SOC 1 Overview
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
01 Background & Overview
OVERVIEW
• SSAE 16
• SOC 1
• AT Section 801
• ISAE 3402
SERVICE AUDITORS
SERVICE PROVIDERS
USER ENTITIES
USER AUDITORS
02 Overview of the AICPA Framework
AICPA SOC FRAMEWORK

                               SOC-1                         SOC-2                        SOC-3
Applicable Standard/Guidance   SSAE 16:                      AT 101:                      AT 101:
                               AICPA Guide (2013)            AICPA Guide (2013)           Technical Practice Aid (2014)
Scope                          ICFR                          Security/Systems, Privacy    Security/Systems, Privacy
Criteria                       Control Objectives            Trust Services               Trust Services
                                                             Principles/GAPP              Principles/GAPP
Usage of report                User auditor, user entity,    Knowledgeable parties        Anyone
                               management of SO

03 Purpose & Scope
WHY DO YOU NEED AN SOC REPORT?
• Regulatory requirements
• User entity mandates
• Outsourcing relationships
• Internal control analysis
• Independent 3rd party opinion
• Competition and market
Focused on financial reporting risks
SPECIFIED BY THE SERVICE ORGANIZATION
• Operational/Application
• General IT controls
04 The Boundaries
If there is relevance to internal control over financial reporting, there is a SOC 1 examination!
BOUNDARIES
• What does SOC 1 cover?
• What does SOC 1 not cover?
BOUNDARIES
• Limited to specific users
• Limited purpose
05 The Anatomy
REPORT STRUCTURE
• Service Auditor’s Report – “The Opinion”
• Management’s Assertion
• Description of the System
• Tests of Controls and Corresponding Results
• Additional Information – Provided by Service Organization
SERVICE AUDITOR’S REPORT
Unqualified vs. Qualified
MANAGEMENT’S ASSERTION
• Commitment - suitability and accuracy
• SOX Section 302 certification
• Subservice organizations
SYSTEM DESCRIPTION
Management’s objective description of the services provided to user entities.
TEST OF CONTROLS / RESULTS
• Test procedures
• Results
• Deviations / Exceptions
ADDITIONAL INFORMATION
Information not related to ICFR
05 Common Challenges and Benefits
RELEVANCE TO CUSTOMERS’ ICFR
• Impact on financial reporting
• Legal / regulatory compliance
• Impact on production / quality

• No financial reporting impact
• Misuse of the report

• Accurate use of report
• User auditor expectations
EDUCATION & PREPAREDNESS
• Contracts, RFP, SLA
• AICPA website
• Training and awareness
• Executive communication
• Discussion with service auditor

• Insufficient timing
• Silos / groups

• Demonstrates management’s responsibility and accountability
• Promotes successful examination efforts
CUSTOMER REQUIREMENTS
• Document client needs
• Client discussions
• Decide on report type

• Choosing the correct report
• Trying to meet multiple compliance efforts as a single deliverable

• Meet ICFR regulatory or contractual mandates
• Bolster trust and confidence
• One exam meets multiple customer requests
• Promote a stronger control environment
CARVE-OUT VS INCLUSIVE
• Carve-out method emphasis
• Subservice organization
• Inclusive method requirements

• Obtaining cooperation / documentation for subservice organization(s)

• Focused and tailored report
REPORT TYPE
• Type 1
• Type 2

• Insufficient coverage
• Implementation of controls

• Both attestation reports
• Timeliness of report
• Report coverage and content
RISK ASSESSMENT & SCOPE
Perform a risk assessment

• Accurate scope
• Control identification

• Pre-planning process
• Better understanding of environment
• Early identification of issues
INTERNAL AUDIT ASSISTANCE
• Direct assistance
• Use work of others

• Learning curve
• Difference in testing strategies

• Professional fees and time
• Understanding of environment
• Evidence gathering and management
READINESS ASSESSMENT
• Internally
• Service auditors

• Inaccurate description of process
• Lack of resources

• Increase success in the audit
• Earlier remediation efforts
• Better preparation
• Documentation of the narrative
REMEDIATION
• Policies/Procedures
• Segregation of duties
• Monitoring

• Insufficient planning
• Resource constraints
• Timely remediation

• Meet ICFR regulatory or contractual mandates
• Bolster confidence
• Promote a stronger control environment
AUDIT FIRM SELECTION
• Licensed CPA firm
• Independent
• Single Vendor Approach
• Audit Team

• Lack of mature methodology
• Remote-only testing
• Use of offshore resources

• Acceptable auditor-to-auditor communication
• Value-added controls assessment process
Download SOC 1 PrepKit
• SOC Overview
• Examination Scoping
• RFP Template
• Sample Report
  • 25. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Test procedures • Results • Deviations / Exceptions TEST OF CONTROLS / RESULTS
  • 26. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Information not related to ICFR ADDITIONAL INFORMATION
  • 27. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Common Challenges and Benefits05 ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
  • 28. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Impact on financial reporting • Legal / regulatory compliance • Impact on production /quality RELEVANCE TO CUSTOMERS’ ICFR
  • 29. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved RELEVANCE TO CUSTOMERS’ ICFR • No financial reporting impact • Misuse of the report
  • 30. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved RELEVANCE TO CUSTOMERS’ ICFR • Accurate use of report • User auditor expectations
  • 31. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Contracts, RFP, SLA • AICPA website • Training and awareness • Executive communication • Discussion with service auditor EDUCATION & PREPAREDNESS
  • 32. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved EDUCATION & PREPAREDNESS • Insufficient timing • Silos / groups
  • 33. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved EDUCATION & PREPAREDNESS • Demonstrates management’s responsibility and accountability • Promotes successful examination efforts
  • 34. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved CUSTOMER REQUIREMENTS • Document client needs • Client discussions • Decide on report type
  • 35. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved CUSTOMER REQUIREMENTS • Choosing the correct report • Trying to meet multiple compliance efforts as a single deliverable
  • 36. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved CUSTOMER REQUIREMENTS • Meet ICFR regulatory or contractual mandates • Bolster trust and confidence • One exam meets multiple customer requests • Promote a stronger control environment
  • 37. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved CARVE-OUT VS INCLUSIVE • Carve-out method emphasis • Subservice organization • Inclusive method requirements
  • 38. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved CARVE-OUT VS INCLUSIVE • Obtaining cooperation / documentation for subservice organization(s)
  • 39. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved CARVE-OUT VS INCLUSIVE • Focused and tailored report
  • 40. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Type 1 • Type 2 REPORT TYPE
  • 41. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Insufficient coverage • Implementation of controls REPORT TYPE
  • 42. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Both attestation reports • Timeliness of report • Report coverage and content REPORT TYPE
  • 43. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Perform a risk assessment RISK ASSESSMENT & SCOPE
  • 44. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Accurate scope • Control identification RISK ASSESSMENT & SCOPE
  • 45. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Pre-planning process • Better understanding of environment • Early identification of issues RISK ASSESSMENT & SCOPE
  • 46. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Direct assistance • Use work of others INTERNAL AUDIT ASSISTANCE
  • 47. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Learning curve • Difference in testing strategies INTERNAL AUDIT ASSISTANCE
  • 48. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Professional fees and time • Understanding of environment • Evidence gathering and management INTERNAL AUDIT ASSISTANCE
  • 49. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Internally • Service auditors READINESS ASSESSMENT
  • 50. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Inaccurate description of process • Lack of resources READINESS ASSESSMENT
  • 51. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Increase success in the audit • Earlier remediation efforts • Better preparation • Documentation of the narrative READINESS ASSESSMENT
  • 52. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Policies/Procedures • Segregation of duties • Monitoring REMEDIATION
  • 53. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Insufficient planning • Resource constraints • Timely remediation REMEDIATION
  • 54. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Meet ICFR regulatory or contractual mandates • Bolster confidence • Promote a stronger control environment REMEDIATION
  • 55. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Licensed CPA firm • Independent • Single Vendor Approach • Audit Team AUDIT FIRM SELECTION
  • 56. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Lack of mature methodology • Remote only testing • Use of offshore resources AUDIT FIRM SELECTION
  • 57. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Acceptable auditor to auditor communication • Value-added controls assessment process AUDIT FIRM SELECTION
  • 58. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • SOC Overview • Examination Scoping • RFP Template • Sample Report Download SOC 1 PrepKit