SOC2 s role in assurance on outsourcers

Transcription

1 SOC2 s role in assurance on outsourcers Mark Russell, EY 5 September 2014

2 Agenda What is SOC2? What does SOC2 give users? Why SOC2? Current market trends How does SOC2 fit with other assurance tools? Experiences around SOC2 Page 1

3 What is SOC2? Owned by American Institute of Certified Public Accountants (AICPA) Designed to provide information on processes and controls at a service organisation, together with an independent service auditor s opinion Processes do not have to be related to financial statement processing unlike SOC1 (ISAE3402 / SSAE16) Based around Principles and Criteria so more of a checklist approach than SOC1 Criteria re-ordered in early Page 2

4 What is SOC2? Trust Services Principles Security Availability Confidentiality Privacy Processing Integrity Must select Common Criteria effectively Security Then add any others you think should be included Must then address ALL criteria for the selected Principles Type 1 design Type 2 operating effectiveness Page 3

5 What is SOC2? System Processing Integrity Security Availability Confidentiality Privacy Scope of SOC1 (AT 801) Scope of SOC 2 and SOC 3 (Trust Services Criteria) Users: User entity controller User entity SOX dept. User auditor Users: User entity security User entity compliance User entity vendor mgmnt Regulators Prospective user entities Users: Anyone Page 4

6 What does SOC2 give users? Management Assertion Independent service auditor s report Description fairly presents the in scope services Controls suitable designed to meet in scope criteria Controls have operated effectively to deliver criteria (Type 2) Description of System Description of Controls, Tests and Results of Tests Page 5

7 What does SOC2 give users? In one word, SOC2 provides INFORMATION Independent assurance on what the service organisation is doing Clear explanation of what was tested, how, so you can assess the relevance of the audit work to your requirements Information on processes and controls so you can better understand what the service organisation is doing Assurance over a defined period of time (Type 2) Page 6

8 Why SOC2? Can cover non financial processes Independent assurance Covers areas not covered by some other standards Availability / Privacy / Confidentiality not explicitly / extensively covered in SOC1 Privacy / Confidentiality not explicitly / extensively covered in ISO SOC2 is more easily tailored to a company s existing control environment Users can more easily benchmark vendors since all must report against the same criteria Page 7

9 How does SOC2 fit with other assurance standards? Map criteria to other frameworks ISO Cloud Security Alliance NIST One set of work can support multiple reports / opinions SOC2 testing is typically thorough and wide-ranging SOC2 Type 2 also covers period of time Page 8

10 Experiences around SOC2 what makes a successful project? Clear understanding of what the users want from the report is SOC2 the right answer? Clear understanding of who does what and how it is recorded i.e. what actually happens, not what is in the procedure manual Single point of contact for the service auditor Understands the service delivery teams Can get things done Pay the service auditor to produce the Description of System Expect deviations and allow time to investigate them Page 9

11 Experiences around SOC2 market reaction Definite increase in demand in Driven by checklist approach Also, availability is seen as better covered Also looking at multiple reports from one set of work SOC1 / SOC2 / SOC3 / HIPAA / ISO27001 Increasing understanding of SOC2 v. SOC1 Your experiences? Page 10

12 Useful links AICPA links for service organisations looking at SOC reports Pages/SOCToolkit_ServiceOrgs.aspx CSA whitepaper on SOC reports in the cloud ohttp:// services/downloadabledocuments/csa-position-paper-onaicpa-service-organization-control-reports.pdf AWS example of presenting certifications to users Page 11

13 Thank you Claus Hansen Mark Russell

14 Disclaimer The information in this pack is intended to provide only a general outline of the subjects covered. It should not be regarded as comprehensive or sufficient for making decisions, nor should it be used in place of professional advice. Accordingly, Ernst & Young LLP accepts no responsibility for loss arising from action taken or not taken by any party using this information. The information will have been supplemented by matters arising from any oral presentation by us, and should be considered in light of this additional information. If you require any further information or explanations, or specific advice, please contact us and we will be happy to discuss matters further. Page 13

15 EY Assurance Tax Transactions Advisory Ernst & Young LLP Ernst & Young LLP. Published in the UK. All Rights Reserved. The UK firm Ernst & Young LLP is a limited liability partnership registered in England and Wales with registered number OC and is a member firm of Ernst & Young Global Limited. Ernst & Young LLP, 1 More London Place, London, SE1 2AF. ey.com