SOC Standards - Nonprofit organizations

Presentation from nonprofit CPA firm - Tate & Tryon CPAs - on the transition from SAS 70 reports to SOC Standards and the impact they will have on your regulatory compliance requirements.
    Presentation Transcript

    • Your Audit Committee and the New SOC Standards
      Jeffrey Stefan, CPA, Partner
      Douglas Boedeker, CPA, CMA, Partner
      September 8, 2011

    • Goals for Today
      I. Obtain a basic understanding of the new SOC reports.
      II. Understand the differences between the three types of SOC reports.
      III. Understand other reporting options that may be of interest to Boards and Audit Committees.
      September 8, 2011 Copyright © 2011 Tate & Tryon CPAs and Consultants

    • Course Outline
      Why the new reporting options?
      What is SAS 70?
      What are the new options:
        - SOC 1 – the new “SAS 70”
        - SOC 2 – a “SAS 70” report that’s interesting!
        - SOC 3 – a “SAS 70” report for public consumption

    • Course Outline
      The Trust Services Principles:
        - Security
        - Availability
        - Processing integrity
        - Confidentiality
        - Privacy
      What else is out there?
        - Integrated Examination of Internal Control
        - Agreed-Upon Procedures

    • Why the new reporting options?
      SAS 70 became a catch-all for everything!
      AICPA was not pleased with terms like: “We’re SAS 70 Certified”, “We’re SAS 70 Compliant”.
      The movement to outsourced IT services made the problem more pronounced.

    • What was SAS 70?
      Statement on Auditing Standards Number 70, Service Organizations.
      Designed to address a service organization’s controls affecting user entities’ financial statements: controls over financial reporting.
      Either a “Type 1” or a “Type 2” report.
      Primarily an auditor-to-auditor communication.

    • The New Reporting Options...

    • SOC 1 – the new “SAS 70”
      Report content:
        - Controls at a service organization relevant to user entities’ internal control over financial reporting.
      Intended audience is:
        - Management of service & user organizations
        - Auditors of the user organizations
      Nature of reports:
        - Type 1 – Control description
        - Type 2 – Control description & operating effectiveness

    • SOC 2 – a more interesting “SAS 70”
      Report content:
        - Service organization’s controls relevant to: Security, Availability, Processing integrity, Confidentiality, Privacy
      There is flexibility in choosing which controls are to be included in the report.

    • SOC 2 – a more interesting “SAS 70”
      Intended audience is:
        - Management of service organizations
        - Management of user organizations
      Nature of reports:
        - Type 1 – Control description
        - Type 2 – Control description & operating effectiveness
      Note: A SOC 2 report cannot be combined with a SOC 1 report. They must be separate.

    • SOC 3 – A “SAS 70” for public consumption
      Report content:
        - Service organization’s controls relevant to: Security, Availability, Processing integrity, Confidentiality, Privacy
      There is flexibility in choosing which controls are to be included in the report.

    • SOC 3 – A “SAS 70” for public consumption
      Intended audience is:
        - Any user with a need for confidence in the service organization’s controls.
      Nature of reports:
        - Very short – similar to an auditor’s opinion on financial statements.
        - No detail of the organization’s controls.

    • SOC 3 – A “SAS 70” for public consumption
      Limitations of SOC 3 Reports
      An unqualified opinion cannot be issued if:
        - Controls at subservice organizations have been “carved out.”
        - Complementary user-entity controls are significant.

    • The Trust Services Principles (The foundation for SOC 2 & 3)

    • The Security Principle
      Refers to the protection of the system from unauthorized access, both logical and physical.
      “Criteria” to be Tested
        - Policies – were security policies defined and documented?
        - Communications – were the policies communicated to the appropriate parties?
        - Procedures – are procedures in operation to achieve the goals of the security policies?
        - Monitoring – is compliance with the policies monitored?

    • The Availability Principle
      Refers to the accessibility of the system, products, or services as advertised or committed by contract, service-level, or other agreements.
      “Criteria” to be Tested
        - Policies – were availability policies defined and documented?
        - Communications – were the policies communicated to the appropriate parties?
        - Procedures – are procedures in operation to achieve the goals of the availability policies?
        - Monitoring – is compliance with the policies monitored?

    • The Processing Integrity Principle
      Refers to the completeness, accuracy, validity, timeliness, and authorization of system processing.
      “Criteria” to be Tested
        - Policies – were processing integrity policies defined and documented?
        - Communications – were the policies communicated to the appropriate parties?
        - Procedures – are procedures in operation to achieve the goals of the processing integrity policies?
        - Monitoring – is compliance with the policies monitored?

    • The Confidentiality Principle
      Refers to the system’s ability to protect the information designated as confidential, as committed or agreed.
      “Criteria” to be Tested
        - Policies – were confidential information policies defined and documented?
        - Communications – were the policies communicated to the appropriate parties?
        - Procedures – are procedures in operation to achieve the goals of the processing integrity policies?
        - Monitoring – is compliance with the policies monitored?

    • The Privacy Principle
      Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and CICA.

    • The Privacy Principle - Criteria
      Policies – The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
      Notice – The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained and disclosed.

    • The Privacy Principle - Criteria
      Choice and Consent – The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
      Collection – The entity collects personal information only for the purposes identified in the notice.

    • The Privacy Principle - Criteria
      Use, Retention, & Disposal – The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.

    • The Privacy Principle - Criteria
      Access – The entity provides individuals with access to their personal information for review and update.
      Disclosure to Third Parties – The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
      Security – The entity protects personal information against unauthorized access.

    • The Privacy Principle - Criteria
      Quality – The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
      Monitoring & Enforcement – The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related inquiries, complaints, and disputes.

    • What else is out there...

    • Integrated Examination of Internal Control
      Essentially a “SOX 404” report.
      Performed in conjunction with a financial statement audit.
      Provides an opinion on the organization’s controls over financial reporting.
      A control “criteria” must be set.
        - COSO is the most common criteria used.
      Not a restricted-use report.

    • Agreed-Upon Procedures
      Our favorite option!
      Gives maximum flexibility regarding pricing and work to be performed.
      However, no professional opinion is actually rendered.
      Restricted-use report.

    • Additional resources...
      For additional information on the new SOC reporting framework, here’s a handy website:
        - http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/SORHome.aspx
      Contact us with questions!
        - Jeff Stefan, 202-419-5104, Jstefan@tatetryon.com
        - Doug Boedeker, 202-419-5106, Dboedeker@tatetryon.com
    • Speaker Biography
      Douglas Boedeker is a partner within Tate & Tryon’s Audit and Assurance Services unit and is also actively involved in the Firm’s exempt organization tax services group. He has more than 19 years of experience providing an array of audit, tax, and consulting services to a variety of nonprofit organizations and employee benefit plans. He takes particular pride that his family has contained at least one CPA every year since 1923. Doug graduated summa cum laude from Susquehanna University in Selinsgrove, Pennsylvania with a Bachelor of Science degree in accounting while simultaneously completing the coursework for a second major in arts administration. He was also named as the University’s recipient of The Wall Street Journal Outstanding Business Student Award. Doug is a frequent speaker on a variety of exempt organization tax issues and the Form 990. He recently presented a session on easing the 990 preparation process for CFOs and auditors at the 2011 AICPA Not for Profit Industry Conference. Doug is a coauthor of Guide to the Newest IRS Form 990: Interpreting and Complying with the New Tax Reporting Requirements for Transparency and Accountability (published by ASAE).

    • Speaker Biography
      Jeff Stefan is the partner in charge of Tate & Tryon’s auditing practice and has more than 25 years of experience serving the nonprofit sector. In addition to his extensive audit and tax experience, he has provided consulting services to organizations such as The World Bank, Public Company Accounting Oversight Board, and ASAE & The Center for Association Leadership in a variety of areas, including grant compliance, merger due diligence, and internal controls. He has also been called upon to consult on a variety of complex issues such as: Fair value accounting (FAS 157), Accounting for alternative investments (FAS 133), Split interest agreements, Endowment accounting (UPMIFA / FSP 117-1), and Uncertain tax positions (FIN 48). Mr. Stefan has presented and authored articles on many recent accounting and auditing issues including: FASB Staff Position (FSP) FAS 117-1, “Endowments of Not-for-Profit Organizations: Net Asset Classification of Funds Subject to an Enacted Version of the Uniform Prudent Management of Institutional Funds Act, and Enhanced Disclosures for All Endowment Funds”, Educating Your Board About Audits, and A Summary of the New Audit Risk Standards.