SOC 2 Reporting and Requirements
February 13, 2019
Presented by Cathy Patton, Director of Process, Risk and Governance
HPG.com
WHO WE ARE …
EDUCATION: Online training, webinars and customized workshops
CONSULTING: Professional services to help you with your compliance needs
We assist healthcare organizations to develop and implement practices to secure IT systems and comply with HIPAA/HITECH regulations.
DISCLAIMER: Consult your attorney
ALL WEBINARS ARE RECORDED AND AVAILABLE AS AN “ON DEMAND” SUBSCRIPTION
This webinar has been provided for educational and informational purposes only and is not intended and should not be construed to constitute legal advice.
Please consult your attorneys in connection with any fact-specific situation under federal law and the applicable state or local laws that may impose additional obligations on you and your company.
Cathy Patton
• Director of Hughes Pittman & Gupton, LLP (“HPG”) Process Risk and Governance (“PRG”) Practice
• 25 years of experience, including over 20 years in public accounting
• Previously finance officer with Triangle Transit Authority
• McCall Service, Inc., Board of Directors
• Second Chance Pet Adoptions, Board of Directors
• Eastern NC National Multiple Sclerosis Society, former Treasurer and Trustee
SOC Examinations
SOC – System and Organization Controls
Designed to help service organizations (organizations that operate information systems and provide information services to other entities) build trust and confidence in their service delivery processes and controls.
Benefits of a SOC Report
For the Service Organization (“Issuer”)
• Differentiator from your peers / competition: Demonstrates Compliance!
• Builds trust with consumers which can boost revenues – larger customers/ satisfy RFP requirements
• May result in opportunities for improvements to existing control environment
• “Easy” response to audit requests from customers and their auditors with consistent information
• Evaluate sub-service providers
For the User Organization (“Consumer”)
• Valuable in assessing the risk associated with an outsourcing relationship (enhanced with a Type 2 report, which covers operating effectiveness over a period)
• May indicate the need to enhance or reduce internal controls
• Can reduce the professional fees associated with financial statement attestation work
• May be a requirement for onboarding new third-party organizations (e.g. vendor risk management)
The Path to New SOC Reporting for 2019
Statement on Auditing Standards No. 70 (SAS 70)
• AICPA
• 1992 (10 years before SOX)
• Auditor-to-Auditor communication
• Control design OR effectiveness of financial statement controls outsourced to a service organization
Sarbanes-Oxley Act (SOX)
• U.S. Congress
• 2002
• Required attestation disclosure with financials
• Protect investors from the possibility of fraudulent accounting activities by public entities
Statement on Standards for Attestation Engagements (SSAE) No. 18
• AICPA
• SSAE 16 – Issued 2010 / Effective June 2011
• SOC 1, 2 and 3
• SSAE 18 – Issued April 2016 / Effective May 2017
SOC 2 Framework… What Changed?
• The most significant change is to the Security Trust Services Category, which has been expanded from 23 to 33 required common criteria.
• AICPA illustrative risks/controls have been replaced with COSO 2013-style “Points of Focus”.
  • Points of Focus describe important characteristics of each criterion to help users apply the criteria and to assist management and auditors in evaluating them.
  • They are not to be included in SOC reports; they are intended as guidance for developing controls that address the Trust Services Criteria.
• The revised framework is required for SOC 2 reports covering periods ending on or after December 15, 2018.
SOC 1, 2 & 3 Reports… What’s the Difference?
SOC 1, 2 & 3 Reports … At a Glance

SOC 1
  Definition: Report on the design (Type 1) and/or operating effectiveness (Type 2) of controls at a service organization that are relevant to user entities’ internal control over financial reporting.
  Use: Audit of financial statements
  Consumers: Management; user entities; indirect/downstream user entities; independent auditors of user entities

SOC 2
  Definition: Report on the design (Type 1) and/or operating effectiveness (Type 2) of controls at a service organization relevant to the Trust Services Criteria for security, availability, processing integrity, confidentiality and privacy.
  Use: Internal control programs, regulatory compliance, due diligence
  Consumers: Management; user entities; indirect/downstream user entities; independent auditors of user entities; regulators

SOC 3
  Definition: Addresses the same Trust Services Criteria as SOC 2 but omits the detailed description of the auditor’s tests and results. Because it is a general-use report, it can be distributed publicly and used in the service organization’s marketing efforts.
  Use: Marketing material
  Consumers: Public users who need confidence in the service organization’s controls
Types of SOC Examinations
• Type 1 – Suitability of control design as of a point in time
• Type 2 – Suitability of control design and operating effectiveness of controls over a defined period
  • Minimum period two months
  • Recommend at least six months
  • Annual reporting requirement
SOC 2 Report Content (Type 1 vs. Type 2)

Management’s description of the system
  Type 1: Yes
  Type 2: Yes

A written assertion by management that:
  • the description fairly presents the service organization’s system as designed and implemented
      Type 1: Yes – “as of” a specific date
      Type 2: Yes – “throughout a specified period”
  • controls were suitably designed to achieve the Trust Services Category control objectives
      Type 1: Yes – “as of” a specific date
      Type 2: Yes – “throughout a specified period”
  • controls operated effectively to achieve the Trust Services Category control objectives
      Type 1: No
      Type 2: Yes – “throughout a specified period”

A written assertion from management of a subservice organization
  Type 1: Yes – inclusive method only
  Type 2: Yes – inclusive method only

Description of the service auditor’s tests of controls and results, including disclosure of tests performed by internal audit
  Type 1: No
  Type 2: Yes

Service auditor’s opinion
  Type 1: Yes
  Type 2: Yes
  (Neither report type references reliance on internal audit work in the opinion.)

Statement restricting use of the report to management, user entities, indirect/downstream user entities and independent auditors of user entities
  Type 1: Yes – user entities as of the end of the period covered
  Type 2: Yes – user entities during some or all of the period covered
SOC 2 Report Content – Trust Services Categories

Trust Services Categories – a set of professional assurance services based on a common framework, comprised of a core set of principles and criteria, designed to address the risks and opportunities associated with information technology.

Security: The system is protected against unauthorized physical and logical access.
“Online” Privacy: PII is collected, used, disclosed and retained as committed or agreed.
Confidentiality: Information designated as confidential is protected as committed or agreed.
Availability: The system is available for operation and use as committed or agreed.
Processing Integrity: System processing is complete, accurate, authorized and timely (CAAT).
AICPA SOC Logos
SOC 2 Examinations – Who Needs One?
• Health Care Claims Management and Processing
• Cloud Computing
• Data Centers & Hosting
• Providers/Facilities
• Management Services
• Managed IT Providers
• Managed Security Service Providers
• Customer Support
• Sales Force Automation
SOC 2 Maturity – Cost/Benefit
[Bubble chart: x-axis Maturity, y-axis Cost; one bubble per SOC 2 category (Security, Availability, Confidentiality, Processing Integrity, Privacy), with remediation effort represented by bubble size and each category labelled “In scope for new SOC 2”, “Consideration for scope” or “For future consideration”.]
The addition of a SOC 2 category should be carefully weighed against its value for the business. Progression along the SOC 2 maturity scale may increase remediation efforts and costs.
COSO Risk, Strategy, and Objective-Setting Component – Principle 10: Considers Risk while Establishing Business Objectives
SOC 2 Trust Services Categories & Criteria
The Trust Services Categories contain criteria. A SOC 2 report must include the Security Category and its required common criteria, and may include any or all of the additional categories.
Security
• System is protected against unauthorized access, use or modification
• 33 Required Common Criteria (previously 23)
Availability
• System is available for operation and use as committed or agreed
• 3 Additional Criteria (no change)
Confidentiality
• Information designated as confidential is protected as agreed
• 2 Additional Criteria (previously 8)
Processing Integrity
• System processing is complete, valid, accurate, timely and authorized
• 5 Additional Criteria (previously 5)
Privacy
• The system's collection, use, retention, disclosure and disposal of PII is in accordance with commitments and system requirements
• 18 Additional Criteria (previously 20)
SSAE 18 – Impacts to SOC 2 Issuers
• If you already issue a SOC 2:
  • Be prepared for additional controls that may be required to address the additional required common criteria. The changes will also affect your existing system description.
  • Consider executing a gap assessment of the “old” to “new” SOC 2 framework to identify areas of potential remediation prior to the SOC examination.
  • Expect additional focus on oversight, risk assessments and subservice provider (vendor) management.
• If you are considering/planning a SOC 2:
  • Ensure your service auditor uses the appropriate framework based on the examination period end date.
  • Evaluate with your service auditor the inclusion of appropriate additional Trust Services Categories.
SOC Reporting… How to prepare?
SOC Security Policies and Procedures
• Enterprise Security Policy
• Network Access/Configuration Policy
• Encryption Policy
• Cellular Phone and BYOD Policy
• Password Policy
• Change Management Policy
• Remote Access/VPN Policy
• Router/Server Security Policy
• Software Policy
• Logical Security
• Privileged Access
• Account Administration
• Code of Conduct
• Physical Security
• Hiring Policy
• Employee Handbook
• Vendor Management Policy
• Risk Assessment
• Monitoring
• Penetration Testing
• Vulnerability Scanning
• System Backups
• Disaster Recovery Plan
• Wireless Communication Policy
Readiness Assessment
• Provide organizations with an assessment of risks and an inventory of potential control weaknesses related to the processing environment
• Assess development, processing practices and standards
• Identify gaps and weaknesses in the processes and controls
• Develop the capability to quickly and succinctly respond to requests for information, audit requests, or questionnaires while minimizing the time the client resources must dedicate to audit and review activities
• Position the client to remediate weaknesses and begin a SOC examination with a greater degree of comfort
Readiness Assessment Phases
• Scoping
  • Determine the requirements of the SOC examination
  • Identify and document the applicable Trust Services Criteria
• Document and Assess
  • Evaluate the design of the controls throughout the environment
  • Identify and report potential weaknesses in the design or implementation of controls
  • Provide specific, actionable recommendations
• Deliverables
  • Trust Services Criteria in scope, defining the content of the SOC report
  • A set of control matrices indicating the controls that meet the criteria identified
  • Detailed observations and recommendations related to the results: control gaps, control weaknesses and enhancement opportunities
• Remediation
SOC Reporting… What does the future hold?
SSAE 18 – Required Subservice Provider Monitoring
• SOC 2 to replace individual on-site audits and questionnaires
• SOC 2 to replace aspects of regulatory exams
• Marketplace is embracing the product
• The Security principle is being used extensively
• Software as a Service (SaaS) providers are taking advantage of “full” reports by covering all five categories
• Smaller service organizations are issuing SOC 2 reports due to client requirements
Q&A
Where to Get More Information
Cathy Patton, Director of Process Risk and Governance
Hughes Pittman & Gupton, LLP
www.hpg.com
CALL US: 866-276-8309
SERVICE: 150 Cornerstone Dr., Cary, NC
SOCIALIZE / FIND US: Twitter: @ehr_20  Facebook: ehr2027
Upcoming Events
❑ MIPS/MACRA Security Risk Assessment Requirements – Feb 28 @ 1 p.m. ET
❑ OSHA Assessment for Healthcare Organizations – Mar 13 @ 1 p.m. ET
Please don’t hesitate to ask questions.
Thank you for your attention and for joining us today!