Moss Adams SSAE 16 SOC Audits


Overview of SOC reporting, Scope and coverage of SOC audits for AIS, Background about Moss Adams, Key terminology, Customers’ responsibilities

Speaker notes: definitions of the Trust Services principles and control areas used in the SOC 2 and SOC 3 slides.

Principles
  • Security. The system is protected against unauthorized access (both physical and logical).
  • Availability. The system is available for operation and use as committed or agreed.
  • Processing Integrity. System processing is complete, accurate, timely, and authorized.
  • Confidentiality. Information designated as confidential is protected as committed or agreed.
  • Privacy. Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity's privacy notice and with the criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and CICA.

Control areas
  • Policies. The entity has defined and documented its policies relevant to the particular principle. (The term "policies" as used here refers to written statements that communicate management's intent, objectives, requirements, responsibilities, and standards for a particular subject.)
  • Communications. The entity has communicated its defined policies to responsible parties and authorized users of the system.
  • Procedures. The entity has placed in operation procedures to achieve its objectives in accordance with its defined policies.
  • Monitoring. The entity monitors the system and takes action to maintain compliance with its defined policies.

Slide 1: SOC AUDITS
Service Organization Reporting
MOSS ADAMS LLP
Slide 2: INTRODUCTION
Chris Kradjan, CPA, CITP, CRISC
Chris Kradjan is the National SSAE 16 Leader for Moss Adams. He has been with Moss Adams since 1994, and has been auditing and consulting since 1992. He works routinely with a wide range of complex service organizations to meet their needs. His practice areas include SSAE 16 SOC 1/2/3 auditing, PCI-DSS compliance services, internal controls reviews, Sarbanes-Oxley compliance services, SysTrust/WebTrust audits, and independent technology assessments. Furthermore, Chris is regularly involved with technology and financial controls assessments based on the COSO, COBIT, PCI-DSS, NIST, FISMA, and ISO 27002 frameworks. He serves on the AICPA SOC 2 Task Force and was recently appointed to the AICPA Assurance Services Executive Committee.
Slide 3: OBJECTIVES
  • Overview of SOC reporting
  • Scope and coverage of SOC audits for AIS (American Internet Services)
  • Background about Moss Adams as your auditors
  • Key terminology
  • Customers' responsibilities
  • AIS internal contact
Slide 4: MARKET / REGULATORY PRESSURES
  • Increased competition
  • Sarbanes-Oxley – SEC/publicly traded companies
  • HIPAA Security and Privacy Rules – Healthcare
  • GLBA – Financial services
  • FERPA – Education
  • PCI-DSS – Payment card data
  • State and local security and privacy laws
  • NIST 800-53 – Federal compliance
  • ISO 27001 – Security
  • Safe Harbor – International
Slide 5: SOC AUDITS
  • Represents that AIS has been through an in-depth audit of its system/controls
  • For business unit(s) or the entire organization
  • Discloses controls relevant to customers
  • Demonstrates design and operating effectiveness of the controls in place
  • Follows AICPA standards; can only be issued by CPAs
  • Even more important given Sarbanes-Oxley, heightened regulatory conditions, and increasing competition
Slide 6: VALUE OF SOC AUDITS
  • Provide customers independent assurance about AIS' controls
  • Satisfy multiple customers through a single audit
  • Help AIS differentiate itself from its competition
  • Provide independent feedback to management to define and monitor adherence to established operational metrics
  • Identify potential opportunities to strengthen the business practices and operating environment at AIS
Slide 7: RELEVANT PARTIES
[Diagram: Moss Adams audits American Internet Services; American Internet Services provides services to multiple User Entities; each User Entity has its own User Auditors who rely on the report.]
Slide 8: RELEVANT PARTIES - DEFINED
  • Audit of "system"/controls (vs. financial audit)
  • AIS performs services (as the "service organization") for its own customers
  • In turn, its customers (the "user entities") and their auditors (the "user auditors") want assurance over the AIS systems/controls
  • AIS then hired Moss Adams (the "service auditor") to opine on AIS' systems/controls
Slide 9: MOSS ADAMS
  • 11th largest accounting and consulting firm
  • Reputable and nationally recognized, celebrating 100 years
  • Over 1,800 professionals and 240 partners in 22 offices
  • Strong acceptance among relevant customers and industries/markets
  • Well established in the tech and data center space
  • Professionals serving in important leadership roles through the AICPA, COSO, and other national committees
  • Proven technical expertise and industry credentials
  • Established SOC auditing and testing processes
  • Practical, solution-oriented approach
Slide 10: AUDIT TEAM
Leads
  • Chris Kradjan, Partner
  • Francis Tam, Partner
  • JP Langlois, Supervisor
Highlights
  • Led by the SSAE 16 National Practice Leader
  • Comprises a seasoned SOC team
  • Security, operations and controls advisors
  • SOC, Sarbanes-Oxley, HIPAA, PCI, and internal controls specialists
  • Credentials: CPA, CISA, CISM, CITP, CRISC, PCI QSA
Slide 11: SCOPE
Reports
  • SOC 1 Type 2 Audit (SSAE 16 and ISAE 3402)
  • SOC 2 Type 2 Audit
  • SOC 3 Type 2 Audit
Audit Period Ending: April 30, 2012, April 30, 2013, etc.
Sites
  • Lightwave Data Center (LWDC)
  • San Diego Tech Center (SDTC)
  • Fiber Alley Data Centers #1/#2/#3 (FADC)
  • One Wilshire Point of Presence (OWPOP)
  • Van Buren Data Center (VBDC)
Slide 12: CONTROL AREAS
SOC 1/ISAE 3402 Control Areas:
  • Service Delivery
  • Solutions Design
  • Computer Operations
  • Logical and Physical Security
  • Change Management
  • Incident Management
  • Disaster Recovery Planning
  • Business Continuity Planning
SOC 2 and SOC 3 Principles:
  • Security
  • Availability
SOC 2 and SOC 3 Control Areas:
  • Policies
  • Communication
  • Procedures
  • Monitoring
Slide 13: ALPHABET SOUP
Historical (SAS 70): SAS 70 reporting under AU 324
New with SSAE 16:
  • SOC 1 – Internal Controls Over Financial Reporting (AT 801)
  • SOC 2 – AT 101 and Trust Services Principles, detailed reporting (AT 101)
  • SOC 3 – Trust Services Principles, SysTrust/WebTrust (AT 101)
Type 1 and Type 2 reporting are both still applicable.
Slide 14: SOC 2 AND 3 REPORTING
  • AICPA SOC 2 Report: AT 101 Attest Engagements; Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy (Type 1 and Type 2 reports)
  • AICPA SOC 3 Report: Trust Services Report; Trust Services Principles, Criteria and Illustrations (including WebTrust® and SysTrust®)
Slide 15: TRUST SERVICES
  • Follows Trust Services Principles, Criteria and Illustrations (including WebTrust® and SysTrust®)
  • The engagement is used to emphasize system reliability
  • Based on a prescribed set of control objectives and criteria
Principles:
  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy
Control Areas:
  • Policies
  • Communication
  • Procedures
  • Monitoring
  • Intended audience is system stakeholders
  • No restrictions on report distribution
Slide 16: ISAE 3402
ISAE 3402 is the international standard; the national equivalents shown are:
  • SSAE 16: United States
  • HKCPA 860.2: HK/China
  • CICA 5970: Canada
  • AUS 810: Australia
  • AAF 01/06: United Kingdom
  • Others
Slide 17: REPORT COMPARISON
SOC 2
  1. Auditor's report
  2. Detailed system description
  3. Management assertion
  4. Management controls
  5. Auditor tests of controls and results of those tests – criteria
SOC 1/ISAE 3402
  1. Auditor's report
  2. Detailed system description
  3. Management assertion
  4. Management controls
  5. Auditor tests of controls and results of those tests – control objectives
SOC 3
  1. Auditor's report
  2. Detailed system description
  3. Management assertion
  4. Management controls
  5. Auditor tests of controls and results of those tests
Source: AICPA © 2011
Slide 18: CUSTOMERS' FIDUCIARY RESPONSIBILITY
  • Periodically monitor AIS in a formal manner
  • Obtain and maintain an understanding of AIS operations
  • Assess the policies, procedures and controls in place
  • Identify recent changes and reportable issues
  • Use the latest SOC Type 2 reports to reduce their own compliance efforts
  • Obtain a gap letter/negative assurance letter (also called a bridge letter) to cover the period between reports
Slide 19: CUSTOMERS' BENEFITS OF SOC REPORTS
  • Streamlined way to obtain detailed and regular input on the performance of the service organization
  • Provides a clear description of the controls in place
  • Independently affirms the controls were (1) designed appropriately, and (2) operating effectively
  • Simplifies ability to fulfill fiduciary responsibilities
  • Helps focus on exceptions and issues
  • May provide them cost savings through reduced audit fees
Slide 20: REVIEWING AN SSAE 16 REPORT
  • Audit period covered and whether it is a SOC Type 2 report
  • Firm engaged to perform the SOC audits
  • Nature of the opinion and whether there are any modifications
  • Any subservice organizations included or carved out
  • Scope of controls and level of detail within the control description
  • Coverage and sufficiency of the specified control activities
  • Extent of changes since the prior report
  • Nature, timing and extent of testing performed by the service auditor
  • Nature and extent of exceptions, and their significance
  • Review and consideration of the user control considerations (the complementary user entity controls the customer itself must operate for the service organization's controls to be effective)
Slide 21: AIS INTERNAL CONTACT
Frank Gaff
VP Service Assurance & Chief Compliance Officer
(858) 576-4272 x128
"In successfully completing its current suite of SOC 1, SOC 2 and SOC 3 Type 2 audit reports, AIS has reinforced its strong commitment to the security and availability of its data center facilities and operations."
Chris Kradjan, Partner, National IT/SOC Practice Leader, Moss Adams
Slide 22: CONTACT
Chris Kradjan, CPA, CITP, CRISC
Partner, SSAE 16 National Practice Leader
(206) 302-6511
The material appearing in this presentation is for informational purposes only and is not legal or accounting advice. Communication of this information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although these materials may have been prepared by professionals, they should not be used as a substitute for professional services. If legal, accounting, or other professional advice is required, the services of a professional should be sought.