SOC 1 / SOC 2 Diagnostic, Documentation and Attestation

Upload: trinhmien

Post on 27-Apr-2018


Page 1: SOC 1 / SOC 2 Diagnostic, Documentation and Attestation

Page 2

SAS 70 / SSAE 16 / SOC 1 / SSAE 18 / SOC 2 etc

SAS 70 → SSAE 16 → SSAE 18

Effective May 1, 2017, SSAE 16 is now SSAE 18. All SOC 1, SOC 2 and SOC 3 reports are done under the SSAE 18 standards. SAS 70 and SSAE 16 are old terms.

Page 3

This logo is worth a lot to YOU... and us

Page 4

SOC Report Background

Page 5

What are SOC Reports

“Service Organization Control reports are designed to help service organizations, organizations that operate information systems and provide information system services to other entities, build trust and confidence in their service delivery processes and controls through a report by an independent certified public accountant.”

– American Institute of Certified Public Accountants (AICPA)

Page 6

Types of SOC Reports

SOC 1
• Previously called SSAE 16
• Mainly financial reporting and operations related controls

SOC 2
• Trust Principles
• Defined list of criteria
• Restricted use

SOC 3
• Trust Principles
• Can be shared with the general public and on a website


Page 8

Opinion structure in the attestation report

Scope of report / opinion | Type 1 | Type 2
Fairness of the presentation of management’s description of the service organization’s system | As of a specified date | Throughout a specified period
Suitability of the design of the controls to achieve the related control objectives included in the description | As of a specified date | Throughout a specified period
Operating effectiveness of the controls to achieve the related control objectives included in the description | n/a | Throughout a specified period

Two types of Reports for SOC 1 and SOC 2:

• Type 1: A report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.

• Type 2: Same as the Type 1 report but also includes 1) the service auditor’s opinion on the operating effectiveness of the controls and 2) a description of the service auditor’s tests of the operating effectiveness and the results of those tests throughout a specified period.

• In a Type 2 engagement, the service auditor’s opinion covers the period


Page 10

SOC Audit Proposal


Page 12

List of Policies and Documents

• Organisation Charts
• Setup of Committees, Meetings, Charters, roles etc
• Roles and Responsibilities, Job Descriptions of all positions
• Information Security Policy (various sub-policies forming part of the security policies)
• Logical and Physical Access procedures
• System / network diagrams, boundaries
• Change Management Policy, process and formats/logs
• Incident Management Policy, process and formats/logs
• Release Management
• Data Classification Policy
• Periodic Security Monitoring Framework / Dashboards
• Risk Identification and Assessment Process
• Disaster Recovery
• Business Continuity Policy
• Code of Conduct
• HR Manual
• Performance appraisals
• Information Security Awareness Training

Page 13

Riskpro’s SSAE / SOC Clients (Our Clients: IT Companies / SSAE Clients; client logos)

*Any trademarks or logos used throughout this presentation are the property of their respective owners


Page 16

Riskpro’s Network Presence

• New Delhi
• Mumbai
• Bangalore
• Ahmedabad
• Pune
• Agra
• Salem
• Kolkata
• Hyderabad
• Chennai
• Jaipur

Page 17

SERVICES

Risk Management Advisory Services
• Basel II/III Advisory: Market Risk, Credit Risk, Operational Risk, ICAAP
• Corporate Risks: Enterprise Risk Assessment, Fraud Risk, Risk based Internal Audit, Operations Risk, Forensic services
• IT Risk Advisory: IS Audit, IT Service Management, IT Assurance, IT Governance
• Operational Risk: Process reviews, Policy / Process Review, Process Improvement, Compliance Risk, Insurance Risk
• Governance: Corporate Governance, Business Strategic risk, Fraud Risk, Forensic Accounting
• Other Risks: Business/Strategic Risk, Reputation Risk, Outsourcing Risk, Contractual Risk

Training
• Banking – E Learning
• Corporate Training
• Regular Risk Management Training
• Online Training material
• Workshops / Events
• AML-KYC / ISO standards - 31000

Recruitment
• Independent Directors for Corporates
• Virtual Risk Managers
• Full Time Risk Professionals
• Part time Risk Professionals
• Risk Managers on call – free

Page 18

Riskpro Clients (Our Clients: Banking / Insurance; Banking - Intl; client logos)

Page 19

Riskpro Clients (Our Clients: Corporate / MNCs; client logos)


Page 21

Riskpro Clients (Our Clients: IT Companies; client logos)

Page 22

Riskpro Clients (Our Clients: Academics / Others; Consulting Firms; client logos)

Page 23

RESUMES – Our team: Credentials

Manoj Jain, Co-Founder - Riskpro
• CA, CPA, MBA-Finance (USA), FRM (GARP)
• Over 10 years international experience – 6 years in Bahrain and 4 years in the USA
• 18 years experience in risk management consulting and internal audits; specialization in Operational Risk, Basel II, SOX and control design
• Worked for Ernst & Young (Bahrain), Arab Investment Company (Bahrain), Navigant Consulting (USA), Kotak Mahindra Bank (India) and Credit Suisse (India)
• SOX compliance project for Fannie Mae, USA ($900+ billion mortgage company)

Casper Abraham, Co-Founder - Riskpro
• PGD (Electrical & Electronics & Computer Programming)
• 30 years of experience in Information & Communications Technology (ICT) Solutions for the Retail, Garments, Manufacturing and Services industries
• Has created Companies, Divisions, Products, Brands, Teams & Markets
• Consulting in Business, Technology, Marketing & Sales and Strategic Planning
• Advisory, Training, Workshops & Implementation in Systems Thinking, Systems Modeling & Balanced Scorecard
• Worked with TIFR, Mahindra, Ambience, Communico-Graphique & Ionidea Inc, USA

Page 24

RESUMES – Our team: Credentials

Medha Kulkarni, Senior Vice President – Governance, Risk and Compliance
• CA, CWA and CISA
• 15 years experience in manufacturing, consulting, and Finance and Accounting Outsourcing
• Specialization in implementation and maintenance of Quality Management Systems, risk based audits and compliance
• Experience in driving best practices and process improvement in a Finance and Accounting Outsourcing company
• Past employment includes Anand Group (axle manufacturing company) and Big 4 advisory firm Ernst & Young

Shriram Gokte, EVP - Risk Management
• BTech, MBA (USA)
• 22 years of work experience, 16 of which were in the risk management domain; 11 years of global experience in the USA & UK
• Ex Chief Risk Officer of Birla Sun Life Insurance & CMS Info System
• Managed Risk & Compliance for two UK based insurance KPOs (Paternoster India & JLT India)
• Core expertise in ERM, Capital Valuation, Operational Risk, Information Security, BCM, Governance & Internal Audit
• CISA, CIA, CMA, FLMI, MBCI qualified

Page 25

RESUMES – Our team: Credentials

Subramanian A., EVP - Technology and Banking
• 30+ years experience in corporate banking, risk management and banking technology project management
• Held senior executive positions in banks in India (State Bank of Mysore, ING Vysya Bank) and in the Middle East (Banque Saudi Fransi)
• Initiated, managed and successfully implemented several information system projects in core banking, credit risk management and management reports
• Experienced in business process review & re-engineering and change management
• Significant experience in Project Management & Vendor Management

Ankit Manglik, SVP - Audit and Risk Management
• Ankit has over 15 years of risk management and internal audit experience, SOX & SSAE compliance, fraud reviews, regulatory compliance reviews, external & tax audits and supporting ERP implementation to ensure effective control design.
• He has headed the audit function for a midsize financial services company and the captive offshore unit of ANZ Bank, one of the big 4 Australian banks. He has also worked in PwC for 8 years and Hewlett Packard for 3 years, where he worked across the industry spectrum including manufacturing, telecom and IT services.
• Ankit has extensive experience with internal audit in financial services and back office operations and has set up internal audit functions for captive units of four different companies.

Page 26

Key Contacts

Corporate
Riskpro India Ventures (P) Limited
[email protected]
www.riskpro.in
B-44, Glaxo Building, Near Mt. Mary’s Steps, Bandra West, Mumbai 400050

Mumbai
• Manoj Jain, Director – M- 98337 67114 – [email protected]
• Shriram Gokte, EVP - Risk Management – M- 98209 94063 – [email protected]
• Rita Shewakramani, SVP - Risk Advisory – M- 98204 [email protected]

Bangalore
• Casper Abraham, Director – M- 98450 61870 – [email protected]
• Ankit Manglik, SVP - Audit & Risk Management – M- 9880401236 – [email protected]

Delhi
• Manoj Jain, Director – M- 98337 67114 – [email protected]

Pune
• M. L. Jain, Principal – Strategy Risk – M- 98220 [email protected]

Chennai
• Vivek Dixit, EVP- Risk and [email protected]
• R. Muralidharan, EVP – Risk Management – M- 95660 77326 – [email protected]
• A Subramanian, EVP – Risk Management – M- 98400 41764 – [email protected]
• PN Venkataraghavan, EVP - Banking & Risk – M- 98840 72990 – [email protected]

Hyderabad / Kolkata
• Phanindra Prakash (Hyderabad) – [email protected]
• Kolkata – [email protected]

Ahmedabad
• Manoj Kumar – M- 98983 65320
• Gourav Ladha – M- 97129 52955

Agra
• Alok Kumar Agarwal (Agra), Member Firm – M- 99971 65253