SSAE 16 for Transportation & Logistics Companies
Chris Kradjan
Kim Koch
The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind, including, without limitation, legal, accounting, or investment advice. This information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although this information may have been prepared by professionals, it should not be used as a substitute for professional services. If legal, accounting, investment, or other professional advice is required, the services of a professional should be sought.
TODAY'S PRESENTERS
- Chris Kradjan, CPA, CITP, CRISC
  National SSAE 16 and IT Audit Practice Leader
  Partner, Moss Adams
  chris.kradjan@mossadams.com
  (206) 302-6511 / (415) 677-8343
- Kim Koch, CPA
  Senior Manager, Moss Adams
  kim.koch@mossadams.com
  (509) 777-0107
SESSION DESCRIPTION
Old SAS 70 compliance requirements are yesterday's news. The latest SSAE 16 requirements include:
  o SOC 1, SOC 2, and SOC 3
  o Other reporting options
- What are the benefits of having an SSAE 16?
- How does an SSAE 16 help you get new business?
- What are the current reporting requirements?
- What reports do you need, and when?
This session will bring attendees up to speed and include tips for what companies can do to prepare.
INTRODUCTION
- Businesses outsource to service organizations
- This can impact the business's operations, financial statements, internal controls, and systems
- SOC audits:
  o Are an independent examination of the internal controls of the service organization
  o Consider the (1) design and (2) operating effectiveness of the relevant internal controls
  o Serve as regular due diligence of performance
OUTSOURCING ARRANGEMENTS
Traditional Services
- Transportation and Logistics
- Finance
- Payroll
- Third Party Administrators
- Document Management
- Specialized Services
New Services
- Cloud Providers
- Software as a Service (SaaS)
- Infrastructure as a Service (IaaS)
- Platform as a Service (PaaS)
VENDOR MANAGEMENT
- Financial and performance history
- Security and availability safeguards
- Reliable processing integrity
- Confidential and private records
- Staff knowledge and expertise
- Regulatory and operational compliance
- Compliance with service level agreements
- Regular due diligence and monitoring
TRANSPORTATION & LOGISTICS COMPANIES
- Revenue management
- Web-based shipping systems
- Inventory management
- Rate management
- Delivery management
- Customer service
- Scheduling
- Compliance
BENEFITS
- Differentiator from peers
- Builds trust with user organization
- Can limit multiple audit requests
- Offers opportunities for improvement
SOC REPORTING
OVERVIEW
Historical with SAS 70
- SAS 70 Reporting
New with SSAE 16
- SOC 1: Internal Controls Over Financial Reporting
- SOC 2: Trust Services Principles (Detailed Reporting)
- SOC 3: Trust Services Principles (SysTrust/WebTrust)
SOC COMPARISON
SOC 1
  1. Auditor's report
  2. Management assertion
  3. Detailed system description
  4. Management control objectives
  5. Auditor tests of controls and results of those tests
SOC 2
  1. Auditor's report
  2. Management assertion
  3. Detailed system description
  4. Management controls (criteria)
  5. Auditor tests of controls and results of those tests
SOC 3
  1. Auditor's report
  2. Management assertion
  3. Detailed system description
  4. Management controls
  5. Auditor tests of controls and results of those tests
Source: AICPA
SOC 1
SOC 1
- Effectively known as SSAE 16 (AT 801); formerly SAS 70
- Focus is on internal controls over financial reporting
- Independent examination of controls
- Auditor-to-auditor communication
- Concept of Type 1 and Type 2 reports
- Structure of the report
- Testing methods
- Carve-out and inclusive methods
- Restricted use distribution of the report:
  o Management of the service organization
  o Customers of the service organization
  o Financial statement auditors of customers
SOC 2
SOC 2 AUDITS
- Well suited for IT and cloud providers:
  o SaaS / IaaS / PaaS
  o Application service providers
  o Data centers
  o Virtualized environments
- Address principles and criteria related to:
  o Security
  o Availability
  o Processing Integrity
  o Confidentiality
  o Privacy
SOC 2
- The engagement is used to emphasize system reliability
- Concept of Type 1 and Type 2 reports
- Report presentation similar to a SOC 1 audit
- Based on the prescribed Trust Services Principles and Criteria
- Principles:
  o Security
  o Availability
  o Processing Integrity
  o Confidentiality
  o Privacy
- Expected to have limited carve-outs and complementary user entity controls
- Restricted use, but intended for a broader range of users, including existing users, prospective users, and regulators
SYSTEM BOUNDARY COMPONENTS
- Infrastructure: the physical structures, IT and other hardware (facilities, computers, equipment, mobile devices, and telecommunications networks)
- Software: the application programs and IT system software that supports application programs (operating systems, middleware, and utilities)
- People: the personnel involved in the governance, operation, and use of a system (developers, operators, entity users, vendor personnel, and managers)
- Procedures: the automated and manual procedures
- Data: transaction streams, files, databases, and tables and output used or processed by a system
TRUST SERVICES PRINCIPLES
- Trust Services Principles updated in February 2014
- Effective for periods ending on or after December 15, 2014
- Early adoption is permitted
- Organized now into Common Criteria:
  o Organization and management
  o Communications
  o Risk management and design and implementation of controls
  o Monitoring of controls
  o Logical and physical access controls
  o System operations
  o Change management
TRUST SERVICES PRINCIPLES AND CRITERIA
Security
- IT security policy
- Security awareness and communication
- Logical access
- Physical access
- Environmental controls
- Security monitoring
- User authentication
- Incident management
- Asset classification / mgt.
- Systems development and maintenance
- Personnel security
- Configuration mgt.
- Change management
- Monitoring / compliance
Availability
- Availability policy
- Backup and restoration
- Incident management
- Disaster recovery
- Business continuity management
- Security
- Change management
- Monitoring / compliance
Confidentiality
- Confidentiality policy
- Confidentiality of inputs
- Confidentiality of data processing
- Confidentiality of outputs
- Information disclosures (including third parties)
- Confidentiality of information in systems development
- Incident management
- Security
- Change management
Processing Integrity
- System processing integrity policies
- Completeness, accuracy, timeliness, and authorization of inputs, system processing, and outputs
- Information tracing from source to disposition
- Incident management
- Security
- Change management
- Availability
- Monitoring
Privacy
- Privacy policies
- PII classification
- Risk assessment
- Incident & breach management
- Provision of notice
- Choice and consent
- Collection
- Use and retention
- Disposal
- Access
- Disclosure to third parties
- Security for privacy
- Quality
- Monitoring and enforcement
- Monitoring / compliance
SOC 3
SOC 3
- Delivered in the form of a seal displayed on websites
- Registered certification by the AICPA and CICA
- Only one type of report (no Type 1 or Type 2)
- Reports may be as of a specified date or for a specified period
- General use report
- Service organizations that have undergone a SOC 2 engagement and received a SOC 2 report may meet the requirements for a SOC 3 report if:
  o The SOC 2 report is an unqualified Type 2 report
  o The report covers at least a 2-month period
  o There are no carve-outs from its system description
  o Significant complementary user entity controls are involved
  o The service auditor is licensed by the AICPA/CICA to use a SOC 3 seal
OTHER REPORTING
INTERNATIONAL REPORTING
ISAE 3402
- SSAE 16 (SOC 1/2/3): United States
- CICA 5970: Canada
- AAF 01/06: United Kingdom
- HKCPA 860.2: HK/China
- AUS 810: Australia
- Others
CLOUD SECURITY ALLIANCE
Cloud Control Matrix
- Compliance
- Data Governance
- Facility Security
- Human Resources
- Information Security
- Legal
- Operations Management
- Risk Management
- Release Management
- Resiliency
- Security Architecture
COMBINED AUDITS
GUIDANCE
GETTING STARTED
- Determine if there is sufficient demand for the SOC audit
- Assign a SOC lead and commit control owners
- Understand the process, time, and effort involved
- Select a service auditor
- Define scope of controls, type of audit, and timing
- Confirm whether to issue a SOC 1/2/3 and a Type 1 or 2 report
- Determine impact related to subservice organizations
- Self-assess readiness of controls and remediate gaps
- Document the system description and controls
- Plan, prepare for, and participate in the SOC audit
CONSIDERATIONS
- Scope confirmation
- SOC 1 readiness assessment
- Remediation efforts
- Report updates
- SOC audit
- Follow-up audits, if necessary
TIPS FOR DEFINING CONTROLS
- Leverage existing sources:
  o Customer contracts
  o RFP responses
  o Due diligence questionnaires
  o Compliance forms
  o QC/internal audit
  o Competitor reports
- Start with a solid outline, and then expand and formalize
- Review wording and presentation with your service auditor
- Isolate control activities from the control descriptions
- Ensure management has a reasonable basis to assert the controls and monitor that they are operating effectively
BRANDING
QUESTIONS
- Chris Kradjan, CPA, CITP, CRISC
  National SSAE 16 and IT Audit Practice Leader
  Partner, Moss Adams
  chris.kradjan@mossadams.com
  (206) 302-6511 / (415) 677-8343
- Kim Koch, CPA
  Senior Manager, Moss Adams
  kim.koch@mossadams.com
  (509) 777-0107
The material appearing in this presentation is for informational purposes only and is not legal or accounting advice. Communication of this information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although these materials may have been prepared by professionals, they should not be used as a substitute for professional services. If legal, accounting, or other professional advice is required, the services of a professional should be sought.