SOC 1 Overview

Background
& Overview
01

OVERVIEW
• SSAE 16
• SOC 1
• AT Section 801
• ISAE 3402

SERVICE
AUDITORS

©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
SERVICE
PROVIDERS

USER
ENTITIES

USER
AUDITORS

Overview of the
AICPA Framework
02

AICPA SOC FRAMEWORK
Applicable SOC-1 SOC-2 SOC-3
Standard/Guidance
SSAE 16:
AICPA Guide (2013)
AT 101:
AICPA Guide (2013)
AT 101:
Technical Practice Aid
(2014)
Scope ICFR Security/Systems, Privacy Security/Systems, Privacy
Criteria Control Objectives
Trust Services
Principles/GAPP
Trust Services
Principles/GAPP
Usage of report
User auditor, user entity,
management of SO
Knowledgeable parties Anyone

Purpose
& Scope
03

WHY DO YOU NEED AN
SOC REPORT?
Regulatory requirements
User entity mandates
Outsourcing relationships
Internal control analysis
Independent 3rd party opinion
Competition and market

Focused on financial
reporting risks

SPECIFIED BY THE SERVICE
ORGANIZATION
• Operational/Application
• General IT controls

The
Boundaries
04

If there is internal control over
financial reporting relevance, there is
SOC 1 examination!

BOUNDARIES
• What SOC 1 does cover?
• What SOC 1 does cover?

BOUNDARIES
• Limited for specific users
• Limited purpose

The
Anatomy
05

Service Auditor’s Report – “The Opinion”
Management’s Assertion
Description of the System
Tests of Controls and Corresponding Results
Additional Information – Provided by Service Organization
REPORT STRUCTURE

Unqualified vs. Qualified
SERVICE AUDITOR’S REPORT

• Commitment - suitability and accuracy
• SOX Section 302 certification
• Subservice organizations
MANAGEMENT’S ASSERTION

Objective description of the services
SYSTEM DESCRIPTION

Management’s objective description of the
services provided to user entities.
SYSTEM DESCRIPTION

• Test procedures
• Results
• Deviations / Exceptions
TEST OF CONTROLS / RESULTS

Information not related to ICFR
ADDITIONAL INFORMATION

Common
Challenges and
Benefits05

• Impact on financial reporting
• Legal / regulatory compliance
• Impact on production /quality
RELEVANCE TO
CUSTOMERS’ ICFR

RELEVANCE TO
CUSTOMERS’ ICFR
• No financial reporting impact
• Misuse of the report

RELEVANCE TO
CUSTOMERS’ ICFR
• Accurate use of report
• User auditor expectations

• Contracts, RFP, SLA
• AICPA website
• Training and awareness
• Executive communication
• Discussion with service auditor
EDUCATION & PREPAREDNESS

• Insufficient timing
• Silos / groups

• Demonstrates management’s
responsibility and accountability
• Promotes successful examination
efforts

CUSTOMER REQUIREMENTS
• Document client needs
• Client discussions
• Decide on report type

• Choosing the correct report
• Trying to meet multiple compliance
efforts as a single deliverable

• Meet ICFR regulatory or contractual
mandates
• Bolster trust and confidence
• One exam meets multiple customer requests
• Promote a stronger control environment

CARVE-OUT VS INCLUSIVE
• Carve-out method emphasis
• Subservice organization
• Inclusive method requirements

• Obtaining cooperation / documentation
for subservice organization(s)

• Focused and tailored report

• Type 1
• Type 2
REPORT TYPE

• Insufficient coverage
• Implementation of controls
REPORT TYPE

• Both attestation reports
• Timeliness of report
• Report coverage and content
REPORT TYPE

Perform a risk assessment
RISK ASSESSMENT & SCOPE

• Accurate scope
• Control identification

• Pre-planning process
• Better understanding of environment
• Early identification of issues

• Direct assistance
• Use work of others
INTERNAL AUDIT ASSISTANCE

• Learning curve
• Difference in testing strategies

• Professional fees and time
• Understanding of environment
• Evidence gathering and management

• Internally
• Service auditors
READINESS ASSESSMENT

• Inaccurate description of process
• Lack of resources

• Increase success in the audit
• Earlier remediation efforts
• Better preparation
• Documentation of the narrative

• Policies/Procedures
• Segregation of duties
• Monitoring
REMEDIATION

• Insufficient planning
• Resource constraints
• Timely remediation
REMEDIATION

• Meet ICFR regulatory or contractual mandates
• Bolster confidence
• Promote a stronger control environment
REMEDIATION

• Licensed CPA firm
• Independent
• Single Vendor Approach
• Audit Team
AUDIT FIRM SELECTION

• Lack of mature methodology
• Remote only testing
• Use of offshore resources

• Acceptable auditor to auditor
communication
• Value-added controls assessment
process

• SOC Overview
• Examination Scoping
• RFP Template
• Sample Report
Download SOC 1 PrepKit

SOC 1 Overview

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to SOC 1 Overview

Similar to SOC 1 Overview (20)

More from Schellman & Company

More from Schellman & Company (15)

Recently uploaded

Recently uploaded (20)

SOC 1 Overview