Page 1 of 5 Crossland Advisors, Inc.
http://crosslandadvisors.com/
610-365-4852
Copyright © 2016
Evaluating Service Organization Control Reports (SOC1, SOC2, SOC3)
Even though Service Organization Control (SOC) reports have been available since 1992, their actual usage and importance have increased significantly with the Sarbanes-Oxley (SOX) Act in 2002. Prior to SOX, contractual obligations for service organizations to provide a SOC report were generally not specific or not included (prior to 2002, contractual requirements for SOC reports were typically found in the government sector, but not for commercial companies). Also, the client organization (aka the user entity) requesting and receiving the report seldom evaluated it; often, it was a “check-the-box” compliance exercise only to make sure a report was received.
With the advent of SOX, financial auditors realized that controls at service
organizations needed to be thoroughly evaluated to make sure they were
comprehensive, appropriate and operating effectively. The increased focus by
financial auditors forced user entity management to also evaluate the controls at
their service organization(s) since these services are an extension of the user entity’s
processes and internal controls and could have a direct impact on other user entity
controls and financial statements. The user entity should expect its service
organization(s) to have at least the same level of controls as if those services were
provided in-house. Unfortunately, most user entities do not have a thorough
understanding of SOC reports and thus do not know how to effectively evaluate the
report(s) they receive from their service organization(s).
A comprehensive evaluation of a SOC report will ascertain whether:
• The report as of a date or period is appropriate for user entity purposes
• The standard under which the SOC report was issued is appropriate
• The report identifies the use of subservice organizations
• The intended users of the report are appropriate
• The report addresses the “System” used by the entity, which includes the IT
applications, policies and procedures, and service organization locations. “System”
refers to the policies and procedures designed, implemented and documented
by management of the service organization, including IT components, to
provide user entities with the services covered by the service auditor's report.
The term “System” does not refer to just the IT applications.
• The evidence provided by the report is sufficient and appropriate for
understanding the service organization's relevant processes and risks
• The report identifies issues with the processes or controls at the service
organization
The first step in evaluating a SOC report is to understand the sections of the report:
• SOC1
  o Report cover
  o Auditor’s opinion
  o Management assertion
  o Description of the system
  o Control objectives, controls, tests and results
• SOC2
  o Report cover
  o Auditor’s opinion
  o Management assertion
  o Description of the system
  o Criteria, controls, tests and results
• SOC3
  o Report cover
  o Auditor’s opinion
  o Management assertion
  o Short description of the system
Auditor’s opinion
The Auditor’s opinion summarizes the scope and conclusion of the report. The opinion
includes:
• The system(s) included in scope and the period being audited
• An identification of subservice organizations included or carved out
• Whether or not the system description fairly presents what was designed and
implemented, the controls related to the control objectives were suitably
designed to reasonably achieve the control objectives, and the controls tested
were operating effectively throughout the period
• The intended users of the report
Management assertion
The service organization makes an assertion regarding its description of the system
and the operation of the system. Management asserts that:
• The description presents how the service organization’s system was designed
and implemented
• The description of the service organization’s system includes relevant details
of changes to the service organization’s system during the period covered by
the description
• The description of the service organization’s system does not omit or distort
information relevant to the service organization’s system, while
acknowledging that management’s description of the service organization’s
system is prepared to meet the common needs of a broad range of user
entities and their user auditors, and may not, therefore, include every aspect
of the service organization’s system that each individual user entity and its
user auditor may consider important in its own particular environment
• The risks that threaten the achievement of the control objectives/criteria
stated in management’s description of the service organization’s system have
been identified by management
• The controls identified in management’s description of the service
organization’s system would, if operating as described, provide reasonable
assurance that those risks would not prevent the control objectives/criteria
stated in the description from being achieved
• The controls were consistently applied as designed throughout the specified
period, including whether manual controls were applied by individuals who
have the appropriate competence and authority
An assertion should be included for any service organization whose control objectives
and controls have been included in the Auditor’s opinion, system description and
control objectives/criteria, controls, tests and results. The assertion may include the
name of the authorizing official at the service organization, but such naming is not
required.
Description of the system
The system description identifies the services that are likely to affect a user entity’s
internal controls, including applications, technology and supporting IT processes. The
description will identify and document:
• The control environment, risk assessment and monitoring performed as part of
internal control
• Each business process/principle included as part of the service overview,
along with the process owner(s), process description and related controls
• The control objectives/criteria associated with each business process/principle,
the risks that threaten the achievement of the control objectives/criteria, the
controls that address those risks, and the service organization’s basis for its
assertion that each control was implemented throughout the report period.
While IT controls do not directly affect the financial statement assertions of
user entities, they are almost always
necessary for the proper functioning of the business process controls that do
directly affect these assertions.
• The physical location(s) where processing occurs
• Subservice organizations and the services they provide
• Complementary user entity controls (CUECs). CUECs are controls assumed to
be in place at the user entity in order for the specified control objectives and
related controls to be achieved
Control objectives/criteria, controls, tests and results
The control objectives/criteria in scope are detailed in a matrix that includes a
description of the tests performed to determine the operating effectiveness of the
controls along with any control deviations noted during testing. The description of
the tests performed should include the nature, timing and extent of the testing
performed.
Areas for follow-up when reviewing a report:
• The report date or period is not appropriate for the intended use
• The report type is not appropriate for the intended use
• The reporting standard is not appropriate for the intended use
• Subservice organizations are noted in the Auditor’s opinion and system
description
• The auditor is not independent or is not competent
• The Auditor’s opinion is qualified
• The report has restricted usage
• There is no Management Assertion for a subservice organization whose
control objectives and controls have been included in the Auditor’s opinion,
system description and control objectives/criteria, controls, tests and results
• The Description of the system does not address, in detail, the processes and
controls expected
• The processing location(s) listed are not the same as those contracted for with
the service organization
• Complementary user entity controls (CUECs) will need to be assessed for
applicability and testing
• The tests performed do not address all aspects of the control objectives/
criteria
• Testing deviations are noted
Crossland Advisors provides IT risk and control services to a number of industries,
including:
• Manufacturing
• Pharmaceuticals
• Healthcare
• Financial Services
• Insurance
• Government
• Retail
• Utilities
Our extensive experience allows us to develop real-world solutions to complex
challenges. We use a process-focused, risk-based approach and are able to relate
leading practices and improvements to understand, anticipate and address a wide
variety of information system risk and process issues.
Crossland Advisors is ready to work with you to satisfy your IT risk and control needs.

More Related Content

What's hot

NQA ISO 13485 Gap Guide – what’s changed?
NQA ISO 13485 Gap Guide – what’s changed?NQA ISO 13485 Gap Guide – what’s changed?
NQA ISO 13485 Gap Guide – what’s changed?NQA
 
NQA ISO 9001 to ISO 27001 Gap Guide
NQA ISO 9001 to ISO 27001 Gap GuideNQA ISO 9001 to ISO 27001 Gap Guide
NQA ISO 9001 to ISO 27001 Gap GuideNQA
 
Building a QMS for Your SaMD
Building a QMS for Your SaMDBuilding a QMS for Your SaMD
Building a QMS for Your SaMDEMMAIntl
 
Computer system validation
Computer system validationComputer system validation
Computer system validationNitor Infotech
 
Computer System Validation Training
Computer System Validation TrainingComputer System Validation Training
Computer System Validation TrainingNetZealous LLC
 
VFD_QAM_1-_AAR_M-1003_Rev_B_-_04_AUG_2014
VFD_QAM_1-_AAR_M-1003_Rev_B_-_04_AUG_2014VFD_QAM_1-_AAR_M-1003_Rev_B_-_04_AUG_2014
VFD_QAM_1-_AAR_M-1003_Rev_B_-_04_AUG_2014Brian McAuliffe
 
Computer-System-Validation
Computer-System-ValidationComputer-System-Validation
Computer-System-ValidationHal Plant
 
SSAE 16 Transitions Overview
SSAE 16 Transitions OverviewSSAE 16 Transitions Overview
SSAE 16 Transitions OverviewJeffrey Paulette
 
(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804
(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804
(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804James W. De Rienzo
 
Tugas mandiri audit novita dewi 11353202277
Tugas mandiri audit  novita dewi 11353202277Tugas mandiri audit  novita dewi 11353202277
Tugas mandiri audit novita dewi 11353202277novita dewi
 
Understanding changes of ISO 9001-2008 to ISO 9001-2015
Understanding changes of ISO 9001-2008 to ISO 9001-2015Understanding changes of ISO 9001-2008 to ISO 9001-2015
Understanding changes of ISO 9001-2008 to ISO 9001-2015Jose Alejandro Soto Zevallos
 
Overview on “Computer System Validation” CSV
Overview on  “Computer System Validation” CSVOverview on  “Computer System Validation” CSV
Overview on “Computer System Validation” CSVAnil Sharma
 
Computer system validation review article by-mahesh b wazade
Computer system validation review article by-mahesh b wazadeComputer system validation review article by-mahesh b wazade
Computer system validation review article by-mahesh b wazadeMahesh B. Wazade
 
Use Of Techniques And Technology In Internal Audit
Use Of Techniques And Technology In Internal AuditUse Of Techniques And Technology In Internal Audit
Use Of Techniques And Technology In Internal AuditManoj Agarwal
 
Overview of computer system validation
Overview of computer system validationOverview of computer system validation
Overview of computer system validationNilesh Damale
 

What's hot (20)

NQA ISO 13485 Gap Guide – what’s changed?
NQA ISO 13485 Gap Guide – what’s changed?NQA ISO 13485 Gap Guide – what’s changed?
NQA ISO 13485 Gap Guide – what’s changed?
 
SOX 2016 - PART I - COSO 2013
SOX 2016 - PART I - COSO 2013SOX 2016 - PART I - COSO 2013
SOX 2016 - PART I - COSO 2013
 
NQA ISO 9001 to ISO 27001 Gap Guide
NQA ISO 9001 to ISO 27001 Gap GuideNQA ISO 9001 to ISO 27001 Gap Guide
NQA ISO 9001 to ISO 27001 Gap Guide
 
Building a QMS for Your SaMD
Building a QMS for Your SaMDBuilding a QMS for Your SaMD
Building a QMS for Your SaMD
 
Computer system validation
Computer system validationComputer system validation
Computer system validation
 
Computer System Validation Training
Computer System Validation TrainingComputer System Validation Training
Computer System Validation Training
 
VFD_QAM_1-_AAR_M-1003_Rev_B_-_04_AUG_2014
VFD_QAM_1-_AAR_M-1003_Rev_B_-_04_AUG_2014VFD_QAM_1-_AAR_M-1003_Rev_B_-_04_AUG_2014
VFD_QAM_1-_AAR_M-1003_Rev_B_-_04_AUG_2014
 
Computer-System-Validation
Computer-System-ValidationComputer-System-Validation
Computer-System-Validation
 
Pravin
PravinPravin
Pravin
 
SSAE 16 Transitions Overview
SSAE 16 Transitions OverviewSSAE 16 Transitions Overview
SSAE 16 Transitions Overview
 
Computerized system validation
Computerized system validationComputerized system validation
Computerized system validation
 
(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804
(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804
(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804
 
Tugas mandiri audit novita dewi 11353202277
Tugas mandiri audit  novita dewi 11353202277Tugas mandiri audit  novita dewi 11353202277
Tugas mandiri audit novita dewi 11353202277
 
Audit process
Audit processAudit process
Audit process
 
Understanding changes of ISO 9001-2008 to ISO 9001-2015
Understanding changes of ISO 9001-2008 to ISO 9001-2015Understanding changes of ISO 9001-2008 to ISO 9001-2015
Understanding changes of ISO 9001-2008 to ISO 9001-2015
 
System Analysts_CSV
System Analysts_CSVSystem Analysts_CSV
System Analysts_CSV
 
Overview on “Computer System Validation” CSV
Overview on  “Computer System Validation” CSVOverview on  “Computer System Validation” CSV
Overview on “Computer System Validation” CSV
 
Computer system validation review article by-mahesh b wazade
Computer system validation review article by-mahesh b wazadeComputer system validation review article by-mahesh b wazade
Computer system validation review article by-mahesh b wazade
 
Use Of Techniques And Technology In Internal Audit
Use Of Techniques And Technology In Internal AuditUse Of Techniques And Technology In Internal Audit
Use Of Techniques And Technology In Internal Audit
 
Overview of computer system validation
Overview of computer system validationOverview of computer system validation
Overview of computer system validation
 

Similar to Evaluating Service Organization Control Reports

Account Right SOC Services brochure.pptx
Account Right SOC Services brochure.pptxAccount Right SOC Services brochure.pptx
Account Right SOC Services brochure.pptxGaneshMeenakshiSunda4
 
Planning for a new Service Organization Control (SOC) report
Planning for a new Service Organization Control (SOC) reportPlanning for a new Service Organization Control (SOC) report
Planning for a new Service Organization Control (SOC) reportJay Crossland
 
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.gueste080564
 
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.renetta
 
Technology Controls in Business - End User Computing
Technology Controls in Business - End User ComputingTechnology Controls in Business - End User Computing
Technology Controls in Business - End User Computingguestc1bca2
 
Key Principles for SOC Certificate
Key Principles for SOC CertificateKey Principles for SOC Certificate
Key Principles for SOC CertificateShyamMishra72
 
Asset Manager’s Guide to SOC 1
Asset Manager’s Guide to SOC 1Asset Manager’s Guide to SOC 1
Asset Manager’s Guide to SOC 1Grant Thornton LLP
 
Internal Control Certification – It’s Not Just an Accounting Thing (Credit Un...
Internal Control Certification – It’s Not Just an Accounting Thing (Credit Un...Internal Control Certification – It’s Not Just an Accounting Thing (Credit Un...
Internal Control Certification – It’s Not Just an Accounting Thing (Credit Un...NAFCU Services Corporation
 
September article SSAE 16 the SAS 70 Final Version (mp)
September article SSAE 16 the SAS 70 Final Version (mp)September article SSAE 16 the SAS 70 Final Version (mp)
September article SSAE 16 the SAS 70 Final Version (mp)Amara Omar Kuyateh
 
SOC Certification for Service Providers: Securing Customer Data
SOC Certification for Service Providers: Securing Customer DataSOC Certification for Service Providers: Securing Customer Data
SOC Certification for Service Providers: Securing Customer DataShyamMishra72
 
Crafting an End-to-End Pharma GRC Strategy
Crafting an End-to-End Pharma GRC StrategyCrafting an End-to-End Pharma GRC Strategy
Crafting an End-to-End Pharma GRC StrategyCognizant
 
BKMSH Basics of SOC III
BKMSH Basics of SOC IIIBKMSH Basics of SOC III
BKMSH Basics of SOC IIIMojoFinancial
 
BKMSH Basics of SOC III
BKMSH Basics of SOC IIIBKMSH Basics of SOC III
BKMSH Basics of SOC IIIMojoFinancial
 
A Beginner's Guide to SOC 2 Certification
A Beginner's Guide to SOC 2 CertificationA Beginner's Guide to SOC 2 Certification
A Beginner's Guide to SOC 2 CertificationShyamMishra72
 
ISA 402 Audit Considerations Relating to an Entity Using a Service Organisation
ISA 402 Audit Considerations Relating to an Entity Using a Service OrganisationISA 402 Audit Considerations Relating to an Entity Using a Service Organisation
ISA 402 Audit Considerations Relating to an Entity Using a Service OrganisationSazzad Hossain, ITP, MBA, CSCA™
 

Similar to Evaluating Service Organization Control Reports (20)

Due dilligence on a cpa firm or other accounting services provdier
Due dilligence on a cpa firm or other accounting services provdierDue dilligence on a cpa firm or other accounting services provdier
Due dilligence on a cpa firm or other accounting services provdier
 
Isae 3402 Abstract
Isae 3402   AbstractIsae 3402   Abstract
Isae 3402 Abstract
 
Account Right SOC Services brochure.pptx
Account Right SOC Services brochure.pptxAccount Right SOC Services brochure.pptx
Account Right SOC Services brochure.pptx
 
Planning for a new Service Organization Control (SOC) report
Planning for a new Service Organization Control (SOC) reportPlanning for a new Service Organization Control (SOC) report
Planning for a new Service Organization Control (SOC) report
 
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
 
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
 
Technology Controls in Business - End User Computing
Technology Controls in Business - End User ComputingTechnology Controls in Business - End User Computing
Technology Controls in Business - End User Computing
 
Key Principles for SOC Certificate
Key Principles for SOC CertificateKey Principles for SOC Certificate
Key Principles for SOC Certificate
 
Asset Manager’s Guide to SOC 1
Asset Manager’s Guide to SOC 1Asset Manager’s Guide to SOC 1
Asset Manager’s Guide to SOC 1
 
Internal Control Certification – It’s Not Just an Accounting Thing (Credit Un...
Internal Control Certification – It’s Not Just an Accounting Thing (Credit Un...Internal Control Certification – It’s Not Just an Accounting Thing (Credit Un...
Internal Control Certification – It’s Not Just an Accounting Thing (Credit Un...
 
September article SSAE 16 the SAS 70 Final Version (mp)
September article SSAE 16 the SAS 70 Final Version (mp)September article SSAE 16 the SAS 70 Final Version (mp)
September article SSAE 16 the SAS 70 Final Version (mp)
 
SMKI vs SMAP vs SMM vs SML v04
SMKI vs SMAP vs SMM vs SML v04SMKI vs SMAP vs SMM vs SML v04
SMKI vs SMAP vs SMM vs SML v04
 
SOC Certification for Service Providers: Securing Customer Data
SOC Certification for Service Providers: Securing Customer DataSOC Certification for Service Providers: Securing Customer Data
SOC Certification for Service Providers: Securing Customer Data
 
Crafting an End-to-End Pharma GRC Strategy
Crafting an End-to-End Pharma GRC StrategyCrafting an End-to-End Pharma GRC Strategy
Crafting an End-to-End Pharma GRC Strategy
 
BKMSH Basics of SOC III
BKMSH Basics of SOC IIIBKMSH Basics of SOC III
BKMSH Basics of SOC III
 
BKMSH Basics of SOC III
BKMSH Basics of SOC IIIBKMSH Basics of SOC III
BKMSH Basics of SOC III
 
SOC Certification.pdf
SOC Certification.pdfSOC Certification.pdf
SOC Certification.pdf
 
A Beginner's Guide to SOC 2 Certification
A Beginner's Guide to SOC 2 CertificationA Beginner's Guide to SOC 2 Certification
A Beginner's Guide to SOC 2 Certification
 
ISA 402 Audit Considerations Relating to an Entity Using a Service Organisation
ISA 402 Audit Considerations Relating to an Entity Using a Service OrganisationISA 402 Audit Considerations Relating to an Entity Using a Service Organisation
ISA 402 Audit Considerations Relating to an Entity Using a Service Organisation
 
4 iso 9001 2000 standard
4 iso 9001 2000 standard4 iso 9001 2000 standard
4 iso 9001 2000 standard
 

Recently uploaded

Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779Delhi Call girls
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Dave Litwiller
 
Call Girls in Gomti Nagar - 7388211116 - With room Service
Call Girls in Gomti Nagar - 7388211116  - With room ServiceCall Girls in Gomti Nagar - 7388211116  - With room Service
Call Girls in Gomti Nagar - 7388211116 - With room Servicediscovermytutordmt
 
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...Lviv Startup Club
 
Insurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageInsurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageMatteo Carbone
 
A DAY IN THE LIFE OF A SALESMAN / WOMAN
A DAY IN THE LIFE OF A  SALESMAN / WOMANA DAY IN THE LIFE OF A  SALESMAN / WOMAN
A DAY IN THE LIFE OF A SALESMAN / WOMANIlamathiKannappan
 
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...lizamodels9
 
Socio-economic-Impact-of-business-consumers-suppliers-and.pptx
Socio-economic-Impact-of-business-consumers-suppliers-and.pptxSocio-economic-Impact-of-business-consumers-suppliers-and.pptx
Socio-economic-Impact-of-business-consumers-suppliers-and.pptxtrishalcan8
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Neil Kimberley
 
Monte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMMonte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMRavindra Nath Shukla
 
VIP Call Girls Pune Kirti 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Kirti 8617697112 Independent Escort Service PuneVIP Call Girls Pune Kirti 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Kirti 8617697112 Independent Escort Service PuneCall girls in Ahmedabad High profile
 
VIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service Jamshedpur
VIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service JamshedpurVIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service Jamshedpur
VIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service JamshedpurSuhani Kapoor
 
Creating Low-Code Loan Applications using the Trisotech Mortgage Feature Set
Creating Low-Code Loan Applications using the Trisotech Mortgage Feature SetCreating Low-Code Loan Applications using the Trisotech Mortgage Feature Set
Creating Low-Code Loan Applications using the Trisotech Mortgage Feature SetDenis Gagné
 
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With Room
VIP Kolkata Call Girl Howrah 👉 8250192130  Available With RoomVIP Kolkata Call Girl Howrah 👉 8250192130  Available With Room
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With Roomdivyansh0kumar0
 
The CMO Survey - Highlights and Insights Report - Spring 2024
The CMO Survey - Highlights and Insights Report - Spring 2024The CMO Survey - Highlights and Insights Report - Spring 2024
The CMO Survey - Highlights and Insights Report - Spring 2024christinemoorman
 
Pharma Works Profile of Karan Communications
Pharma Works Profile of Karan CommunicationsPharma Works Profile of Karan Communications
Pharma Works Profile of Karan Communicationskarancommunications
 
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine ServiceCall Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Serviceritikaroy0888
 
Regression analysis: Simple Linear Regression Multiple Linear Regression
Regression analysis:  Simple Linear Regression Multiple Linear RegressionRegression analysis:  Simple Linear Regression Multiple Linear Regression
Regression analysis: Simple Linear Regression Multiple Linear RegressionRavindra Nath Shukla
 
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999Tina Ji
 

Recently uploaded (20)

Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
 
Call Girls in Gomti Nagar - 7388211116 - With room Service
Call Girls in Gomti Nagar - 7388211116  - With room ServiceCall Girls in Gomti Nagar - 7388211116  - With room Service
Call Girls in Gomti Nagar - 7388211116 - With room Service
 
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
 
Forklift Operations: Safety through Cartoons
Forklift Operations: Safety through CartoonsForklift Operations: Safety through Cartoons
Forklift Operations: Safety through Cartoons
 
Insurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageInsurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usage
 
A DAY IN THE LIFE OF A SALESMAN / WOMAN
A DAY IN THE LIFE OF A  SALESMAN / WOMANA DAY IN THE LIFE OF A  SALESMAN / WOMAN
A DAY IN THE LIFE OF A SALESMAN / WOMAN
 
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...

Evaluating Service Organization Control Reports

A comprehensive evaluation of a SOC report will ascertain whether:
• The report as of a date or period is appropriate for user entity purposes
• The standard under which the SOC report was issued is appropriate
• The report identifies the use of subservice organizations
• The intended users of the report are appropriate
• The report addresses the “System”, which includes the IT applications, policies and procedures and service organization locations, used by the entity. “System” refers to the policies and procedures designed, implemented and documented by management of the service organization, including IT components, to provide user entities with the services covered by the service auditor's report. The term “System” does not refer to just the IT applications.
• The evidence provided by the report is sufficient and appropriate for understanding the service organization's relevant processes and risks
• The report identifies issues with the processes or controls at the service organization
The first step in evaluating a SOC report is to understand the sections of the report:
• SOC1
  o Report cover
  o Auditor’s opinion
  o Management assertion
  o Description of the system
  o Control objectives, controls, tests and results
• SOC2
  o Report cover
  o Auditor’s opinion
  o Management assertion
  o Description of the system
  o Criteria, controls, tests and results
• SOC3
  o Report cover
  o Auditor’s opinion
  o Management assertion
  o Short description of the system

Auditor’s opinion
The Auditor’s opinion summarizes the scope and conclusion of the report. The opinion includes:
• The system(s) included in scope and the period being audited
• An identification of subservice organizations included or carved-out
• Whether or not the system description fairly presents what was designed and implemented, the controls related to the control objectives were suitably designed to reasonably achieve the control objectives and the controls tested were operating effectively throughout the period
• The intended users of the report

Management assertion
The service organization makes an assertion regarding its description of the system and the operation of the system. Management asserts that:
• The description presents how the service organization’s system was designed and implemented
• The description of the service organization’s system includes relevant details of changes to the service organization’s system during the period covered by the description
• The description of the service organization’s system does not omit or distort information relevant to the service organization’s system, while acknowledging that management’s description of the service organization’s system is prepared to meet the common needs of a broad range of user entities and their user auditors, and may not, therefore, include every aspect of the service organization’s system that each individual user entity and its user auditor may consider important in its own particular environment
• The risks that threaten the achievement of the control objectives/criteria stated in management’s description of the service organization’s system have been identified by management
• The controls identified in management’s description of the service organization’s system would, if operating as described, provide reasonable assurance that those risks would not prevent the control objectives/criteria stated in the description from being achieved
• The controls were consistently applied as designed, throughout the specified period, including whether manual controls were applied by individuals who have the appropriate competence and authority
An assertion should be included for any service organization whose control objectives and controls have been included in the Auditor’s opinion, system description and control objectives/criteria, controls, tests and results. The assertion may include the name of the authorizing official at the service organization, but such naming is not required.

Description of the system
The system description identifies the services that are likely to affect a user entity’s internal controls, including applications, technology and supporting IT processes. The description will identify and document:
• The control environment, risk assessment and monitoring performed as part of internal control
• Each business process/principle being included as part of the service overview along with the process owner(s), process description and related controls
• The control objectives/criteria associated with each business process/principle, documenting the risks that threaten the achievement of the control objectives/criteria, the controls that address the risks, and the service organization’s basis for its assertion that each control was implemented throughout the report period. While IT controls do not directly affect the financial statement assertions of user entities, they are almost always necessary for the proper functioning of the business process controls that do directly affect these assertions.
• The physical location(s) where processing occurs
• Subservice organizations and the services they provide
• Complementary user entity controls (CUECs). CUECs are controls assumed to be in place at the user entity in order for the specified control objectives and related controls to be achieved

Control objectives/criteria, controls, tests and results
The control objectives/criteria in scope are detailed in a matrix that includes a description of the tests performed to determine the operating effectiveness of the controls along with any control deviations noted during testing. The description of the tests performed should include the nature, timing and extent of the testing performed.

Areas for follow-up when reviewing a report:
• The report date or period is not appropriate for the intended use
• The report type is not appropriate for the intended use
• The reporting standard is not appropriate for the intended use
• Subservice organizations are noted in the Auditor’s opinion and system description
• The auditor is not independent and competent
• The Auditor’s opinion is qualified
• The report has restricted usage
• There is not a Management Assertion for each subservice organization whose control objectives and controls have been included in the Auditor’s opinion, system description and control objectives/criteria, controls, tests and results
• The Description of the system does not address, in detail, the processes and controls expected
• The processing location(s) listed are not the same as those contracted for with the service organization
• Complementary user entity controls (CUECs) will need to be assessed for applicability and testing
• The tests performed do not address all aspects of the control objectives/criteria
• Testing deviations are noted
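The follow-up areas above can be encoded as an intake triage that a user entity runs over a structured summary of each report it receives. This is an added example, not Crossland Advisors' tooling; the field names, the triage function and the sample report are assumptions, and the independence/competence of the auditor is left as a manual judgement.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class SocReport:
    """Structured summary of a received SOC report (field names are assumptions)."""
    soc_type: int                   # 1, 2 or 3
    period_start: date              # for a Type I report, start == end (the "as of" date)
    period_end: date
    opinion: str                    # "unqualified" or "qualified"
    restricted_use: bool
    included_subservice: list = field(default_factory=list)   # in scope of the report
    carved_out_subservice: list = field(default_factory=list) # excluded from scope
    assertions: list = field(default_factory=list)            # orgs with a management assertion
    processing_locations: list = field(default_factory=list)
    cuecs: list = field(default_factory=list)                 # complementary user entity controls
    deviations: int = 0                                       # deviations in the test results


def triage(r, user_period, expected_type, contracted_locations):
    """Return the follow-up findings for the user entity; an empty list means none."""
    f = []
    if r.soc_type != expected_type:
        f.append(f"report type SOC{r.soc_type} is not the expected SOC{expected_type}")
    start, end = user_period  # period the user entity needs assurance over
    if r.period_start > start or r.period_end < end:
        f.append(f"report period {r.period_start}..{r.period_end} does not cover {start}..{end}")
    if r.opinion != "unqualified":
        f.append("auditor's opinion is qualified")
    if r.restricted_use:
        f.append("report has restricted usage; confirm the user entity is an intended user")
    if r.carved_out_subservice:
        f.append("carved-out subservice organizations are outside this report's scope: "
                 + ", ".join(r.carved_out_subservice))
    missing = [o for o in r.included_subservice if o not in r.assertions]
    if missing:
        f.append("no management assertion for included subservice organization(s): " + ", ".join(missing))
    unexpected = sorted(set(r.processing_locations) - set(contracted_locations))
    if unexpected:
        f.append("processing location(s) not in the contract: " + ", ".join(unexpected))
    if r.cuecs:
        f.append(f"{len(r.cuecs)} CUEC(s) must be assessed for applicability and tested")
    if r.deviations:
        f.append(f"{r.deviations} testing deviation(s) noted")
    return f


# Constructed sample: a SOC1 Type II report from a (fictional) payroll provider.
SAMPLE = SocReport(1, date(2015, 10, 1), date(2016, 9, 30), "unqualified", True,
                   included_subservice=["DataCenterCo"], carved_out_subservice=["CloudHostCo"],
                   assertions=["PayrollCo"], processing_locations=["Phoenix", "Dublin"],
                   cuecs=["Timely review of payroll registers"], deviations=2)

if __name__ == "__main__":
    for line in triage(SAMPLE, (date(2016, 1, 1), date(2016, 12, 31)), 1, ["Phoenix"]):
        print("follow up:", line)
```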
Crossland Advisors provides IT risk and control services to a number of industries, including:
• Manufacturing
• Pharmaceuticals
• Healthcare
• Financial Services
• Insurance
• Government
• Retail
• Utilities
Our extensive experience allows us to develop real world solutions to complex challenges. We use a process-focused risk-based approach and are able to relate leading practices and improvements to understand, anticipate and address a wide variety of information system risk and process issues. Crossland Advisors is ready to work with you to satisfy your IT risk and control needs.