SOC Reporting: What is New in the Audit Guides?

Feb 25, 2016

Page 1: SOC Reporting: What is New in the Audit Guides?

March 6, 2012

SOC Reporting: What is New in the Audit Guides?

Page 2: SOC Reporting: What is New in the Audit Guides?

Introduction

Nick Wedel, CISSP, CISA
McGladrey – Technology Risk Advisory Services (Kansas City)

Agenda

- Background (SAS70 to SOC)
- Overview of SOC Reporting Options
- Trust Services Principles & Criteria
- Key differences between SOC 2 and SOC 3 reports
- What is Included in the Audit Guides?
- SOC 1 Audit Guide Highlights
- SOC 2 Audit Guide Highlights
- Frequently Asked Questions
- Other Questions?

Page 3: SOC Reporting: What is New in the Audit Guides?

Background (SAS70 to SOC)

Reasons for Change

- Misunderstandings, misapplications, and misuses of SAS70
- New technologies: virtualization, mobile computing, cloud computing
- Need for greater international consistency: alignment with International Standards on Attestation Engagements (ISAE 3402)

Page 4: SOC Reporting: What is New in the Audit Guides?

Overview of Service Organization Control (SOC) Reporting Options

SOC1

- Standards: AICPA Attest Standards (SSAE 16)
- Focus:
  • Auditor to auditor opinion report for financial reporting controls
  • Audited entity meets the definition of a service organization
  • CPA firm responsible for the adequacy of the procedures
- Report distribution guidance:
  • Report distribution to service organization users
  • Restricted use report
  • Issued by licensed CPA

SOC2

- Standards: AICPA Attest Standards (AT101); Trust Services Principles
- Focus:
  • Opinion report on system security, availability, processing integrity and confidentiality and/or privacy
  • Detailed like SOC1
  • CPA firm responsible for the adequacy of the procedures
- Report distribution guidance:
  • Intended for non-auditor audience (e.g., CIO)
  • Restricted use report
  • Issued by licensed CPA

SOC3

- Standards: AICPA Attest Standards (AT101); Trust Services Principles
- Focus:
  • Opinion report on system security, availability, processing integrity and confidentiality and/or privacy
  • Client description is not audited
  • CPA firm responsible for the adequacy of the procedures
- Report distribution guidance:
  • Intended for non-auditor audience (e.g., CIO)
  • General use report
  • Issued by licensed CPA

Other Reports

- Standards: AICPA Attest Standards (AT101)
- Focus:
  • Doesn’t fall under SSAE 16 or Trust Services Principles
  • Reporting on the design of internal controls
  • CPA firm responsible for the adequacy of the procedures
- Report distribution guidance:
  • May be issued for general or restricted use
  • Issued by licensed CPA

Page 5: SOC Reporting: What is New in the Audit Guides?

SOC2/SOC3: Trust Services Principles & Criteria

Five Trust Services Principles

- Availability – The system is available for operation and use as committed or agreed.
- Confidentiality – Information designated as confidential is protected as committed or agreed.
- Privacy – Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles (GAPP).
- Processing integrity – System processing is complete, accurate, timely, and authorized.
- Security – The system is protected against unauthorized access (both physical and logical).

Page 6: SOC Reporting: What is New in the Audit Guides?

SOC2/SOC3: Trust Services Principles & Criteria

Four Trust Services Criteria Domains

- Policies – The entity has defined and documented its policies relevant to the particular principle.
- Communications – The entity has communicated its defined policies to responsible parties and authorized users of the system.
- Procedures – The entity placed in operation procedures to achieve its objectives in accordance with its defined policies.
- Monitoring – The entity monitors the system

Page 7: SOC Reporting: What is New in the Audit Guides?

Key Differences: SOC2 and SOC3 Reports

System description
- SOC2: Includes a detailed description of the service organization’s system, prepared by management, on which the service auditor opines
- SOC3: Includes a high-level description that the service auditor does not opine on

Intended audience
- SOC2: Intended for parties who are knowledgeable about the nature of the services; how the service organization interacts with its users; internal control and its limitations; trust principles, criteria and risks; and complementary user-entity controls and how they interact with controls at the service organization
- SOC3: Intended for a general audience that is not presumed to have specific knowledge about the report and its contents

Distribution
- SOC2: Restricted use report
- SOC3: General distribution report

Carve-out method
- SOC2: Can use the “carve-out” method
- SOC3: Carve-out method not allowed

User control considerations
- SOC2: Can have significant user control considerations
- SOC3: Cannot have significant user control considerations

Marketing
- SOC2: Not intended for marketing purposes
- SOC3: Use allowed for marketing purposes

Seal
- SOC2: No seal available
- SOC3: Seal available

Page 8: SOC Reporting: What is New in the Audit Guides?

What is Included in the Audit Guides?

The two audit guides follow the same general format and address similar topics, including:

- Introduction and Background
- Use of the Report
- Planning the SOC Engagement
- Performing the SOC Engagement
- Reporting
- Appendices:
  • Illustrative representation letters
  • Illustrative management assertions
  • Illustrative control objectives (SOC1 Audit Guide)
  • Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (SOC2 Audit Guide)
  • Illustrative Reports

Page 9: SOC Reporting: What is New in the Audit Guides?

SOC1 Audit Guide Highlights

- Examples of using detailed criteria for developing the description of controls (as presented in SSAE16)
- Concept that management’s thoughtfulness in developing control objectives constitutes an informal risk assessment
- Illustrative control objectives for various types of service organizations are included in Appendix D:
  • General computer controls
  • Application service provider
  • Claims processor
  • Credit card payment processor
  • Investment manager
  • Payroll processor
  • Transfer agent

Page 10: SOC Reporting: What is New in the Audit Guides?

SOC2 Audit Guide Highlights

- Detailed outline of what information should be included in management’s description
- Definition of “system” for the purposes of scoping the report
- Detailed trust services principles and criteria
- Dealing with criteria that are not applicable
- The guide largely mirrors what is outlined in the SOC1 Audit Guide, except for information specific to the trust services principles

Page 11: SOC Reporting: What is New in the Audit Guides?

Frequently Asked Questions

Question 1: Can service organizations market that they are “SOC certified”?

No. A popular misconception is that a service organization becomes “certified” after completing and issuing a SOC report. No such certification exists; however, the AICPA does allow for the below logo to be displayed on service organization websites upon completion of a SOC attestation and registration with the AICPA.

Page 12: SOC Reporting: What is New in the Audit Guides?

Frequently Asked Questions


Question 2: How do I determine which SOC report is best for me?

First, you need to determine who will be using the report and for what purposes; that will guide which report is most appropriate. In some cases you might decide to issue multiple reports. If a client’s financial statement auditor is going to use the report, most of the time that will result in the need for a SOC 1 report. If it is client management (e.g., the CIO) requesting the report for their operational assessment and monitoring of your processing, a SOC2 or SOC3 might better serve their needs.

Page 13: SOC Reporting: What is New in the Audit Guides?

Frequently Asked Questions


Question 3: What do I need to do to prepare for the new SOC reports?

The answer will depend upon a couple of items: first, what type of report you will need, and second, whether you have previously issued this type of report. If the answer to the second question is “no”, there is quite a bit of work that needs to be done to get ready for the SOC attestation.

Page 14: SOC Reporting: What is New in the Audit Guides?

Other Questions?


Resources

AICPA.org/publications
mcgladrey.com/Events/Service-Organization-Control-Reports

Nick Wedel
816.751.4051

[email protected]

Page 15: SOC Reporting: What is New in the Audit Guides?

McGladrey & Pullen, LLP
Certified Public Accountants

www.mcgladrey.com