moss adams ssae 16 soc audits
DESCRIPTION
Overview of SOC reporting, Scope and coverage of SOC audits for AIS, Background about Moss Adams, Key terminology, Customers’ responsibilities
TRANSCRIPT
MOSS ADAMS LLP | 1
SOC Audits: Service Organization Reporting
INTRODUCTION
Chris Kradjan, CPA, CITP, CRISC
Chris Kradjan is the National SSAE 16 Leader for Moss Adams. He has been with Moss Adams since 1994, and has been auditing and consulting since 1992. He works routinely with a wide range of complex service organizations to meet their needs. His practice areas include SSAE 16 SOC 1/2/3 auditing, PCI-DSS compliance services, internal controls reviews, Sarbanes-Oxley compliance services, SysTrust/WebTrust audits, and independent technology assessments. Furthermore, Chris is regularly involved with technology and financial controls assessments based on the COSO, COBIT, PCI-DSS, NIST, FISMA, and ISO 27002 frameworks. He serves on the AICPA SOC 2 Task Force and was recently appointed to the AICPA Assurance Services Executive Committee.
OBJECTIVES
• Overview of SOC reporting
• Scope and coverage of SOC audits for AIS
• Background about Moss Adams as your auditors
• Key terminology
• Customers’ responsibilities
• AIS internal contact
MARKET / REGULATORY PRESSURES
• Increased competition
• Sarbanes-Oxley – SEC/publicly traded companies
• HIPAA Security and Privacy Rules – Healthcare
• GLBA – Financial services
• FERPA – Education
• PCI-DSS – Payment card data
• State and local security and privacy laws
• NIST 800-53 – Federal compliance
• ISO 27001 – Security
• Safe Harbor – International
SOC AUDITS
• Represents that AIS has been through an in-depth audit of its system/controls
• For business unit(s) or entire organization
• Discloses controls relevant to customers
• Demonstrates design and operating effectiveness of controls in place
• Follows AICPA standards – can only be issued by CPAs
• Even more important given Sarbanes-Oxley, heightened regulatory conditions, and increasing competition
VALUE OF SOC AUDITS
• Provide customers independent assurance about AIS’ controls
• Satisfy multiple customers through a single audit
• Help AIS differentiate itself from its competition
• Provide independent feedback to management to define and monitor adherence to established operational metrics
• Identify potential opportunities to strengthen the business practices and operating environment at AIS
RELEVANT PARTIES
[Diagram: American Internet Services shown among multiple User Entities and their User Auditors, with Moss Adams]
RELEVANT PARTIES – DEFINED
• Audit of “system”/controls (vs. financial audit)
• AIS performs services (as “service organization”) for its own customers
• In turn, its customers (“user entities”) and their auditors (“user auditors”) want assurance over the AIS systems/controls
• AIS then hired Moss Adams (“service auditor”) to opine on AIS’ systems/controls
MOSS ADAMS
• 11th largest accounting and consulting firm
• Reputable and nationally recognized, celebrating 100 years
• Over 1,800 professionals and 240 partners in 22 offices
• Strong acceptance to relevant customers and industries/markets
• Well established in the tech and data center space
• Professionals serving in important leadership roles through the AICPA, COSO, and other national committees
• Proven technical expertise and industry credentials
• Established SOC auditing and testing processes
• Practical, solution-oriented approach
AUDIT TEAM
Leads
• Chris Kradjan, Partner
• Francis Tam, Partner
• JP Langlois, Supervisor
Highlights
• Led by the SSAE 16 National Practice Leader
• Comprised of a seasoned SOC team
• Security, operations and controls advisors
• SOC, Sarbanes-Oxley, HIPAA, PCI, and internal controls specialists
• CPA, CISA, CISM, CITP, CRISC, PCI QSA
SCOPE
Reports
• SOC 1 Type 2 Audit (SSAE 16 and ISAE 3402)
• SOC 2 Type 2 Audit
• SOC 3 Type 2 Audit
Audit Period Ending: April 30, 2012, April 30, 2013, etc.
Sites
• Lightwave Data Center (LWDC)
• San Diego Tech Center (SDTC)
• Fiber Alley Data Centers #1/#2/#3 (FADC)
• One Wilshire Point of Presence (OWPOP)
• Van Buren Data Center (VBDC)
CONTROL AREAS
SOC 1/ISAE 3402
Control Areas:
• Service Delivery
• Solutions Design
• Computer Operations
• Logical and Physical Security
• Change Management
• Incident Management
• Disaster Recovery Planning
• Business Continuity Planning
SOC 2 and SOC 3
Principles:
• Security
• Availability
Control Areas:
• Policies
• Communication
• Procedures
• Monitoring
ALPHABET SOUP
Historical with SAS 70
• SAS 70 Reporting – AU 324
New with SSAE 16
• SOC 1 – Internal Controls Over Financial Reporting – AT 801
• SOC 2 – AT 101 and Trust Services Principles (Detailed Reporting) – AT 101
• SOC 3 – Trust Services Principles (SysTrust/WebTrust) – AT 101
Type 1 and 2 reporting both still applicable
SOC 2 AND 3 REPORTING
• AICPA SOC 2 Report – AT 101 Attest Engagements: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy (Type 1 and 2 Reports)
• AICPA SOC 3 Report – Trust Services Report: Trust Services Principles, Criteria and Illustrations (Including WebTrust® and SysTrust®)
TRUST SERVICES
• Follows Trust Services Principles, Criteria and Illustrations (Including WebTrust® and SysTrust®)
• The engagement is used to emphasize system reliability
• Based on a prescribed set of control objectives and criteria
• Intended audience is system stakeholders
• No restrictions on report distribution
Principles
o Security
o Availability
o Processing Integrity
o Confidentiality
o Privacy
Control Areas
o Policies
o Communication
o Procedures
o Monitoring
ISAE 3402
• SSAE 16 – United States
• CICA 5970 – Canada
• HKCPA 860.2 – HK/China
• AUS 810 – Australia
• AAF 01/06 – United Kingdom
• Others
REPORT COMPARISON
Source: AICPA © 2011
SOC 1/ISAE 3402
1. Auditor’s report
2. Detailed system description
3. Management assertion
4. Management controls
5. Auditor tests of controls and results of those tests – control objectives
SOC 2
1. Auditor’s report
2. Detailed system description
3. Management assertion
4. Management controls
5. Auditor tests of controls and results of those tests – criteria
SOC 3
1. Auditor’s report
2. Detailed system description
3. Management assertion
4. Management controls
5. Auditor tests of controls and results of those tests
CUSTOMERS’ FIDUCIARY RESPONSIBILITY
• Periodically monitor AIS in a formal manner
• Obtain and maintain an understanding of AIS operations
• Assess policies, procedures and controls in place
• Identify recent changes and reportable issues
• Use the latest SOC Type 2 reports to reduce their own compliance efforts
• Obtain a gap letter/negative assurance letter between reports
CUSTOMERS’ BENEFITS OF SOC REPORTS
• Streamlined way to obtain detailed and regular input on the performance of the service organization
• Provides a clear description of the controls in place
• Independently affirms the controls were (1) designed appropriately, and (2) operating effectively
• Simplifies ability to fulfill fiduciary responsibilities
• Helps focus on exceptions and issues
• May provide them cost savings through reduced audit fees
REVIEWING AN SSAE 16 REPORT
• Audit period covered and whether it is a SOC Type 2 report
• Firm engaged to perform the SOC audits
• Nature of the opinion and if there are any modifications
• Any subservice organizations included or carved out
• Scope of controls and level of detail within control description
• Coverage and sufficiency of the specified control activities
• Extent of changes since prior report
• Nature, timing and extent of testing performed by service auditor
• Nature and extent of exceptions, and their significance
• Review and consideration of the user control considerations
AIS INTERNAL CONTACT
Frank Gaff, VP Service Assurance & Chief Compliance Officer, (858) 576-4272, [email protected]
“In successfully completing its current suite of SOC 1, SOC 2 and SOC 3 Type 2 audit reports, AIS has reinforced its strong commitment to the security and availability of its data center facilities and operations.”
Chris Kradjan, Partner, National IT/SOC Practice Leader, Moss Adams
The material appearing in this presentation is for informational purposes only and is not legal or accounting advice. Communication of this information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although these materials may have been prepared by professionals, they should not be used as a substitute for professional services. If legal, accounting, or other professional advice is required, the services of a professional should be sought.
Chris Kradjan, CPA, CITP, CRISC, Partner, SSAE 16 National Practice Leader, (206) [email protected]