SOC Reporting Overview & the Clarified Attestation Standards – SSAE 18

October 25, 2017

Page 1

Page 2

© 2017 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS 642096

With You Today

Michelle Ross, Advisory Director (O: 858-750-7332, M: 619-755-9661)

DJ Wilkins, Advisory Partner (O: 858-750-7217, M: 619-990-3217)

Page 3

CPE Guidelines

This training is CPE-worthy

In order to receive CPE credit

Attend for entire session

Participate in exercises and activities

Must respond to a minimum of three questions per 50 minutes

Page 4

Learning Objectives

Understand the basic purpose and history of SOC reporting, including the intent of the clarified attestation standards

Determine the relevant components of a SOC report and general responsibilities of the service organization versus service auditor

Recognize how the revisions to the attestation standards affect SOC 1 reporting, the impact to service organizations, and the potential level of effort needed to comply with the revised standards

Page 5

What We are Covering Today

— SOC Reporting Overview (page 6)

— Clarified Attestation Standards – SSAE 18 (page 16)

— SOC for Cybersecurity (page 38)

— Questions and Discussion (page 42)

Page 6

SOC Reporting Overview

What is a SOC report?

Page 7

History of SOC Reporting

Organizations are increasingly outsourcing systems, business processes, and data processing to service providers in an effort to focus on core competencies, reduce costs, and more quickly deploy new application functionality.

Many organizations have historically relied upon Statement on Auditing Standards (SAS) 70 reports to gain broad comfort over outsourced activities. SAS 70 was intended to focus specifically on risks related to internal control over financial reporting (ICOFR), and not broader objectives such as system availability and security.

With the retirement of the SAS 70 report in 2011, Service Organization Control (SOC) reports have been defined by the American Institute of Certified Public Accountants (AICPA) to replace SAS 70 reports and more clearly address the assurance needs of the users of outsourced services.

Three types of SOC reports—SOC 1, SOC 2, and SOC 3—have been defined to address a broader set of specific user needs.

Page 8

A Few Quick Definitions…

Service Organization Controls (SOC) Reports – reports designed to help service organizations (organizations that operate information systems and provide information system services to other entities) build trust and confidence in their service delivery processes and controls through a report by an independent Certified Public Accountant.

Service Organization – An organization or segment of an organization that provides services to user entities, which are likely to be relevant to those user entities’ internal control over financial reporting.

Service Auditor – A practitioner who reports on controls at a service organization.

User Auditor – An auditor who audits and reports on the financial statements of a user entity.

User Entity – An entity that uses a service organization.

Subservice Organization – A service organization used by another service organization to perform some of the services provided to user entities that are likely to be relevant to those user entities’ internal control over financial reporting.

Page 9

Overview of SOC 1, SOC 2, and SOC 3 reports

There are 3 types of SOC reports designed for service organizations to meet user needs:

Summary

SOC 1
— Internal control over financial reporting
— Detailed report for users and their auditors

SOC 2
— Operational controls
— Detailed report for users, their auditors, and specified parties

SOC 3
— Operational controls
— Short report that can be more generally distributed

Defined Scope of System

SOC 1
— Classes of transactions
— Procedures for processing and reporting transactions
— Accounting records of the system
— Handling of significant events and conditions other than transactions
— Report preparation for users
— Other aspects relevant to processing and reporting user transactions

SOC 2 and SOC 3
— Infrastructure
— Software
— Procedures
— People
— Data

Control Domain Options

SOC 1
— Transaction processing controls
— Supporting information technology general controls

SOC 2 and SOC 3
— Security
— Availability
— Confidentiality
— Processing integrity
— Privacy
— SOC 2+ additional criteria

Level of Standardization

SOC 1
— Control objectives are defined by the service provider, and may vary depending on the type of service provided

SOC 2 and SOC 3
— Principles are selected by the service provider
— Specific predefined criteria are evaluated against, rather than control objectives

Page 10

Type 1 vs. Type 2 SOC reports

— SOC reports most commonly cover the presentation, design, and effectiveness of controls over a period, usually 12 months (Type 2).

— A SOC report may cover a shorter period of time if the system/service has not been in operation for a full year or if annual reporting is insufficient to meet user needs. A minimum reporting period of 6 months is recommended to be useful to user auditors.

— A SOC report may also cover only the design of controls at a specified point in time, for example for the initial examination of a new system/service.

SOC 1 and SOC 2 engagements can be issued as a Type 1 or a Type 2:

Type 1 Report – Design
— Report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
— Point in time

Type 2 Report – Design and Operating Effectiveness
— Report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
— Period of time (throughout the period)

Page 11

Knowledge Check #1

Which of the following is NOT a characteristic of a SOC 1 report?

Select one of the following options.

A. Focuses on Internal control over financial reporting for user entities

B. Focuses on operational efficiencies and security controls the service organization performs for user entities

C. Control objectives are defined by the service organization

D. Restricted use report

Page 12

Knowledge Check #1 - Answer

Which of the following is NOT a characteristic of a SOC 1 report?

A. Focuses on Internal control over financial reporting for user entities

B. Focuses on operational efficiencies and security controls the service organization performs for user entities

C. Control objectives are defined by the service organization

D. Restricted use report

Answer: B. A SOC 1 report addresses internal control over financial reporting, with control objectives defined by the service organization, and is a restricted use report; operational and security controls are the domain of SOC 2 and SOC 3 reports.

Page 13

SOC Reports Structure

Report components by report type (Historical SAS 70, SOC 1, SOC 2, SOC 3) and the party responsible for each:

— Auditors’ opinion: SAS 70, SOC 1, SOC 2, SOC 3. Responsible party: Service Auditor

— Management assertion: SOC 1, SOC 2, SOC 3 (not part of SAS 70). Responsible party: Service Organization

— System description (including controls): SAS 70, SOC 1, SOC 2, SOC 3. Responsible party: Service Organization

— Control objectives (SAS 70, SOC 1); Criteria (SOC 2); Criteria, referenced (SOC 3). Responsible party: Service Organization

— Control activities: SAS 70, SOC 1, SOC 2 (not part of SOC 3). Responsible party: Service Organization

— Tests of operating effectiveness*: SAS 70, SOC 1, SOC 2 (not part of SOC 3). Responsible party: Service Auditor

— Results of tests*: SAS 70, SOC 1, SOC 2 (not part of SOC 3). Responsible party: Service Auditor & Service Organization

— Other information (if applicable): SAS 70, SOC 1, SOC 2 (not part of SOC 3). Responsible party: Service Organization

* Type 1 and Type 2 structure is very similar; however, these sections are not included in a Type 1 report (no opinion on the operating effectiveness of controls).

Page 14

Subservice Organizations

How do we present the controls of the subservice organization in our report? Carve-out or Inclusive? What is the difference?

Carve-out method. Method of addressing the services provided by a subservice organization whereby management's description of the service organization's system identifies the nature of the services performed by the subservice organization and excludes from the description and from the scope of the service auditor's engagement, the subservice organization's relevant control objectives and related controls. Management's description of the service organization's system and the scope of the service auditor's engagement include controls at the service organization that monitor the effectiveness of controls at the subservice organization, which may include management of the service organization's review of a service auditor's report on controls at the subservice organization.

Inclusive method. Method of addressing the services provided by a subservice organization whereby management's description of the service organization's system includes a description of the nature of the services provided by the subservice organization as well as the subservice organization's relevant control objectives and related controls.

Subservice Organization: A service organization used by another service organization to perform some of the services provided to user entities that are likely to be relevant to those user entities’ internal control over financial reporting.

Page 15

Complementary User Entity Controls (CUECs)

What is a Complementary User Entity Control (CUEC)?

o Controls that management of the service organization assumes, in the design of the service provided by the service organization, will be implemented by user entities, and which, if necessary to achieve the control objectives stated in management's description of the service organization's system, are identified as such in that description.

o CUECs should be listed in the System Description

Example CUEC: “Users should have controls in place to address the completeness, accuracy, and existence of information submitted to ABC service organization.”

Page 16

Clarified Attestation Standards – SSAE18

What is new with SSAE18, what is the impact and how do we prepare?

Page 17

Background, Scope and Effective Date

Background

— The Auditing Standards Board (ASB) has completed a multiyear project to redraft all of the standards that it issues into a new “clarity format.” The intent of this format is to address concerns over the clarity, length, and complexity of its standards.

Scope of SSAE 18

— Will impact attestation engagements including SOC reports (i.e., SOC 1, SOC 2, and SOC 3)

Terminology

— Reports will continue to be called SOC 1 reports, not SSAE 18 reports

Effective Date

— Service Auditor’s Reports dated on or after May 1, 2017

— Early adoption permitted

— Since the required implementation is based on the date of the Service Auditor’s Report, the new standards have the potential to impact a wide range of reporting periods.

Page 18

Impact on SOC 1 Reporting

Summary of Revisions

The following slides summarize the more significant revisions to the attestation standards that directly affect SOC 1 reporting. These revisions include the following topics:

— Complementary subservice organization controls (CSOCs)

— Completeness and accuracy of information produced by the service organization

— Complementary User Entity Controls (CUECs)

— Obtaining evidence regarding the design of controls (Management’s Risk Assessment)

— Review of internal audit reports and regulatory examinations

— Management’s assertion vs. Management’s description

The topics noted above and discussed in the following slides are not meant to be an all-inclusive list of revisions as a result of the clarified attestation standards.

Page 19

Complementary Subservice Organization Controls (CSOCs)

Revision

When using the carve-out method to report on subservice organizations, management will be required to identify controls that management assumes will be implemented by those subservice organizations and that are necessary to achieve the control objectives stated in management’s description. This is in addition to the requirement to monitor the effectiveness of controls at carved-out subservice organizations.

Impact to service organization

— Evaluate and rationalize the existing list of subservice organizations presented in the report and identify the impacted control objectives.

— Identify the types of controls that management assumes will be implemented at each carved-out subservice organization and that are necessary to achieve the control objectives.

— Link to the relevant control objective(s) that are impacted and include in the description.

Potential impact level: High

Page 20

Complementary Subservice Organization Controls – Key considerations

Key considerations:

— Service organizations should consider whether their list of subservice organizations is complete and accurate (vendor versus subservice organization)

Is the organization a vendor or a subservice organization?

1. What service does the organization provide to the service organization?

2. Is the service provided by the organization relevant to user entities' internal control over financial reporting?
   — No: Vendor
   — Yes: Subservice organization

Examples:

— Document storage and record retention: this organization picks up boxes of documents from the service organization and stores them at its facility. (Not relevant to user entities' ICOFR: vendor)

— Application hosting: this organization manages all of the information technology systems for the service organization. (Relevant to user entities' ICOFR: subservice organization)

Source: AICPA Service Organizations Guide chapter 3 paragraph 14 Table 3-1

Page 21

Complementary Subservice Organization Controls – Reporting Options

Example A – table similar to the presentation of the Complementary User Entity Controls in management’s description of the system

Subservice organization: Data Center Hosting Company ABC

Complementary subservice organization control consideration: Subservice organizations should periodically review users with privileged access at the Operating System and Database layers to determine that such access is restricted to appropriate and authorized personnel.

Control objective reference: A-5 – Logical Access

Example B – included in the service auditor’s testing tables

Client statements

Control Objective: Controls provide reasonable assurance that statements are produced completely, accurately, and timely.

Control Description: Data from the recordkeeping system are systematically extracted to produce data files designating periodic statements to be generated and mailed based on established criteria. The data files are systematically queued for access by the print vendor.

Tests performed: For a selection of statement batches and months, inspected the job details processed from the recordkeeping system and determined that the jobs ran successfully.

Results of Testing Performed: No exceptions noted

Complementary Subservice Organization Control Consideration: Subservice organizations should have controls in place to validate the completeness and accuracy of the statement file and to monitor the timely receipt of the file.

Page 22

Complementary Subservice Organization Controls – Considerations for monitoring subservice organization (SSO) control activities

Considerations for monitoring SSO control activities:

Management's description of the service organization's system and the scope of the service auditor's engagement include controls at the service organization that monitor the effectiveness of controls at the subservice organization.

Monitoring activities include:

— Reviewing and reconciling output reports

— Holding periodic discussions with the SSO

— Making regular site visits to the SSO to discuss the design and effectiveness of controls, planned changes, operating issues, etc.

— Testing controls at the SSO by members of the service organization's internal audit function

— Reviewing type 2 SOC reports on the SSO’s system

— Monitoring external communications, such as customer complaints relevant to the services by the SSO

— Logging and tracking the resolution of issues that result from the SSO’s processing

Page 23

Knowledge Check #2

What is a key distinction between SSAE16 and SSAE18 as it relates to subservice organizations?

Select one of the following options.

A. Management is responsible for identifying subservice organizations for inclusion in the report

B. Management is responsible for deciding whether subservice organizations will be presented using the inclusive or the carve-out method

C. It is the service auditor's responsibility to identify subservice organizations performing control activities key to the achievement of the control objectives

D. Management is responsible for identifying and presenting detailed control activities performed by subservice organizations key to the achievement of control objectives

Page 24

Knowledge Check #2 – Answer

What is a key distinction between SSAE16 and SSAE18 as it relates to subservice organizations?

A. Management is responsible for identifying subservice organizations for inclusion in the report

B. Management is responsible for deciding whether subservice organizations will be presented using the inclusive or the carve-out method

C. It is the service auditor's responsibility to identify subservice organizations performing control activities key to the achievement of the control objectives

D. Management is responsible for identifying and presenting detailed control activities performed by subservice organizations key to the achievement of control objectives

Answer: D. Identifying subservice organizations and choosing the inclusive or carve-out method were already management's responsibilities under SSAE 16; SSAE 18 adds the requirement that management identify, and present in the description, the complementary subservice organization controls necessary to achieve the control objectives.

Page 25

Completeness and Accuracy of Information Produced by the Service Organization

Revision

Requires the service auditor to evaluate evidence around the completeness and accuracy of information produced by the service organization (e.g., lists of data that have specific characteristics, exception documents, transaction reconciliations, documentation that provides evidence of the operating effectiveness of controls, such as user access lists and system-generated reports) and the ability to include the procedures performed in the description of the tests of the controls.

Impact to service organization

— Provide the service auditor with an understanding of how information is produced and provide additional documentation as needed.

— The standards do not impose a requirement on management or the service auditor to include the procedures performed in the description.

Potential impact level: High

Page 26

Completeness and Accuracy of Information Produced by the Service Organization

Information produced by the service organization/entity (referred to as “IPE”):

— It is required that the service auditor evaluate whether such information is sufficiently reliable for the service auditor’s purpose by obtaining evidence about its accuracy and completeness and evaluating whether the information is sufficiently precise and detailed.

— The following are examples of information produced by a service organization that are commonly used by a service auditor:

- Population lists the service auditor uses to select a sample of items for testing

- Lists of data that have specific characteristics

- Exception reports

- Transaction reconciliations

- Documentation that provides evidence of the operating effectiveness of controls, such as user access lists

- System-generated reports

- Other system-generated data

Source: AT-C 320.A52 and AT-C 320.30

Page 27

Completeness and Accuracy of Information Produced by the Service Organization

Generally, there are two types of information that the service auditor will come across when performing a SOC engagement:

1. Information that is the subject of the primary audit procedure: This type of report is electronic data that the engagement team extracts directly from the service organization's information in order to perform an audit procedure but is not used by management in the performance of a control. These are often the population lists that the service auditor uses to select a sample of items for testing.

2. Information that is relied upon by management in the performance of a control: This type of report is generated by management of the service organization in order to perform a control. This information can take various forms and may be manually prepared by the service organization, extracted from the service organization's information system, or a combination of both.

Page 28

Completeness and Accuracy of Information Produced by the Service Organization

Management has the responsibility of identifying the risks that threaten the achievement of the control objectives stated in the description and designing, implementing, and documenting controls that are suitably designed and operating effectively to provide reasonable assurance that the control objectives stated in the description of the service organization’s system will be achieved.

Risks that threaten the achievement of the control objectives should include the possibility of relying on reports that are not complete and accurate (C&A). The controls that management has put in place to address those risks should be designed with consideration of the C&A of report information in order for the control objectives to be achieved.

Complementary User Entity Controls (CUECs)

Revision: Clarified that CUECs only include controls that are necessary to achieve the control objectives stated in management’s description.

Impact to service organization:

— Assess the current listing of CUECs and remove controls that are not necessary to achieve the control objectives in the description of the system.

— CUECs are not intended to be a broad list of user responsibilities.

Potential impact level: Low

Complementary User Entity Controls (CUECs) - example

Control Objective: Controls provide reasonable assurance that logical access to programs, data, and computer resources is restricted to authorized and appropriate users, and such users are restricted to performing authorized and appropriate actions.

Potential CUEC 1: User entities are responsible for ensuring the supervision, management, and control of the use of Service Organization’s services by their personnel.
Is the CUEC relevant to the achievement of a control objective? No
Should the CUEC be listed in the report? No

Potential CUEC 2: User entities should establish controls to communicate terminated user entity users for removal from service provider systems in a timely manner.
Is the CUEC relevant to the achievement of a control objective? Yes
Should the CUEC be listed in the report? Yes

Potential CUEC 3: User entities are responsible for selecting an ISP, if used, to connect to Service Organization’s systems. Security provided by the ISP would need to be considered by the customer in its overall assessment of logical security.
Is the CUEC relevant to the achievement of a control objective? No
Should the CUEC be listed in the report? No

Review of Internal Audit Reports and Regulatory Examinations

Revision: Service auditors will be required to review internal audit reports and regulatory examinations relating to the services provided to user entities and the scope of the report.

Impact to service organization: Relevant reports should be provided to the service auditor completely and in a timely manner.

Potential impact level: Low

Management’s Assertion vs. Management’s Description

Revision: Clarifies that management’s assertion is not part of management’s description of its system. If the assertion and description are included in the same section, they need to be clearly segregated from each other.

Impact to service organization: Management’s assertion is generally presented in a separate section of the report. However, if it is included in the same section as the description, there must be a clear separation between the assertion and the description.

Potential impact level: Low

Obtaining Evidence Regarding the Design of Controls (Management’s Risk Assessment)

Revision: Revises the service auditor’s requirements related to obtaining evidence regarding the design of controls. The service auditor is to assess whether the controls identified by management were suitably designed to achieve the control objectives by:

— Obtaining an understanding of management’s process for identifying and evaluating the risks that threaten the achievement of the control objectives and assessing the completeness and accuracy of management’s identification of those risks.

— Evaluating the linkage of the controls with those risks.

— Determining that the controls have been implemented.

Impact to service organization: Management was already responsible for this under SSAE 16; however, the auditor will now focus on management’s assessment rather than performing an independent assessment. As a result, management should ensure that it is prepared to provide and discuss its assessment with the service auditor.

Potential impact level: Moderate

Example Assessment Process for Supporting Design of Controls

Process: Development and implementation of new application software

Control objective: Controls provide reasonable assurance that development and implementation of new application software is authorized, tested, approved, properly implemented, and documented.

Identified risks and identified controls to mitigate risks:

1. Risk: New software is not authorized.
Controls: Scheduled Projects are authorized by senior members of management. Authorization is indicated by a project’s presence on the Product Roadmap. Technical Consulting projects are authorized via signed SOWs or contracts with EPs. (Control 1.3)

2. Risk: New software is not adequately tested.
Controls: Scheduled and Technical Consulting projects must be tested in a separate QA environment. Testing results for Scheduled Projects are documented in the RALLY QA development system, and testing results for Technical Consulting projects are documented in the tTrack ticketing system. (Control 1.4)

3. Risk: New software is not approved before implementation to production.
Controls: Scheduled and Technical Consulting projects must be approved for implementation by the QA and/or project push team. The QA and/or project push team completes an RFC and assigns an RFC number to indicate approval for implementation. (Control 1.5)

4. Risk: New software is not implemented properly and within the appropriate timeframe.
Controls: Programmers do not have the ability to implement new program development into the production environment. (Control 1.8) Potentially include reworded control or new control related to timeliness of project completion.

5. Risk: New software is not documented.
Controls: Scheduled and Technical Consulting projects must be documented. Projects are documented in RFCs, the Production Calendar, and/or the tTrack ticketing system. (Control 1.6)

Listed against each of the five risks: The QAR Software Development Process and Company ABC Functions and Roles for Technical Consulting documents govern the Company ABC SDLC process for managing product releases and project management within the QAR and Technical Consulting Groups. (Control 1.1)

Knowledge Check #3

Which of the following is a new focus of the standard related to obtaining evidence regarding the design of controls?

Select one of the following options.

A. The new focus is that only the service organization has to perform an evaluation around the suitability of the design of the controls to meet the control objectives

B. The new standard will now focus on management’s assessment of the suitability of the design of the controls in order to meet the control objectives

C. The service auditor no longer has to perform an independent evaluation of the design of the controls to meet the control objectives

D. The entity no longer has to perform a risk assessment to determine whether the controls are designed to meet the control objectives

Next Steps

— Begin to assess your list of subservice organizations and vendors to determine where complementary subservice organization controls are necessary

— Work with the service auditor on your account to determine where additional completeness and accuracy procedures are required

— Review your list of complementary user entity controls to determine if they directly impact the ability to achieve the control objectives in the description of the system

— Assess the internal audit and regulatory reports that have been completed and provide them to your service auditor

— Review your SOC 1 reports and determine if there is a clear separation between your assertion and the description of your system

— Review your management assertion support and develop documentation that can be provided to your service auditor to support your risk assessment process

SOC for Cybersecurity

Overview

— Organizations are under increasing pressure to demonstrate that they are managing cybersecurity threats, and that they have effective processes and controls in place to detect, respond to, mitigate and recover from breaches and other security events.

— Organizations’ effective and secure interaction with business partners, vendors, and service organizations is critical to the efficient operation of business processes. Companies have implemented cyber risk management programs but struggle to obtain and share this information internally and externally.

— In response to growing challenges related to cybersecurity, the AICPA has developed an entity-level cybersecurity risk management reporting framework (the Framework) that organizations can use to communicate relevant and useful information about the effectiveness of their cybersecurity risk management program to a broad range of stakeholders.

— This new Framework affords companies the ability to provide key information about the effectiveness of their cybersecurity risk management program that can be useful to boards of directors, senior management, and other pertinent internal and external stakeholders.

Components of the Framework

SOC for Cybersecurity

What is new

— The Framework provides a common approach to evaluating and reporting on an entity’s cybersecurity risk management program

— The report, “System and Organization Controls (SOC) for Cybersecurity”, comprises three sections:

1) Management’s description of the cybersecurity risk management program (program);

2) Management’s assertion regarding the description and effectiveness of the program’s controls;

3) Independent auditor’s opinion on the description and effectiveness of the program’s controls to achieve cybersecurity objectives.

— The Framework provides two sets of criteria for use by companies and the practitioner:

1) The first is a set of description criteria used to assist management with the preparation of a consistent and comparable narrative description of their program

2) The second is the AICPA’s revised Trust Services Criteria for Security, Availability, and Confidentiality (2017), which can be used to evaluate the effectiveness of controls within the program

SOC for Cybersecurity

How can it be used?

The framework can be used at all stages of preparing for and performing a cybersecurity risk management program examination by both company management and practitioners:

— Cybersecurity Risk Management Examination (report)

— Readiness Assessment

— Remediation

Questions and Discussion

Thank you

The KPMG name and logo are registered trademarks or trademarks of KPMG International.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

kpmg.com/socialmedia