identified
  • For deviations, a brief analysis should be performed; simply stating “no effect/no risk identified” is not sufficient
  • Management’s response is considered inquiry only – if the deviation wording does not state additional procedures, you cannot assume management’s response has been tested*

Page 30: Section 5 – Other Information Provided by Management

Overview
Un-audited information provided by management.

Examples of information provided:
• Business Continuity
• Data Protection
• Financial and Regulatory Reporting
• Remediation of control deficiencies

Page 31: SOC Report Common Pitfalls

Page 32: SOC Report Common Pitfalls

• Report is not the correct report
• Location is not correct
• Services are different than the services relied on
• Application we wish to rely on is not covered in the report
• Report is a Type I
• Multiple processes are utilized at the service provider that are covered in separate reports (i.e. ADP AutoPay vs. ADP Payroll Tax)
• Report period is not sufficient

Page 33: Common Pitfalls (cont.)

• Report is qualified or major exceptions exist and are not fully addressed or considered
• Failure to consider and/or evaluate relevant subservice providers
  Note: Some large providers may essentially function as their own subservice provider via processes covered in separate reports (i.e. ADP Hosting Services)
• Restrictions on the use of the reports
• Management response in the unaudited section (i.e. section 5)

Page 34: Common Pitfalls (cont.)

• Inadequate documentation to support that relevant CUECs were tested and operating effectively
• Insufficient documentation to support evaluation of IT-related CUECs (i.e. user access)
• Reliance on an insufficient report that does not describe the tests and results, and so offers little to no value for reliance
• Use of “N/A” to document responses to questions throughout the report; all fields on the form are applicable and must be completed, or the rationale for exclusion should be explained fully

Page 35: IT Considerations

Page 36: IT Considerations

IT General Controls within a SOC report typically include the areas of logical access, change management, and IT operations including job scheduling, back-up and recovery, and incident management.

It is critical to make sure that applications and supporting infrastructure that are significant to relevant business processes and support IT-dependent manual or application controls are specifically included within the scope of the ITGC testing in a report.

Applications that are included in scope are typically defined in a table or chart depicting coverage.

ITGCs for applications outsourced to third-party sub-service organizations are typically carved out of the scope of reports. It is important to understand who owns and operates the individual controls.

Page 37: IT Considerations

IT General Controls (ITGCs) are the support framework of the IT environment. Effective ITGCs provide assurance that automated and IT-dependent controls function as intended over time.

Page 38: IT Considerations

It is critical to make sure that application controls are adequately tested within SOC reports.

Application controls are commonly grouped into five categories.

Page 39: IT Considerations

The table below shows the expected testing for the different categories of application controls and the procedures that can be used to test such controls.

Page 40: Market Trends and Key Client Issues

Page 41: Several Market Forces are Driving Changes in Customers’ Information Needs

Customers’ needs are driven by:
• Increased dependency on service organizations
• Increased focus on vendor risk management
• New and modified professional standards
• Heightened security risks
• Evolving law and regulations
• Technological advancements

Page 42: Customers’ Perspectives of Risks and Information Needs Vary Significantly

Questions customers ask:
• Does my vendor have the controls and process in place to protect my reputation?
• Can I rely on the services I am buying?

Risk areas and drivers shown on the slide: Confidentiality; Cloud; SOX; GLBA; FFIEC; OCC; FISMA; Processing integrity; Privacy; Identity theft; Data reliability; SLAs; Availability; Attack and Pen.; Security; BCP/DR.

Page 43: Regulatory Risks

Executive Order 13636, “Improving Critical Infrastructure Cybersecurity”, issued in 2013
• Directed NIST (National Institute of Standards and Technology, an agency of the U.S. Department of Commerce) to develop a framework for reducing cyber risks to critical infrastructure.
• Many financial service organizations are considered to be part of the “critical infrastructure.”

NIST Cybersecurity Framework was issued in February 2014
• Currently the most generally accepted framework available for managing cyber risks
• Broken into five functions:
  • Identify: Asset management, business environment, governance, risk assessment, risk management strategy
  • Protect: Access control, awareness and training, data security, information protection, maintenance, protective technology
  • Detect: Anomalies and events, security continuous monitoring, detection processes
  • Respond: Response planning, communications, analysis, mitigation, improvements
  • Recover: Recovery planning, improvements, communications

In 2014 and 2015, the SEC Office of Compliance Inspections and Examinations (OCIE) issued Risk Alert guidance noting its intent to examine the cybersecurity preparedness (based on the NIST Cybersecurity Framework) of investment advisors, broker-dealers, and transfer agencies.

In 2015, SIFMA indicated its support of the use of SOC 2 reports to help address cybersecurity risks at third-party vendors; it identifies the NIST Cybersecurity Framework.

Page 44: Customers Are Commonly Asking For

(Chart: each item is rated on a scale from “Significant decrease” to “Significant increase” in the original slide.)
• New SOC reports
• Changes to existing SOC reports
• Questionnaires
• Cybersecurity
• On-site audits

Service organizations have indicated an increase in the volume of inquiries across all of these areas.

Page 45: What Elements of Quality are Customers Focused On?

Service organizations have indicated a medium to high volume of inquiries from customers in each of these areas (chart scale: Low to High):
• Completeness and accuracy of data
• Completeness and accuracy of reports
• Precision of review controls
• Level of detail in the system description
• Level of detail for deviations

Service organizations are commonly addressing these inquiries by:
► Building additional detail into the SOC report
► Ad hoc responses

Page 46: What Are Other Service Organizations Doing?

What reports did other service organizations issue in 2014? (Pie chart; legend: SOC 1, SOC 2, SOC 3, Other; values shown: 75%, 13%, 6%, 6%.)

Why?
• SOC 1: reports are often used to address contractual requirements, for marketing or RFP response, and for vendor risk management programs.
• SOC 2: additional marketplace education is needed to maximize the value of a SOC 2 report for a vendor risk management program.
• SOC 3: marketing value is a common driver.

Page 47: Disclaimer - Regulatory Compliance Association...Type II SOC 1 report Report on controls placed in operation and tests of operating effectiveness for a period of time Identifies instances

How Are Other Service Organizations Utilizing SOC 2 and SOC 3 Reports?

Principles addressed in SOC 2 and SOC 3 reports (chart): Security 38%, Availability 20%, Confidentiality 28%, Processing integrity 13%, Privacy 1%

• Security is often perceived as the baseline principle for SOC 2 and SOC 3 reports
• The Privacy principle has historically been included only to a limited extent, but is expected to grow as the underlying criteria change in 2016 to align with the other principles
• Processing integrity is often applied to transaction-based services and is expanding to other types of processes
• Availability and Confidentiality are commonly included with Security
• SOC 2 and SOC 3 reports can be effective tools for marketing or RFP response and for addressing vendor risk management focus areas

► EY issued more than 150 SOC 2 and SOC 3 reports in 2014


How Can I Maximize My Return On Investment For a SOC 2 Report?

Report | Level of effort | Opinion from auditor: trust services principles | Opinion from auditor: additional framework
SOC 2 | Baseline | ✓ |
SOC 2 with a mapping to another framework | | ✓ |
SOC 2+ including another framework | | ✓ | ✓

SOC 2+ reports can be an effective way to consolidate frameworks and compliance with regulatory requirements into a more broadly usable reporting format. These reports offer more flexibility to meet readers’ needs.


SOC 2 Reporting Benefits

Build competitive advantage – Companies can use the SOC 2 reports as a market differentiator.

Assist clients with vendor oversight activities – New and emerging regulations establish vendor management requirements; a SOC 2 report will assist client management with monitoring the services provided by outsourced third parties.

Enhance client communications – A well described system in a SOC 2 report can increase transparency to clients and enhance their understanding of outsourced internal controls.

Manage client support costs – A SOC 2 report can be used to reduce client audits, due diligence/vendor risk questionnaires and on-site visits, while providing an added level of assurance.

Satisfy contractual agreements – New clients may request a SOC 2 report as part of their contract; existing clients may amend their contracts.

Improve/lean your processes – SOC 2 assessment activities generate process improvement ideas and opportunities to further centralize and standardize processes and controls.


Appendix: Illustrative Control Objectives for an Investment Manager


Investment Manager: Common Scope Options

Investment management activities
• Security Set-up and Maintenance
• Account Set-up and Maintenance
• Trade Processing
• Trade Confirmation and Settlement
• Trade Allocation
• Income Processing and Recording
• Corporate Actions
• Investment Valuation (completeness/recording)
• Reconciliations (cash and position)
• Fund Expenses/Accruals
• Accretion/Amortization of Discounts/Premiums
• Realized and Unrealized Gains/Losses
• Cash Payments
• Client Reporting
• Portfolio Compliance
• Profit and Loss Allocation
• Management Fees
• Incentive Fees/Performance Allocation
• Investor Inflows
• Investor Outflows

Information technology
• Change Management
• Logical Security
• Physical Security
• Application Software Maintenance
• System Software Maintenance
• Computer Operations/Job Scheduling
• Backup and Recovery


Illustrative Control Objectives

New account setup and administration. Controls provide reasonable assurance that...
• new accounts are authorized and set up in accordance with client instructions and guidelines in a complete, accurate and timely manner.
• account modifications are authorized and implemented in a complete, accurate, and timely manner.
• new account holdings and cash are reconciled to custodian bank statements in a complete, accurate, and timely manner.

Security setup. Controls provide reasonable assurance that...
• new securities and changes to existing securities are authorized and entered in the security master file in a complete, accurate and timely manner.


Illustrative Control Objectives

Investment transaction processing. Controls provide reasonable assurance that...
• investment transaction instructions are authorized and entered into the system in a complete, accurate, and timely manner.
• portfolio guidelines are monitored and exceptions are identified and resolved in a complete, accurate, and timely manner.
• allocations are approved by the portfolio manager.
• block orders are allocated to clients on a pro rata basis for equity trades and a predetermined allocation for fixed income trades.

Confirmation, affirmation, or settlement. Controls provide reasonable assurance that...
• investments are settled in a complete, accurate, and timely manner.
• custodians are informed of transactions in a complete, accurate, and timely manner.


Illustrative Control Objectives

Loans. Controls provide reasonable assurance that...
• loans and collateral are authorized, processed and recorded in a complete, accurate, and timely manner.
• collateral on loans is invested in accordance with the lender agreement and recorded and monitored in a complete, accurate, and timely manner.
• loan repayments are processed and recorded in a complete, accurate, and timely manner.

Pricing. Controls provide reasonable assurance that...
• security prices are received from an authorized source and updated in a complete, accurate, and timely manner.
• price overrides are authorized and processed in a complete, accurate, and timely manner.


Illustrative Control Objectives

Corporate actions. Controls provide reasonable assurance that...
• corporate action notices are identified and received from an authorized source and are updated in the system in a complete, accurate, and timely manner.

Investment income. Controls provide reasonable assurance that...
• interest, dividend, and other income information is received from an authorized source and recorded in a complete, accurate, and timely manner.
• cash received for interest and dividends is processed in a complete, accurate, and timely manner.

Money movement. Controls provide reasonable assurance that...
• money movement (receipts and disbursements) is authorized and processed in a complete, accurate, and timely manner.


Illustrative Control Objectives

Custodian reconciliation. Controls provide reasonable assurance that...
• security positions and cash balances reflected in the portfolio accounting system are reconciled in a complete, accurate, and timely manner.

Fees. Controls provide reasonable assurance that...
• investment management fees and other expenses are authorized, calculated, and recorded in a complete, accurate, and timely manner.

Net asset valuation. Controls provide reasonable assurance that...
• net asset values are authorized and calculated in a complete, accurate, and timely manner.

Account statements and client reports. Controls provide reasonable assurance that...
• account statements and client reports detailing client account holdings and market values are complete, accurate, and provided to clients in a timely manner.


Illustrative Control Objectives

Investor inflows and outflows. Controls provide reasonable assurance that...
• investor subscriptions and redemptions received are processed in a complete, accurate, and timely manner in accordance with the investor requests and the company’s policies and procedures.

Allocations. Controls provide reasonable assurance that...
• investor allocations are calculated and recorded in a complete, accurate, and timely manner.


Illustrative Control Objectives

Information security. Controls provide reasonable assurance that…
• logical access to programs, data, and computer resources is restricted to authorized and appropriate users, and such users are restricted to performing authorized and appropriate actions.
• physical access to computer and other resources is restricted to authorized and appropriate personnel.

Change management. Controls provide reasonable assurance that…
• changes to application programs and related data management systems are authorized, tested, documented, approved, and implemented to result in complete, accurate, and timely processing and reporting of transactions and balances.
• network infrastructure is configured as authorized to (1) support the effective functioning of application controls to result in valid, complete, accurate, and timely processing and reporting of transactions and balances and (2) protect data from unauthorized changes.


Illustrative Control Objectives

Computer operations. Controls provide reasonable assurance that…
• application and system processing are authorized and executed in a complete, accurate, and timely manner, and deviations, problems, and errors are identified, tracked, recorded, and resolved in a complete, accurate, and timely manner.
• data transmissions between the service organization and its user entities and other outside entities are from authorized sources and are complete, accurate, secure, and timely.
• data is backed up regularly and is available for restoration in the event of processing errors or unexpected processing interruptions.


Illustrative AICPA Definitions

Carve-out method. Method of addressing the services provided by a subservice organization whereby management’s description of the service organization’s system identifies the nature of the services performed by the subservice organization and excludes from the description and from the scope of the service auditor’s engagement the subservice organization’s relevant control objectives and related controls. Management’s description of the service organization’s system and the scope of the service auditor’s engagement include controls at the service organization that monitor the effectiveness of controls at the subservice organization, which may include management of the service organization’s review of a service auditor’s report on controls at the subservice organization.

Complementary user entity controls. Controls that management of the service organization assumes, in the design of the service provided by the service organization, will be implemented by user entities, and which, if necessary to achieve the control objectives stated in management’s description of the service organization’s system, are identified as such in that description.

Control objectives. The aim or purpose of specified controls at the service organization. Control objectives address the risks that controls are intended to mitigate.

Controls at a service organization. The policies and procedures at a service organization likely to be relevant to user entities’ internal control over financial reporting. These policies and procedures are designed, implemented, and documented by the service organization to provide reasonable assurance about the achievement of the control objectives relevant to the services covered by the service auditor’s report.

Controls at a subservice organization. The policies and procedures at a subservice organization likely to be relevant to internal control over financial reporting of user entities of the service organization. These policies and procedures are designed, implemented, and documented by a subservice organization to provide reasonable assurance about the achievement of control objectives that are relevant to the services covered by the service auditor’s report.

Criteria. The standards or benchmarks used to measure and present the subject matter and against which the service auditor evaluates the subject matter.


Illustrative AICPA Definitions

Inclusive method. Method of addressing the services provided by a subservice organization whereby management’s description of the service organization’s system includes a description of the nature of the services provided by the subservice organization as well as the subservice organization’s relevant control objectives and related controls.

Internal audit function. The service organization’s internal auditors and others, for example, members of a compliance or risk department, who perform activities similar to those performed by internal auditors.

Report on management’s description of a service organization’s system and the suitability of the design of controls (referred to in this section as a type 1 report). A report that comprises the following:
a. Management’s description of the service organization’s system.
b. A written assertion by management of the service organization about whether, in all material respects, and based on suitable criteria,
   i. management’s description of the service organization’s system fairly presents the service organization’s system that was designed and implemented as of a specified date.
   ii. the controls related to the control objectives stated in management’s description of the service organization’s system were suitably designed to achieve those control objectives as of the specified date.
c. A service auditor’s report that expresses an opinion on the matters in (b).


Illustrative AICPA Definitions

Report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls (referred to in this section as a type 2 report). A report that comprises the following:
a. Management’s description of the service organization’s system.
b. A written assertion by management of the service organization about whether, in all material respects, and based on suitable criteria,
   i. management’s description of the service organization’s system fairly presents the service organization’s system that was designed and implemented throughout the specified period.
   ii. the controls related to the control objectives stated in management’s description of the service organization’s system were suitably designed throughout the specified period to achieve those control objectives.
   iii. the controls related to the control objectives stated in management’s description of the service organization’s system operated effectively throughout the specified period to achieve those control objectives.
c. A service auditor’s report that
   i. expresses an opinion on the matters in (b).
   ii. includes a description of the tests of controls and the results thereof.

Service auditor. A practitioner who reports on controls at a service organization.

Service organization. An organization or segment of an organization that provides services to user entities, which are likely to be relevant to those user entities’ internal control over financial reporting.

Service organization’s assertion. A written assertion about the matters referred to in part (b) of the definition of Report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls, for a type 2 report.


Illustrative AICPA Definitions

Service organization’s system. The policies and procedures designed, implemented, and documented by management of the service organization to provide user entities with the services covered by the service auditor’s report. Management’s description of the service organization’s system identifies the services covered, the period to which the description relates (or in the case of a type 1 report, the date to which the description relates), the control objectives specified by management or an outside party, the party specifying the control objectives (if not specified by management), and the related controls.

Subservice organization. A service organization used by another service organization to perform some of the services provided to user entities that are likely to be relevant to those user entities’ internal control over financial reporting.

Test of controls. A procedure designed to evaluate the operating effectiveness of controls in achieving the control objectives stated in management’s description of the service organization’s system.

User auditor. An auditor who audits and reports on the financial statements of a user entity.

User entity. An entity that uses a service organization.


Conclusion


Speaking Faculty Biographies


Michael E. Cyran, CPA, Partner, EY

Michael E. Cyran is a partner in the New York Financial Services Office with over 22 years of experience in the financial services sector. He focuses on asset management organizations, and specializes in working with investment advisors, registered investment companies, alternative investment funds, structured products and investment management operations.

Mike is the SOC leader for Ernst & Young’s New York Financial Services Office as well as Ernst & Young’s Global Asset Management practice. He leads many of the global fund administration SOCs that the Firm services.

Mike has extensive experience in the securitization of collateralized debt obligations and other asset backed securities, having worked in E&Y’s Structured Finance Advisory Services group for over two years as a senior manager.

Mike possesses deep knowledge in investment management and transfer agency operations, fund administration, and valuation and accounting for derivatives, asset-backed and illiquid securities. Mike is a frequent speaker on various technical and operational topics at industry conferences.


Maclar Ampanas, CPA, Senior Manager, Financial Services, EY

Maclar Ampanas is a Senior Manager in EY’s Core Assurance practice with about 10 years of experience providing assurance and advisory services to asset management clients in New York. Her clients include large complex structures as well as start-up and single-investor funds. Maclar has extensive experience in the financial statement audits of hedge funds, mutual funds and private equity funds with diverse investment strategies and products including, but not limited to, equities, fixed income, real estate, distressed debt and trade claims, private investments, derivatives, energy and reinsurance and reinsurance-related products.

In addition to financial statement audits, Maclar also managed the review of the middle- and back-office and fund administration services of global fund administrators, where she gained a deeper understanding of fund operations and administration. She has strong experience with Sarbanes-Oxley Section 404 testing, compliance reviews, and complex accounting analysis involving compensation accounting, securitizations, transfer/sale accounting, netting and consolidation.

Prior to joining the New York Office of EY, Maclar worked for 4 years in EY Manila and 3 years in KPMG Manila. Her prior work experience covered a wide variety of industries including manufacturing, real estate, entertainment, broker-dealers, insurance, financial institutions, and asset management, among others.

Maclar is a member of the American Institute of Certified Public Accountants and the New York State Society of Certified Public Accountants. She graduated cum laude from the University of Saint Louis in the Philippines with a degree in Bachelor of Science in Accountancy.


Keith Bispala, CPA, Senior Manager, Financial Services, IT Risk, EY

Keith Bispala is a senior manager in EY’s Financial Services Office (FSO) and currently serves as the FSO Advisory service organization control reporting (SOCR) solution leader. He has more than 16 years of experience in information technology risk and controls advisory services and has provided a broad range of IT services to Fortune 500 companies in direct support of their business objectives. He has extensive experience leading large SOCR, financial audit IT (FAIT) support, SOX, and IT internal audit co-sourcing engagements. He also has significant experience leading information security and privacy assessments and independent pre- and post-system implementation reviews.

Professional experience
• Currently leads SOC reporting engagement at top 5 bank with a portfolio of 28 SOC reports, including 8 Wealth and Asset Management specific SOC 1s
• Currently leading SOC 2 pre-assessment engagement over Security, Availability, Confidentiality, and Privacy principles at large financial organization
• Led SOC reporting and SOX engagements at large Wealth and Asset Management client, including several SOC 1s for institutional investor services
• Led multiple SOC 2 pre-assessments over Security, Availability, Processing Integrity and Privacy principles at large insurance organization
• Led SOC reporting engagement at top 25 global insurance client with a portfolio of 15 SOC reports

Skills
• Certified Public Accountant (CPA)
• Certified Information Systems Auditor (CISA)


Jessica DeRosa, Senior Manager, Advisory Services, EY

Jessica DeRosa is a Senior Manager in the Advisory Services practice of Ernst & Young LLP. She has over thirteen years of information systems auditing experience, specializing in the Financial Services Industry. Jessica has assisted global financial service companies with evaluating their information technology internal control environments to determine compliance with regulatory requirements (SOX 404, ISO 17799:2005, ISO 27001/27002, FFIEC IT Handbooks, GLBA) and the effectiveness of the information technology control environment.

Jessica is a Certified Information Systems Auditor (CISA). She is a member of the New York Chapter of the Information Systems Audit and Control Association (ISACA), and the International Association of Privacy Professionals.

Jessica has a B.S. in Management with dual concentrations in Finance and MIS from the State University of New York College at Binghamton and an executive Masters in Business Administration from Columbia University.


Elyse Reilly, Senior Manager, FSO Assurance, EY

Elyse Reilly is a New York-based Senior Manager in the Financial Services Office (FSO) Assurance practice of Ernst & Young LLP. She has ten years of experience in the financial services industry serving asset management clients. Industry exposure includes SOC 1 experience, domestic and offshore hedge funds, fund-of-funds; SEC, CFTC, CIMA registrants, Irish domiciled entities and Luxembourg SARLs.

Elyse is currently the lead senior manager on the largest global hedge fund administrator SOC 1. She has been involved in the implementation of ISAE 3402 and SSAE No. 16. Prior to stepping into a managerial role, Elyse was the lead business process senior on the SOC 1 engagement: she planned and coordinated team logistics, designed tests that suitably fulfill the objectives of a SOC 1 report, supervised a team of staff and seniors, documented the outcome of the test work and concluded on the effectiveness of the controls as prescribed in the SOC 1 report. Elyse traveled to the UK, Ireland and India on multiple occasions to execute walkthroughs of the significant processes.

Elyse is also the lead senior manager on a $13 billion fund whose strategy primarily resides in the distressed debt and private investments space. The complex includes 55 fund structures which include hedge funds, private equity and hybrid funds. There is an extensive amount of work on ASC 740 as well as rather complex valuation issues with regard to their private investments, CLOs and bank debt.
