SOC 1 Overview
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
01 Background & Overview
OVERVIEW
• SSAE 16
• SOC 1
• AT Section 801
• ISAE 3402
SERVICE AUDITORS
SERVICE PROVIDERS
USER ENTITIES
USER AUDITORS
02 Overview of the AICPA Framework
AICPA SOC FRAMEWORK

SOC 1
  Applicable standard/guidance: SSAE 16; AICPA Guide (2013)
  Scope: ICFR (internal control over financial reporting)
  Criteria: Control objectives
  Usage of report: User auditor, user entity, management of the service organization

SOC 2
  Applicable standard/guidance: AT 101; AICPA Guide (2013)
  Scope: Security/Systems, Privacy
  Criteria: Trust Services Principles / GAPP
  Usage of report: Knowledgeable parties

SOC 3
  Applicable standard/guidance: AT 101; Technical Practice Aid (2014)
  Scope: Security/Systems, Privacy
  Criteria: Trust Services Principles / GAPP
  Usage of report: Anyone
03 Purpose & Scope
WHY DO YOU NEED A SOC REPORT?
Regulatory requirements
User entity mandates
Outsourcing relationships
Internal control analysis
Independent 3rd party opinion
Competition and market
SPECIFIED BY THE SERVICE ORGANIZATION
• Operational/Application
• General IT controls
04 The Boundaries
If a service is relevant to a user entity's internal control over financial reporting (ICFR), a SOC 1 examination applies.
BOUNDARIES
• What does SOC 1 cover?
• What does SOC 1 not cover?
BOUNDARIES
• Limited for specific users
• Limited purpose
05 The Anatomy
REPORT STRUCTURE
• Service Auditor’s Report – “The Opinion”
• Management’s Assertion
• Description of the System
• Tests of Controls and Corresponding Results
• Additional Information – Provided by Service Organization
SERVICE AUDITOR’S REPORT
• Unqualified vs. Qualified
MANAGEMENT’S ASSERTION
• Commitment: suitability and accuracy
• SOX Section 302 certification
• Subservice organizations
SYSTEM DESCRIPTION
• Objective description of the services
SYSTEM DESCRIPTION
• Management’s objective description of the services provided to user entities.
TEST OF CONTROLS / RESULTS
• Test procedures
• Results
• Deviations / Exceptions
ADDITIONAL INFORMATION
• Information not related to ICFR
06 Common Challenges and Benefits
RELEVANCE TO CUSTOMERS’ ICFR
• Impact on financial reporting
• Legal / regulatory compliance
• Impact on production / quality
RELEVANCE TO CUSTOMERS’ ICFR
• No financial reporting impact
• Misuse of the report
RELEVANCE TO CUSTOMERS’ ICFR
• Accurate use of report
• User auditor expectations
EDUCATION & PREPAREDNESS
• Contracts, RFP, SLA
• AICPA website
• Training and awareness
• Executive communication
• Discussion with service auditor
EDUCATION & PREPAREDNESS
• Insufficient timing
• Silos / groups
EDUCATION & PREPAREDNESS
• Demonstrates management’s responsibility and accountability
• Promotes successful examination efforts
CUSTOMER REQUIREMENTS
• Document client needs
• Client discussions
• Decide on report type
CUSTOMER REQUIREMENTS
• Choosing the correct report
• Trying to meet multiple compliance efforts as a single deliverable
CUSTOMER REQUIREMENTS
• Meet ICFR regulatory or contractual mandates
• Bolster trust and confidence
• One exam meets multiple customer requests
• Promote a stronger control environment
CARVE-OUT VS INCLUSIVE
• Carve-out method emphasis
• Subservice organization
• Inclusive method requirements
CARVE-OUT VS INCLUSIVE
• Obtaining cooperation / documentation for subservice organization(s)
CARVE-OUT VS INCLUSIVE
• Focused and tailored report
REPORT TYPE
• Insufficient coverage
• Implementation of controls
REPORT TYPE
• Both attestation reports
• Timeliness of report
• Report coverage and content
RISK ASSESSMENT & SCOPE
• Perform a risk assessment
RISK ASSESSMENT & SCOPE
• Accurate scope
• Control identification
RISK ASSESSMENT & SCOPE
• Pre-planning process
• Better understanding of environment
• Early identification of issues
INTERNAL AUDIT ASSISTANCE
• Direct assistance
• Use work of others
INTERNAL AUDIT ASSISTANCE
• Learning curve
• Difference in testing strategies
INTERNAL AUDIT ASSISTANCE
• Professional fees and time
• Understanding of environment
• Evidence gathering and management
READINESS ASSESSMENT
• Internally
• Service auditors
READINESS ASSESSMENT
• Inaccurate description of process
• Lack of resources
READINESS ASSESSMENT
• Increase success in the audit
• Earlier remediation efforts
• Better preparation
• Documentation of the narrative
REMEDIATION
• Policies/Procedures
• Segregation of duties
• Monitoring
REMEDIATION
• Insufficient planning
• Resource constraints
• Timely remediation
REMEDIATION
• Meet ICFR regulatory or contractual mandates
• Bolster confidence
• Promote a stronger control environment
AUDIT FIRM SELECTION
• Licensed CPA firm
• Independent
• Single vendor approach
• Audit team
AUDIT FIRM SELECTION
• Lack of mature methodology
• Remote-only testing
• Use of offshore resources
AUDIT FIRM SELECTION
• Acceptable auditor-to-auditor communication
• Value-added controls assessment process
Download SOC 1 PrepKit
• SOC Overview
• Examination Scoping
• RFP Template
• Sample Report