Presentation: The Demise of SAS 70 - What's Next? September 15, 2011
Presenters: Jeffrey Ziplow - Partner, BlumShapiro; Jennifer Gerasimov - Senior Manager, Deloitte.
Agenda:
SAS 70 Background and Overview
Purpose of a SAS 70
SAS 70 Myths
AICPA Trust Services
SSAE 16 Terminology
Similarities Between SAS 70 & SSAE 16
Differences Between SAS 70 & SSAE 16
SOC 2 & 3 Principles & Reporting Overview
The Demise of SAS 70:
The Death of SAS 70
The Birth of SSAE 16
A Realignment of SAS 70 to SSAE 16
SAS 70 Background and Overview:
An auditing standard developed by the American Institute of Certified Public Accountants (AICPA)
Audit standard adopted by AICPA in 1992
End product is a SAS 70 Report - with an opinion
Allows 3rd party service organizations to demonstrate they have adequate controls/safeguards
Between 1992 and 2002, limited use
Sarbanes-Oxley Act of 2002 revived the SAS 70 auditing standard
Since 2002, the most widely recognized and used internal controls auditing standard
SAS No. 70 provides the requirements and guidance for CPAs reporting on controls at service organizations and for user auditors auditing the financial statements of user entities that use a service organization.
Type I - Audit report on the design of controls. Controls are assessed as of a point in time (e.g. 9/15/2010). Limited value.
Type II - Audit report on tests of operating effectiveness. Controls are tested over an agreed period (6 months). Most organizations want this type of report.
Purpose of a SAS 70:
SAS 70 is produced as a result of an audit performed by a CPA to report on the processing of transactions by a service organization.
Over time the use of a SAS 70 report has changed:
Used as a marketing tool
Provides an independent validation/assurance of a service organization to potential clients
It allows the third-party service provider to have one audit and share the results with all of its clients ... but this was not the original purpose or intention!
When a service organization's controls are relevant to the user entity:
The classes of transactions in the entity's operations that are significant to the financial statements.
The procedures, both automated and manual, by which the entity's transactions are initiated, recorded, processed and reported are under the control of an organization separate from the reporting entity.
The occurrence of a transaction that is included in the entity's financial statements does not begin and conclude under the entity's control.
The relevant accounting records, whether electronic or manual, supporting information, and specific accounts in the financial statements involved in initiating, recording, processing and reporting the entity's transactions are under the control of the outsourcer.
SAS 70 Myths:
It's a technology audit only
I have to do a Type I before a Type II
It's an audit with a Pass/Fail status
I only need to do a SAS 70 audit once
Should be used for all types of service organizations in all situations
SAS 70 is a certification
AICPA Trust Services:
SysTrust
WebTrust
Trust Services principles: Security, Availability, Processing Integrity, Confidentiality, Privacy
The globalization of information technology and increase in business process outsourcing.
A highly demanding and changing regulatory environment.
U.S. convergence with international standards.
Better structure with more consistent standards.
SSAE 16 Terminology:
Terminology - SSAE 16
Guidance - Reports on controls at service organizations will now be performed and issued under SSAE 16. A SAS 70 report will no longer exist.
Effective Date - Periods ending on or after June 15, 2011.
Scope - Specific to covering internal control over financial reporting.
Additional Guidance - AICPA Practitioner Guide issued June 2011. The practitioner guide will be usable for both the US and international standards and provide information for practitioners and service organizations.
New Standards & Options:
Service Organization Control 1 (SOC 1) - SSAE 16 service auditor guidance. Restricted use report (Type I or II report). Purpose: reports on controls for F/S audits. Historically SAS 70 reports.
Service Organization Control 2 (SOC 2) - AT 101. Generally restricted use report (Type I or II report). Purpose: reports on controls related to compliance or operations. Based on the Trust Services Principles & Criteria.
Service Organization Control 3 (SOC 3) - AT 101. General use report (with public seal). Purpose: reports on controls related to compliance or operations. Based on the Trust Services Principles & Criteria.
Similarities Between SAS 70 & SSAE 16:
Issuance of Type 1 and Type 2 reports
Management is responsible for the description of the system
Management to specify control objectives
Requirement for management to design and implement controls that achieve the control objectives
Disclosure of complementary user entity controls (UCCs)
Carve-out and inclusive methods of reporting for subservice organizations
Management to provide a representation letter
Restricted use report
Ability to include information in a separate section (i.e. Section 4)
Differences Between SAS 70 & SSAE 16 (Change / Result of the Change):
1. Form of standard - Auditing standard to an attest standard.
2. Applicability of report - Specific to internal control over financial reporting.
3. Type 2 report to cover a period rather than a point in time.
4. Cannot use prior-year evidence to determine operating effectiveness of controls - The opinion will now include coverage throughout the period for design (new), implementation (new), and operating effectiveness. The auditor may not reduce tests of controls below the minimum standards (AU350) based on the results from the prior year.
5. Clearly identify work performed by the Internal Audit function in the description of tests of controls - The description of tests of operating effectiveness needs to include a description of Internal Audit's work and the service auditor's procedures over Internal Audit's work (not applicable for direct assistance).
6. Service auditor to investigate the nature and cause of any deviations and whether these were caused by intentional acts; cannot disclaim a deviation as isolated - The previous standard allowed disclaiming of deviations as isolated incidents. New consideration of intentional acts.
7. Identify risks that threaten the achievement of control objectives - Management needs to identify risks that are included in the evaluation of the design of controls and the development of control objectives [refer to sample at Appendix C].
8. Requirement to assess suitability of criteria - Management needs to select suitable criteria to prepare the description of systems and to evaluate whether controls have been designed, implemented and are operating effectively.
9. Management is required to provide a written assertion - Management needs to have a basis to support their assertion [refer to sample at Appendix A].
10. Subservice organizations are required to provide a similar assertion when the inclusive method is used - An inclusive subservice organization needs to also provide an assertion that is included in the report (inclusive method only).
One of the most significant changes is the requirement for management to provide a written assertion.
The assertion will be included in the report - either attached to or part of the description of the service organization's system.
Management will need to have a reasonable basis for making the assertion.
The standards provide some flexibility in the actual procedures performed by management.
Risk assessment - Service organization management must identify risks that threaten the achievement of the control objectives.
Level of Assertion (reasonable basis for management's assertion*):
No Basis - Example procedures: service auditor performs testing and issues report. Supporting documentation: none.
Ongoing Monitoring - Example procedures: management reporting and other oversight activities; management risk assessment. Supporting documentation: management monitoring documentation; management risk assessment documentation.
Separate Evaluations - Example procedures: Internal Audit testing/monitoring; independent regulatory exam; independent risk assessment. Supporting documentation: regulatory reporting; Internal Audit reporting; independent risk assessment results.
SOX Testing - Example procedures: management or independent assessment of operating effectiveness. Supporting documentation: testing evidence for the operating effectiveness.
Use of Internal Audit - When using the support of Internal Audit for controls testing, there are new requirements related to the reporting of the use of Internal Audit within Section 3 of the report.
Subservice Organizations - Carve-out: it's expected that the service organization will do something; they can't just turn a blind eye. Inclusive: the subservice organization has to provide both an assertion (to be included in the report) and a representation letter.
User Entities / User Auditors - Education and notice to user entities. Potential for refinement of user contracts. A SOC 1 report is strictly for the processing of transactions related to ICFR. Recommended reading from ISACA: "New Service Auditor Standard - A User Entity Perspective".
Changes to the SOC 1 Opinion - The opinion references management's assertion and their responsibility for identifying risks that threaten achievement of the control objectives. The opinion does NOT include a statement on whether management had a reasonable basis for providing their assertion.
Trust Services Principles & Criteria:
Security - IT security policy; Physical access; Incident management; Personnel security; Security awareness and communication; Risk assessment; Logical access; Environmental controls; Security monitoring; User authentication; Asset classification and management; Systems development and maintenance; Configuration management; Change management; Monitoring and compliance.
Availability - Availability policy; Backup and restoration; Disaster recovery; Business continuity management.
Confidentiality - Confidentiality policy; Confidentiality of inputs; Confidentiality of data processing; Confidentiality of outputs; Information disclosures (including third parties); Confidentiality of information in systems development.
Processing Integrity - System processing integrity policies; Completeness, accuracy, timeliness, and authorization of inputs, system processing, and outputs; Information tracing from source to disposition.
Privacy - Management; Notice; Choice and consent; Collection; Use and retention; Access; Disclosure to third parties; Quality; Monitoring and enforcement.
SOC 2 & 3 Principles & Reporting Overview:
SOC 2 has a similar structure and general approach to SAS 70 / SOC 1.
A SOC 2 report does not need to cover processing related to financial reporting, nor is it intended to support financial reporting for your users.
SOC 2 can be supplied to a wider audience. Intended users are management of the service organization, user entities, and other specified parties. Specified parties can be anyone who understands the nature of the services being provided by the service organization, how the service organization operates, and internal controls.
Most practitioners who have looked at SOC 2 feel it will provide more detail throughout the report (narrative section, control activities, tests, etc.) than the existing reports.
SOC 3 allows for unlimited distribution - public seal and certification. However, a SOC 3 does not include the testing detail or the description of the controls.
Comparison of SOC 1, SOC 2 and SOC 3 reports:
Professional standard used - SOC 1: SSAE 16; SOC 2: AT 101; SOC 3: AT 101.
Used by auditors to plan and perform financial audits - SOC 1: Yes; SOC 2: No; SOC 3: No.
Used by user entities to gain confidence and place trust in service organization systems - SOC 1: No; SOC 2: Yes; SOC 3: Yes.
Obtain details of the processing performed and related controls, the tests performed by the service auditor and the results of those tests - SOC 1: Yes; SOC 2: Yes; SOC 3: No.
Report generally available - can be freely distributed or posted on a website with a SysTrust for Service Organizations seal - SOC 1: No; SOC 2: No; SOC 3: Yes.
Provider of Cloud Computing Services - Example: outsourced email services. Not significant from a financial reporting standpoint; therefore, SOC 1 may not be the right option.
Call Center Services - User organizations may be concerned about the handling of end-customer information, and a SOC 2 report may demonstrate that there are controls encompassing the security, confidentiality, and privacy of information.
Medical Claims Processing Service Provider - A SOC 2 report focused on processing integrity (completeness, accuracy, timeliness, etc.) could provide customers with comfort regarding the controls over transactions in claims processing. This may be prepared in addition to a SOC 1 report, leveraging existing controls and testing.
Jennifer Gerasimov, MPH, CISA - Senior Manager, Deloitte. 860-725-3149 (work), 860-805-0838 (cell), jgerasimov@deloitte.com
Jeffrey Ziplow, MBA, CISA, CGEIT - Partner, BlumShapiro. 860-561-6815 (work), 860-712-9555 (cell), Jziplow@blumshapiro.com