What the FICCA?!

Uploaded by nicsa, posted 17-Jan-2015 (21 slides)

DESCRIPTION

Do you struggle with how to read or interpret SOC-1, SSAE-16 or FICCA results? Join this useful session that will help you navigate the various standards, as testing and differences in testing levels continue to increase.

TRANSCRIPT

Page 1: What the FICCA?!

#NICSAGMM

Page 2: What the FICCA?!

What the FICCA?

September 11, 2014

Suzanne Nersessian

Stephanie Roche

Deloitte & Touche LLP

Page 3: What the FICCA?!

AGENDA

• Explaining the mystery
  – Types of reports
    • FICCA / SOC / SSAE / ISAE – I just want a SAS 70!
  – Who and what may be relevant
• Reporting standards and what they mean
• We received the report – now what?
• Internal considerations and setting expectations

Page 4: What the FICCA?!

Explaining The Mystery – Types of Reports

• What happened to SAS 70?
• Third party reports
  – SSAE 16 – Also called SOC 1
  – ISAE 3402 – International version of SSAE 16
  – FICCA
  – CPER
  – SOC 2
  – AT101

Page 5: What the FICCA?!

Explaining The Mystery – Types of Reports

• Type 1 vs. Type 2
• Other types of reports
  – AUP
  – 17Ad-13
  – Custody Rule

Page 6: What the FICCA?!

Explaining The Mystery – Who/What May Be Relevant

• What is outsourced?
• How significant?
• What if something goes wrong?
  – Will you know?
  – How will it be detected?
  – How quickly?
  – What are the ramifications – to clients/to the company?

Page 7: What the FICCA?!

Explaining The Mystery – Who/What May Be Relevant

• What reporting do they provide?
  – SOC / FICCA / Other
  – Type 1 or Type 2 report
• Other types of communications?

Page 8: What the FICCA?!

Reporting Standards & What They Mean

• Examination engagements – Provides an opinion
  – AT101 (FICCA/Custody Rule)
  – AT801 (SSAE 16)
  – AT601 (Compliance)
  – SOP 07-2
• AUP – Procedures and Findings (no opinion)
  – AT201
  – AT601

Page 9: What the FICCA?!

We Received the Report – Now What?

• Don’t hide it!
• Where to focus:
  – Opinion
  – Assertion
  – Description of internal control system
  – Control matrix
    • Service org control objectives & controls
    • Service auditor testing procedures
    • Results of testing
  – Other information – may or may not be important

Page 10: What the FICCA?!

We Received the Report – Now What?

• Opinion
  – Qualified or unqualified
  – Explanatory paragraphs/emphasis of a matter
  – Scope
    • Coverage
    • Locations
    • Anything excluded?
  – Coverage period
    • Is enough of the period covered?
    • Close enough to your year end?

Page 11: What the FICCA?!

We Received the Report – Now What?

• Opinion
  – User controls (CUECs)
    • Are they identified?
    • Will I need to consider them?
  – Subservice organizations
    • Carved out/included
    • Are names listed?
    • What services are outsourced?
    • Do these matter to my processing?
    • Do I need to request their report or do anything else?

Page 12: What the FICCA?!

We Received the Report – Now What?

• Assertion
  – Scope – Same as the opinion?
  – Anything identified – qualifications, etc.?
• Description of the I/C System
  – Control environment
    • Does COSO matter?
  – Application systems – UECCs
  – Subservice organizations

Page 13: What the FICCA?!

We Received the Report – Now What?

• Control matrix
  – Service organization determines/auditor evaluates
  – Objectives
    • Relevant
    • Objective
    • Complete
    • Measurable
  – Controls
    • Classes of transactions
    • Designed to meet each assertion

Page 14: What the FICCA?!

We Received the Report – Now What?

• Control matrix
  – Tests of service auditor
    • Type
    • Extent
    • Quality
  – Result of service auditor
    • No exceptions noted or detail of exceptions identified
    • Relevance and potential impact of exceptions
    • Consider if exceptions are identified year over year
    • Determine expected changes – management response

Page 15: What the FICCA?!

Internal Considerations and Setting Expectations

• Determine who is important
  – What do you get from your service providers?
  – What do you need?
  – Is the frequency of reports adequate?
  – Define risks and exposures
  – How are exceptions/qualifications addressed? Is it timely?
• Assess your organization
  – Identify your controls
  – Determine how robust your controls are
  – Consider periodic testing (internal or external) of your controls
  – Other procedures performed

Page 16: What the FICCA?!

Internal Considerations and Setting Expectations

• Overall monitoring
  – Don’t solely rely on the report
  – Other procedures
    • Internal Audit
    • Periodic calls / meetings
    • Reporting
    • Internal controls
    • Follow up on exceptions/qualifications
    • Notices of forthcoming changes
    • Bridge letters
    • Other communications/testing

Page 17: What the FICCA?!

Internal Considerations and Setting Expectations

• Overall monitoring
  – Consider subservice organizations
    • Importance
    • Carved out or included
    • Available reports
    • Monitoring done by service organization
    • Possible UECCs
    • Determine whether any other monitoring is needed

Page 18: What the FICCA?!

Internal Considerations and Setting Expectations

• Setting clear expectations
  – Scope
    • Missing or incomplete areas
  – Type 1 vs. Type 2 report
  – Type of report needed (maybe more than one)
  – Coverage period
  – Timing of report distribution

Page 19: What the FICCA?!

Internal Considerations and Setting Expectations

• Setting clear expectations (continued)
  – Identify quality of communications and consistency
  – Exception resolution
  – Expectation of notification of intentional acts
  – Quality of report

Page 20: What the FICCA?!

QUESTIONS AND FOLLOW UP

Page 21: What the FICCA?!

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a detailed description of DTTL and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.