
Presenting a live 110‐minute teleconference with interactive Q&A

Preparing SOC 1, SOC 2 or SOC 3 Reports: Best Practices

Meeting Challenges Arising From SSAE 16, ISAE 3402 and Other Service Company Control Standards

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

WEDNESDAY, MARCH 7, 2012

Today’s faculty features:

Suzanne Nersessian, Director, National Service Organization Controls Reporting, Deloitte & Touche, Boston

David Palmer, Managing Director, KPMG, Chicago

Nargiz Yusupova, Manager, P&N Consulting, Baton Rouge, La.

Ryan Buckner, Shareholder, BrightLine CPAs & Assoc., Atlanta

For this program, attendees must listen to the audio over the telephone.

Please refer to the instructions emailed to the registrant for the dial-in information. Attendees can still view the presentation slides online. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

Conference Materials

If you have not printed the conference materials for this program, please complete the following steps:

• Click on the + sign next to “Conference Materials” in the middle of the left-hand column on your screen.

• Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.

• Double click on the PDF and a separate page will open.

• Print the slides by clicking on the printer icon.

Continuing Education Credits FOR LIVE EVENT ONLY

Attendees must listen to the audio over the telephone. Attendees can still view the presentation slides online but there is no online audio for this program.

Attendees must stay on the line for at least 100 minutes in order to qualify for a full 2 credits of CPE. Attendance is monitored as required by NASBA.

Please refer to the instructions emailed to the registrant for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

Tips for Optimal Quality

Sound Quality

For this program, you must listen via the telephone by dialing 1-866-873-1442 and entering your PIN when prompted. There will be no sound over the web connection.

If you dialed in and have any difficulties during the call, press *0 for assistance. You may also send us a chat or e-mail [email protected] immediately so we can address the problem.

Viewing Quality

To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

Preparing SOC 1, SOC 2 or SOC 3 Reports: Best Practices Seminar

March 7, 2012

David Palmer, KPMG, [email protected]

Suzanne Nersessian, Deloitte & Touche, [email protected]

Ryan Buckner, BrightLine CPAs & Assoc., [email protected]

Nargiz Yusupova, P & N Consulting, [email protected]

Today’s Program

Introduction To SOC Framework [Suzanne Nersessian] – Slide 7 – Slide 10

SOC 1 Review [Suzanne Nersessian] – Slide 11 – Slide 23

SOC 2 Review [David Palmer] – Slide 24 – Slide 34

SOC 3 Review [Nargiz Yusupova] – Slide 35 – Slide 46

Considerations In Selecting An Attestation Examination [Ryan Buckner] – Slide 47 – Slide 58

INTRODUCTION TO SOC FRAMEWORK

Suzanne Nersessian, Deloitte & Touche

Background: Why The Change

• Original intent of SAS 70

• Growth of service organizations over last 40 years

• SAS 70 used in ways that were never intended

• SAS 70 became a de facto global standard.

• Convergence of U.S. and international standards

8

Changes In Reporting On Controls

I. ISAE 3402 led to the development of SSAE 16.

II. SAS 70 split

A. AU 402

B. SSAE 16

III. Effective date: periods ending on or after June 15, 2011. Specific to covering internal control over financial reporting.

IV. AICPA Practitioner Guide: usable for both standards, and for practitioners and service organizations alike

V. Allows for the use of the framework/guidance to perform engagements under another standard (e.g., SOC 2)

V.Allows for the use of the framework/guidance to perform engagements under another standard (e.g., SOC 2)

9

Reporting Standards: AICPA Service Organization Control (SOC) Reports

New Standards & Options

Service Org Control 1 (SOC 1)

• Standard: SSAE 16 – service auditor guidance

• Report: Restricted use report (Type I or II report)

• Purpose: Reports on controls for F/S audits

Service Org Control 2 (SOC 2)

• Standard: AT 101 – service auditor guidance; Trust Services Principles & Criteria

• Report: Generally restricted use report (Type I or II report)

• Purpose: Reports on controls related to compliance or operations

Service Org Control 3 (SOC 3)

• Standard: AT 101 – service auditor guidance; Trust Services Principles & Criteria

• Report: General use report (w/ public seal)

• Purpose: Reports on controls related to compliance or operations

10

SOC 1 REVIEW

Suzanne Nersessian, Deloitte & Touche

SOC 1 Reports: Purpose/Intended Use

•Purpose

• To provide user entities and their independent auditors with information and a CPA’s opinion about controls at the service organization relevant to user entities’ internal control over financial reporting

• Covers fair presentation, design and operating effectiveness

•Restricted use report

• Management of the service organization

• User entities of the service organization’s system during some or all of the period covered by the report (for Type 2 reports)

• Independent auditors of user entities

•Indirect users

•Does not include potential users

•Intended use

• Report on controls that are likely to be relevant to user entities’ internal controls over financial reporting

• For use in a financial statement audit

12

ISAE 3402 Relationship To SSAE 16: Notable Differences

Use of report

• SSAE 16: Required to include a statement restricting the use of the report to management of the service organization, user entities of the system and user auditors.

• ISAE 3402: Required to state that it is only intended for user entities and their auditors, but does not require inclusion of a statement restricting the use. Does not prohibit the inclusion of restricted use language.

Intentional acts

• SSAE 16: Service auditor considers the impact of intentional acts on the description of the system and on the design and operating effectiveness of controls.

• ISAE 3402: Silent on this requirement.

Use of internal audit

• SSAE 16: Provides for use of internal audit in direct assistance.

• ISAE 3402: Does not provide for the use of internal audit for direct assistance; however, this is being considered for adoption.

Subsequent events

• SSAE 16: Service auditor to consider Type 2 subsequent events after the report date.

• ISAE 3402: Limits the service auditor’s disclosure to those events that could affect their opinion (i.e., a Type 1 subsequent event).

Deviations/exceptions

• SSAE 16: All exceptions are reported, regardless of whether they affect the opinion.

• ISAE 3402: Enables a service auditor to conclude that a deviation identified when performing tests of controls involving sampling is not representative of the population from which the sample was drawn (an anomaly).

13

SAS 70 History: Global Environment

•ISAE 3402 - Global

•SSAE 16 – U.S.

•CSAE 3416 – Canada

•DE-IDW PS 951 – Germany

•HKSAE 3402 “Assurance Reports on Controls at a Service Organization” – Hong Kong

•Audit and Assurance Standard (AAF) 1/06 – U.K.

•ASAE 3402 “Assurance Reports on Controls at a Service Organization” – Australia

14

Notable Changes From SAS 70 To SSAE 16

15

Notable Changes From SAS 70 To SSAE 16 (Cont.)

16

Key Change: Management’s Assertion

• Management is required to provide a written assertion.

o It can be included as a separate section of the report, or

o The assertion can be part of the description of the system – appropriately identified as the assertion.

o Assertion most often (and recommended to be) on company letterhead

• Key components of management’s assertion:

o The description of the system fairly presents the system that was designed and implemented throughout the specified period

o The controls were suitably designed to achieve the control objectives throughout the specified period, including identifying the risks that threaten the achievement of the control objectives.

o The controls operated effectively throughout the period to achieve those control objectives.

17

Key Change: Management’s Assertion (Cont.)

• Signing the assertion

o No requirement to sign

o However, most currently issued reports have been signed.

o May be signed by company or by individuals (most have been individuals)

18

Key Change: Management’s Assertion (Cont.)

Risk assessment

• Service organization management must identify risks that threaten the achievement of the control objectives stated in the description of the system.

• May be formal or informal processes, require ongoing monitoring/updating

• Process commonly takes up-front effort to determine risks, or to reassess whether any additional risks may exist (for ongoing reports).

Basis for assertion

• Management needs a reasonable basis to provide the assertion

• No requirements on specific procedures to be performed

• Management may not rely solely on the testing done by the service auditor.

19

Key Change: Management’s Assertion (Cont.)

Common procedures to support the assertion

o Ongoing monitoring activities

― Regular management and supervisory activities

― Sub-certifications

― Review of compliant files

o Separate evaluations

― Internal auditors or other personnel (risk/compliance) performing specific audits/examinations

― Information from external parties (e.g., regulatory reviews)

o Combination of both

Support for assertion

• Management should determine the support it will need for its written assertion

• No documentation-retention requirement, but is sound practice

20

Criteria

• Criteria pertain to services provided to a broad range of users that relate to financial reporting of user entities and include:

• Types of services including classes of transactions

• Procedures by which services are provided

• Related accounting records

• How the system captures significant events

• Process used to prepare reports and other information

• Specified objectives and controls

• Other aspects of the control environment, risk assessment, information and communication, and monitoring

• Details of changes during the period

• Does not omit or distort information relevant to the system

21

Ideal Candidate Profile/Use Case

Determine intended use of the report

Consider SOC 1 if:

• Services relate to internal controls over financial reporting of the users

• Receiving requests from independent auditors

• Users and their auditors want to do testing at the service organization

SOC 1 vs. SOC 2

• May not be black or white in all cases

• Don’t solely base decisions on user requests; consider the facts and circumstances

• Both reports may be warranted in certain circumstances

22

Scoping Considerations

•Determine services that will be covered and select the criteria

•Identify users of the report

•Understand how the report will be used (in connection with an audit of financial statements)

•Choose the type of report (Type 1 vs. Type 2); commonly, a Type 1 report is only undertaken in year 1

•Consider reporting periods of the users, in order to drive the SOC 1 examination period

•Identify sub-service organizations

• Inclusive method

• Carve-out method

•Ascertain whether there are complementary user entity controls

•Determine if management has a reasonable basis to provide an assertion

23

SOC 2 REVIEW

David Palmer, KPMG

SOC 2 Reports: Purpose/Intended Use

•To provide management of a service organization, user entities and other specified parties with information and a CPA’s opinion about controls at the service organization

•Focus is on one or more of the following domains:

• Security

• Availability

• Processing integrity

• Confidentiality

• Privacy

25

SOC 2 Reports: Purpose/Intended Use (Cont.)

•Intended use

• Provide user entities with detailed information on the design and operating effectiveness of the service organization’s controls

•However, a SOC 2 report:

• Is not intended to address controls that are relevant to a user entity’s financial reporting

• Is not intended for general distribution

26

SOC 2 Reports: Applicability/Subject Matter

•Since a SOC 2 report is not linked to financial reporting, it can apply to a wide range of systems.

•For example:

• Data center hosting

• Call center operations

• Document management

• Marketing services

• Healthcare case management

•It can also be used to provide additional information on systems that are relevant to financial reporting.

•Since there is no link to financial reporting, the boundaries of the system may be less apparent and need to be clearly defined.

27

Overview Of Trust Services Principles

Domain | Principle

Security The system is protected against unauthorized access (both physical and logical).

Availability | The system is available for operation and use as committed or agreed.

Confidentiality | Information designated as confidential is protected as committed or agreed.

Processing integrity System processing is complete, accurate, timely and authorized.

Privacy | Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and CICA.

28

Grouping Of Criteria: Security, Availability, Processing Integrity And Confidentiality

Topic | Focus of Criteria

Policies Policies relevant to the selected principle(s) are defined and documented.

Communications | Defined policies are communicated to responsible parties and authorized users of the system.

Procedures | Procedures have been placed in operation to achieve the service provider’s objectives in accordance with its defined policies.

Monitoring The service provider monitors the system and takes action to maintain compliance with its defined policies.

29

Grouping Of Criteria: Privacy

Topic | Focus of Criteria

Management The entity defines, documents, communicates and assigns accountability for its privacy policies and procedures.

Notice The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained and disclosed.

Choice and Consent The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use and disclosure of personal information.

Collection Personal information is only collected for the purposes identified in the notice.

Use, retention and disposal | Limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. Personal information is retained only as long as necessary to fulfill the stated purposes or as required by law or regulation, and then appropriately discarded.

Access Individuals are provided access to their personal information for review and update.

Disclosure to third parties | Personal information is only disclosed to third parties for the purposes identified in the notice and with the implicit or explicit consent of the individual.

Security for privacy Personal information is protected against unauthorized access (both physical and logical).

Quality The entity maintains accurate, complete and relevant personal information for the purposes identified in the notice.

Monitoring and enforcement

The entity monitors compliance with its privacy polices and procedures, and has procedures to address privacy related inquiries, complaints and disputes.

30

Summary Of SOC 2/3 Criteria Topics

Security: IT security policy; security awareness and communication; risk assessment; logical access; physical access; environmental controls; security monitoring; user authentication; incident management; asset classification/mgt.; systems development and maintenance; personnel security; configuration mgt.; change management; monitoring/compliance

Availability: Availability policy; back-up and restoration; disaster recovery; business continuity management; incident management; security; change management; availability monitoring; monitoring/compliance

Confidentiality: Confidentiality policy; confidentiality of inputs; confidentiality of data processing; confidentiality of outputs; information disclosures (including third parties); confidentiality of information in systems; incident management; security; change management; monitoring/compliance

Processing Integrity: System processing integrity policies; completeness, accuracy, timeliness and authorization of inputs, system processing and outputs; information tracing, from source to disposition; incident management; security; change management; monitoring

Privacy: Privacy policies; PII classification; risk assessment; incident and breach management; provision of notice; choice and consent; collection; use and retention; disposal; access; disclosure to third parties; security (logical and physical); quality; monitoring and enforcement

31

Ideal Candidate Profile/Use Case

•Entities that rely on service organizations and want detailed information on the service organizations’ controls include:

• Vendor management programs

• GRC programs

• Regulatory compliance

• Due diligence

32

Example SOC 2SM Use Cases

Service Provider Scenario | Key Risks | Principles Reported

• Healthcare: advisory and processing of claims | Privacy, security; HIPAA compliance | Privacy, Security

• Provider of targeted marketing campaigns | Timeliness and accuracy in execution of marketing campaigns | Processing integrity, Confidentiality

• Financial services: SaaS for equity trading execution | Timely, accurate quote and trade execution; data breach | Processing integrity, Availability

• Communications gateway bridging user entity back office environment and mobile communications carriers | Exposure of sensitive data being processed and translated; system downtime | Availability, Security, Confidentiality

• Document management | Exposure of sensitive case data; incorrect indexing, cataloging, storage | Confidentiality, Processing integrity

33

Scoping Considerations

•How will the report be used and by whom?

•Which principle(s) are applicable?

•Type 1 vs. Type 2 report and period to be addressed

•Are there sub-service organizations?

•Is there a need for complementary user entity controls?

34

SOC 3 REVIEW

Nargiz Yusupova, P & N Consulting

Agenda For This Section

• Purpose/intended use

• Applicability/subject matter

• Ideal candidate profile/use cases

• Examination process

• Scoping considerations

• SOC seal and registration process

36

SOC 3 Reports: Purpose And Intended Use

Report purpose

• Service organization to general public communication

• General use report

• Can be freely distributed/promoted with the AICPA SOC 3 seal on the service organization’s Web site

Intended audience

• General public

Standards under which engagement is performed

• AT 101, attestation engagements

• AICPA technical practice aid, trust services principles, criteria and illustrations

37

SOC 3 Reports: Purpose And Intended Use (Cont.)

Included in the report • Statement whether the system achieved the applicable trust services principles, criteria and illustrations

• Addresses one or more of the following key system attributes: Security, availability, processing integrity, confidentiality or privacy

NOT included in the report

• Financial controls related to compliance and operations at a service organization

• Description of the systems

• Detailed description and results of tests of controls

38

SOC 3 Reports: Applicability/Subject Matter

• Trust services report for service organization

• Uses pre-defined criteria in trust services principles and criteria

• Security

• Availability

• Confidentiality

• Processing integrity

• Privacy

• Can be issued on one or multiple trust services principles

39

Ideal Candidate/Example Use Cases

Users who want assurance on the controls at a service organization related to security, availability, processing integrity, confidentiality or privacy, but do not have the need for, or the knowledge necessary to make effective use of, a SOC 2 report

Key Risk | Principle Reported | Principle Objective

• Theft of credit card information | Security | Secure sites for e-commerce

• Unavailability of service for a significant period of time | Availability | Ability to meet critical needs of business customers

• Disclosure of confidential information such as legal documents | Confidentiality | Compliance with confidentiality practices

• Loss, duplicate processing, corruption of electronic business transactions | Processing integrity | Business transactions processed completely and accurately

• Exposure of personal information | Privacy | Customer privacy

40

Examination Process

Principle selection and assessment

• Select one or more trust service principles and criteria

• Point-in-time vs. period of time

Reporting

• SOC 3 report

• Brief unaudited system description

• Auditor’s opinion on compliance with the specified trust services principles and criteria

SOC3 seal

• Compliance with selected criteria

• License to display seal on Web site

41

Scoping Considerations

AICPA, SOC2 [1.19]:

• All applicable trust services criteria must be met.

• All applicable subservice organizations must be included.

• Significance of complementary user-entity controls

42

SOC Seal And Registration Process

• SOC 3 SysTrust for service organizations

• Managed between the American Institute of CPAs (AICPA) and the Canadian Institute of Chartered Accountants (CICA)

• Complete assessment based on the trust services principles and criteria

• An unqualified attestation report

• Valid for one year

• License to display the seal on Web site

• Licensing fee

43

SOC Seal And Registration Process (Cont.)

Authorized provider list

44

SOC Seal And Registration Process (Cont.)

Monitoring seals

• Seal renewal

o Valid for one year plus 90 days grace period

• Revoking or suspending seals

o Fail to comply with the trust services principles & criteria

o Fail to renew the seal

• Restoring seals

o If an unqualified report can be rendered

• Suspending a practitioner

o Practitioner’s firm is no longer a member in good standing

45

SOC Seal And Registration Process (Cont.)

Online trust services page

You have arrived here from a SysTrust SM/TM or WebTrust SM/TM certified site. The

applicable SysTrust or WebTrust Seal of assurance symbolizes that this site has

been examined by an independent accountant. Further, the Seal represents the

practitioner’s report (see below) on management's assertion(s) that the entity's

business being relied upon is in conformity with the applicable Trust Services

Principle(s) and Criteria …

Trust services principle(s) and criteria

Audit report link

Trust services and criteria links

46

CONSIDERATIONS IN SELECTING AN ATTESTATION EXAMINATION

Ryan Buckner, BrightLine CPAs & Assoc.

Objectives For This Section

• Comparison summary of SOC reporting options

• Recap on the proper use of SOC reports

• Avoiding the common SOC reporting pitfalls

• Utilizing other attestation options

48

Comparison Of SOC Reports

SOC 1SM

• Purpose: Provide information to users regarding the outsourced services and the controls likely relevant to user entities’ internal control over financial reporting. The information provided is useful for the user entities’ financial statement auditors during their risk assessment and financial audit planning.

• Use: Always restricted use

• Typical external users: Management of user entities; financial statement auditors of user entities

SOC 2SM

• Purpose: Provide information to users regarding the outsourced services and the controls relevant to one or more of the trust service principles (security, availability, processing integrity, confidentiality and/or privacy)

• Use: Generally restricted use

• Typical external users: Current or prospective customers concerned with the TSP; regulators; other interested and authorized parties

SOC 3SM

• Purpose: Provide information to users regarding the outsourced services and assurance on one or more of the trust service principles; similar to SOC 2 but without the controls and tests

• Use: General use

• Typical external users: Any interested party

49

Comparison Of SOC Reports (Cont.)

SOC 1SM (SSAE 16)

• Scope (subject matter): A description of the outsourced services performed by the service organization(s), based on pre-defined minimum description criteria, and the controls that are likely relevant to user entities’ internal control over financial reporting

• Period of coverage: Point-in-time (Type 1) or period of time (Type 2)

SOC 2SM (AT Sect. 101)

• Scope (subject matter): A description of the outsourced services performed by the service organization, based on pre-defined minimum description criteria, and the controls relevant to one or more of the trust service principles (security, availability, processing integrity, confidentiality and/or privacy) and applicable pre-defined criteria. Additional subject matter is allowed, provided it meets certain minimum guidelines.

• Period of coverage: Point-in-time (Type 1) or period of time (Type 2)

SOC 3SM (AT Sect. 101)

• Scope (subject matter): Provide information to users regarding the outsourced services and assurance on one or more of the trust service principles

• Period of coverage: Point-in-time or period of time

50

Comparison Of SOC Reports (Cont.)

Report Component (SOC 1 / SOC 2 / SOC 3)

• Opinion letter

• Management assertion(s)

• Detailed description of the system (SOC 1 and SOC 2; a SOC 3 report carries only a brief system description)

• Control objectives and controls (SOC 1)

• Trust services principles, criteria and controls (SOC 2)

• Trust services principles, criteria and controls selected by the service organization (SOC 3)

• Tests of controls and results of testing (Type 2 reports only; not included in SOC 3)

• Optional additional information

• AICPA logo use

• Seal (SOC 3; requires AICPA licensing and fee)

51

Choosing The Best Report

Key considerations

• What needs to be communicated? ICFR controls? Privacy controls? Regulatory compliance?

• How will it be communicated? Seal on Web site? Report only?

• Who is the intended audience? Existing customer? Regulatory entity? Everyone?

• What are the intended uses? Financial statement audit? Due diligence assessment?

52

Understanding Proper Use Of SOC Reports

How To Identify The SOC Report That Is Right For You

• Will the report be used by your customers and their auditors to plan and perform an audit or integrated audit of your customer’s financial statements? Yes: SOC 1 report

• Will the report be used by your customers as part of their compliance with the Sarbanes-Oxley Act or similar law or regulation? Yes: SOC 1 report

• Will the report be used by your customers or stakeholders to gain confidence and place trust in a service organization’s systems? Yes: SOC 2 or SOC 3 report

• Do you need to make the report generally available, or need a seal? Yes: SOC 3 report

• Do your customers have the need for, and ability to, understand the details of the processing and controls at a service organization, the tests performed by the service auditor and the results of those tests? Yes: SOC 2 report; No: SOC 3 report

Source: www.aicpa.org/soc

53

Avoiding Common SOC Reporting Pitfalls

I. Improper report selection

• RFP pressure from misinformed customers and prospects

• Misinformation based on industry “pundits” (e.g., data centers or cloud providers do not need SOC 1; SOC 2 is “better”)

• Incompatible scope (subject matter)

• Non-ICFR controls in SOC 1 report

• Pre-defined TSP criteria incongruent with business operations and controls

• Need to communicate regulatory compliance or another set of benchmarks separately from TSP principles and criteria

II.Lack of preparedness

• Lack of understanding of reporting options

• Lack of understanding of SOC reporting requirements

• Immaturity of system and related controls

• Little monitoring of control effectiveness

• Treatment of related, relevant 3rd parties (inclusive vs. carve-out rep. methods)

54

Avoiding Common SOC Reporting Pitfalls (Cont.)

III.Overly complex or hybrid SOC reports

• “Information not covered by the service auditor’s report” in SOC 1 reports

• “Additional subject matter” in SOC 2 reports

• PCI, HIPAA, CSA-CCM

IV.Insufficient review period selection

V.Improper communication of the completion of the SOC engagement

• Unauthorized logos and seals

• “Certifications”

• Press release guarantees or unfounded conclusions

55

Is A SOC Report The Best Option?

I. Key considerations

• Applicability of the SOC report

• No ICFR impact

• No ability or desire to effectively benchmark against the TSP

• Specific needs of management

• Pre-defined analysis procedures

• Flexibility in reporting

• Specific use of the report

• Single customer demand

• Compliance with regulations, standards, contracts, etc.

56

Non-SOC Reporting Options: AT Sect. 101

AT Section 101

• Foundation for all attestation engagements

• Allows for increased flexibility and customized scope (subject matter)

• Agreed-upon procedures engagements – AT Sect. 201

• Compliance attestations – AT Sect. 601

• General attestations

Attestation report components:

• Opinion letter

• Management’s assertion letter

• Customized subject matter

• Optional additional information

57

Conclusion

• Know your options

• Speak with a competent professional regarding your reporting needs and options

• Understand the proper channels for sharing your report

• When necessary, consider non-attest options as well (e.g., ISO 27001)

58