The Auditing Standards Board issued an updated Statement on Standards for Attestation Engagements (SSAE 18) effective May 1, 2017. Why the changes? What’s different? Join us to learn more about how these new standards will impact your next SOC review and report.
Slide 3 (www.nicsa.org)
Discussion Points
• Timeline of Technical Guidance and Overview of SOC 1
• AICPA Branding of SOC Reports
• The Clarity Project and SSAE 18
• Summary of Changes Resulting from SSAE 18
• Overview of SOC 1, SOC 2 and SOC 3 Reports
• Glossary
NTAC:3NS-20 3
Slide 7
Polling Question #1
How does your organization engage in the SOC process?
a) Service Provider who undergoes a SOC examination
b) Recipient/reviewer of reports from Service Providers
c) Both a) and b)
d) Audit firm performing SOC examinations
e) Other
Slide 9
AICPA Branding: System and Organization Control ("SOC") Reports
The AICPA Systems for Service Organization Controls is a suite of services that CPAs may provide in connection with system-level controls at a service organization or entity-level controls of other organizations.
SOC for Service Organizations
SOC reports are internal control reports on the services provided by a service organization, providing valuable information that users need to assess and address the risks associated with an outsourced service.
• SOC 1® - SOC for Service Organizations: ICFR
• SOC 2® - SOC for Service Organizations: Trust Services Criteria
• SOC 3® - SOC for Service Organizations: Trust Services Criteria for General Use Report
Slide 11
Background
Under the direction of the Auditing Standards Board (ASB), members of the "Clarification Project" undertook the initiative to revise and restructure the Statements on Standards for Attestation Engagements (SSAEs).
The effort was intended to restructure the guidance so that practitioners can more easily adhere to the guidance relevant to their engagements, by performing the following:
• Removing unnecessary redundancy across the standards
• Removing contradictory guidance existing within the standards
• Aligning US standards with International standards
Slide 12
Background
As a result of the Clarity Project, the ASB issued the new Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification.
SSAE 18 became effective for reports with periods ending on or after May 1, 2017.
SSAE 18 establishes requirements for performing and reporting on examination, review, and agreed-upon procedures engagements that enable practitioners to report on subject matter ordinarily other than financial statements.
Slide 13
Sections of SSAE 18
SSAE 18 is codified into sections. The identifier “AT-C” is used to differentiate the sections of the clarified attestation standards (“AT-C” sections) from the sections of the attestation standards that are superseded by SSAE No. 18 (“AT” sections).
Slide 14
Chapters of SSAE 18
The result of the AICPA's Clarity Project was to centralize or consolidate guidance applicable to attestation engagements into the following chapters:
AT-C Sec. 105 – Concepts Common to All Attestation Engagements
AT-C Sec. 205 – Examination Engagements
AT-C Sec. 210 – Review Engagements
AT-C Sec. 215 – Agreed-Upon Procedures Engagements
AT-C Sec. 305 – Prospective Financial Information
AT-C Sec. 310 – Reporting on Pro Forma Financial Information
AT-C Sec. 315 – Compliance Attestation
AT-C Sec. 320 – Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting
Slide 15
Polling Question #2
Before today’s program, how much did you know about the changes?
a) Nothing, I wasn’t aware of the change
b) A little, but another team in my organization is leading
c) A lot, we are well underway with our changes
d) Everything, we have already adopted all required changes
Slide 17
Summary of Changes
Complementary Subservice Organization Controls (CSOC)
• A CSOC is a control that management assumes will be implemented by the subservice organization and is necessary to achieve a control objective.
• CSOCs must be included in Section III: Description of the System, in the table within the Subservice Organization section.
Monitoring Subservice Organizations
• Previously, the service organization was responsible for monitoring carve-out subservice organizations. This monitoring now applies to subservice organizations using the inclusive method.
Slide 18
Summary of Changes
Controls Testing
• Only key controls should be identified for testing. Non-key controls should be removed if they are not necessary to achieve the control objectives. All key controls should be included in Section III.
Management's Assertion
• SSAE 18 establishes minimum criteria for management's assertions. The service organization should make minimal to no changes to the assertion. This will allow user organizations to more easily compare consistency across SOC reports.
Slide 19
Summary of Changes
Definition of Internal Audit
• Service auditors relying on Internal Audit must revisit the competence and objectivity of the group based on the revised definition.
• Internal audit reports with the same scope as the SOC report should be reviewed and evaluated by the service auditor.
Reliability of Information
• The service auditor must perform procedures to evaluate the completeness, accuracy and sufficiency of the data provided by the service organization.
20. www.nicsa.org
Definition of Misstatement
• A difference between the measurement or evaluation of the subject matter by the responsible party and the proper measurement or evaluation of the subject matter based on the criteria.
• Misstatements can be intentional or unintentional, qualitative or quantitative, and include omissions. In certain engagements, a misstatement may be referred to as a deviation, exception, or instance of noncompliance.
• Issues related to fair presentation or design will be referred to as misstatements.
• Issues related to operating effectiveness will be referred to as exceptions.
Definition of Risk of Material Misstatement
• The risk that the subject matter is not in accordance with (or based on) the criteria in all material respects or that the assertion is not fairly stated, in all material respects.
• A comprehensive risk assessment should be performed and documented by the service organization.
• The service auditor should design and perform further procedures whose nature, timing, and extent are based on, and responsive to, the assessed risks of material misstatement.
The Service Auditor's Opinion
• The content has been reorganized and the format has changed to include headers for each section.
• The template includes references to complementary subservice organization controls (CSOC).
• The restricted use paragraph has been expanded to include the auditors who audit and report on internal controls over financial reporting (ICFR).
Polling Question #3
Which of the changes below will have the greatest impact on your organization?
a) CSOC – Complementary Subservice Organization Controls
b) Key controls/removing non-key controls
c) Revisiting reliance on internal audit
d) Definition of Misstatement
e) All of them!
Overview of SOC 1, SOC 2 and SOC 3

SOC 1 Report
Full Report Name: SOC 1® - SOC for Service Organizations: ICFR
Standard and Section for Engagement: Statement on Standards for Attestation Engagements No. 18
• AT-C Section 105, Concepts Common to All Attestation Engagements
• AT-C Section 205, Examination Engagements
• AT-C Section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting
Subject Matter of the Engagement: Controls at a service organization relevant to user entities' internal control over financial reporting.
Service Auditor's Report: Contains opinions on
• the fairness of the presentation of the description of the system
• the suitability of the design of the controls
• the operating effectiveness of the controls (for Type 2 report)
Intended Users: Restricted Use Report. The report is intended solely for the information and use of management of the company, user entities of the company's System, and their auditors who audit and report on such user entities' financial statements or internal control over financial reporting and have a sufficient understanding to consider it, along with other information, including information about controls implemented by user entities themselves, when assessing the risks of material misstatement of user entities' financial statements.

SOC 2 Report
Full Report Name: SOC 2® - SOC for Service Organizations: Trust Services Criteria
Standard and Section for Engagement: Statement on Standards for Attestation Engagements No. 18
• AT-C Section 105, Concepts Common to All Attestation Engagements
• AT-C Section 205, Examination Engagements
Subject Matter of the Engagement: Controls at a service organization relevant to
• security
• availability
• processing integrity
• confidentiality, or
• privacy.
Service Auditor's Report: Contains opinions on
• the fairness of the presentation of the description of the system
• the suitability of the design of the controls
• the operating effectiveness of the controls (for Type 2 report)
Intended Users: Restricted Use Report. The report is intended solely for the information and use of the Company; user entities of the Company's System during some or all of the Specified Period; those prospective user entities, independent auditors, and practitioners providing services to such user entities, and regulators who have sufficient knowledge and understanding.

SOC 3 Report
Full Report Name: SOC 3® - SOC for Service Organizations: Trust Services Criteria for General Use Report
Standard and Section for Engagement: Statement on Standards for Attestation Engagements No. 18
• AT-C Section 105, Concepts Common to All Attestation Engagements
• AT-C Section 205, Examination Engagements
Subject Matter of the Engagement: Controls at a service organization relevant to
• security
• availability
• processing integrity
• confidentiality, or
• privacy.
Service Auditor's Report: Report on whether the entity maintained effective controls over its system as it relates to the principle being reported on in the subject matter of the engagement, based on the applicable trust services criteria.
Intended Users: General Use Report. The report can be freely distributed or posted on a website as a seal.
Glossary
Assertion. Any declaration or set of declarations about whether the subject matter is in accordance with (or based on) the
criteria.
Attestation engagement. An examination, review, or agreed-upon procedures engagement performed under the attestation
standards related to subject matter or an assertion that is the responsibility of another party. The following are the three types of
attestation engagements:
Examination engagement. An attestation engagement in which the practitioner obtains reasonable assurance by obtaining
sufficient appropriate evidence about the measurement or evaluation of subject matter against criteria in order to be able
to draw reasonable conclusions on which to base the practitioner's opinion about whether the subject matter is in
accordance with (or based on) the criteria or the assertion is fairly stated, in all material respects. (Ref: par. A7)
Review engagement. An attestation engagement in which the practitioner obtains limited assurance by obtaining sufficient
appropriate review evidence about the measurement or evaluation of subject matter against criteria in order to express a
conclusion about whether any material modification should be made to the subject matter in order for it to be in accordance
with (or based on) the criteria or to the assertion in order for it to be fairly stated. (Ref: par. A8)
Agreed-upon procedures engagement. An attestation engagement in which a practitioner performs specific procedures on
subject matter or an assertion and reports the findings without providing an opinion or a conclusion on it. The parties to
the engagement (specified party), as defined later in this paragraph, agree upon and are responsible for the sufficiency of
the procedures for their purposes.
Control objectives. The aim or purpose of specified controls at the service organization. Control objectives address the risks that
controls are intended to mitigate.
Complementary subservice organization controls. Controls that management of the service organization assumes, in the design
of the service organization's system, will be implemented by the subservice organizations and are necessary to achieve the control
objectives stated in management's description of the service organization's system.
Complementary user entity controls. Controls that management of the service organization assumes, in the design of the service
organization’s system, will be implemented by user entities and are necessary to achieve the control objectives stated in
management's description of the service organization's system. (Ref: par. A6)
Engaging party. The party(ies) that engages the practitioner to perform the attestation engagement. (Ref: par. A17)
Evidence. Information used by the practitioner in arriving at the opinion, conclusion, or findings on which the practitioner's
report is based.
General use. Use of a practitioner's report that is not restricted to specified parties.
Internal audit function. A function of an entity that performs assurance and consulting activities designed to evaluate and
improve the effectiveness of the entity's governance, risk management, and internal control processes.
Misstatement. A difference between the measurement or evaluation of the subject matter by the responsible party and the
proper measurement or evaluation of the subject matter based on the criteria. Misstatements can be intentional or
unintentional, qualitative or quantitative, and include omissions. In certain engagements, a misstatement may be referred to as a
deviation, exception, or instance of noncompliance.
Professional judgment. The application of relevant training, knowledge, and experience, within the context provided by
attestation and ethical standards in making informed decisions about the courses of action that are appropriate in the
circumstances of the attestation engagement.
Professional skepticism. An attitude that includes a questioning mind, being alert to conditions that may indicate possible
misstatement due to fraud or error, and a critical assessment of evidence.
Reasonable assurance. A high, but not absolute, level of assurance.
Responsible party. The party(ies) responsible for the subject matter. If the nature of the subject matter is such that no such party
exists, a party who has a reasonable basis for making a written assertion about the subject matter may be deemed to be the
responsible party.
Service auditor. A practitioner who reports on controls at a service organization.
Service organization. An organization or segment of an organization that provides services to user entities, which are likely to be
relevant to those user entities' internal control over financial reporting.
Service organization's assertion. A written assertion about the matters referred to in part (b) of the definition of management's
description of a service organization's system and a service auditor's report on that description and on the suitability of the
design and operating effectiveness of controls, for a type 2 report, and, for a type 1 report, the matters referred to in part (b) of
the definition of management's description of a service organization's system and a service auditor's report on that description
and on the suitability of the design of controls.
Specified party. The intended user(s) to whom use of the written practitioner's report is limited.
Subject matter. The phenomenon that is measured or evaluated by applying criteria.
Subservice organization. A service organization used by another service organization to perform some of the services provided to
user entities that are likely to be relevant to those user entities' internal control over financial reporting. The following are the two
treatments for subservice organizations:
Carve-out method. Method of addressing the services provided by a subservice organization, whereby management's
description of the service organization's system identifies the nature of the services performed by the subservice
organization and excludes from the description and from the scope of the service auditor's engagement the subservice
organization’s relevant control objectives and related controls.
Inclusive method. Method of addressing the services provided by a subservice organization whereby management's
description of the service organization's system includes a description of the nature of the services provided by the
subservice organization as well as the subservice organization's relevant control objectives and related controls.
User auditor. An auditor who audits and reports on the financial statements of a user entity.
User entity. An entity that uses a service organization for which controls at the service organization are likely to be relevant to
that entity's internal control over financial reporting.