SSAE 16 and ISAE 3402: Preparing for New Service Company Control Standards. Mastering Requirements Governing Your Next Controls Report




Live 110-minute teleconference with interactive Q&A, Wednesday, February 16, 2011, 1pm Eastern (12pm Central, 11am Mountain, 10am Pacific).
Today's faculty:
- Scott Price, Director, A-lign CPAs, Tampa, Fla.
- Daniel Schroeder, Partner, Habif Arogeti & Wynne, Atlanta
- George Fallon, Partner, Clifton Gunderson, Calverton, Maryland
- Victor Eckstein, Principal, Grant Thornton, New York


Webinar, Feb. 16, 2011. Presenter contacts:
- George Fallon, Clifton Gunderson, george.fallon@cliftoncpa.com
- Scott Price, A-lign CPAs, scott.price@aligncpa.com
- Daniel Schroeder, Habif Arogeti & Wynne, dan.schroeder@hawcpa.com
- Victor Eckstein, Grant Thornton, victor.eckstein@us.gt.com

Today's Program
- Historical Perspective On Service Company Controls [George Fallon]: Slides 6-10
- Key Terms Of SSAE 16 And ISAE 3402 [Daniel Schroeder and Scott Price]: Slides 11-31
- Other Legal And Regulatory Developments [Victor Eckstein]: Slides 32-38
- Preparing Type I And Type II Reports Going Forward [George Fallon and Daniel Schroeder]: Slides 39-60

HISTORICAL PERSPECTIVE ON SERVICE COMPANY CONTROLS (George Fallon, Clifton Gunderson)

History Of SAS No. 70 (Slide 7)
- Issued by the AICPA in 1992
- Represents an in-depth audit of a third-party service organization
- The service organization defines the scope of the audit

Historical Uses (Slide 8)
- To reduce internal control testing of service providers by user auditors
- Comply with contractual obligations
- Comply with regulatory requirements

Misuses And Misconceptions (Slide 9)
- SAS 70 audit is for marketing
- SAS 70 audit is a certification
- SAS 70 audit is a security audit
- SAS 70 audit is mandatory under the Sarbanes-Oxley Act of 2002 (SOX)

Factors For Change (Slide 10)
- Uses of SAS 70 straying from intent
- Globalization
- Growth in outsourcing
- New technologies
- Sarbanes-Oxley Sect. 404
- Convergence: International Standard on Assurance Engagements (ISAE) 3402

KEY TERMS OF SSAE 16 AND ISAE 3402 (Daniel Schroeder, Habif Arogeti & Wynne; Scott Price, A-lign CPAs)

SSAE 16 Is Replacing SAS 70 (Slide 12)
- Released April 2010
- Effective June 15, 2011
- Early adoption permitted

SSAE 16 Changes From SAS 70 (Slide 13)
- ICFR controls focus
- Alignment with International Standard on Assurance Engagements (ISAE) 3402
- Attestation standard, no longer an auditing standard
- Auditor evaluation is based on suitable criteria relative to written management assertions, which are included in the report
- Suitability of design opinion (point in time vs. entire period)
- Materiality
- Use of internal audit: more information is provided in the report as to the role of IA
- Opinion format

SSAE 16 Focused On Financial Reporting (Slide 14)
SSAE 16, like SAS No. 70 before it, is focused on controls likely to be relevant to user entities' internal control over financial reporting.
- Intended for limited, specific users:
  - User auditors
  - User entities
- Limited purpose:
  - User entity financial audits
  - Examinations of internal control over financial reporting of user entities, integrated with a financial audit
  - User entity evaluation of internal control over financial reporting (e.g., Sarbanes-Oxley Act compliance)
- Use beyond the intended purpose is likely to create misunderstanding

SSAE 16: Management Assertion (Slide 15)
"We confirm, to the best of our knowledge and belief, that...":
1. The description fairly presents the [system name] made available to user entities from [date 1] to [date 2]; the description includes relevant details of changes...
2. Controls were suitably designed throughout the period to achieve the control objectives.
3. Controls operated effectively throughout the specified period to achieve the control objectives.

SSAE 16: Assessing Suitability Of Criteria (Slide 16)
The service auditor should assess whether, in all material respects, management has used suitable criteria:
1. In preparing the description of the service organization's system, i.e., the opinion on fair presentation of management's description of the service organization's system
2. In evaluating whether controls were suitably designed to achieve the stated control objectives, i.e., the opinion on suitability of design
3. For Type 2 reports, in evaluating whether controls operated effectively throughout the period to provide reasonable assurance that the control objectives are achieved, i.e., the opinion on operating effectiveness

SSAE 16: Fair Presentation Criteria (Slide 17)
The description of the system should present how the system was designed and implemented, including:
- Types of services provided and classes of transactions processed
- Procedures (automated and manual) for transaction flow
- Related accounting records
- How the system captures and addresses significant events and conditions other than transactions
- Process used to prepare reports and other information for user entities
- Specified control objectives and controls and, as applicable, complementary user entity controls
- Other aspects of the service organization's control environment, risk assessment, information and communication systems, control activities and monitoring that are relevant to the services provided

SSAE 16: Fair Presentation Criteria (cont'd) (Slide 18)
Management's description of the system is fairly presented if it:
- Provides details of changes to the service organization's system during the period (in the case of a Type 2 report)
- Does not omit or distort information relevant to the system, while meeting the common needs of a broad range of user entities and user auditors

Evidence Regarding Fair Presentation Of Management's System Description (Slide 19)
Service auditor considerations include:
- Are all major aspects of the service provided that could reasonably be expected to be relevant to the common needs of a broad range of user auditors included in the scope of the engagement?
- Are the control objectives reasonable in the circumstances? Do they relate to financial statement assertions of users that the services could be expected to affect?
- Have all identified controls been implemented?
- Have complementary user entity controls, if any, been adequately described?
- Are services provided by sub-service organization(s), if any, adequately described, including whether the inclusive or carve-out method has been used?

SSAE 16: Suitability Of Design Criteria (Slide 20)
Controls are suitably designed to achieve the control objectives stated in management's description of the service organization's system if:
1. Management has identified the risks that threaten the achievement of the stated control objectives.
2. The controls would (if operating as described) provide reasonable assurance that those risks would be mitigated.

Evidence Regarding Suitability Of The Design Of Controls (Slide 21)
Service auditor considerations include:
- Assess which of the controls at the service organization are necessary to achieve the control objectives
- Identify risks that threaten the achievement of the control objectives
- Evaluate the linkage between the controls defined in management's description and the identified risks
- User auditor perspective: reasonable assurance that material misstatement is prevented, or detected and corrected
- Service auditor perspective: reasonable assurance that the control objectives are achieved

Operating Effectiveness Criteria (Slide 22)
Criteria should include, at a minimum, whether:
- The controls were consistently applied as designed throughout the specified period, and
- Manual controls were applied by individuals having appropriate competence and authority.

Evidence Regarding Operational Effectiveness Of Controls (Slide 23)
Service auditor considerations include:
- Test the controls necessary to achieve the control objectives
- Understand changes to the system during the period
- Designing and performing tests of controls:
  - Perform other procedures in combination with inquiry to obtain evidence of how the control was applied, the consistency of control application, and by whom or by what means the control was applied
  - Determine whether the control depends on other controls
  - Determine an effective method for selecting items to be tested, e.g., AU Sect. 350 (audit sampling)

Using Work Of Internal Audit Function (Slide 24)
- When planning the engagement, the service auditor needs to determine whether the work of the IA function is likely to be adequate.
- To use the work of the IA function, the service auditor should evaluate and perform procedures on that work to determine its adequacy for the service auditor's purposes.

Effects Of Internal Audit Work On Service Auditor's Report (Slide 25)
- No reference to internal audit in the opinion
- The service auditor has sole responsibility for the opinion expressed, regardless of whether IA is involved.
- If internal audit work is used in performing tests of controls (for a Type 2 report), the description of tests should include a description of IA's work and the service auditor's procedures with respect to that work.

Role In Reducing Audit Risk (Slide 26)
Type I Report
- Does not provide the user auditor with a basis for reducing the assessed level of control risk and thereby reducing substantive procedures
- A Type I report is intended to assist user auditors in obtaining a sufficient understanding of the user organization's internal control in order to plan the financial statement audit.
Type II Report
- A user auditor may be able to reduce risk below the maximum for certain financial statement assertions and may therefore be able to reduce the extent of substantive testing performed for those assertions.
- A user auditor should not use only the service auditor's report as a basis for assessing control risk below the maximum. The user auditor should read the service organization's description of controls as well as the service auditor's tests of operating effectiveness and the results of those tests, and relate this information to assertions in the user organization's financial statements.

Changes To Service Organization's Responsibilities (Slide 27)
Unchanged from current standards:
- Specifying the control objectives
- Designing, implementing and maintaining controls
- Complementary user organization controls
- Control environment elements
Changes in new standards:
- A written assertion by management is required and must include the suitable criteria used for its assessment.
- The audit report must include a written assertion by the sub-service organization, if the inclusive method is used.
- Description of systems/processes, as opposed to description of controls
- Identifying risks that threaten the achievement of the control objectives
- For Type II reports, fair presentation of the system and suitability of design is for the period covered by the report.
- Subsequent events disclosure following the date of the service auditor's report

Changes To Service Auditor's Responsibilities (Slide 28)
Unchanged from current standards:
- Opinion on fairness of management's description of the system (formerly controls)
- Opinion as to suitability of the design and operating effectiveness of controls to achieve the control objectives
- Perform tests of controls and present an opinion on operating effectiveness
Changes in new standards:
- Standards move from audit standards to assurance/attestation standards
- For Type II reports, fair presentation of the system and suitability of design is for the period covered by the report.
- Meant to improve clarity of guidance
- Suggested wording for control objectives
- Additional considerations on using the work of internal audit:
  - Requires description of the internal auditor's work
  - Description of the service auditor's procedures with respect to that work

ISAE 3402 Introduction (Slide 29)
ISAE 3402, Assurance Reports on Controls at a Service Organization
- Work began in March 2006 to develop the standard.
- ISAE would enhance the consistency of service auditor performance, and consequently the consistency of user auditor performance when a service auditor's report is used as audit evidence in an audit of financial statements.
- Need for a substitute global standard, rather than the US SAS 70, for IFRS purposes
- Issued by the International Auditing and Assurance Standards Board in December 2009
- Effective for service organization's reports ending on or after Dec. 15, 2011
- Complements ISA 402, Audit Considerations Relating to an Entity Using a Service Organization

Differences Between SSAE 16 And ISAE 3402 (Slide 30)
- Deviations can be treated as anomalies, and not testing exceptions, under certain circumstances. SSAE 16 requires an assessment of the risk and impact of deviations if they were intentional, while ISAE 3402 does not.
- Must disclose only events that take place after the period of the audit but before the date of the service auditor's report. Requires disclosure of subsequent events that have a significant effect on the report; however, SSAE 16 requires disclosure after the report has been issued, if they existed as of the report date.
- Users of the report are more clearly defined in SSAE 16 than in ISAE 3402.

Differences Between SSAE 16 And ISAE 3402 (cont.) (Slide 31)
- SSAE 16 permits the use of direct assistance from internal audit, while ISAE 3402 does not address it.
- SSAE 16 requires engagement documentation to be completed on a timely basis after the date of the report and no later than 60 days following the report release date. ISAE 3402 notes that engagement documentation is to be completed timely, but does not specify a date.
- Engagement acceptance and continuance procedures require that the service organization's management acknowledge and accept responsibility for providing written representations to the service auditor under SSAE 16, while ISAE 3402 requires only the written representations and not the acknowledgement.
- If service organization management doesn't provide written representations, the service auditor must disclaim an opinion under ISAE 3402, while under SSAE 16 the service auditor may also withdraw from the engagement.

OTHER LEGAL AND REGULATORY DEVELOPMENTS (Victor Eckstein, Grant Thornton)

(A) Anticipated AICPA Audit Guide (Slide 33)
- An AICPA guide covering non-financial-reporting controls is to be made available in early 2011.
- Relevant topics covered:
  - Security
  - Availability
  - Processing integrity
  - Confidentiality or privacy

(B) Changes To SEC Rule 206(4)-2 On Custody Of Assets (Slide 34)
The amendments modernize the rule by conforming it to modern custodial practices and requiring advisers that have custody of client funds or securities to maintain those assets with broker-dealers, banks or other qualified custodians.
Key changes:
- Surprise examinations
- Internal control reports (e.g., SAS 70)
- Delivery of account statements
- Form ADV changes

(C) Dodd-Frank Act And Push For Greater Transparency (Slide 35)
With final approval of the Dodd-Frank Wall Street Reform and Consumer Protection Act in July of 2010, Congress took historic steps to ensure greater transparency and give investors and citizens new tools to hold companies and governments accountable for their actions. The Act will greatly affect the following major topics:
- Derivatives transparency
- Clearing, trading and reporting of swaps
- Investment adviser registration
- Credit rating agencies
- Executive compensation

(D) AT Standards In Lieu Of SSAE 16 (Slide 36)
- The AICPA issued an interpretation under AT Sect. 101 letting service auditors issue reports that are not focused on financial reporting controls, but rather include tests of controls similar to a service auditor's report.
- Controls at the service organization are relevant to security, availability, processing integrity, confidentiality or privacy.
- The AICPA Guide for AT 101 engagements is to be published in April 2011.
- Examples of engagements

(E) Service Organization Controls (Slide 37)
- SOC reports introduced by the AICPA
- There are three different engagements: SOC 1, SOC 2 and SOC 3
- SOC 1 reports are performed under SSAE 16
- SOC 2 and SOC 3 relate to AT Sect. 101 attest engagements

(E) AICPA Guidance On SSAE 16 (Slide 38)
- AICPA Guide, Applying SSAE No. 16, Reporting on Controls at a Service Organization
- AICPA Alert, Service Organizations: New Reporting Options
- AICPA FAQ
- AICPA executive summary

PREPARING TYPE I AND TYPE II REPORTS GOING FORWARD (George Fallon, Clifton Gunderson; Daniel Schroeder, Habif Arogeti & Wynne)

AICPA SOC Reporting Options (Slide 40)
- AICPA SOC 1: Report on Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting
  - Service auditors: see Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization
  - User auditors: see the clarified statement on auditing standards, Audit Considerations Relating to an Entity Using a Service Organization
- AICPA SOC 2: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy
- AICPA SOC 3: Trust Services Report

SOC 2 (Applying TS P&C In A SSAE 16 Framework) (Slide 41)
- Examination report performed in accordance with AT Sect. 101 attest engagements
- Structure and content consistent with SSAE 16/SOC 1
- Scope: system and controls associated with one or more trust services principles
- No co-mingling/bundled reports for both ICFR and non-ICFR scenarios (ICFR is exclusive to SSAE 16)
- Management assertion
- Service auditor's report

SOC 2 Management Assertion (Slide 42)
- Description of system (using criteria similar to SSAE 16)
- Control objectives (specified in the forthcoming guide, based on trust services criteria)
- Control activities: leverage trust services criteria as the foundation
- Test of controls
- Risk assessment as the basis for asserting that internal controls were applied

SOC 2 Differences With SOC 1 (SSAE 16) (Slide 43)
- Subject matter: trust services principles (security, availability, processing integrity, confidentiality, privacy)
- Boundaries of the system:
  - Defined by the service provided
  - Broader than SSAE 16 (e.g., privacy includes the information life cycle; processing integrity includes the purpose of the service other than financial transaction processing)
  - May relate to operations
- Control objectives prescribed:
  - Reasonable in the circumstances
  - Provides comparability, even though the subject matter is highly flexible
- Not intended to provide assurance on controls as they relate to user entity ICFR

SOC 3: TS P&C Engagements (Slide 44)
- Performed in accordance with AT Sect. 101 attest engagements
- Examination report that includes an opinion as to whether controls over a defined system were operating effectively to meet the criteria for security, confidentiality, processing integrity, availability or privacy
- Practitioner may report on either:
  - Management's assertion, or
  - The subject matter of the engagement.

SOC 3: Management Assertion (Slide 45)
1. Management asserts that, during the period covered by the report and based on the AICPA trust services criteria, it maintained effective controls over the system under examination to satisfy the stated trust services principle(s) and criteria.
2. Addresses the principles covered by the engagement
3. For engagements covering an entity's compliance with its commitments, those commitments covered by the report should be identified in management's assertion.

SOC 1 And SOC 2 Opinion Structure (Slide 46)
Scope of report/opinion, by report type:
- Fairness of the presentation of management's description of the service organization's system: Type 1, as of a specified date; Type 2, throughout a specified period
- Suitability of the design of the controls to achieve the related control objectives included in the description: Type 1, as of a specified date; Type 2, throughout a specified period
- Operating effectiveness of the controls to achieve the related control objectives included in the description: Type 1, n/a; Type 2, throughout a specified period
SOC 1 reports are restricted-use reports intended for the service organization, user entities of the service organization, and auditors of the user entities. SOC 2 reports may also be restricted-use reports, in that the criteria used to evaluate or measure the subject matter are available only to specified parties who have an adequate understanding of the criteria.

SOC 3: Opinion Based On Assertion (Slide 47)

SOC 3: Opinion Based On Subject Matter (Slide 48)

Service Organization Controls: Decision Approach (Slide 49)
Flow: Services -> Inherent Risks -> Governance & Assurance Reporting Needs (from the Service Organization to the User Entity)
Service Organization:
- Effective controls to ensure integrity of services
- Fulfill control needs and requirements of users
- Provide reporting to user entities and prospective user entities that conveys assurance
User Entity (And Prospects):
- Can the service organization be trusted?
- Do we understand how the service is delivered?
- Do we understand inherent risks?
- Are risks effectively mitigated?
- Is reporting available that would, if needed, provide a basis for reliance?
- Is the provider complying with specified agreed-upon procedures?

Service Organization Controls: Decision Approach (Slide 50)
Inherent risks from services (service organization side) pertain to:
- ICFR
- Operational/compliance (service organization designed controls): security, confidentiality, availability, processing integrity, privacy
- Compliance with user-specified agreed-upon procedures
Governance & assurance reporting alternatives (user entity side):
- ICFR: AICPA SOC 1 (Type I, Type II)
- Operational/compliance: AICPA SOC 2 (Type I, Type II), AICPA SOC 3
- Agreed-upon procedures: AICPA AT 201 agreed-upon procedure (AUP) engagements

Converting To SSAE 16 (Slide 51)
SSAE 16 reinforces the significance of fair presentation and suitability of design, which too often were overlooked in SAS 70. SSAE 16 emphasizes:
- Management's description of the system (complete and accurate for all services provided)
- Appropriateness of control objectives in the circumstances
- Risk basis for the design of controls

Job #1: Establish Solid Foundation For Fair Presentation Opinion (Slide 52)
- Thorough understanding/documentation of the system to which the report (would) apply
- Sub-service organizations identified? Inclusive or carve-out?
- Is the system description complete/accurate?
- Are control objectives appropriate in the circumstances? Do one or more control objectives pertain to financial statement assertions? If not, SSAE 16 may not be the appropriate report. Just because something was reported under SAS 70 is not a basis for reporting under SSAE 16.
- Are defined controls placed in operation?

#2: Establish Strong Basis For Suitability Of Design Opinion (Slide 53)
- Conduct/confirm a risk assessment that identifies inherent risks that would impede fulfillment of control objectives
- Has the company established control activities that would prevent, detect and correct inherent risks associated with control objectives?
- Are user entity controls identified?

Preparation: Step 1 (Slide 54)
- Review existing monitoring and/or testing processes
- Sufficient to support the written management assertion required by SSAE 16?
- Suitable criteria as basis of assertion?

Preparation: Step 2 (Slide 55)
- Select and document criteria to support the assertion
- Review system description, control objectives and control descriptions
- User organizations encouraged to be involved in the process

Preparation: Step 3 (Slide 56)
- Identify risks to control objective achievement
- May need to revisit scope of controls to be covered by the report
- Evaluate risk management
- Document consideration of risks
- Determine if controls address risks

Preparation: Step 4 (Slide 57)
- Determine if sub-service organization assertions are required
- Inclusive vs. carve-out method
- Discuss requirements and timing with sub-service organization(s)

Preparation: Step 5 (Slide 58)
Review existing SAS 70 control descriptions and make adjustments if needed:
- Description of the services provided
- Description of the procedures by which services are provided
- Description of the process used to prepare reports provided to customers
- Other aspects of COSO
- Any changes that occur during the audit period

Preparation: Step 6 (Slide 59)
Develop a communication plan:
- For customers
- Internally

Preparation: Step 7 (Slide 60)
- Review existing contracts and templates
- Revise to account for the transition to the new standards