Assurance reports in outsourcing
DNB seminar Cloud computing
Amsterdam, Netherlands, 20 June 2013
Jaap van Beek
Assurance reports regarding service organizations

Assurance frameworks suitable for service organizations:
- ISAE 3000
- ISAE 3402
- Other specific assurance standards
- USA: SOC 2/3 and SOC 1
Spectrum of Services Covered by SOC Reports

SOC 1 (Financial Reporting Controls) <-----> SOC 2 / SOC 3 (Operational Controls)

Services, ordered from financial reporting controls towards operational controls:
- Financial services
- Custodial services
- Healthcare claims processing
- Payroll processing
- Payment processing
- Cloud ERP service
- Data center co-location
- IT systems management
- Enterprise cloud email
- Cloud collaboration
- SaaS-based HR services
- Security-as-a-service
- Any service where third parties' primary concern is security, availability or privacy
Service Organization Control (SOC) Reports

SOC 1
  Scope/Focus:   Internal Control Over Financial Reporting
  Summary:       Detailed report for customers and their auditors
  Applicability: Focused on financial reporting risks and controls specified by the service provider. Most applicable when the service provider performs financial transaction processing or supports transaction processing systems.
  Standard:      ISAE 3402 or SSAE 16

SOC 2
  Scope/Focus:   Security, Availability, Processing Integrity, Confidentiality and/or Privacy
  Summary:       Detailed report for customers and specified parties
  Applicability: Focused on Security, Confidentiality, Availability, Processing Integrity and/or Privacy. Applicable to a broad variety of systems.
  Standard:      AT101 under guidance of AAG-SOP March 2012

SOC 3
  Scope/Focus:   Same as SOC 2
  Summary:       Short report that can be generally distributed, with the option of displaying a web site seal
  Applicability: Same as SOC 2 without disclosing detailed controls and testing. Optionally, the service provider can post a Seal if they receive an unqualified opinion.
  Standard:      AT101 and TSP100
Summary of SOC 2/3 Principles and Criteria Topics

Security
- IT security policy
- Logical access
- Incident management
- Personnel security
- Security awareness and communication
- Risk assessment
- Physical access
- Security monitoring
- User authentication
- Asset classification and management
- Systems development and maintenance
- Configuration management
- Change management
- Monitoring and compliance

Availability
- Availability policy
- Backup and restoration
- Environmental controls
- Disaster recovery
- Business continuity management

Confidentiality
- Confidentiality policy
- Confidentiality of inputs
- Confidentiality of data processing
- Confidentiality of outputs
- Information disclosures (including third parties)
- Confidentiality of information in systems development

Processing Integrity
- System processing integrity policies
- Completeness, accuracy, timeliness, and authorization of inputs, system processing, and outputs
- Information tracing from source to disposition

Privacy
- Management
- Notice
- Choice and consent
- Collection
- Use and retention
- Access
- Disclosure to third parties
- Quality
- Monitoring and enforcement
How to Identify the SOC Report That Is Right for You

1. Will the report be used by your customers and their auditors to plan and perform an audit or integrated audit of your customer's financial statements?
   Yes: SOC 1 Report

2. Will the report be used by your customers as part of their compliance with the Sarbanes-Oxley Act or similar law or regulation?
   Yes: SOC 1 Report

3. Will the report be used by your customers or stakeholders to gain confidence and place trust in a service organization's systems?
   Yes: SOC 2 or 3 Report, then:

   a. Do you need to make the report generally available or seal?
      Yes: SOC 3 Report

   b. Do your customers have the need for and ability to understand the details of the processing and controls at a service organization, the tests performed by the service auditor and results of those tests?
      Yes: SOC 2 Report
      No: SOC 3 Report

Source: http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/serviceorganization'smanagement.aspx
2013 KPMG Advisory NV, a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.