Recent Changes to SOC Reporting Standards: What You Should Know and How to Prepare

June 28, 2018

Troy Fine - Manager, Risk Advisory Services

Scott Walton - Manager, Risk Advisory Services

Housekeeping Items

• To obtain CPE for this event:
– Respond to the 3 polling questions.
– Complete the evaluation form that will be emailed to you approximately one hour after the conclusion of the program.

• CPE certificates will be emailed to those who completed the polling questions and the online evaluation.

Who Is Schneider Downs?

• One of the top 60 largest accounting and business advisory firms in the United States

• Established in 1956; offices in Pittsburgh, PA and Columbus, OH
• Largest regional independently owned, registered public accounting and business advisory firm in Western Pennsylvania. Approximately 450 personnel in total, including more than 45 shareholders

• Registered with the PCAOB
• Risk Advisory Services
– SOC Reports
– Cybersecurity/Penetration Testing
– SOX Section 404 Compliance
– Internal Audit Outsourcing/Co-sourcing
– Risk Assessments
– Internal Control/Business Process Reviews

Troy Fine

• Manager, Risk Advisory Services
• CPA/CITP, CISA
• Joined Schneider Downs in 2011
• Areas of expertise:
– SOC 1 and SOC 2 assurance services
– SOC 2+ assurance services (HITRUST)
– SOC for Cybersecurity assurance services
– SOX Section 404 compliance
– Internal control assessments
– HIPAA assessments

• Industry experience: Cloud Computing/Software-as-a-Service, Higher Education, Banking, Financial Services, Healthcare, Manufacturing, Nonprofit

• AICPA CITP Credential Committee Member
• Pennsylvania CPA Journal Editorial Board Member

Scott Walton

• Manager, Risk Advisory Services
• Joined Schneider Downs in 2008
• CISA, CIA (Certified Internal Auditor)
• 10+ years of experience in Internal Audit / IT Audit
• Experience in delivering information technology general control reviews, security assessments, enterprise risk assessments, internal audit co-sourcing services and process improvement engagements

• Industry Experience: Data Centers, Software-as-a-Service, Higher Education, Financial Services, Healthcare, Manufacturing, Nonprofit, Insurance

• Manages the SOC practice for the Columbus office

Agenda

• Nomenclature Update
• Brief Overview of SOC Reports
• SSAE 18 Updates and Impacts
• SOC 2 Updates and Impacts
• SOC for Cybersecurity Overview

SOC Nomenclature

SOC - System and Organization Controls (no longer Service Organization Controls)

SSAE 18 Attestation Standard (supersedes the SSAE 16 Attestation Standard)

SOC Suite of Services

Timeline of Change

• 1992 – SAS 70 – Service Organizations
• 2003 – Trust Services Principles and Criteria (merger between SysTrust and WebTrust)
• 2010 – SSAE 16 – Reporting on Controls at a Service Organization
• 2011 – SOC 1, SOC 2, SOC 3
• 2016 – SSAE 18 (AT-C 105, AT-C 205 (SOC 1 & 2), AT-C Section 320 (SOC 1))
• 2017 – SOC for Cybersecurity
• In the near future – SOC for Vendor Supply Chain

Presentation Notes: In the late 1990s, WebTrust (principles and criteria for e-commerce) and SysTrust (principles and criteria for system reliability) were introduced.

System and Organization Controls (SOC) – SOC Suite of Services

• SOC for Service Organizations: SOC 1, SOC 2, SOC 3
• SOC for Cybersecurity (New)
• SOC for Vendor Supply Chain (Under Development)

Polling Question #1

Overview of SOC Reports

Overview of SOC Reports

SOC for Service Organizations

• SOC 1: A report on controls at a service organization that are relevant to user entities' internal control over financial reporting.

• SOC 2: A report on a service organization's nonfinancial reporting controls as they relate to the Trust Services Criteria categories of security, availability, processing integrity, confidentiality and/or privacy of a system.

• SOC 3: A report that is based on the Trust Services Criteria, like the SOC 2, but is intended for a general audience and is therefore shorter and includes less detail than a SOC 2.

Overview of SOC Reports

SOC for Cybersecurity
• A report on the effectiveness of an entity's cybersecurity risk management program.

SOC for Vendor Supply Chain
• An internal controls report on a vendor's manufacturing processes, intended for customers of manufacturers and distributors to better understand the cybersecurity risks in their supply chains. (Under development by the AICPA)

Overview of SOC Reports

Types of SOC Reports

• Type I: An attestation of controls at a service organization at a specific point in time. Attests to the design of the controls only; it provides no evidence that they operated.

• Type II: An attestation of controls at a service organization over a period of time. Attests to both the design and the operating effectiveness of the controls.

Components of a SOC Report

Section I: Independent Auditor’s Report

Section II: Management Assertion

Section III: Management’s Description of the System

Section IV: Description of Testing Performed and the Results of Testing for a Type II Examination.

Section V: Other Information Provided by the Service Organization

Components of SOC Reports

Service Auditor’s Report

• On the fairness of the presentation of the system description (except SOC 3)

• The suitability of design and operating effectiveness of the controls to achieve the objectives of the system or program

Components of SOC Reports

Management’s Assertion

• Management’s fair presentation of the system description (except SOC 3)

• The suitability of design and operating effectiveness of the controls to achieve the objectives of the system or program

Components of SOC Reports

Management’s Description of the System

• Of the service organization’s system – (SOC 1, SOC 2 and SOC for Vendor Supply Chain)

• Of the entity’s cybersecurity risk management program – (SOC for Cybersecurity)

Presentation Notes: There are three main components to a SOC report.

SSAE 18 Updates and Impacts

SSAE 18 Updates and Impacts

Statement on Standards for Attestation Engagements
• SSAE 18 (supersedes SSAE 16)
• Significantly restructures the attestation standards into the following sections:
– AT-C 105 - Common Concepts: matters that relate to all attestation engagements.
– AT-C 205 - Examinations: the performance and reporting requirements and application guidance.
– AT-C 320 - Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting

Presentation Notes: AT-C 105, for example, discusses the need for a responsible party; details the attributes necessary for criteria to be considered suitable; and establishes requirements regarding acceptance and continuance of attestation engagements, documentation, and quality control. AT-C 205 contains the performance and reporting requirements and application guidance applicable to all examination engagements, which apply in addition to the common concepts (AT-C 210 covers reviews and AT-C 215 covers agreed-upon procedures).

SSAE 18 Updates and Impact

SSAE 18 vs SSAE 16 Differences (cont.)

• Requires the service organization to include two sets of complementary control detail for controls that sit outside the service organization's own boundary:
– Complementary User Entity Controls (controls that user entities are expected to operate)
– Complementary Subservice Organization Controls (controls that subservice organizations are expected to operate)
– Both need to be included in management's description of the system
– The service organization needs to monitor the effectiveness of the controls at the subservice organization.

Presentation Notes: This concept establishes and defines the controls that the service organization assumes are in place at user entities and subservice organizations when designing its system, and that must now be disclosed in the system description. Another key factor related to these complementary controls is that they are necessary for the achievement of the control objectives in the report. SSAE 18 provides more guidance in this area and should lead to more consistent reporting across entities and practitioners.

Polling Question #2

SOC 2 Updates

SOC 2 Updates – What Changed?

• April 2017 – SOC 2 Trust Services Criteria (TSC) Updated

• April 2018 – SOC 2 System Description Criteria Updated (DC Section 200)

Effective Dates

• Report periods ending on or after 12/16/2018
– Must use the updated 2017 TSC and 2018 Description Criteria

• Report periods ending on or before 12/15/2018
– Can still use the current versions of the TSC and Description Criteria (2016 TSC and 2015 DC)

2017 TSC Updates

• Codified in TSP 100 - 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy
– Restructured and aligned the TSC with the COSO Internal Control Framework
– Added supplemental criteria to better address cybersecurity risks
– Expanded requirements for existing criteria
– Added Points of Focus
– Removed the term "Principles" and renamed them "Categories"

Organization of 2017 TSC

2018 Description Criteria Updates

• Codified in DC Section 200 - Description Criteria for a Description of a Service Organization's System in a SOC 2 Report
– New disclosures about the service organization's principal service commitments and system requirements
– New disclosures about certain security incidents

How to Prepare for SOC 2 Updates

How to Prepare for 2017 TSC

• If you issued a SOC 2 report using the 2016 TSC in 2017:
– If the SOC 2 examination period end date is on or before 12/15/18:
• Perform the examination using the 2016 TSC and 2015 DC
• Simultaneously, perform a readiness assessment using the 2017 TSC and 2018 DC
• Review and update the system description to ensure it meets the 2018 DC
– If the SOC 2 examination period end date is on or after 12/16/18:
• Must perform the examination using the 2017 TSC and 2018 DC
• Risk having pervasive exceptions that could cause the report to be qualified
• Consider ending the examination period prior to 12/16/18

How to Prepare for 2017 TSC

• If you did not issue a SOC 2 report in 2017 and have completed a readiness assessment based on the 2016 TSC:
– If the SOC 2 examination period end date is on or before 12/15/18:
• Perform the examination using the 2016 TSC and 2015 DC
• Simultaneously, perform a readiness assessment using the 2017 TSC and 2018 DC
• Review and update the system description to ensure it meets the 2018 DC.
– If the SOC 2 examination period end date is on or after 12/16/18:
• Must perform the examination using the 2017 TSC and 2018 DC.
• Risk having pervasive exceptions that could cause the report to be qualified.
• Consider ending the examination period prior to 12/16/18; or
• Consider moving the examination period start date back and performing a readiness assessment using the 2017 TSC and 2018 DC.

How to Prepare for 2017 TSC

• If you are in the process of engaging a CPA firm to perform a SOC 2 for the first time:
– Determine customer requirements
• Services to include
• Contractual requirements
• Consider deadlines for providing reports to customers
– Determine the scope of the report
– Engage a CPA firm to perform a readiness assessment using the 2017 TSC and 2018 DC

SOC for Cybersecurity

Polling Question #3

Why SOC for Cybersecurity?

• Boards of directors and other stakeholders require information about cybersecurity risks and controls.

• No framework existed for a CPA firm to assess the effectiveness of an entity’s cybersecurity risk management program.

Potential Users of the Report

• Board of Directors
• Analysts and Investors
• Business Partners
• Industry Regulators
• Customers

What Is a Cybersecurity Risk Management Program?

An entity's cybersecurity risk management program is the set of policies, processes, and controls designed to protect information and systems from security events and to detect, respond to, mitigate, and recover from security events that are not prevented.

What Is a SOC for Cybersecurity Report?

• Two Subject Matters
– Management's description of the entity's cybersecurity risk management program
– The effectiveness of controls within that program to achieve the entity's cybersecurity objectives

• Will cover a specific time period
– Can be point in time (i.e., a design-only exam) under certain circumstances

Components of a SOC for Cybersecurity Report

• Management's description of the entity's cybersecurity risk management program

• Management's Assertion
• Practitioner's Report and opinion on whether:
– the description is presented in accordance with the description criteria, and
– the controls within the entity's cybersecurity risk management program were effective to achieve the entity's cybersecurity objectives based on the control criteria.

Components of a SOC for Cybersecurity Report (Cont.)

• The practitioner's tests of controls and test results are not included (unlike the Section IV test detail in a SOC 2 Type II report).
– General-use report

What Are the Control Criteria?

• Control Criteria – The benchmark used by the practitioner when evaluating the effectiveness of controls.
– Suitable criteria:
• The criteria for the security, availability, and confidentiality categories of the 2017 Trust Services Criteria
– Other potentially suitable control criteria (requires practitioner judgment):
• NIST Cybersecurity Framework
• ISO 27001

What Are the Description Criteria?

• Description Criteria – A set of benchmarks to be used when preparing and evaluating the presentation of a description of the entity's cybersecurity risk management program.
– The Assurance Services Executive Committee (ASEC) of the AICPA published "Description Criteria for Management's Description of the Entity's Cybersecurity Risk Management Program"

Categories of the Description Criteria

• Nature of Business and Operations
• Nature of Information at Risk
• Cybersecurity Objectives
• Factors That Have a Significant Effect on Inherent Cybersecurity Risks
• Cybersecurity Risk Governance Structure
• Cybersecurity Risk Assessment Process
• Cybersecurity Communications and the Quality of Cybersecurity Information
• Monitoring of the Cybersecurity Risk Management Program
• Cybersecurity Control Processes

– An illustrative SOC for Cybersecurity report is available and includes an example description (https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/illustrative-cybersercurity-risk-management-report.pdf)

How to Prepare for a SOC for Cybersecurity Exam

• Understand the intended users of the report.
• Determine if the scope will be entity-wide or over a specific business unit.
• Determine if the examination will cover a period of time or a point in time (design only).
• Write the description of the cybersecurity risk management program based on the description criteria.
• Determine the control criteria to be used.
• Engage a CPA firm to perform a readiness assessment.

Questions?

Contact Information

Troy Fine – [email protected] - 412-697-5238

Scott Walton– [email protected] - 614-586-7238

Visit our blog for more information on SOC Reports: https://www.schneiderdowns.com/our-thoughts-on

SOC Report FAQs:https://www.schneiderdowns.com/soc-report-faq

Presentation Notes: Thank you for having us today. Feel free to contact us directly and to visit our blog for information on accounting and cybersecurity topics.