SOC 1 Type 2 Evaluations for SOX Compliance - ISACA
Alan Barnes, Victoria Tudor
8-12-2015

Page 2

AGENDA
• What is a SOC Report?
• Types of SOC Reports
• SOC 1 Report Sections
• SOC 1 Evaluation Process Flow
• Initial Steps Prior to Evaluation
• Subservice Organizations
• Bridge Letter Guidance
• IT General Controls (ITGC)
• Complementary End User Controls (CEUC)
• Questions

Page 3

What is a SOC Report?
• SOC = Service Organization Controls
• An independent CPA examines and reports on the service organization’s controls in order to meet the needs of their user entities.
• The report is an objective evaluation of the effectiveness of controls that address operations and compliance, as well as financial reporting at those user entities.
• The AICPA has established three SOC reporting options to address the needs of the marketplace and enable CPAs to protect the public:
  • SOC 1
  • SOC 2
  • SOC 3

Page 4

Types of SOC Reports
SOC 1 reports on controls at a service organization relevant to user entities’ internal control over financial reporting (ICFR).
• SOC 1 engagements are performed under the AICPA Statement on Standards for Attestation Engagements (SSAE) 16.
• Use of a SOC 1 report is restricted to existing user entities.
• Type 1 - A report on management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
• Type 2 - A report on management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.

Page 5

Types of SOC Reports
SOC 2 reports on controls at a service organization relevant to the five Trust Service principles:
• Security, Availability, Processing Integrity, Confidentiality, and Privacy.
• SOC 2 engagements use the Trust Services Criteria, as well as the requirements and guidance in the AICPA AT Section 101, Attest Engagements.
• A SOC 2 can also be a Type 1 or Type 2, just as with a SOC 1.
• Use of a SOC 2 report is generally restricted to existing user entities.

Page 6

Types of SOC Reports
SOC 3 reports on controls at a service organization using the same Trust Service principles that are also used in SOC 2 engagements.
• The SOC 3 report is generally a general-use report that states only whether the system achieved the Trust Services principles.
• SOC 3 reports can be issued on one or more of the Trust Services principles.
• A SOC 3 allows a client to use the SOC 3 seal on its website.

Page 7

SOC 1 Report Sections
Section I: Independent Service Auditor’s Report (“opinion”) * (Responsibility: Service Auditor)
Section II: Management’s Assertion (may also include a subservice organization’s assertion) (Responsibility: Service Organization)
Section III: Description of the System (overall control environment, control objectives, controls related to the system being examined) (Responsibility: Service Organization)
Section IV: Control Objectives, Related Controls, and Independent Service Auditor’s Tests of Controls and Results of Tests (Type 2 only) (Responsibility: Service Auditor)
Section V: Supplemental Information (Responsibility: Service Organization)

Page 8

SOC 1 Evaluation Process Flow
Steps recovered from the flowchart on this slide:
• Obtain SOC 1 Report.
• Complete SOC 1 Evaluation Form.
• Any Issues?
  Yes: Notify SOX PMO/IA immediately and evaluate potential impact.
  No: Submit Evaluation Form to SOX PMO/IA for review.
• SOX PMO/IA completes review.
• Any Updates? (Yes / No)
• SOX PMO/IA provides SOC 1 and Evaluation to External Auditor.

Page 9

Initial Steps Prior to Evaluation
• Is the SOC 1 report a Type 2?
• Are there any testing exceptions? If so, perform a preliminary assessment and determine if they are significant enough to impact use of the report.
• Is the service auditor’s opinion unqualified? If qualified, what is the qualification for and what is the impact on use of the report? (An emphasis-of-matter paragraph is usually related to a testing exception.)
• Is the period covered at least nine months of the current calendar year? If not, alternative procedures are needed at the client level.
• Are there any subservice organizations listed? If so, are they included in the report or carved out? If carved out, you may need separate SOC 1 reports from them.

Page 10

Subservice Organizations
• A subservice organization is a service organization employed by a service organization to process, record and report financial data for its user entities. (aka 4th Party)
• In management’s description of the service organization’s system, it may elect to use either the inclusive method or the carve-out method in its discussion of the services provided by a subservice organization.

Page 11

Subservice Organizations: Inclusive Method
• A method used to describe the services provided by a subservice organization within management’s description of the service organization’s system. Management’s description of the subservice organization’s system identifies the nature of the services performed by the subservice organization and includes a description of the scope of the service auditor’s engagement and the subservice organization’s relevant control objectives and related controls.
• For the Inclusive Method there should be a separate Management Assertion section for each subservice organization.
• The control objectives, controls, and testing results ARE INCLUDED in the 3rd party vendor’s SOC 1 report.

Page 12

Subservice Organizations: Carve-out Method
• This method permits management’s description of the service organization’s system to identify the nature of the services performed by the subservice organization while excluding, from the description and from the scope of the service auditor’s engagement, the subservice organization’s relevant control objectives and related controls. In other words, the carve-out method allows the service auditor to exclude subservice organizations from the audit.
• The control objectives, controls, and testing results ARE NOT included in the 3rd party vendor’s SOC 1 report.
• The services provided by each 4th party must be assessed as to their significance to the user entity and whether or not a SOC 1 Type 2 report is needed from each of the 4th parties.

Page 13

Bridge Letter Guidance (continued)

Page 14

Bridge Letter Guidance
Period covered by the SOC 1 Type 2 and whether a Bridge Letter is required:
• SOC 1 covers 9 full months or more of the current year: Yes. Obtain a Bridge Letter by mid-January that covers through the end of the current year.
• SOC 1 covers 6 months or less of the current year: No. A Bridge Letter is not sufficient to provide assurance for the remaining period of the current year. Obtain a 2nd SOC 1 covering the remainder of the year.
• SOC 1 covers less than 9 full months of the current year but a 2nd SOC 1 is not available: Maybe. A Bridge Letter alone is not sufficient to provide assurance for the remaining period of the current year. Contact SOX PMO/IA to discuss alternate procedures.

This bridge letter guidance also pertains to any SOC 1 report required for any subservice organization, based on the current SOX year coverage period.

Page 15

IT General Controls (ITGC)
Here is a typical list of the most common ITGCs:
• Logical Security (access)
• Information Security (password parameters, firewall, intrusion detection)
• Physical Security/Environmental Systems
• Application Development
• Change Management (OS, database, application, network, etc.)
• Computer Operations (job scheduling and monitoring)
• Backup Management
• Data Transmissions

Page 16

Complementary End User Controls (CEUC)
The 3rd party’s control environment description typically indicates that certain complementary user entity controls (CEUC) must be suitably designed and operating effectively at user entities for related controls at the service organization to be considered suitably designed to achieve the related control objectives.

Page 17

Complementary End User Controls (CEUC)

Page 18

Complementary End User Controls (CEUC)
Examples of CEUCs:
• Validation of data inputs into vendor systems.
• Validation of output reports from vendor systems.
• Assurance that access and password parameters conform to your user entity standards.
• Do their ITGC controls adhere to your policies and procedures?
• Does the vendor adhere to your privacy and confidentiality requirements?

Page 19

QUESTIONS?