1
SOC 1 / SOC 2 Diagnostic, Documentation
and Attestation
2
SAS 70 / SSAE 16 / SOC 1 / SSAE 18 / SOC 2 etc.
SAS 70 → SSAE 16 → SSAE 18
Effective May 1, 2017, SSAE 16 is now SSAE 18. All SOC 1, SOC 2 and SOC 3 reports are done under the SSAE 18 standards. SAS 70 and SSAE 16 are old terms.
3
This logo is worth a lot to YOU... and to us
4
SOC Report Background
5
What are SOC Reports
“Service Organization Control reports are designed to help service organizations, organizations that operate information systems and provide information system services to other entities, build trust and confidence in their service delivery processes and controls through a report by an independent certified public accountant.”
– American Institute of Certified Public Accountants (AICPA)
6
Types of SOC Reports
SOC 1
• Previously called SSAE 16
• Mainly financial reporting and operations related controls
SOC 2
• Trust Principles
• Defined list of criteria
• Restricted use
SOC 3
• Trust Principles
• Can be shared to general public and on website
8
Opinion structure in the attestation report
Scope of report / opinion | Type 1 | Type 2
Fairness of the presentation of management’s description of the service organization’s system | As of a specified date | Throughout a specified period
Suitability of the design of the controls to achieve the related control objectives included in the description | As of a specified date | Throughout a specified period
Operating effectiveness of the controls to achieve the related control objectives included in the description | n/a | Throughout a specified period
Two types of reports for SOC 1 and SOC 2:
• Type 1: A report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description, as of a specified date.
• Type 2: Same as a Type 1 report, but also includes 1) the service auditor’s opinion on the operating effectiveness of the controls and 2) a description of the service auditor’s tests of the operating effectiveness and the results of those tests, throughout a specified period.
• In a Type 2 engagement, the service auditor’s opinion covers the period
11
SOC Audit Proposal
18
List of Policies and Documents
Organisation Charts
Setup of Committees, Meetings, Charters, roles etc
Roles and Responsibilities, Job Descriptions of all positions
Information Security Policy (various sub policies forming part of Security policies)
Logical and Physical Access procedures
System / network diagrams, boundaries
Change Management Policy, process and formats/logs
Incident Management Policy, Process and formats/Logs
Release Management
Data Classification Policy
Periodic Security monitoring Framework / Dashboards
Risk Identification and Assessment Process
Disaster Recovery
Business Continuity Policy
Code of Conduct
HR Manual
Performance appraisals
Information Security Awareness Training
19
Riskpro’s SSAE / SOC Clients – IT Companies / SSAE Clients (client logos)
*Any trademarks or logos used throughout this presentation are the property of their respective owners
22
Riskpro’s Network Presence
New Delhi
Mumbai
Bangalore
Ahmedabad
Pune
Agra
Salem
Kolkata
Hyderabad
Chennai
Jaipur
23
Risk Management Advisory Services
Basel II/III Advisory: Market Risk, Credit Risk, Operational Risk, ICAAP
Corporate Risks: Enterprise Risk Assessment, Fraud Risk, Risk based Internal Audit, Operations Risk, Forensic services
IT Risk Advisory: IS Audit, IT Service Management, IT Assurance, IT Governance
Operational Risk: Process reviews, Policy / Process Review, Process Improvement, Compliance Risk, Insurance Risk
Governance: Corporate Governance, Business Strategic risk, Fraud Risk, Forensic Accounting
Other Risks: Business / Strategic Risk, Reputation Risk, Outsourcing Risk, Contractual Risk
Training
Banking – E Learning, Corporate Training, Regular Risk Management Training, Online Training material, Workshops / Events, AML-KYC / ISO standards – 31000
Recruitment
Independent Directors for Corporates, Virtual Risk Managers, Full Time Risk Professionals, Part time Risk Professionals, Risk Managers on call – free
24
Riskpro Clients – Banking / Insurance; Banking – Intl (client logos)
25
Riskpro Clients – Corporates / MNCs (client logos)
27
Riskpro Clients – IT Companies (client logos)
28
Riskpro Clients – Academics / Others; Consulting Firms (client logos)
29
RESUMES – Our team
Manoj Jain, Co-Founder - Riskpro
Credentials: CA, CPA, MBA-Finance (USA), FRM (GARP)
Over 10 years international experience – 6 years in Bahrain and 4 years USA
18 years experience in risk management consulting and internal audits; specialization in Operational Risk, Basel II, SOX and control design
Worked for Ernst & Young (Bahrain), Arab Investment Company (Bahrain), Navigant Consulting (USA), Kotak Mahindra Bank (India) and Credit Suisse (India)
SOX compliance project for Fannie Mae, USA ($900+ billion mortgage company)
Casper Abraham, Co-Founder - Riskpro
PGD (Electrical & Electronics & Computer Programming)
30 years of experience in Information & Communications Technology (ICT) Solutions for Retail, Garments, Manufacturing and Services Industries.
Has created Companies, Divisions, Products, Brands, Teams & Markets.
Consulting in Business, Technology, Marketing & Sales & Strategic Planning.
Advisory, Training, Workshops & Implementation in Systems Thinking, Systems Modeling & Balanced Scorecard
Worked with TIFR, Mahindra, Ambience, Communico-Graphique & Ionidea Inc, USA
30
RESUMES - Our team Credentials
Medha Kulkarni, Senior Vice President – Governance, Risk and Compliance
CA, CWA and CISA
15 years’ experience in manufacturing, consulting and Finance and Accounting Outsourcing
Specialization in implementation and maintenance of Quality Management Systems, risk based audits and compliance
Experience in driving best practices and process improvement in a Finance and Accounting Outsourcing company.
Past employment includes Anand Group (axle manufacturing company) and Big 4 advisory Ernst & Young
Shriram Gokte, EVP - Risk Management
BTech, MBA (USA)
22 years of work experience, 16 of which were in the risk management domain, 11 years of global experience in USA & UK
Ex Chief Risk Officer of Birla Sun Life Insurance & CMS Info System.
Managed Risk & Compliance for two UK based insurance KPOs (Paternoster India & JLT India)
Core expertise in ERM, Capital Valuation, Operational Risk, Information Security, BCM, Governance & Internal Audit
CISA, CIA, CMA, FLMI, MBCI qualified
31
RESUMES - Our team Credentials
Subramanian A., EVP - Technology and Banking
30+ years experience in corporate banking, risk management and banking technology project management
Held senior executive positions in banks in India (State Bank of Mysore, ING Vysya Bank) and in the Middle East (Banque Saudi Fransi)
Initiated, managed and successfully implemented several information system projects in core banking, credit risk management and management reports
Experienced in business process review & re-engineering and change management
Significant experience in Project Management & Vendor Management
Ankit Manglik, SVP - Audit and Risk Management
Ankit has over 15 years of risk management and internal audit experience, SOX & SSAE compliance, fraud reviews, regulatory compliance reviews, external & tax audits and supporting ERP implementation to ensure effective control design.
He has headed the audit function for a midsize financial services company and the captive offshore unit of ANZ Bank, one of the big 4 Australian banks. He has also worked in PWC for 8 years and Hewlett Packard for 3 years, where he worked across the industry spectrum including manufacturing, telecom and IT services.
Ankit has extensive experience with internal audit in financial services and back office operations and has set up internal audit functions for captive units of four different companies.
32
Key Contacts
Corporate
Riskpro India Ventures (P) Limited
www.riskpro.in
B-44, Glaxo Building, Near Mt. Mary’s Steps, Bandra West, Mumbai 400050
Mumbai
Manoj Jain, Director, M- 98337 67114
Shriram Gokte, EVP - Risk Management, M- 98209 94063
Rita Shewakramani, SVP - Risk Advisory, M- 98204 [email protected]
Bangalore
Casper Abraham, Director, M- 98450 61870
Ankit Manglik, SVP- Audit & Risk Management, M -9880401236
Delhi
Manoj Jain, Director, M- 98337 67114
Pune
M. L. Jain, Principal – Strategy Risk, M- 98220 [email protected]
Vivek Dixit, EVP- Risk and [email protected]
Chennai
R. Muralidharan, EVP – Risk Management, M- 95660 77326
A Subramanian, EVP – Risk Management, M- 98400 41764
PN Venkataraghavan, EVP - Banking & Risk, M - 98840 72990
Hyderabad / Kolkata
Phanindra Prakash (Hyderabad)
Manoj Kumar (Kolkata), M – 98983 65320
Ahmedabad
Gourav Ladha, M- 97129 52955
Agra
Alok Kumar Agarwal (Agra), Member Firm, M- 99971 65253