PowerPoint example with several slide variations
Author: BK10943. Created: 12/16/2019 2:08:34 PM
After attending this presentation, participants will be able to:
– Understand the different types of SOC reports and what they cover
– Learn why an organization would request a SOC report
– Recognize the key elements in a SOC report
“SOC” report = System and Organization Control report
– Service organization
– User organization
– Service auditor
– User auditor
– Subservice organization
– CUEC
– CSOC
– Type 1
– Type 2
What are the different types of SOC reports?
– SOC 1
– SOC 2
– SOC 3
– SOC for cybersecurity
– SOC for supply chain
– SOC 2+
SOC 1
Control objectives and control activities relevant to internal controls over financial reporting (ICFRs)
SOC 2
Utilizes the Trust Services Criteria
SOC 3
Similar to a SOC 2, but for broader distribution (uncommon)
SOC for cybersecurity
Reports on an organization’s cybersecurity program
SOC for supply chain
Currently under development by the AICPA
SOC 2+
Allows the addition of “other suitable criteria” such as HIPAA, HITRUST, etc.
Drivers of SOC reports
Increased momentum for stronger vendor risk management, driven by internal and external factors:
– Increased number and complexity of vendor relationships
– Inability to identify relevant risks by vendor
– Key organizational initiatives involve strategic partnerships
– Increased frequency and magnitude of cyber attacks
– Regulatory focus on vendors as a component of enterprise risk management
– Executive accountability by boards for managing risks
SOC reporting options
The “best” option is subjective, based on the nature and risks of outsourced services and user entity requests.
Q: Which type of SOC examination report should a service organization provide?
A: Typically, there isn’t a “right” answer, and the type of report is based on what their clients are asking for.
Polling question #2
Do you utilize a service provider and do they provide you with a SOC report?
a) We utilize a service provider but they do not provide us with a SOC report
b) We receive a SOC 1 from our service provider
c) We receive a SOC 2 from our service provider
d) We receive both a SOC 1 and SOC 2
e) Not applicable or not sure
There are 5 sections
Section 1 – Opinion
– Opinion covers:
- Fairness of presentation
- Design of controls
- For Type 2 – test of operating effectiveness over a period of time
– Qualification
- SOC 1 is qualified at the objective level
- SOC 2 is qualified at the criteria level
- Pervasiveness of failure and presence of compensating controls help determine qualification
– Subservice providers
– Reference to Section 5
– CUECs
Section 2 – Management’s Assertion
– Similar to opinion
– Fairness of presentation
– Design
– Operating effectiveness
Section 3
– Overview of operations
– System description/components/transaction processing
– COSO components – relevant aspects of:
- Control environment
- Risk assessment
- Monitoring
- Information and communication
– Complementary user entity controls
– Description criteria (if applicable)
Section 4 – Controls matrix, testing, results
– Includes the service organization’s control activities to address the control objectives (SOC 1) or the Trust Services Principle(s) criteria (SOC 2)
– Includes the service auditor’s tests of controls
– Includes test results
– The “meat” of the report
Section 5 – Other information provided by management
– Management responses to testing exceptions
– Disaster recovery
– Not covered by opinion
– Must be disclaimed in opinion