SSAE 16 and AT Section 101


emrisk.com | 800 S. Douglas Road, Suite 940N, Coral Gables, FL 33134 | call 305 447 6750 | email: info@emrisk.com

A Changed Approach to Assurance

Since 1992, Statement on Auditing Standard (SAS) 70 has been the source of guidance for service organizations, user entity external auditors, and service auditors. SAS 70 was recently divided and replaced by two new standards. The first standard is SAS Audit Considerations relating to an Entity Using a Service Organization, which was developed for user entity external auditors. The Accounting Standards Board (ASB) has finalized this new auditing standard, but it does not go into effect until December 15, 2012. Early implementation of this standard is not permitted. The second standard is Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization, AT section 801, which was developed for the service auditor. SSAE 16 went into effect on June 15, 2011.

SAS 70 was changed because external auditors rely on auditing standards to report on the audit of financial statements, whereas SSAE 16 provides guidance to the service auditor for reporting on the service organization's description of the system (including controls and control objectives) as it relates to financial reporting. The major changes between SAS 70 and SSAE 16 include the following:

- A written assertion by service organization management regarding the design and operating effectiveness of the description of the system (including controls and control objectives);
- The exclusion of evidence from prior periods on the satisfactory operation of controls as a basis for reducing testing in the current period;
- The identification of work performed by the service organization's internal auditors and the service auditor's procedures with respect to that work; and
- In a type 2 engagement, the service auditor's opinion on the design and operating effectiveness of the description of the system (including controls and control objectives) for a period rather than as of a specified date. The period referenced is the same period in which the description is reviewed (AICPA, 2011).

SSAE 16 Guidance Expanded Again

In the past, a SAS 70 review was often inappropriately used to report on controls related to compliance, systems, and processes that were clearly unrelated to the user entity's internal controls relevant to financial reporting. Because of this confusion and lack of clarity in scope, the nature of an SSAE 16 review has been redefined, and the AICPA has issued further guidance on providing assurance on user entity controls that are unrelated to financial reporting. Reporting on user entity controls relevant to financial reporting will continue to be performed under SSAE 16 guidance. However, reporting on user entity controls that are unrelated to financial reporting must now be performed under SSAE Attest Engagements, AT section 101. This standard allows a service auditor to report on subject matter other than financial statements. Attestation standards were developed to provide guidance on a growing number of services that CPAs have been requested to report on. The subject matter reported on in these services may include:

- Historical or prospective performance or condition (for example, historical or prospective financial information, performance measurements, and backlog data);
- Physical characteristics (for example, narrative descriptions, square footage of facilities);
- Historical events (for example, the price of a market basket of goods on a certain date);
- Analyses (for example, break-even analyses);
- Systems and processes (for example, internal control);
- Compliance with laws, regulations, and contracts; and
- The effectiveness of controls over privacy (AICPA, 2009).

Three New Reporting Options: SOC 1, SOC 2, and SOC 3

Service Organization Control (SOC) 1 Report

An engagement conducted under SSAE 16 will now result in a Service Organization Control (SOC) 1 report. A SOC 1 engagement focuses on reporting on the user entity's controls relevant to financial reporting. Type I and type II reports remain the same: a type I report assesses the fairness of the description and the suitability of the design of controls to achieve control objectives, and a type II report continues to include an assessment of the design of controls but also includes an opinion on the operating effectiveness of controls, as well as tests of controls and associated results.
Both types of assessments require an assertion by management, as defined in SSAE 16, and both types of reports must be restricted to service organization clients, existing user entities, and user auditors.

One of the most significant changes between SOC 1 and SOC 2 engagements pertains to the differentiation in scope and boundaries of the system of internal controls. In a SOC 1 engagement, the controls that achieve control objectives for financial statement assertions remain the same and include the following:

- Classes of transactions in the user entity's operations that are significant to the user entity's financial statements;
- Automated and manual procedures by which accounts/transactions are initiated, authorized, recorded, processed, and reported in the financial statements;
- The capture of other events and conditions that are significant to the financial statements; and
- The financial reporting process used to prepare the financial statements, including significant accounting estimates and disclosures (AICPA, 2011).

However, the scope of general computer controls to be defined in the description and assessed by the service auditor must be re-evaluated to ensure that information security, change management, and computer operations control objectives relate only to internal controls relevant to financial reporting and are not commingled with overall objectives related to security, availability, processing integrity, confidentiality, or privacy of the system, as that is the scope of a SOC 2 engagement. Changes in scope can be readily determined by refocusing only on the general control objectives and associated controls related to the financial reporting application and the control environment that supports it.
SOC 2 Report

An engagement that provides assurance on controls at a service organization other than those relevant to the user entity's internal controls over financial reporting is now performed under AT section 101 and is specifically called a SOC 2 engagement. A SOC 2 engagement assesses controls over one or more principles relevant to security, availability, processing integrity, confidentiality, or privacy. Assurance is provided on all of the system components of the principle being assessed, using the criteria in the AICPA's Trust Services Principles, Criteria and Illustrations.

Like a SOC 1 report, there are two types of SOC 2 reports, type I and type II. A type I report includes the following:

- Management's description of the service organization's system;
- A written assertion by management that the description of the system of controls:
  - has been designed and implemented as of a specified date; and
  - was suitably designed to meet the applicable trust services criteria as of a specified date; and
- A service auditor's report that expresses an opinion (AICPA, 2011).

A type II report is similar to a type I report except that it must also include an opinion on the operating effectiveness of controls, as well as the tests performed and associated results. In addition, when the description of controls addresses the privacy principle, management must include a statement that they complied with the commitments in their statement of privacy practices throughout the period. Specific tests and results related to this compliance must also be included. In both type I and type II engagements, management's written assertion should be attached to the description of the service organization's system. When the report addresses the privacy principle, the statement of privacy practices should also be attached to the description. Both type I and type II SOC 2 reports should be restricted to management of the service organization and other specified parties.

As noted previously in this paper, one of the most significant changes between a SOC 1 and a SOC 2 engagement pertains to the differentiation in scope and boundaries of the system of internal controls. A SOC 2 engagement assesses controls over one or more principles relevant to security, availability, processing integrity, confidentiality, or privacy of all the system components related to each principle, whereas a SOC 1 engagement assesses controls related to financial transaction initiation, authorization, recording, processing, and reporting, and the general computer controls that support the financial reporting system. These boundaries need to be understood. For purposes of illustration, the AICPA provides the following example for a SOC 2 engagement:

In a SOC 2 engagement that addresses the privacy principle, the system boundaries cover, at a minimum, all the system components as they relate to the personal information lifecycle, which consists of the collection, use, retention, disclosure, and disposal or anonymization of personal information, within well-defined processes and informal ad hoc procedures, such as emailing personal information to an actuary for retirement benefit calculations. The system boundaries would also include instances in which the personal information is combined with other information (for example, in a database or system), a process that would not otherwise cause the other information to be included in the scope of the engagement. That notwithstanding, the scope of a privacy engagement may be restricted to a business unit or geographical location, as long as the personal information is not commingled with information from, or shared with, other business units or geographical locations (AICPA, 2011).

From a SOC 2 perspective, the description of the system may include one or more information system resources that support the principles of security, availability, processing integrity, confidentiality or privacy, and can include:

- Infrastructure: the physical and hardware components of a system (facilities, equipment and networks);
- Software: the programs and operating software of a system (systems, applications and utilities);
- People: the personnel involved in the operation and use of a system (developers, operators, users and managers);
- Procedures: the automated and manual procedures involved in the operation of a system; and
- Data: the information used and supported by a system (transaction streams, files, databases, and tables) (AICPA, 2011).
Finally, guidance for performing a SOC 2 engagement also clarifies the meaning of the term security, and the difference between privacy and security. The term security can be interpreted more narrowly in a SOC 1 engagement than in a SOC 2 engagement. In a SOC 1 engagement, security refers more to the protection of information from unauthorized access or disclosure. However, in a SOC 2 engagement that addresses the privacy or confidentiality principle, security relates more to the authorization, protection, and integrity of transactions throughout the system. As for the difference between privacy and security, privacy is perceived to encompass a broader set of activities beyond security that contribute to the effectiveness of a privacy program (AICPA, 2011).

SOC 3 Report

A SOC 3 engagement is similar to a SOC 2 engagement; however, a SOC 3 report contains only a limited description of the system, a written assertion from management, and an opinion. A SOC 3 report is designed to meet the needs of users who do not require the detail provided in a SOC 2 report. It is the AICPA's position that SOC 3 reports address a market need, since both current and prospective customers may use them. As in a SOC 2 engagement, the criteria used for evaluating the design and operating effectiveness of controls in a SOC 3 engagement are the Trust Services Principles, Criteria and Illustrations. A service organization that receives a SOC 3 engagement may also display the SysTrust for Service Organizations seal on its website. SOC 3 reports are considered general use reports and can be distributed to the public, including customers, regulators, business partners, suppliers, and management. An assertion by service organization management is required; however, a report may still be issued without one. In this case, the form of the report will vary and its use should be restricted.

Confusion All Over Again!

Due to increasing internal control breakdowns, fraud, and theft of confidential and private information, regulation related to internal controls continues to increase. With the benefits of outsourcing comes the transference of risk. User entity management needs to ensure, and feel comfortable, that their service organization's system has been updated for the new requirements. Management needs to determine whether:

- Risk is sufficiently addressed. Does the service organization's control environment include a risk assessment process, information and communication systems, and control and monitoring activities?
  The control environment is critical since it can have a pervasive impact, as a whole, on whether controls were suitably designed and operating effectively;
- They need to develop and/or implement new complementary controls due to changes in the service organization's description of its system; and
- There is a change to the mix or percentage of operations handled by subservice organizations working with the service provider, and whether the service organization's description adequately addresses this through the inclusive or carve-out method. Often, relationships with subservice providers are not fully understood and can be minimized unintentionally in the service organization's report.

Management must also develop more detailed assertions for SOC 1, 2 and 3 type engagements. This assertion must fully address the design and operating effectiveness of the description of the system (including controls and control objectives) for the new criteria.

Numerous issues related to the service organization's description of the system have also arisen with the implementation of the new standards. Service organization management needs to ensure that:

- The scope of the description of the system is appropriate and complies with applicable regulatory requirements. General computer controls will differ between SOC 1 and SOC 2 engagements;
- Control objectives and associated controls address the new requirements and criteria defined in the standards. The scope of a SOC 2 engagement addresses controls that are unrelated to financial reporting and includes those that support the security, availability, processing integrity, confidentiality or privacy principles;
- The AICPA's Trust Services Principles and Criteria have been properly integrated into the description of the system. These criteria are necessary for a service auditor to perform a SOC 2 or SOC 3 engagement; and
- Risk assessment and management activities are updated and/or expanded as necessary.

The AICPA has recently issued an Alert and two study guides on the changing dynamics of providing assurance services related to controls at service organizations. This guidance will help both user and service organization management become aware of the increased requirements and the differences between the definition and scope of SOC 1, SOC 2, and SOC 3 engagements.

References

AICPA. (2011). Service Organizations: New Reporting Options Alert, Strengthening Engagement Integrity, Safeguarding Reporting. New York, NY: AICPA.

AICPA. (2011). Service Organizations: Applying SSAE No. 16, Reporting on Controls at a Service Organization (SOC 1). New York, NY: AICPA.

AICPA. (2011). Reporting on Controls at a Service Organization (SOC 2). New York, NY: AICPA.

Sherinsky, J. M. (2010). Replacing SAS 70: New Standards for Engagements Involving Outsourcing. Journal of Accountancy. Retrieved from http://www.journalofaccountancy.com/issues/2010/aug/20103009.htm

Klein, M. (2011). SAS 70, SSAE 16, SOC and Data Center Standards. OTBlog. Retrieved from http://resource.onlinetech.com/sas-70-ssae-16-soc-2-and-soc-3-data-center-standards