STRATEGIC ALLIANCE WEBINAR SERIES...STRATEGIC ALLIANCE WEBINAR SERIES June 20, 2017 • Participate...


6/19/2017

CPAs & ADVISORS

WHICH SOC REPORT IS RIGHT FOR YOUR CLIENT?

Cindy Boyle

STRATEGIC ALLIANCE WEBINAR SERIES
June 20, 2017

TO RECEIVE CPE CREDIT

• Participate in entire webinar
• Answer polls when they are provided
• If you are viewing this webinar in a group, complete group attendance form with
  • Title & date of live webinar
  • Your company name
  • Your printed name, signature & email address
• All group attendance sheets must be submitted to [email protected] within 24 hours of live webinar
• If all eligibility requirements are met, each participant will be emailed their CPE certificates within 15 business days of live webinar


Jason Jobgen, Director, Alliance Services

Cindy Boyle, Partner, IT Risk Services


AGENDA

• Common Terminology
• Types of Reports
• Recent Changes
• Questions?


COMMON TERMINOLOGY

• Service organization – performs services outsourced by companies/auditee
• Service auditor – CPA who examines & reports on controls at a service organization; used in lieu of practitioner
• Users – typically considered clients of service organization
• User auditor – CPA who performs an audit on the users’ financial statements

COMMON TERMINOLOGY

• SOC – service organization control reports, but AICPA moving to system & organization control reports
  • Broader category of SOC suite of services
  • SOC 2+
  • Will include additional attestations


WHAT ARE SERVICE ORGANIZATIONS?

Service organization – provider of services that may impact a risk to a user’s financial reporting or that poses a business or compliance risk

Services such as

• Cloud computing (SaaS, IaaS, PaaS)
• Managed security providers
• AR/AP/Payroll/Tax outsourcing
• Core financial IT system processing or hosting
• Customer support
• Health care claims management & processing

TYPES OF REPORTS


PRIMARY TYPES OF REPORTS

Controls affect user entities …
• SOC 1: Financial statement – ICFR
• SOC 2: Compliance & operations
• SOC 3: Compliance & operations

Use of report
• SOC 1: Restricted
• SOC 2: Restricted
• SOC 3: General

AICPA interpretive guidance & reporting vehicle
• SOC 1: SSAE No. 18 which includes AT-C section 320, AICPA Guide
• SOC 2: SSAE No. 18 which includes AT-C section 105 & AT-C section 205, AICPA Guide, TSP section 100, AICPA, 2017 Trust Services Criteria
• SOC 3: SSAE No. 18 which includes AT-C section 105 & AT-C section 205, TSP section 100, AICPA, 2017 Trust Services Criteria

Information obtained from AICPA.org

PRIMARY TYPES OF REPORTS

Contents of the report

SOC 1
• Description of service organization’s system
• Management’s written assertion
• Service auditor’s report
• Type 2 includes a description of tests of controls & results of the tests

SOC 2
• Description of service organization’s system
• Management’s written assertion
• Service auditor’s report
• Type 2 includes a description of tests of controls & results of the tests

SOC 3
• Service auditor’s opinion on whether the entity maintained effective controls over its system

Information obtained from AICPA.org


SOC 2 REPORTING

Trust Services Principles (TSP) criteria

• Security (common criteria): system is protected against unauthorized access, use or modification
• Availability: system is available for operation & use as committed or agreed
• Processing Integrity: system processing is complete, valid, accurate, timely & authorized

SOC 2 REPORTING

Trust Services Principles (TSP) criteria

• Confidentiality: information designated as confidential is protected as committed or agreed
• Privacy: system’s collection, use, retention, disclosure & disposal of personal information in conformity with the commitments in the entity’s privacy notice & with criteria set forth in generally accepted privacy principles issued by AICPA & Canadian Institute of Chartered Accountants


SOC 3 REPORTING

• Public report
• Very abbreviated report – essentially a “SOC 2 light”
• Assertion & opinion only on
  • Suitability of design
  • Operating effectiveness of controls
• Not on system description

SOC 3 REPORTING

• No longer has a required seal
  • There is a SOC logo that an organization can display from AICPA
• Essentially must do SOC 2 in order to issue a SOC 3
  • SOC 2 report must have an unqualified opinion
  • Must cover at least a two-month period


SOC 3 REPORTING

• Currently cannot issue a SOC 3 unqualified opinion if
  • There are carved out subservice organizations in the SOC 2
  • There are significant complementary user-entity controls necessary to achieve the applicable trust services principles’ criteria

TWO SUB-TYPES OF SOC 1 & SOC 2 REPORTS


SUBTYPES OF REPORTS – TYPE 1

• Reports on fairness of presentation of management’s description of the service organization’s system
• Suitability of design of controls
• Point in time reporting
• May be useful when
  • Organization is new
  • Understanding system & controls is needed
  • Recently made significant changes
  • Insufficient time or history to perform Type 2

SUBTYPES OF REPORTS – TYPE 2

• Same as Type 1, plus
  • Reports on fairness of presentation, suitability of design & operating effectiveness
  • Includes a description of service auditor’s tests of controls & results
  • Covers a period of time


REPORTING TO MULTIPLE AUDIENCES

Multiple reports scenarios

• SOC 1 & SOC 2
  • Services impacting ICFR of user & other services with TSP concerns
• SOC 2 & SOC 3
  • Services not impacting ICFR & need to use beyond current users such as marketing to prospects
• SOC 1 & SOC 3
  • Services impacting ICFR of user & other services with TSP concerns or marketing needs

Note – must be separate reports

RECENT CHANGES

• SSAE 18
• SOC for Cybersecurity Engagements


RECENT CHANGES – SSAE 18

• Subservice organizations
• Significant changes to service organization management responsibility
• Service auditor changes

SUBSERVICE ORGANIZATIONS

• Introduces complementary subservice organization controls (CSOC)
• Service organization must identify risks that subservice organization controls are not in place
• Service auditor must consider CSOC as part of risk assessment process & assess how management addressed the risks


SIGNIFICANT CHANGES TO SERVICE ORGANIZATION MANAGEMENT RESPONSIBILITY

• Previously, service auditor identified risks; now they are to obtain an understanding of how management identified risks
• Previously, service auditor was to determine which controls were necessary; now they are to understand which controls are necessary
• Emphasizes service organization management’s responsibility for the narrative, objectives & controls

SERVICE AUDITOR CHANGES

• Service auditor is now required to understand internal audit’s role in the service organization’s system
• Must obtain evidence of the accuracy & completeness of information like populations
• Service auditor must more clearly define intended users of the report


RECENT CHANGES – SOC FOR CYBERSECURITY ENGAGEMENTS

• AICPA Guide June 1, 2017 – Reporting on an Entity’s Cybersecurity Risk Management Program & Controls
• In a cybersecurity risk management examination, the practitioner opines on: (a) management’s description of the entity’s cybersecurity risk management program & (b) effectiveness of controls within that program to achieve entity’s cybersecurity objectives
• Examination results in issuance of a general use cybersecurity report designed to meet the needs of a variety of potential users

UNDER DEVELOPMENT: SOC FOR VENDOR SUPPLY CHAINS

An internal controls report on a vendor’s manufacturing processes for customers of manufacturers & distributors to better understand the cybersecurity risk in their supply chains


PEER REVIEW

SOC EXAMS ARE NOW REQUIRED SELECTIONS


The information contained in these slides is presented by professionals for your information only. Applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor before acting on any matters covered herein or in these seminars.

BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.nasbaregistry.org.

CPE CREDIT

• CPE credit may be awarded upon verification of participant attendance
• For questions, concerns or comments regarding CPE credit, please email the BKD Learning & Development Department at [email protected]


THANK YOU

FOR MORE INFORMATION // For a complete list of our offices & subsidiaries, visit bkd.com or contact:

Cindy Boyle, CPA, CIA®, CITP, CISA // [email protected] // 501.372.1040