www.nicsa.org
The Clarity Project:
What You Need to Know
About SSAE 18
NTAC:3NS-20
SPONSORED BY:
Our Presenter
Vincent Concialdi
Partner
Grant Thornton LLP
Advisory Services
Midwest Special Attestation Reporting Solutions Leader
T 312.602.8731
E Vincent.Concialdi@us.gt.com
Discussion Points
• Timeline of Technical Guidance and Overview of SOC 1
• AICPA Branding of SOC Reports
• The Clarity Project and SSAE 18
• Summary of Changes Resulting from SSAE 18
• Overview of SOC 1, SOC 2 and SOC 3 Reports
• Glossary
Timeline of Technical Guidance and Overview of SOC 1
Timeline of Technical Guidance

Guidance                              Date
SAS No. 70                            1992
Trust Services Principles             2006
Trust Services Principles Updates     2009
ISAE No. 3402                         2009
SSAE No. 16                           2010
Trust Services Principles Updates     2014
Trust Services Principles Updates     2016
SSAE No. 18                           2017
Trust Services Principles Updates     2018
SOC 1 Overview (diagram)
Parties shown: subservice organizations, the service organization, user organizations, the service auditor and the user auditors, with auditor-to-auditor communication between the user auditors and the service auditor.
Control layers shown: complementary subservice organization controls (CSOC), the service organization's control environment, and complementary user entity controls.
Polling Question #1
How does your organization engage in the SOC
process?
a) Service Provider who undergoes a SOC examination
b) Recipient/reviewer of reports from Service Providers
c) Both a) and b)
d) Audit firm performing SOC examinations
e) Other
AICPA Branding of SOC Reports
AICPA Branding: System and Organization Control ("SOC") Reports
The AICPA Systems for Service Organization Controls is a suite of services that CPAs may provide in connection with system-level controls at a service organization or entity-level controls of other organizations.
SOC for Service Organizations
SOC reports are internal control reports on the services provided by a
service organization providing valuable information that users need to
assess and address the risks associated with an outsourced service.
• SOC 1® - SOC for Service Organizations: ICFR
• SOC 2® - SOC for Service Organizations: Trust Services Criteria
• SOC 3® - SOC for Service Organizations: Trust Services Criteria for
General Use Report
The Clarity Project and SSAE 18
Background
Under the direction of the Auditing Standards Board (ASB), members of the "Clarification Project" undertook the initiative to revise and restructure the Statements on Standards for Attestation Engagements (SSAEs).
The effort was intended to restructure the guidance so that practitioners can more easily adhere to the guidance relevant to their engagements, by:
• Removing unnecessary redundancy across the standards
• Removing contradictory guidance existing within the standards
• Aligning US standards with International standards
As a result of the Clarity Project, the ASB issued the new
Statement on Standards for Attestation Engagements (SSAE)
No. 18, Attestation Standards: Clarification and Recodification.
SSAE 18 became effective for reports with periods ending on or
after May 1, 2017.
SSAE 18 establishes requirements for performing and reporting
on examination, review, and agreed-upon procedures
engagements that enable practitioners to report on subject
matter ordinarily other than financial statements.
Sections of SSAE 18
SSAE 18 is codified into sections. The identifier "AT-C" is used to differentiate the sections of the clarified attestation standards ("AT-C" sections) from the sections of the attestation standards that are superseded by SSAE No. 18 ("AT" sections).
Chapters of SSAE 18
The result of the AICPA's Clarity Project was to centralize or
consolidate guidance applicable to attestation engagements into the
following chapters:
AT-C Sec. 105 – Concepts Common to All Attestation Engagements
AT-C Sec. 205 – Examination Engagements
AT-C Sec. 210 – Review Engagements
AT-C Sec. 215 – Agreed-Upon Procedures Engagements
AT-C Sec. 305 – Prospective Financial Information
AT-C Sec. 310 – Reporting on Pro Forma Financial Information
AT-C Sec. 315 – Compliance Attestation
AT-C Sec. 320 – Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting
Polling Question #2
Before today’s program, how much did you know
about the changes?
a) Nothing, I wasn’t aware of the change
b) A little, but another team in my organization is leading
c) A lot, we are well underway with our changes
d) Everything, we have already adopted all required changes
Summary of Changes Resulting from SSAE 18
Summary of Changes
Complementary Subservice Organization Controls (CSOC)
• A CSOC is a control that management assumes will be
implemented by the subservice organization and is necessary
to achieve a control objective.
• The CSOC must be included in Section III: Description of the
System. They will be included in the table within the
Subservice Organization section.
Monitoring Subservice Organizations
• Previously, the service organization was responsible for
monitoring carve-out subservice organizations. This
monitoring now applies to subservice organizations using the
inclusive method.
Controls Testing
• Only key controls should be identified for testing. Non-key
controls should be removed if they are not necessary to
achieve the control objectives. All key controls should be
included in Section III.
Management's Assertion
• SSAE 18 establishes minimum criteria for management's assertion. The service organization should make minimal to no changes to the assertion, which allows user organizations to more easily compare SOC reports for consistency.
Definition of Internal Audit
• Service auditors relying on Internal Audit must revisit the
competence and objectivity of the group based on the revised
definition.
• Internal audit reports with the same scope as the SOC report
should be reviewed and evaluated by the service auditor.
Reliability of Information
• The service auditor must perform procedures to evaluate the
completeness, accuracy and sufficiency of the data provided
by the service organization.
Definition of Misstatement
• A difference between the measurement or evaluation of the
subject matter by the responsible party and the proper
measurement or evaluation of the subject matter based on the
criteria.
• Misstatements can be intentional or unintentional, qualitative
or quantitative, and include omissions. In certain
engagements, a misstatement may be referred to as a
deviation, exception, or instance of noncompliance.
• Issues related to fair presentation or design will be referred to
as misstatements.
• Issues related to operating effectiveness will be referred to as
exceptions.
Definition of Risk of Material Misstatement
• The risk that the subject matter is not in accordance with (or
based on) the criteria in all material respects or that the
assertion is not fairly stated, in all material respects.
• A comprehensive risk assessment should be performed and
documented by the service organization.
• The service auditor should design and perform further
procedures whose nature, timing, and extent are based on,
and responsive to, the assessed risks of material
misstatement.
The Service Auditor's Opinion
• The content has been reorganized and the format has
changed to include headers for each section.
• The template includes references to complementary
subservice organization controls (CSOC).
• The restricted use paragraph has been expanded to include
the auditors who audit and report on internal controls over
financial reporting (ICFR).
Polling Question #3
Which of the changes below will have the greatest
impact on your organization?
a) CSOC – Complementary Subservice Organization Controls
b) Key controls/removing non-key controls
c) Revisiting reliance on internal audit
d) Definition of Misstatement
e) All of them!
Overview of SOC 1, SOC 2 and SOC 3 Reports
Overview of SOC 1, SOC 2 and SOC 3

SOC 1 Report
Full report name: SOC 1® - SOC for Service Organizations: ICFR
Standard and section for engagement: Statement on Standards for Attestation Engagements No. 18
• AT-C Section 105, Concepts Common to All Attestation Engagements
• AT-C Section 205, Examination Engagements
• AT-C Section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting
Subject matter of the engagement: Controls at a service organization relevant to user entities' internal control over financial reporting.
Service auditor's report: Contains opinions on
• the fairness of the presentation of the description of the system
• the suitability of the design of the controls
• the operating effectiveness of the controls (for Type 2 report)
Intended users: Restricted Use Report. The report is intended solely for the information and use of management of the company, user entities of the company's System, and their auditors who audit and report on such user entities' financial statements or internal control over financial reporting and have a sufficient understanding to consider it, along with other information, including information about controls implemented by user entities themselves, when assessing the risks of material misstatement of user entities' financial statements.

SOC 2 Report
Full report name: SOC 2® - SOC for Service Organizations: Trust Services Criteria
Standard and section for engagement: Statement on Standards for Attestation Engagements No. 18
• AT-C Section 105, Concepts Common to All Attestation Engagements
• AT-C Section 205, Examination Engagements
Subject matter of the engagement: Controls at a service organization relevant to
• security
• availability
• processing integrity
• confidentiality, or
• privacy.
Service auditor's report: Contains opinions on
• the fairness of the presentation of the description of the system
• the suitability of the design of the controls
• the operating effectiveness of the controls (for Type 2 report)
Intended users: Restricted Use Report. The report is intended solely for the information and use of the Company; user entities of the Company's System during some or all of the Specified Period; those prospective user entities, independent auditors, and practitioners providing services to such user entities, and regulators who have sufficient knowledge and understanding.

SOC 3 Report
Full report name: SOC 3® - SOC for Service Organizations: Trust Services Criteria for General Use Report
Standard and section for engagement: Statement on Standards for Attestation Engagements No. 18
• AT-C Section 105, Concepts Common to All Attestation Engagements
• AT-C Section 205, Examination Engagements
Subject matter of the engagement: Controls at a service organization relevant to
• security
• availability
• processing integrity
• confidentiality, or
• privacy.
Service auditor's report: Report on whether the entity maintained effective controls over its system as it relates to the principle being reported on in the subject matter of the engagement, based on the applicable trust services criteria.
Intended users: General Use Report. The report can be freely distributed or posted on a website as a seal.
Glossary
Assertion. Any declaration or set of declarations about whether the subject matter is in accordance with (or based on) the
criteria.
Attestation engagement. An examination, review, or agreed-upon procedures engagement performed under the attestation
standards related to subject matter or an assertion that is the responsibility of another party. The following are the three types of
attestation engagements:
Examination engagement. An attestation engagement in which the practitioner obtains reasonable assurance by obtaining sufficient appropriate evidence about the measurement or evaluation of subject matter against criteria in order to be able to draw reasonable conclusions on which to base the practitioner's opinion about whether the subject matter is in accordance with (or based on) the criteria or the assertion is fairly stated, in all material respects. (Ref: par. .A7)
Review engagement. An attestation engagement in which the practitioner obtains limited assurance by obtaining sufficient appropriate review evidence about the measurement or evaluation of subject matter against criteria in order to express a conclusion about whether any material modification should be made to the subject matter in order for it to be in accordance with (or based on) the criteria or to the assertion in order for it to be fairly stated. (Ref: par. .A8)
Agreed-upon procedures engagement. An attestation engagement in which a practitioner performs specific procedures on
subject matter or an assertion and reports the findings without providing an opinion or a conclusion on it. The parties to
the engagement (specified party), as defined later in this paragraph, agree upon and are responsible for the sufficiency of
the procedures for their purposes.
Control objectives. The aim or purpose of specified controls at the service organization. Control objectives address the risks that
controls are intended to mitigate.
Complementary subservice organization controls. Controls that management of the service organization assumes, in the design of the service organization's system, will be implemented by the subservice organizations and are necessary to achieve the control objectives stated in management's description of the service organization's system.
Complementary user entity controls. Controls that management of the service organization assumes, in the design of the service
organization’s system, will be implemented by user entities and are necessary to achieve the control objectives stated in
management’s description of the service organization’s system. (Ref: par. .A6)
Engaging party. The party(ies) that engages the practitioner to perform the attestation engagement. (Ref: par. .A17)
Evidence. Information used by the practitioner in arriving at the opinion, conclusion, or findings on which the practitioner's
report is based.
General use. Use of a practitioner's report that is not restricted to specified parties.
Internal audit function. A function of an entity that performs assurance and consulting activities designed to evaluate and
improve the effectiveness of the entity's governance, risk management, and internal control processes.
Misstatement. A difference between the measurement or evaluation of the subject matter by the responsible party and the
proper measurement or evaluation of the subject matter based on the criteria. Misstatements can be intentional or
unintentional, qualitative or quantitative, and include omissions. In certain engagements, a misstatement may be referred to as a
deviation, exception, or instance of noncompliance.
Professional judgment. The application of relevant training, knowledge, and experience, within the context provided by
attestation and ethical standards in making informed decisions about the courses of action that are appropriate in the
circumstances of the attestation engagement.
Professional skepticism. An attitude that includes a questioning mind, being alert to conditions that may indicate possible
misstatement due to fraud or error, and a critical assessment of evidence.
Reasonable assurance. A high, but not absolute, level of assurance.
Responsible party. The party(ies) responsible for the subject matter. If the nature of the subject matter is such that no such party
exists, a party who has a reasonable basis for making a written assertion about the subject matter may be deemed to be the
responsible party.
Service auditor. A practitioner who reports on controls at a service organization.
Service organization. An organization or segment of an organization that provides services to user entities, which are likely to be
relevant to those user entities' internal control over financial reporting.
Service organization's assertion. A written assertion about the matters referred to in part (b) of the definition of management's
description of a service organization's system and a service auditor's report on that description and on the suitability of the
design and operating effectiveness of controls, for a type 2 report, and, for a type 1 report, the matters referred to in part (b) of
the definition of management's description of a service organization's system and a service auditor's report on that description
and on the suitability of the design of controls.
Specified party. The intended user(s) to whom use of the written practitioner's report is limited.
Subject matter. The phenomenon that is measured or evaluated by applying criteria.
Subservice organization. A service organization used by another service organization to perform some of the services provided to
user entities that are likely to be relevant to those user entities' internal control over financial reporting. The following are the two
treatments for subservice organizations:
Carve-out method. Method of addressing the services provided by a subservice organization, whereby management's
description of the service organization's system identifies the nature of the services performed by the subservice
organization and excludes from the description and from the scope of the service auditor's engagement the subservice
organization’s relevant control objectives and related controls.
Inclusive method. Method of addressing the services provided by a subservice organization whereby management's
description of the service organization's system includes a description of the nature of the services provided by the
subservice organization as well as the subservice organization's relevant control objectives and related controls.
User auditor. An auditor who audits and reports on the financial statements of a user entity.
User entity. An entity that uses a service organization for which controls at the service organization are likely to be relevant to
that entity's internal control over financial reporting.
WEBINAR SPONSORED BY:
#WebinarWednesdays
Thank you!
Data Analytics 301: Converting Analysis into Business Strategy
 

Recently uploaded

how to swap pi coins to foreign currency withdrawable.
how to swap pi coins to foreign currency withdrawable.how to swap pi coins to foreign currency withdrawable.
how to swap pi coins to foreign currency withdrawable.
DOT TECH
 
innovative-invoice-discounting-platforms-in-india-empowering-retail-investors...
innovative-invoice-discounting-platforms-in-india-empowering-retail-investors...innovative-invoice-discounting-platforms-in-india-empowering-retail-investors...
innovative-invoice-discounting-platforms-in-india-empowering-retail-investors...
Falcon Invoice Discounting
 
This assessment plan proposal is to outline a structured approach to evaluati...
This assessment plan proposal is to outline a structured approach to evaluati...This assessment plan proposal is to outline a structured approach to evaluati...
This assessment plan proposal is to outline a structured approach to evaluati...
lamluanvan.net Viết thuê luận văn
 
Instant Issue Debit Cards - School Designs
Instant Issue Debit Cards - School DesignsInstant Issue Debit Cards - School Designs
Instant Issue Debit Cards - School Designs
egoetzinger
 
Which Crypto to Buy Today for Short-Term in May-June 2024.pdf
Which Crypto to Buy Today for Short-Term in May-June 2024.pdfWhich Crypto to Buy Today for Short-Term in May-June 2024.pdf
Which Crypto to Buy Today for Short-Term in May-June 2024.pdf
Kezex (KZX)
 
SWAIAP Fraud Risk Mitigation Prof Oyedokun.pptx
SWAIAP Fraud Risk Mitigation   Prof Oyedokun.pptxSWAIAP Fraud Risk Mitigation   Prof Oyedokun.pptx
SWAIAP Fraud Risk Mitigation Prof Oyedokun.pptx
Godwin Emmanuel Oyedokun MBA MSc PhD FCA FCTI FCNA CFE FFAR
 
Instant Issue Debit Cards - High School Spirit
Instant Issue Debit Cards - High School SpiritInstant Issue Debit Cards - High School Spirit
Instant Issue Debit Cards - High School Spirit
egoetzinger
 
The European Unemployment Puzzle: implications from population aging
The European Unemployment Puzzle: implications from population agingThe European Unemployment Puzzle: implications from population aging
The European Unemployment Puzzle: implications from population aging
GRAPE
 
The Role of Non-Banking Financial Companies (NBFCs)
The Role of Non-Banking Financial Companies (NBFCs)The Role of Non-Banking Financial Companies (NBFCs)
The Role of Non-Banking Financial Companies (NBFCs)
nickysharmasucks
 
when will pi network coin be available on crypto exchange.
when will pi network coin be available on crypto exchange.when will pi network coin be available on crypto exchange.
when will pi network coin be available on crypto exchange.
DOT TECH
 
can I really make money with pi network.
can I really make money with pi network.can I really make money with pi network.
can I really make money with pi network.
DOT TECH
 
The secret way to sell pi coins effortlessly.
The secret way to sell pi coins effortlessly.The secret way to sell pi coins effortlessly.
The secret way to sell pi coins effortlessly.
DOT TECH
 
where can I find a legit pi merchant online
where can I find a legit pi merchant onlinewhere can I find a legit pi merchant online
where can I find a legit pi merchant online
DOT TECH
 
一比一原版(UoB毕业证)伯明翰大学毕业证如何办理
一比一原版(UoB毕业证)伯明翰大学毕业证如何办理一比一原版(UoB毕业证)伯明翰大学毕业证如何办理
一比一原版(UoB毕业证)伯明翰大学毕业证如何办理
nexop1
 
Patronage and Good Governance 5.pptx pptc
Patronage and Good Governance 5.pptx pptcPatronage and Good Governance 5.pptx pptc
Patronage and Good Governance 5.pptx pptc
AbdulNasirNichari
 
The WhatsPump Pseudonym Problem and the Hilarious Downfall of Artificial Enga...
The WhatsPump Pseudonym Problem and the Hilarious Downfall of Artificial Enga...The WhatsPump Pseudonym Problem and the Hilarious Downfall of Artificial Enga...
The WhatsPump Pseudonym Problem and the Hilarious Downfall of Artificial Enga...
muslimdavidovich670
 
Intro_Economics_ GPresentation Week 4.pptx
Intro_Economics_ GPresentation Week 4.pptxIntro_Economics_ GPresentation Week 4.pptx
Intro_Economics_ GPresentation Week 4.pptx
shetivia
 
APP I Lecture Notes to students 0f 4the year
APP I  Lecture Notes  to students 0f 4the yearAPP I  Lecture Notes  to students 0f 4the year
APP I Lecture Notes to students 0f 4the year
telilaalilemlem
 
Analyzing the instability of equilibrium in thr harrod domar model
Analyzing the instability of equilibrium in thr harrod domar modelAnalyzing the instability of equilibrium in thr harrod domar model
Analyzing the instability of equilibrium in thr harrod domar model
ManthanBhardwaj4
 
Tax System, Behaviour, Justice, and Voluntary Compliance Culture in Nigeria -...
Tax System, Behaviour, Justice, and Voluntary Compliance Culture in Nigeria -...Tax System, Behaviour, Justice, and Voluntary Compliance Culture in Nigeria -...
Tax System, Behaviour, Justice, and Voluntary Compliance Culture in Nigeria -...
Godwin Emmanuel Oyedokun MBA MSc PhD FCA FCTI FCNA CFE FFAR
 

Recently uploaded (20)

how to swap pi coins to foreign currency withdrawable.
how to swap pi coins to foreign currency withdrawable.how to swap pi coins to foreign currency withdrawable.
how to swap pi coins to foreign currency withdrawable.
 
innovative-invoice-discounting-platforms-in-india-empowering-retail-investors...
innovative-invoice-discounting-platforms-in-india-empowering-retail-investors...innovative-invoice-discounting-platforms-in-india-empowering-retail-investors...
innovative-invoice-discounting-platforms-in-india-empowering-retail-investors...
 
This assessment plan proposal is to outline a structured approach to evaluati...
This assessment plan proposal is to outline a structured approach to evaluati...This assessment plan proposal is to outline a structured approach to evaluati...
This assessment plan proposal is to outline a structured approach to evaluati...
 
Instant Issue Debit Cards - School Designs
Instant Issue Debit Cards - School DesignsInstant Issue Debit Cards - School Designs
Instant Issue Debit Cards - School Designs
 
Which Crypto to Buy Today for Short-Term in May-June 2024.pdf
Which Crypto to Buy Today for Short-Term in May-June 2024.pdfWhich Crypto to Buy Today for Short-Term in May-June 2024.pdf
Which Crypto to Buy Today for Short-Term in May-June 2024.pdf
 
SWAIAP Fraud Risk Mitigation Prof Oyedokun.pptx
SWAIAP Fraud Risk Mitigation   Prof Oyedokun.pptxSWAIAP Fraud Risk Mitigation   Prof Oyedokun.pptx
SWAIAP Fraud Risk Mitigation Prof Oyedokun.pptx
 
Instant Issue Debit Cards - High School Spirit
Instant Issue Debit Cards - High School SpiritInstant Issue Debit Cards - High School Spirit
Instant Issue Debit Cards - High School Spirit
 
The European Unemployment Puzzle: implications from population aging
The European Unemployment Puzzle: implications from population agingThe European Unemployment Puzzle: implications from population aging
The European Unemployment Puzzle: implications from population aging
 
The Role of Non-Banking Financial Companies (NBFCs)
The Role of Non-Banking Financial Companies (NBFCs)The Role of Non-Banking Financial Companies (NBFCs)
The Role of Non-Banking Financial Companies (NBFCs)
 
when will pi network coin be available on crypto exchange.
when will pi network coin be available on crypto exchange.when will pi network coin be available on crypto exchange.
when will pi network coin be available on crypto exchange.
 
can I really make money with pi network.
can I really make money with pi network.can I really make money with pi network.
can I really make money with pi network.
 
The secret way to sell pi coins effortlessly.
The secret way to sell pi coins effortlessly.The secret way to sell pi coins effortlessly.
The secret way to sell pi coins effortlessly.
 
where can I find a legit pi merchant online
where can I find a legit pi merchant onlinewhere can I find a legit pi merchant online
where can I find a legit pi merchant online
 
一比一原版(UoB毕业证)伯明翰大学毕业证如何办理
一比一原版(UoB毕业证)伯明翰大学毕业证如何办理一比一原版(UoB毕业证)伯明翰大学毕业证如何办理
一比一原版(UoB毕业证)伯明翰大学毕业证如何办理
 
Patronage and Good Governance 5.pptx pptc
Patronage and Good Governance 5.pptx pptcPatronage and Good Governance 5.pptx pptc
Patronage and Good Governance 5.pptx pptc
 
The WhatsPump Pseudonym Problem and the Hilarious Downfall of Artificial Enga...
The WhatsPump Pseudonym Problem and the Hilarious Downfall of Artificial Enga...The WhatsPump Pseudonym Problem and the Hilarious Downfall of Artificial Enga...
The WhatsPump Pseudonym Problem and the Hilarious Downfall of Artificial Enga...
 
Intro_Economics_ GPresentation Week 4.pptx
Intro_Economics_ GPresentation Week 4.pptxIntro_Economics_ GPresentation Week 4.pptx
Intro_Economics_ GPresentation Week 4.pptx
 
APP I Lecture Notes to students 0f 4the year
APP I  Lecture Notes  to students 0f 4the yearAPP I  Lecture Notes  to students 0f 4the year
APP I Lecture Notes to students 0f 4the year
 
Analyzing the instability of equilibrium in thr harrod domar model
Analyzing the instability of equilibrium in thr harrod domar modelAnalyzing the instability of equilibrium in thr harrod domar model
Analyzing the instability of equilibrium in thr harrod domar model
 
Tax System, Behaviour, Justice, and Voluntary Compliance Culture in Nigeria -...
Tax System, Behaviour, Justice, and Voluntary Compliance Culture in Nigeria -...Tax System, Behaviour, Justice, and Voluntary Compliance Culture in Nigeria -...
Tax System, Behaviour, Justice, and Voluntary Compliance Culture in Nigeria -...
 

The Clarity Project: SSAE-18 Essentials

  • 1. The Clarity Project: What You Need to Know About SSAE 18
  • 2. Our Presenter: Vincent Concialdi, Partner, Grant Thornton LLP, Advisory Services, Midwest Special Attestation Reporting Solutions Leader. T 312.602.8731, E Vincent.Concialdi@us.gt.com
  • 3. Discussion Points
      • Timeline of Technical Guidance and Overview of SOC 1
      • AICPA Branding of SOC Reports
      • The Clarity Project and SSAE 18
      • Summary of Changes Resulting from SSAE 18
      • Overview of SOC 1, SOC 2 and SOC 3 Reports
      • Glossary
  • 4. Timeline of Technical Guidance and Overview of SOC 1
  • 5. Timeline of Technical Guidance (timeline chart covering 1992 to 2018; the chart's data points are listed below)
      Guidance                             Date
      SAS No. 70                           1992
      Trust Services Principles            2006
      Trust Services Principles Updates    2009
      ISAE No. 3402                        2009
      SSAE No. 16                          2010
      Trust Services Principles Updates    2014
      Trust Services Principles Updates    2016
      SSAE No. 18                          2017
      Trust Services Principles Updates    2018
  • 7. Polling Question #1: How does your organization engage in the SOC process?
      a) Service Provider who undergoes a SOC examination
      b) Recipient/reviewer of reports from Service Providers
      c) Both a) and b)
      d) Audit firm performing SOC examinations
      e) Other
  • 8. AICPA Branding of SOC Reports
  • 9. AICPA Branding: System and Organization Control ("SOC") Reports. The AICPA Systems for Service Organization Controls is a suite of services that CPAs may provide in connection with system-level controls at a service organization or entity-level controls of other organizations. SOC for Service Organizations: SOC reports are internal control reports on the services provided by a service organization, providing valuable information that users need to assess and address the risks associated with an outsourced service.
      • SOC 1® - SOC for Service Organizations: ICFR
      • SOC 2® - SOC for Service Organizations: Trust Services Criteria
      • SOC 3® - SOC for Service Organizations: Trust Services Criteria for General Use Report
  • 10. The Clarity Project and SSAE 18
  • 11. Background. Under the direction of the Auditing Standards Board (ASB), members of the "Clarification Project" undertook the initiative to revise and restructure the Statements on Standards for Attestation Engagements (SSAEs). The effort was intended to restructure the guidance so that practitioners can more easily adhere to the guidance relevant to their engagements, by:
      • Removing unnecessary redundancy across the standards
      • Removing contradictory guidance within the standards
      • Aligning US standards with International standards
  • 12. Background (continued). As a result of the Clarity Project, the ASB issued the new Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification. SSAE 18 became effective for reports with periods ending on or after May 1, 2017. SSAE 18 establishes requirements for performing and reporting on examination, review, and agreed-upon procedures engagements that enable practitioners to report on subject matter ordinarily other than financial statements.
  • 13. Sections of SSAE 18. SSAE 18 is codified into sections. The identifier "AT-C" is used to differentiate the sections of the clarified attestation standards ("AT-C" sections) from the sections of the attestation standards that are superseded by SSAE No. 18 ("AT" sections).
  • 14. Chapters of SSAE 18. The result of the AICPA's Clarity Project was to centralize or consolidate guidance applicable to attestation engagements into the following chapters:
      AT-C Sec. 105 – Concepts Common to All Attestation Engagements
      AT-C Sec. 205 – Examination Engagements
      AT-C Sec. 210 – Review Engagements
      AT-C Sec. 215 – Agreed-Upon Procedures Engagements
      AT-C Sec. 305 – Prospective Financial Information
      AT-C Sec. 310 – Reporting on Pro Forma Financial Information
      AT-C Sec. 315 – Compliance Attestation
      AT-C Sec. 320 – Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting
  • 15. Polling Question #2: Before today's program, how much did you know about the changes?
      a) Nothing, I wasn't aware of the change
      b) A little, but another team in my organization is leading
      c) A lot, we are well underway with our changes
      d) Everything, we have already adopted all required changes
  • 16. Summary of Changes Resulting from SSAE 18
  • 17. Summary of Changes
      Complementary Subservice Organization Controls (CSOC)
      • A CSOC is a control that management assumes will be implemented by the subservice organization and is necessary to achieve a control objective.
      • CSOCs must be included in Section III: Description of the System. They are listed in the table within the Subservice Organization section.
      Monitoring Subservice Organizations
      • Previously, the service organization was responsible for monitoring carve-out subservice organizations. This monitoring now applies to subservice organizations using the inclusive method.
  • 18. Summary of Changes
      Controls Testing
      • Only key controls should be identified for testing. Non-key controls should be removed if they are not necessary to achieve the control objectives. All key controls should be included in Section III.
      Management's Assertion
      • SSAE 18 establishes minimum criteria for management's assertion. The service organization should make minimal to no changes to the assertion. This will allow user organizations to more easily compare consistency across SOC reports.
  • 19. Summary of Changes
      Definition of Internal Audit
      • Service auditors relying on Internal Audit must revisit the competence and objectivity of the group based on the revised definition.
      • Internal audit reports with the same scope as the SOC report should be reviewed and evaluated by the service auditor.
      Reliability of Information
      • The service auditor must perform procedures to evaluate the completeness, accuracy and sufficiency of the data provided by the service organization.
  • 20. Summary of Changes
      Definition of Misstatement
      • A difference between the measurement or evaluation of the subject matter by the responsible party and the proper measurement or evaluation of the subject matter based on the criteria.
      • Misstatements can be intentional or unintentional, qualitative or quantitative, and include omissions. In certain engagements, a misstatement may be referred to as a deviation, exception, or instance of noncompliance.
      • Issues related to fair presentation or design will be referred to as misstatements.
      • Issues related to operating effectiveness will be referred to as exceptions.
  • 21. Summary of Changes
      Definition of Risk of Material Misstatement
      • The risk that the subject matter is not in accordance with (or based on) the criteria in all material respects, or that the assertion is not fairly stated, in all material respects.
      • A comprehensive risk assessment should be performed and documented by the service organization.
      • The service auditor should design and perform further procedures whose nature, timing, and extent are based on, and responsive to, the assessed risks of material misstatement.
  • 22. Summary of Changes
      The Service Auditor's Opinion
      • The content has been reorganized and the format has changed to include headers for each section.
      • The template includes references to complementary subservice organization controls (CSOC).
      • The restricted use paragraph has been expanded to include the auditors who audit and report on internal controls over financial reporting (ICFR).
  • 23. Polling Question #3: Which of the changes below will have the greatest impact on your organization?
      a) CSOC – Complementary Subservice Organization Controls
      b) Key controls/removing non-key controls
      c) Revisiting reliance on internal audit
      d) Definition of Misstatement
      e) All of them!
  • 24. Overview of SOC 1, SOC 2 and SOC 3 Reports
  • 25. Overview of SOC 1, SOC 2 and SOC 3 (comparison table; the column headings are given as field labels under each report)
      SOC 1 Report
        Full Report Name: SOC 1® - SOC for Service Organizations: ICFR
        Standard and Section for Engagement: Statement on Standards for Attestation Engagements No. 18
          • AT-C Section 105, Concepts Common to All Attestation Engagements
          • AT-C Section 205, Examination Engagements
          • AT-C Section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting
        Subject Matter of the Engagement: Controls at a service organization relevant to user entities' internal control over financial reporting.
        Service Auditor's Report: Contains opinions on
          • the fairness of the presentation of the description of the system
          • the suitability of the design of the controls
          • the operating effectiveness of the controls (for Type 2 report)
        Intended Users: Restricted Use Report. The report is intended solely for the information and use of management of the company, user entities of the company's System, and their auditors who audit and report on such user entities' financial statements or internal control over financial reporting and have a sufficient understanding to consider it, along with other information, including information about controls implemented by user entities themselves, when assessing the risks of material misstatement of user entities' financial statements.
      SOC 2 Report
        Full Report Name: SOC 2® - SOC for Service Organizations: Trust Services Criteria
        Standard and Section for Engagement: Statement on Standards for Attestation Engagements No. 18
          • AT-C Section 105, Concepts Common to All Attestation Engagements
          • AT-C Section 205, Examination Engagements
        Subject Matter of the Engagement: Controls at a service organization relevant to
          • security
          • availability
          • processing integrity
          • confidentiality, or
          • privacy.
        Service Auditor's Report: Contains opinions on
          • the fairness of the presentation of the description of the system
          • the suitability of the design of the controls
          • the operating effectiveness of the controls (for Type 2 report)
        Intended Users: Restricted Use Report. The report is intended solely for the information and use of the Company; user entities of the Company's System during some or all of the Specified Period; those prospective user entities, independent auditors, and practitioners providing services to such user entities; and regulators who have sufficient knowledge and understanding.
      SOC 3 Report
        Full Report Name: SOC 3® - SOC for Service Organizations: Trust Services Criteria for General Use Report
        Standard and Section for Engagement: Statement on Standards for Attestation Engagements No. 18
          • AT-C Section 105, Concepts Common to All Attestation Engagements
          • AT-C Section 205, Examination Engagements
        Subject Matter of the Engagement: Controls at a service organization relevant to
          • security
          • availability
          • processing integrity
          • confidentiality, or
          • privacy.
        Service Auditor's Report: Report on whether the entity maintained effective controls over its system as it relates to the principle being reported on in the subject matter of the engagement, based on the applicable trust services criteria.
        Intended Users: General Use Report. The report can be freely distributed or posted on a website as a seal.
  • 27. Glossary
      Assertion. Any declaration or set of declarations about whether the subject matter is in accordance with (or based on) the criteria.
      Attestation engagement. An examination, review, or agreed-upon procedures engagement performed under the attestation standards related to subject matter or an assertion that is the responsibility of another party. The following are the three types of attestation engagements:
        Examination engagement. An attestation engagement in which the practitioner obtains reasonable assurance by obtaining sufficient appropriate evidence about the measurement or evaluation of subject matter against criteria in order to be able to draw reasonable conclusions on which to base the practitioner's opinion about whether the subject matter is in accordance with (or based on) the criteria or the assertion is fairly stated, in all material respects. (Ref: par. .A7)
        Review engagement. An attestation engagement in which the practitioner obtains limited assurance by obtaining sufficient appropriate review evidence about the measurement or evaluation of subject matter against criteria in order to express a conclusion about whether any material modification should be made to the subject matter in order for it to be in accordance with (or based on) the criteria, or to the assertion in order for it to be fairly stated. (Ref: par. .A8)
        Agreed-upon procedures engagement. An attestation engagement in which a practitioner performs specific procedures on subject matter or an assertion and reports the findings without providing an opinion or a conclusion on it. The parties to the engagement (specified party), as defined later in this paragraph, agree upon and are responsible for the sufficiency of the procedures for their purposes.
      Control objectives. The aim or purpose of specified controls at the service organization. Control objectives address the risks that controls are intended to mitigate.
      Complementary subservice organization controls. Controls that management of the service organization assumes, in the design of the service organization's system, will be implemented by the subservice organizations and are necessary to achieve the control objectives stated in management's description of the service organization's system.
      Complementary user entity controls. Controls that management of the service organization assumes, in the design of the service organization's system, will be implemented by user entities and are necessary to achieve the control objectives stated in management's description of the service organization's system. (Ref: par. .A6)
  • 28. Glossary
      Engaging party. The party(ies) that engages the practitioner to perform the attestation engagement. (Ref: par. .A17)
      Evidence. Information used by the practitioner in arriving at the opinion, conclusion, or findings on which the practitioner's report is based.
      General use. Use of a practitioner's report that is not restricted to specified parties.
      Internal audit function. A function of an entity that performs assurance and consulting activities designed to evaluate and improve the effectiveness of the entity's governance, risk management, and internal control processes.
      Misstatement. A difference between the measurement or evaluation of the subject matter by the responsible party and the proper measurement or evaluation of the subject matter based on the criteria. Misstatements can be intentional or unintentional, qualitative or quantitative, and include omissions. In certain engagements, a misstatement may be referred to as a deviation, exception, or instance of noncompliance.
      Professional judgment. The application of relevant training, knowledge, and experience, within the context provided by attestation and ethical standards, in making informed decisions about the courses of action that are appropriate in the circumstances of the attestation engagement.
      Professional skepticism. An attitude that includes a questioning mind, being alert to conditions that may indicate possible misstatement due to fraud or error, and a critical assessment of evidence.
      Reasonable assurance. A high, but not absolute, level of assurance.
      Responsible party. The party(ies) responsible for the subject matter. If the nature of the subject matter is such that no such party exists, a party who has a reasonable basis for making a written assertion about the subject matter may be deemed to be the responsible party.
      Service auditor. A practitioner who reports on controls at a service organization.
      Service organization. An organization or segment of an organization that provides services to user entities, which are likely to be relevant to those user entities' internal control over financial reporting.
  • 29. Glossary
      Service organization's assertion. A written assertion about the matters referred to in part (b) of the definition of management's description of a service organization's system and a service auditor's report on that description and on the suitability of the design and operating effectiveness of controls, for a type 2 report, and, for a type 1 report, the matters referred to in part (b) of the definition of management's description of a service organization's system and a service auditor's report on that description and on the suitability of the design of controls.
      Specified party. The intended user(s) to whom use of the written practitioner's report is limited.
      Subject matter. The phenomenon that is measured or evaluated by applying criteria.
      Subservice organization. A service organization used by another service organization to perform some of the services provided to user entities that are likely to be relevant to those user entities' internal control over financial reporting. The following are the two treatments for subservice organizations:
        Carve-out method. Method of addressing the services provided by a subservice organization, whereby management's description of the service organization's system identifies the nature of the services performed by the subservice organization and excludes from the description and from the scope of the service auditor's engagement the subservice organization's relevant control objectives and related controls.
        Inclusive method. Method of addressing the services provided by a subservice organization, whereby management's description of the service organization's system includes a description of the nature of the services provided by the subservice organization as well as the subservice organization's relevant control objectives and related controls.
      User auditor. An auditor who audits and reports on the financial statements of a user entity.
      User entity. An entity that uses a service organization for which controls at the service organization are likely to be relevant to that entity's internal control over financial reporting.