Posted on 19-Jul-2015


ACHIEVING SSAE 16 CERTIFICATION

SSAE 16 (SOC 1) Audits - Overview

January 14, 2015

SSAE 16 Professionals – Presenters

• Jim Jimenez, CPA – Managing Partner

o Former Partner with Grant Thornton

o Over 250 SAS 70, SSAE 16 or SOC 2 Audits

o Strength includes Business Process & Financial Reporting Controls

• Tim Roncevich, CISA – Partner and National SSAE 16 & SOC Audit Practice Leader

o Former Senior Manager with Grant Thornton

o Over 250 SAS 70, SSAE 16 or SOC 2 Audits

o Strength includes IT General Computer Controls

SSAE 16 Professionals, LLP Firm Overview

• Founded by Grant Thornton alumni

• PCAOB registered CPA firm

• Specialty – SSAE 16 (SOC 1) & SOC 2 audits & readiness assessments

• Clients across the country with international capabilities

• All professionals have 10+ years’ experience

History of SAS 70 & SSAE 16

• Statement on Auditing Standards (SAS) No. 70, Service Organizations, was issued by the AICPA and implemented as of April 1, 1993.

o Provided “auditor to auditor” communication

o Focused on financially-related controls (ICFR), including IT GCC

o Sample industries include: Payroll Companies, Escrow Companies, Title Companies, TPAs, Collection Agencies

History of SAS 70 & SSAE 16 (continued)

• Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, replaced the SAS 70

o All engagements ending after June 15, 2011

o Referred to as Service Organization Controls (SOC) audits

Types of SOC Audits

• SOC = Service Organization Control

o SSAE 16 (SOC 1) Audit – Type I and Type II

o SOC 2 Audit – Type I and Type II

SSAE 16 Audits Defined

• SSAE 16 audits are specifically focused on internal controls over financial reporting (ICFR)

o NOT a Financial Statement Audit

o IT Controls Tested

o Business Process Controls Tested

o Risk-Based Approach

o Industry Specific Controls – EIC, ALTA

SOC 2 Audits Defined

• SOC 2 audits focus on controls at a service organization relevant to the following principles:

o Security

o Availability

o Processing Integrity

o Confidentiality

o Privacy

Impact of the CFPB Requirements?

• On April 13, 2012 the Consumer Financial Protection Bureau (CFPB) issued Bulletin 2012-03 titled "Service Providers".

• The CFPB bulletin included expectations around supervised banks and lenders in satisfying their responsibility to manage third party vendors.

o Possible trickle-down effect: CFPB > Lenders > 3rd Party Vendors (e.g. title & escrow companies)

Which Framework to Choose

• EIC Model Policies and Procedures

• ALTA Best Practices Framework

EIC Model Policies and Procedures

• The EIC Model Policies and Procedures are made up of the following six sections:

1. Licensing

2. Insurance & Bonding

3. Policy for Personnel Development

4. Trust Accounting Procedures

5. Privacy Policy

6. Consumer Complaints Procedures

ALTA Best Practices Framework

• The ALTA Best Practices Framework has been developed to assist lenders in satisfying their responsibility to manage third party vendors. The ALTA Best Practices Framework consists of the following seven pillars:

1. Licensing

2. Trust Accounting Procedures

3. Information and Data Privacy Procedures

4. Policy for Personnel Training

5. Title Policy Production, Delivery, Reporting and Premium Remittance;

6. Insurance and Bonding

7. Consumer Complaints Procedures

Comparing EIC to ALTA

EIC’s MPP (Revised January 2014)                    | ALTA’s Best Practices version 2.0 (published July 19, 2013)

#1 – Licensing                                      | #1 – Licensing

#2 – Insurance & Bonding                            | #6 – Insurance & Bonding

#3 – Policy for personnel development               | #4 – Policy for personnel training

#4 – Trust Accounting procedures                    | #2 – Trust Accounting procedures

#5 – Privacy Policy (protection of NPPI) (SOC 2)    | #3 – Information and Data Privacy Procedures (SOC 2)

#6 – Consumer complaints procedures                 | #7 – Consumer complaints procedures

Note that ALTA #5 is omitted from comparison as that element strictly pertains to a Title Company procedure, not escrow or settlement.

Choosing the Right Framework – EIC vs. ALTA

• EIC is geared for independent escrow companies

• ALTA is geared for title companies

• Controls will be customized based on services provided

SSAE 16 & SOC 2: Which Audit to Choose?

• Some companies are choosing to perform both audits

o SOC 2 audit covering the EIC #5 & ALTA pillar #3 and an SSAE 16 covering the remaining requirements

o Not cost effective

o Unless you are being absolutely forced to perform both audits, only choose to undergo the SSAE 16 audit. Given the flexibility the SSAE 16 audit provides, you can include the ALTA pillar #3/EIC #5 as a control objective within the SSAE 16 audit report.

o This approach will save both time and money when undergoing the audit.

• CONCLUSION: SSAE 16 is the compliance vehicle of choice

SSAE 16 Audit Key Considerations

• Internal Controls Are A Major Component & Make The Process Simpler

• Not All Internal Control Areas Included

o Client Facing Focus

• Three Major Audit Phases

o Readiness Assessment

o Type I

o Type II (Annual Audit Thereafter)

Readiness Assessment

• The readiness assessment allows our firm to:

o Assist management in preparation for the audit

o Identify risks related to services provided by the service organization

o Gain critical knowledge of key processes and applicable internal controls

• Readiness assessments:

o Are an efficient use of management’s time

o Reduce soft costs to management

Type I & Type II Audits Defined

• Both SSAE 16 and SOC 2 audits have Type I and Type II audits

• Type I audit – audit as of a specified “POINT IN TIME”

o Think of a picture (snapshot in time)

• Type II audit – audit over a “PERIOD OF TIME”

o Think of a movie (period of time)

Benefits of the SSAE 16 Audit

• SSAE 16 audits can add value to Service Organizations

o Meets financial service/lender requirements

o Enhances Marketing Effectiveness

o Establishes credibility

o Competitive advantage

o An invite to the dance – can respond to RFPs

o Helps reduce regulatory compliance efforts

o Improves service organization’s internal control environment

o Return on Investment (ROI)

Costs Of SSAE 16 Audits

• Cost will vary according to the:

o Type of audit (Type 1 or Type 2)

o Size and complexity of the service organization (number of locations in scope)

o Number of control objectives and control activities

o Bundled pricing discounts

RBJ’s Experience

• RBJ’s experience with the audit…

o Which services were performed?

o Were audit reports (Type I & Type II) delivered timely?

o Was there a major impact on company resources?

o Was there enough guidance provided during the audit?

o How would you describe the benefits RBJ received compared with the cost?

SSAE 16 Professionals Background & Qualifications

• Hundreds of SOC Audits Performed Annually

• Independence & Quality Control

• Peer Review – Highest Rating

• Experienced Personnel (minimum 10+ years of experience)

• Client Service Focus

SSAE 16 Professionals Background & Qualifications (continued)

• PCAOB Registered

• Core Focus – SOC Audits

• National Client Base

• Personal Touch & Responsiveness

• Streamlined/Efficient Methodology

• Fair & Competitive Pricing – Fixed Fee

Questions

Contact Us

• E-mail

o Jim.Jimenez@SSAE16Professionals.com

o Tim.Roncevich@SSAE16Professionals.com

• Phone: 866-480-9485

o Jim Jimenez – Ext. 210

o Tim Roncevich – Ext. 215

• Free Whitepaper: www.SSAE16Professionals.com > Industries > Title & Escrow Companies
