American Society of Military Comptrollers (ASMC) – PDI
June 2, 2017
Office of the Under Secretary of Defense (Comptroller)
Office of the Deputy Chief Financial Officer
Using DoD SSAE 16/18 Service Organization Control (SOC) Reports (to Support Your Audit and A-123 Compliance)
Bradley Keith, Director, PwC Public Sector, LLP
James Davila, Accountant, FIAR Directorate, Office of the Deputy Chief Financial Officer, OUSD(C)
Discussion Topics
Using DoD SSAE 16/18 Service Organization Control (SOC) Reports
1) Service Organization Relationships Key Concepts
• End-to-End Process Relationships
• Service Organization Identification
2) Addressing Service Organization Controls
• Available Options
• Available SOC 1 Reports
• Relevant SOC 1 Reports
3) Using the Service Organization Controls Report
• Desired Outcomes
• SOC 1 Report Sections
• Areas for Consideration
• CUECs and CSOCs
• Reliability of Data (and Reports)
• Common Evaluation Pitfalls
• Reporting / User Entity Responsibilities
4) OUSD(C) FIAR Support and Available Resources
Service Organization Relationships Key Concepts
The Reporting Entity is responsible for internal controls over financial reporting.
End to End Business Process
Parts of the audit-relevant Reporting Entity business process are performed by one or more Third Parties.
(Diagram: Reporting Entity and Third Party, each labelled Initiate / Execute, and the resulting Financial Statements.)
What is the specific nature of the relationship (i.e., who does what)?
End to End Business Process
It is critical to determine which Third Parties meet the definition of a “Service Organization” for A-123 and audit purposes (and which do not).
Terms in common use: “Service Organizations”, “Service Providers”, “Vendors”, “Third Parties”, “Working Capital Funds”, “Trading Partners”.
The Financial Statement Auditor will follow the Auditing Standards
End to End Business Process
AU-C 402: Audit Considerations Relating to an Entity Using a Service Organization
.A7 The significance of the controls at the service organization to the user entity's internal control also depends on the degree of interaction between the service organization's activities and those of the user entity. The degree of interaction refers to the extent to which a user entity is able to and elects to implement effective controls over the processing performed by the service organization.

For example, a high degree of interaction exists between the activities of the user entity and those at the service organization when the user entity authorizes transactions and the service organization processes and accounts for those transactions. In these circumstances, it may be practicable for the user entity to implement effective controls over those transactions.

On the other hand, when the service organization initiates or initially records, processes, and accounts for the user entity's transactions, a lower degree of interaction exists between the two organizations. In these circumstances, the user entity may be unable to, or may elect not to, implement effective controls over these transactions at the user entity and may rely on controls at the service organization.

(Diagram: Who Does What? The steps Initiates, Executes / Internally Records, and Processing and Accounting, each marked with a question mark for which party performs it.)
You and / or your auditor can’t ignore / assume what happens inside the “Black Box”.
End to End Business Process
Why is this so important?
If a Service Organization relationship / dependency exists:
• The Reporting Entity must address Service Organization (and Sub-service Organization) controls for OMB Circular A-123 (Appendix A) / ICOFR.
• The Reporting Entity financial statement auditor will also need to address the Service Organization (and Sub-service Organization) controls in financial statement audits and examinations.
If a Service Organization relationship exists, all of the pieces need to fit. Roles and responsibilities must be aligned.
End to End Business Process
(Diagram: Sub-Service Organizations, Service Organizations, Reporting / User Entities, and User Auditors as the interlocking pieces.)
Addressing Service Organization Controls
It is very inefficient for each and every Reporting Entity and their auditor to redundantly test Service Organization controls versus relying on the SOC 1 Reports.
Addressing Service Organization Controls
How do I do this? There are a few options.
Financial Statement Audit (must comply with audit independence requirements)
• The Reporting Entity's financial statement auditor (User Auditor) documents and tests the design and operating effectiveness of internal controls over financial reporting at Service Organizations (and Sub-service Organizations).
Addressing Service Organization Controls
How do I do this? What SOC 1 reports are available?
Significant progress has been achieved but much remains to be done.
(Figure: timeline of DoD SOC 1 reports by fiscal year, FY 2005 through FY 2018+. Service organizations and systems shown: DFAS Contract Pay, DFAS Standard Disbursing, DFAS Financial Reporting, DFAS FBWT Treasury Distribution, DFAS FBWT Treasury Reconciliation, DFAS Vendor Pay, DFAS Military Pay, DFAS Civilian Pay, DISA (ATAAPS), DISA (EIS), DCMA Contract Pay, DLA SOIDC, DLA iRAPT, DLA DAAS, DLA DAI, AT&L / DLA DPAS, DMDC DTS, DMDC DCPDS, U.S. Army GFEBS, U.S. Army Conventional Munitions, US Bank SYNCADA, US Bank AXOL, Retail Payment Processing, Total Systems Services, Elavon, Inc., Citigroup Technology Infrastructure (CTI), Compensation Benefit & Payment, (OWCP) Bill Processing, Treasury Funds Management, Treasury Admin Resource Center, Treasury Invest & Borrowings. Legend: Unqualified / Unmodified Opinion; Qualified / Modified Opinion.)
Multiple SOC 1s are underway or planned.
Addressing Service Organization Controls
How do I do this? What SOC 1 reports are available?
DoD SSAE 16/18s as of May 2017
For each assessable unit the entries are: FY 14 IPA firm, opinion and reporting period; FY 15 IPA firm, opinion and reporting period; FY 16 whether an SSAE 16 was performed, IPA firm, opinion, reporting period and report issuance date; FY 17 whether an SSAE 16 is planned, IPA firm, opinion, projected reporting period and expected report issuance date.

Service Provider: DFAS

Civilian Pay (systems: DCPS)
  FY 14: KPMG, Unmodified, Oct 2013 - Jun 2014
  FY 15: KPMG, Unmodified, Oct 2014 - Jun 2015
  FY 16: Yes; KPMG, Unmodified, Oct 2015 - Jun 2016; issued Aug 12, 2016
  FY 17: Yes; KPMG, TBD, Oct 2016 - Jun 2017; expected Aug 15, 2017

Military Pay (systems: DJMS-AC, DJMS-RC, DMO (Web))
  FY 14: KPMG, Unmodified, Oct 2013 - Jun 2014
  FY 15: KPMG, Modified, Oct 2014 - Jun 2015
  FY 16: Yes; KPMG, Modified, Oct 2015 - Jun 2016; issued Aug 17, 2016
  FY 17: Yes; KPMG, TBD, Oct 2016 - Jun 2017; expected Aug 17, 2017

Standard Disbursing Service (systems: ADS, ADS IPAC MegaWizard, 22 MicroApps: DD 2657 Statement of Accountability, State Tax Access Database, State Tax Microsoft Excel workbook (Excel), DIT Tracker Workbook (Excel), IPAC Tracking Workbook (Excel), Kansas City Central Site IPAC Wizard (Access))
  FY 14: KPMG, Unmodified, Oct 2013 - Jun 2014
  FY 15: KPMG, Unmodified, Oct 2014 - Jun 2015
  FY 16: Yes; KPMG, Unmodified, Oct 2015 - Jun 2016; issued Aug 15, 2016
  FY 17: Yes; KPMG, TBD, Oct 2016 - Jun 2017; expected Aug 15, 2017

ERMP (assessable unit name not captured in the extraction)
  FY 14: GT, Unmodified, Nov 2013 - Apr 2014
  FY 15: GT, Unmodified, Oct 2014 - Jun 2015
  FY 16: Yes; GT, Unmodified, Oct 2015 - Jun 2016; issued Aug 15, 2016
  FY 17: Yes; GT, TBD, Oct 2016 - Jun 2017; expected Aug 15, 2017

Vendor Pay (systems: OnePay, CAPS-W, CAPS-W Data Center, ODS, DCD/DCW, STARS, BAM, APVM)
  FY 14: NA
  FY 15: NA
  FY 16: No
  FY 17: Yes; GT, TBD, Feb 2017 - Jul 2017; expected Sep 15, 2017

FBWT - Transaction Distribution (systems: DCAS, SAMS)
  FY 14: NA
  FY 15: NA
  FY 16: Yes; KPMG, Modified, Mar 2016 - Sep 2016; issued Nov 14, 2016
  FY 17: Yes; KPMG, TBD, Oct 2016 - Jun 2017; expected Aug 15, 2017

FBWT - Treasury Reconciliation (systems: DRRT, CMR)
  FY 14: NA
  FY 15: NA
  FY 16: No
  FY 17: No

(Assessable unit and systems not captured in the extraction)
  FY 14: Kearney, Modified, Mar 2014 - Nov 2014
  FY 15: Kearney, Modified, Dec 2014 - Jul 2015
  FY 16: Yes; Kearney, Modified, Oct 2015 - Jul 2016; issued Sept 15, 2016
  FY 17: Yes; Kearney, TBD, Oct 2016 - Jul 2017; expected Sept 15, 2017

IPA firm abbreviations:
GT = Grant Thornton
PwC = PricewaterhouseCoopers
Kearney = Kearney & Company
WACO = Williams Adley & Co.
E&Y = Ernst & Young
CBH = Cherry, Bekaert & Holland
RMA = RMA Associates
RESJ = Robins, Eskew, Smith & Jordan
Multiple SOC 1s are underway or planned.
Addressing Service Organization Controls
How do I do this? What SOC 1 reports are available?
Defense Civilian Personnel Data System (DCPDS) (systems: DCPDS)
  FY 14: PwC, Modified, Oct 2013 - Jun 2014
  FY 15: KPMG, Unmodified, Oct 2014 - Jun 2015
  FY 16: Yes; KPMG, Unmodified, Oct 2015 - Jun 2016; issued Aug 15, 2016
  FY 17: Yes; KPMG, TBD, Oct 2016 - Jun 2017; expected Aug 15, 2017

Defense Travel System (DTS) (systems: DTS)
  FY 14: N/A
  FY 15: WACO, Modified, Oct 2014 - Jun 2015
  FY 16: Yes; WACO, Modified, Oct 2015 - Jun 2016; issued Sep 08, 2016
  FY 17: Yes; KPMG, TBD, Oct 2016 - Jun 2017; expected Aug 15, 2017

DCMA Contract Pay (systems: MOCAS, eTools)
  FY 14: GT, Modified, Feb 2014 - Oct 2014
  FY 15: GT, Modified, Feb 2015 - Sept 2015
  FY 16: Yes; GT, Modified, Jan 2016 - June 2016; issued Aug 15, 2016
  FY 17: Yes; GT, TBD, Oct 2016 - Jun 2017; expected Aug 15, 2017

Wide Area Work Flow - Invoices, Receipt, Acceptance and Property Transfer (WAWF - iRAPT) (systems: iRAPT)
  FY 14: RMA, Modified, Mar 2014 - Aug 2014
  FY 15: WACO, Modified, Oct 2014 - Jun 2015
  FY 16: Yes; GT, Modified, Oct 2015 - Jun 2016; issued Aug 15, 2016
  FY 17: Yes; RMA, TBD, Oct 2016 - Jun 2017; expected Aug 15, 2017

Defense Agency Initiative (DAI) (systems: DAI)
  FY 14: WACO, Modified, Jan 2014 - Jun 2014
  FY 15: WACO, Unmodified, Oct 2014 - Jun 2015
  FY 16: Yes; GT, Modified, Oct 2015 - Jun 2016; issued Aug 15, 2016
  FY 17: Yes; RMA, TBD, Oct 2016 - Jun 2017; expected Aug 15, 2017

Defense Automatic Addressing System (DAAS) (systems: DAAS)
  FY 14: E&Y, Modified, Sep 2013 - Feb 2014
  FY 15: WACO, Modified, Oct 2014 - Jun 2015
  FY 16: Yes; GT, Modified, Oct 2015 - Jun 2016; issued Aug 15, 2016
  FY 17: Yes; RMA, TBD, Oct 2016 - Jun 2017; expected Aug 15, 2017

Service Owned Items in DLA Custody (SOIDC) (systems: DSS)
  FY 14: NA
  FY 15: NA
  FY 16: Yes; Kearney, Modified, Jan 2016 - Sept 2016; issued Apr 28, 2017
  FY 17: No

Defense Property Accountability System (DPAS) (systems: DPAS)
  FY 14: CBH, Unmodified, Oct 2013 - Jun 2014
  FY 15: CBH, Unmodified, Jul 2014 - Jun 2015
  FY 16: Yes; CBH, Unmodified, Oct 2015 - Jun 2016; issued Aug 26, 2016
  FY 17: Yes; CBH, TBD, Oct 2016 - Jun 2017; expected Aug 15, 2017

Operations Center (FY 15-16 Scope) (locations: Mechanicsburg, Ogden, Oklahoma City, Montgomery)
  FY 14: KPMG, Unmodified, Oct 2013 - Jun 2014
  FY 15: E&Y, Unmodified, Oct 2014 - Jun 2015
  FY 16: Yes; E&Y, Unmodified, Oct 2015 - Jun 2016; issued Aug 15, 2016
  FY 17: Yes; E&Y, TBD, Oct 2016 - Jun 2017; expected Aug 15, 2017

Automated Time Attendance and Production System (ATAAPS) (systems: ATAAPS)
  FY 14: N/A
  FY 15: E&Y, Modified, Oct 2014 - Jun 2015
  FY 16: Yes; E&Y, Modified, Oct 2015 - Jun 2016; issued Aug 15, 2016
  FY 17: Yes; E&Y, TBD, Oct 2016 - Jun 2017; expected Aug 15, 2017

Conventional Ammunition (systems: LMP, WARS-NT, SAAS-MOD)
  FY 17: Yes; KPMG, TBD, Oct 2016 - Mar 2017; expected TBD

General Fund Enterprise Business System (GFEBS) (systems: GFEBS)
  SSAE 16: No (firm, opinion, period and date NA)

Service Provider: Corporate Payment Systems (CPS)

U.S. Bank Freight Payment Transaction Processing System (systems: Syncada)
  FY 14: E&Y, Unmodified, Oct 2013 - Sept 2014
  FY 15: E&Y, Unmodified, Oct 2014 - Sept 2015
  FY 16: Yes; E&Y, Unmodified, Oct 2015 - Jul 2016; issued Sept 19, 2016
  FY 17: Yes; E&Y, TBD, Aug 2016 - Jul 2017; expected Sept 15, 2017

Total Systems Services (TSYS), Subservice Org to CPS, for credit management processing (systems: TS1 & TS2)
  FY 16: Yes; KPMG, Unmodified, Jan 2016 - Sep 2016; issued Oct 31, 2016
  FY 17: Yes; KPMG, TBD, Jan 2017 - Sep 2017; expected Oct 2017

Elavon, Inc., Subservice Org to CPS, for daily processing services related to carrier billing (systems: Merchant Processing System (MPS))
  FY 16: Yes; E&Y, Unmodified, Nov 2015 - Oct 2016; issued Dec 19, 2016
  FY 17: Yes; E&Y, TBD, Nov 2016 - Oct 2017; expected Dec 2016

Retail Payment Processing (RPS), Subservice Org to CPS, for processing check, electronic payments & research payment discrepancies (systems: Integrated Card System, Triad, ACAPS, Falcon, SeQual, CASPER, CME, SAR, CA Web Viewer, IVR, ARMS)
  FY 16: Yes; E&Y, Unmodified, Nov 2015 - Oct 2016; issued Dec 19, 2016
  FY 17: Yes; E&Y, TBD, Nov 2016 - Oct 2017; expected Dec 2016

Commercial Card Transaction Processing System (ELAN) (systems: Access Online, SeQual, Corporate Payments Mgt Information System (CPMIS), Automated Credit Application Processing System (ACAPS))
  FY 14: N/A
  FY 15: E&Y, Unmodified, Nov 2014 - Oct 2015
  FY 16: Yes; E&Y, Unmodified, Nov 2015 - Oct 2016; issued Dec 15, 2016
  FY 17: Yes; E&Y, TBD, Nov 2016 - Oct 2017; expected Dec 15, 2017
Addressing Service Organization Controls
How do I do this? What SOC 1 reports are available?
Compensation Benefit & Payment for Medical Services for Federal Civilian Employees (systems: Integrated Federal Employees' Compensation System (iFECS); Office of the Assistant Secretary for Administration and Management (OASAM) General Support System (GSS))
  FY 16: Yes; KPMG, Unmodified, Oct 2015 - Jun 2016; received Oct 13, 2016
  FY 17: Yes; KPMG, TBD, Oct 2015 - Jun 2016; expected early Sept

Office of Workers' Compensation Program (OWCP) Bill Processing / Central Bill Processing System (systems: Central Bill Processing System)
  FY 16: Yes; RESJ, Unmodified, Oct 2015 - Mar 2016; received Oct 13, 2016
  FY 17: Yes; RESJ, TBD, Oct 2015 - Mar 2016; expected early Sept

Citi Travel Card (systems: Citigroup Technology Infrastructure (CTI), Global Information Security (GIS), Global Identity Admin (GIDA); mainframe systems include IBM z/OS and Unisys ClearPath; midrange systems include Stratus, Nonstop Tandem and IBM series, plus various physical and virtual UNIX, Linux and Windows operating systems)
  FY 16: Yes; KPMG, Unmodified, Jan 2016 - Sep 2016; received Jan 26, 2017
  FY 17: Yes; KPMG, TBD, Jan 2017 - Sep 2017; expected Dec 2017
How do I use the SOC 1 report? SOC 1 Report Structure
The User Auditor’s ability to rely on internal controls directly affects audit and audit support costs.
Read the report and assess the impact on your risk of financial misstatement.
A SOC 1 Report typically includes the following sections:
Section 1: Independent Service Auditor’s Report
Section 2: Assertion Provided by Management of the Service Organization
Section 3: Description of the Service Organization, including an overview of relevant operations and applications
• Complementary User Entity Controls (CUECs)
• Subservice Organizations and Complementary Subservice Organization Controls (CSOCs)
Section 4: Service Organization’s Control Objectives and Related Controls (Control Objectives, Controls, and Tests of Operating Effectiveness)
Section 5: Other Information Provided by Service Organization Management (UNAUDITED)
How do I use the SOC 1 report? Areas for Consideration
Your auditor will consider these. So should you.
• Evaluation of relevant controls
• Service auditor competency
• Scope exclusions
• Carve-outs
• CUECs
• CSOCs
• Reliability of data
• Results of tests
• Opinion
• Gap Periods
How do I use the SOC 1 report? What are CUECs and CSOCs?
Appropriate controls need to be in place at the Reporting Entity, Service Organization(s), and Sub-service Organization(s) to achieve the Control Objective.
Example DFAS Control Objective: Controls provide reasonable assurance that logical access to DCPS programs and data is restricted to authorized users.
(Diagram: User Entity Controls, DFAS Controls (Designed & Operating Effectively) and DISA Controls, which together support the Control Objective.)
CUECs (SAS 70, SSAE 16, and SSAE 18)
• DFAS controls were designed assuming certain controls were in place at the customer (Reporting Entity).
• These assumptions have been and will continue to be included in Management’s Description.
• Some basis is needed for the assumptions, but DFAS is not responsible for monitoring customers.
CSOCs (SSAE 18)
• DFAS controls were designed assuming certain controls were in place at the Sub-service Organization (DISA).
• These assumptions will now be included in Management’s Description for each Sub-service Organization.
• Some basis is needed for the assumptions, and DFAS is responsible for monitoring Sub-service providers.
How do I use the SOC 1 report? What are CUECs and CSOCs?
(Diagram: Reporting / User Entities and Reporting Entity / User Auditors, the DFAS Civilian Pay Service SOC 1, and the DISA Hosting Services SOC 1, each with its Controls, linked by CUECs and CSOCs.)
CUECs (SSAE 16 & 18): DFAS controls were designed assuming certain controls were in place at the customer (Reporting Entity).
CUECs (SSAE 16 & 18): DISA controls were designed assuming certain controls were in place at the customer (DFAS).
CSOCs (SSAE 18): DFAS controls were designed assuming certain controls were in place at the Sub-service Organization (DISA).
How do I use the SOC 1 report? Reliability of Data (and Reports)
User Entities should understand what reports are being generated by the Service Organization and then confirm whether those reports are included in the SOC 1.
Background:
• The clarified standards require the service auditor to evaluate whether system generated information is sufficiently reliable for the service auditor’s purposes “by obtaining evidence about its accuracy and completeness and evaluating whether the information is sufficiently precise and detailed.”
• They also require the service auditors and the service organization to validate system generated information and reports by detailing how they are generated, who prepares such reports and ensuring the requisite level of detail in such reports.
Classes of system generated information: the following are the types of data that should be evaluated as part of the SOC 1 attestation:
• Information used in the execution of controls within the SOC 1 report.
• Information provided by the service organization to the service auditor to perform testing of controls.
• Information provided to the user entity.
Effectiveness of controls depends in part on the controls over the accuracy and completeness of the system-generated data or reports.
How do I use the SOC 1 report? Reliability of Data (and Reports)
Translation:
1. Reports / data that are relied upon by the Service Organization to perform controls in their SOC 1 (e.g., user access list, reconciliation reports, spreadsheets, etc.).
2. Reports / data that are used by the Service Auditor to perform SOC 1 testing (e.g., user access listings, transaction populations).
3. Reports / data that are provided to the User Entity and are relied upon in your financial reporting (e.g., reporting package, external outputs).
How do I use the SOC 1 report? Common Evaluation Pitfalls
Your auditor will consider these. So should you.
• Certain applications and interface programs used by some user entities might not be included in the scope of the report, and / or important IT controls may be scoped out.
• The report may be directed at only a limited number of user entities, or the coverage is only for certain locations.
• Relevant reports from the Service Organization may not be included within the scope of the procedures performed by the Service Auditor.
• All exceptions (not just those within qualified objectives) are not considered for relevance and impact to the User Entity.
• Subservice Organization SOC 1 reports are not obtained and reviewed.
(Diagram: Sub-Service Organizations, Service Organizations, Reporting / User Entities, and User Auditors.)
Reporting Entity Responsibilities for Service Organization Controls
1. Identify all Service Organizations (Service Providers) that impact the Reporting Entity’s internal controls over financial reporting.
2. Document an understanding of the Service Providers’ impact on the Reporting Entity’s Financial Reporting and Associated Risks.
3. Document the Reporting Entity’s Understanding of Service Provider Controls in Place to Mitigate Financial Reporting Risks.
4. Evaluate the Design and Operating Effectiveness of Service Provider Controls in Place to Mitigate Financial Reporting Risks.
5. Address Complementary User Entity Controls (CUECs) Identified by the Service Provider (i.e., implement effective controls within the Reporting Entity).
6. Establish Regular Communications with Service Providers to Monitor Performance and Identify Events that may Impact Internal Controls Over Financial Reporting.
Establish MOUs that clearly identify who is responsible for what.
DOCUMENT
Attend and actively participate in the Service Provider Working Group meetings.
Reporting Entity Responsibilities for Service Organization Controls
Other Important Responsibilities
Communication Protocols Must be Established and Maintained
• Update the FIAR System Database (FSD) to reflect changes. At a minimum, this should be completed to support the bi-annual FIAR Plan Status Report.
• Notify OUSD(C) FIAR of needed SOC 1s.
• Notify OUSD(C) FIAR if points of contact for SOC 1 distribution have changed.
• Distribute SOC 1 reports within your own organization, in a timely manner, to all personnel who need them.
OUSD(C) FIAR Support and Available Resources
OUSD(C) FIAR Support & Available Resources
OUSD(C) FIAR Support Activities
User / Reporting Entity participation is essential.
• Service Provider Working Group Meetings (January, May, and August)
  • Dates / timing requested by User Auditors performing financial statement audits.
  • Updates provided on SOC 1 scope changes, CUEC changes, status of NFRs, progress on current SOC 1s, etc.
• IPA Roundtable Meetings
  • Periodic meetings with GAO, DoD IG, and IPA firms performing financial statement audits, audit readiness examinations, and SOC 1 engagements to solicit input on SOC 1 report usability and other audit relevant topics.
• CUEC Workshops
  • Nine separate workshops were conducted covering audit relevant SOC 1 reports.
  • Included participants from User / Reporting Entities and Service Organizations.
• MILSTRIP workshops with DLA and customer entities
  • Detailed walkthroughs of multiple MILSTRIP buy / sell scenarios.
  • Focus on financial statement audit impacting roles and responsibilities.
OUSD(C) FIAR Support & Available Resources
Available Resources – SOC 1 Improvement Policy Memo
Deputy Chief Financial Officer Policy Memo Issued in February 2016
Identified Ten Required Changes to SOC 1 Reports
1. SOC 1 Reports to be Issued by August 15th of each year.
2. Nine Month Attestation Period (October 1 – June 30).
3. Bridge Letters to be Issued by October 8th of each year.
4. CUECs to be Aligned to Control Objectives.
5. Describe Service Provider Controls in Place to Monitor Subservice Providers and Identify Service Provider Controls in Place to Address Subservice Provider CUECs.
6. Establish an Interim Milestone of April 30th to Obtain Service Auditor Feedback.
7. Identify Key Inputs and Management’s Rationale / Approach.
8. Identify Edit Checks and Management’s Rationale / Approach.
9. Identify Interfaces and Management’s Rationale / Approach.
10. Identify Outputs and Management’s Rationale / Approach.
Action has been taken on IPA feedback and status updates provided.