Service Organizations and the Internal Audit Function
2015 conference, Institute of Internal Auditors in Israel
Proprietary This work product/document is intended solely for the information and use of the 2015 IIA Israel conference and is not intended to be and should not be used by anyone other than the participants. Do not distribute without written permission. Page 2
Contact info
Olivier Mandel, CISA, MAcc, CRISC, PMP
Executive Director, Advisory Services
Kost Forer Gabbay & Kasierer
3 Aminadav St., Tel-Aviv 67067, Israel
Office: +972-3-627-0500
Mob: +972-544-635-081
Olivier.Mandel@il.ey.com
www.ey.com
Agenda
- What is a service organization?
- Objectives and risks of outsourcing
- SOC / AUP reports
- Using reports
- Checklist
Section: What is a service organization?
What is outsourcing?
Service organization: an organization, or a segment of an organization, that provides services to user entities which are likely to be relevant to those user entities' internal control over financial reporting.
Regulatory landscape
- SOX
- PCAOB
- HIPAA
- FISMA/NIST
- FedRAMP
- PCI
- OCC 2001-47
- Cloud
- FFIEC
- ISO
- Israeli SOX 357 / 257
- Data protection
So?
Your responsibility does not change if you use a vendor to perform some of your business functions.
Section: Objectives and risks of outsourcing
Outsourcing: Objectives vs. Risks
Objectives
- Improve business focus
- Improve capabilities
- Improve use of capital/resources
- Improve operations
- Reduce cost
- Improve compliance
- Reduce risk / share risk with others
Risks
- Financial reporting
- Operational
- Cost
- Processing integrity
- Data security/confidentiality
- Lack of availability
- Failure to deliver on requirements
- Compliance / regulatory
Industry trends for outsourcing are evolving, but questions around benefits realization remain
Outsourcing has its own set of issues, but effectively managing an increasingly complex and specialized supplier landscape is fraught with challenges. Many of these apply to both the suppliers and the retained organization. Without effective control of these areas, delivery costs can spiral out of control.
10 challenges facing the multi-sourced technology environment
1. Contract compliance without value
2. Poor performance visibility
3. Impotent governance
4. Lack of data/information access
5. Poor architectural and system integration
6. Convoluted and labor-intensive reporting and analytics
7. Unclear delineation of responsibilities and accountability
8. Insufficient collaboration across suppliers
9. Ineffective and tactical contract terms/SLAs
10. Incompatible delivery culture
Business implications
- Lack of direction and innovation
- Out-of-control costs
- Low customer satisfaction
- Damage to brand reputation
- High-profile service outages
Companies that take a strategic and service-focused approach to service management can reduce delivery costs by as much as 30% and the application footprint for service management by as much as 33%.
Section: SOC / AUP reports
The relationship of the parties
- Entity's processes & controls: examined by the internal OR financial statement auditors
- Service organization's processes & controls: examined by the service auditor
Summary of the different reporting types
SOC 1 (SSAE 16, required after 6/15/11, replaces SAS 70)
- Intended users: customers' financial statement auditors
- Format: long-form report; description of controls and systems; tests performed and results of testing
- Distribution limitations: restricted to current customers
- Examples: payroll processing; credit card transaction processing; claims processing
SOC 2
- Intended users: users seeking assurance over information handling
- Format: SOC 1 look-alike report: long-form report; description of controls/systems; tests performed & results. Scope relates to information handling objectives (security, availability, processing integrity, confidentiality and/or privacy). The organization reports the controls in place to meet prescribed principles/criteria
- Distribution limitations: restricted to users with sufficient knowledge, e.g., current and prospective customers, business partners, regulators, employees
- Examples: supply chain information handler reporting on processing integrity; data center outsourcer reporting on security and availability; organization's alignment with ISO 27001 or the Cloud Security Alliance framework
SOC 3
- Intended users: same as SOC 2
- Format: short-form report; limited description of controls/systems
- Distribution limitations: none (e.g., mass distribution, website, current and prospective customers)
- Example: bank reporting on security and availability of an e-banking application
AUP (Agreed-Upon Procedures report, AT Section 201)
- Intended users: the specified parties, who take responsibility for the sufficiency of the agreed-upon procedures for their purposes
- Distribution limitations: restricted to the two parties
- Example: payroll outsourcing
Section: Using reports / Checklist
Checklist
7 steps in the checklist. Not the best and final, but it includes all the relevant elements.
1. Identify the What Can Go Wrongs (WCGWs)
The WCGWs should cover the entire process:
- What's done by the entity
- What's done by the service organization
- What's done by relevant subservice organizations
The WCGWs for the service and subservice organizations should be the inverse of the control objectives.
2. Identify the controls that address the WCGWs
The controls will be:
- At the entity, and
- At the service organization, and
- At the subservice organization, if used and relevant
Document:
- Business controls
- IT general controls
3. Identify the controls that address the WCGWs: CUECs
Complementary User Entity Controls (CUECs)
- These are the controls the service organization expects your organization (the user organization) to have in order for the service organization's controls to achieve the control objectives
- CUECs relevant to your organization's financial statement risks need to be matched to entity (user organization) controls
- May include IT general controls under the entity's control (e.g., user set-up)
- All relevant user organization controls need to be tested in order to conclude on the effectiveness of controls
Document.
4. Testing
- Perform tests of key controls at your organization and evaluate the results
- Read the testing performed by the service auditor of the key controls at the service organization (and subservice organizations) identified by the service auditor
- Testing must be appropriate: just as we would not only inquire, the service auditor's testing should not consist solely of inquiry for all controls related to a relevant control objective
- Exceptions (a.k.a. deviations) noted in the performance of the testing are required to be reported in the SOC 1 report
5. Factors to consider to address differences between the SOC 1 reporting period and the audit period
The additional audit evidence to be obtained for the remaining period is based on the following factors:
- The influence of the control environment
- The risk associated with the controls
- Whether the entity has designed and implemented controls that monitor the effective functioning of the transaction-level controls
- The effectiveness of ITGCs when we intend to rely on automated aspects of controls for application or IT-dependent manual controls
- The length of the remaining period
- The degree to which we intend to rely on the controls
- Control exceptions identified during the interim period
- Changes to controls tested in the interim period
- Substantive procedures to be performed in the remaining period
- Audit evidence obtained during the interim period
6. Steps to consider related to the SOC 1 report period and audit period difference
- Inquire of management as to changes in the accuracy or timeliness of the service organization's processing
- Inquire of the service organization as to changes in the processes and controls reported on in the SOC 1 report (commonly called a 'bridge letter')
- Request that additional walkthroughs or tests of controls at the service organization be performed by the service auditor
- Perform walkthroughs and/or tests of controls at the service organization
7. Other requirements
Read the service auditor's opinion for:
- Existence of subservice organizations
- Complementary user entity controls
- The auditing standard(s) used in the work
- The opinion on whether (paraphrased):
  - Management's description of the service organization's system fairly presents the service organization's system that was designed and implemented throughout the period
  - The controls related to the control objectives stated in management's description were suitably designed
  - The controls tested were the appropriate controls to be tested, and whether they operated effectively throughout the period
- Unusual restrictions on the use of the report
7. Other requirements (continued)
- What standard is used?
- Who is this firm?
- What is the timing?
- Where was it issued?
- Any carve-out or unusual items noted in the scope description?
- Any qualifications?
- For SOC 2 reports, are there any opinions on subject matter other than internal control (e.g., compliance)?
- Any inconsistencies with professional standards or unusual items?
Checklist
1. Identify the What Can Go Wrongs
2. Identify the controls that address the WCGWs
3. Identify the controls that address the WCGWs: CUECs
4. Testing
5. Factors to consider to address differences between the SOC 1 reporting period and the audit period
6. Steps to consider related to the SOC 1 report period and audit period difference
7. Other requirements
One minute recap Page 26
Thank you