WHO’S ON FIRST? THE WHAT & WHY OF SOC REPORTS

CRIcpa.com · CRInsights


HIT A HOME RUN WITH CRI & SOC REPORTS


CARR, RIGGS & INGRAM & AUDITWERX

Large firm resources with boutique firm service.

Auditwerx specializes in SOC 1, SOC 2, and SOC 3 attestation services. Auditwerx delivers quality, in-depth SOC reports while providing personalized results to help service organizations grow their business. As a division of Carr, Riggs & Ingram (CRI), one of the top 25 largest CPA firms nationally, Auditwerx delivers the resources, skills, and experience of a super-regional firm while maintaining the accessibility and attention of a boutique firm.


WHY FOCUS ON SERVICE ORGANIZATION SECURITY? 1

BUILDING TRUST AND CONFIDENCE 2

SOC-1 3

SOC-2 4

SOC-3 6

FACT OR FICTION: SOC REPORT MISCONCEPTIONS 7

WHICH SOC REPORT IS RIGHT FOR YOUR SERVICE ORGANIZATION? 8

CHOOSING CPAS AND A CPA FIRM FOR YOUR SOC ENGAGEMENT 9


WHY FOCUS ON SERVICE ORGANIZATION SECURITY?

All companies are focused on the bottom line and improving efficiencies. That’s why outsourcing business functions to service organizations is becoming commonplace. Doing so allows management to focus its resources on the company’s (user entity) core competencies. Of course, while a service organization is performing these outsourced responsibilities, the user of the service organization (user entity) retains overall accountability for the services provided to its customers. Therefore, user entities need to be assured that the service organization’s internal controls protect them and their customers from potential risks associated with these outsourced services.

Several factors have converged to heighten awareness of the need for service organization controls over security and privacy. Two of the major reasons include:

• Heightened regulatory focus on internal control. Examples include the Federal Financial Institutions Examination Council (FFIEC), Gramm Leach Bliley Act (GLBA or privacy act), Sarbanes-Oxley Act of 2002 (SOX), and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and subsequent HITECH Act.

• Increasing internal control breakdowns such as security breaches, privacy breaches, and fraudulent activity, which also lead to mounting stakeholder concerns and pressure. The chart below highlights several recent, high-profile cases.


| Trust Services Principles and Criteria | Company | The Breach | Source |
|---|---|---|---|
| Security, Privacy | Epsilon (E-mail Marketing Provider) | Intruders accessed one of its e-mail servers and obtained names and e-mail accounts of some of its 2,500 corporate customers | computerworld.com |
| Availability | Amazon Web Services | Multiday service outage slowed and shut down a large number of prominent internet businesses | informationweek.com |
| Security, Confidentiality | U.S. Government and WikiLeaks | WikiLeaks obtained and published classified and confidential U.S. documents (diplomatic cables) electronically, about the wars in Iraq and Afghanistan | zdnet.com |
| Security, Processing Integrity | PayPal, MasterCard, Visa | WikiLeaks advocates formed Operation Payback and sent massive denial of service attacks against the corporations’ servers | pcworld.com |


BUILDING TRUST AND CONFIDENCE

The bottom line is that technological, regulatory, and other changes have heightened the need for management to demonstrate and provide assurance that it has addressed certain concerns of the public. Beginning in 1992, these needs were addressed with the AICPA Statement on Auditing Standards No. 70 (SAS 70). The purpose of the original SAS 70 engagement was to gather evidence on internal controls of a service organization associated with the delivery of a service relating to the user entity’s financial reports and impacting the financial statement to a material degree (i.e. the SAS 70 was designed and intended only to address items affecting user entities’ financial statements).

The SAS 70 was widely adopted and embraced; however, two major issues subsequently developed:

• Misuse and abuse. The business community began to value a SAS 70 engagement even beyond the originally intended scope and purpose of the engagement. For instance, service providers (e.g. data centers, cloud computing companies, banks, and retirement accounts) found that when they called on prospective customers, the primary concern was security. Consequently, a SAS 70 report became a valuable marketing tool (which was not the intention) to illustrate that the user entity had sufficient controls in place to ensure adequate security. This process worked so well that companies began using a SAS 70 engagement as a means of obtaining assurance regarding compliance and operations. Since the SAS 70 specifically stated it was for internal controls over financial reporting (ICFR), such usage was actually a misuse of the SAS 70.

• Lack of consistent or standard controls evaluated. Since management of each service organization identified the controls to be evaluated, one or more critical controls could have been missed and thus tainted the SAS 70 engagement (i.e. management could mistakenly choose the wrong controls, or “cherry-pick” the controls to be tested to avoid disclosing relevant issues – and remain within the SAS 70 guidelines while doing so).

By offering three SOC reporting options, the American Institute of Certified Public Accountants (AICPA) seeks to address the needs of the marketplace while enabling CPAs to protect the public. Engaging an independent CPA to examine and report on a service organization’s controls allows service organizations to meet the information and assurance needs of user entities and also obtain an objective evaluation of their controls that may affect user entities’ financial reporting, operations, or compliance.

In deciding whether a user entity needs a service organization control (SOC) report, it should consider various factors. For example, a user entity that uses a cloud computing service organization offering software as a service (SaaS) would consider:

• The nature of the information the cloud processes and maintains for the user entity.

• Whether the information has been accurately processed and needs to be protected.

• How that information is used by the user entity and its customers.

• How the user entity can determine if the information is accurate and protected during all stages of processing and storage of data.


Recognizing that service organization controls serve a variety of objectives, in 2010 the AICPA introduced three Service Organization Controls (SOC) reports with varying purposes, identified simply as SOC-1, SOC-2, and SOC-3. SOC-1 relates only to internal controls over financial reporting (ICFR). SOC-2 relates to controls evaluated against the AICPA’s trust services principles (it provides details for the service organization’s internal use), and SOC-3 relates to controls over the same trust principles as an SOC-2 but without details regarding the testing of controls; it is intended to be freely distributed in marketing materials (the ONLY SOC report that has unlimited distribution).

SOC-1

SOC-1 is intended only for ICFR, which was previously performed under SAS 70 and now is performed under Statement of Standards for Attestation Engagements No. 16 (SSAE 16). SOC-1 reports focus solely on controls at a service organization that are likely to be relevant to the user entity’s ICFR and are used in an audit of the user entity’s financial statements. These reports are restricted and only utilized auditor-to-auditor [1] or auditor-to-management.

For example, a manufacturer uses a payroll service organization to perform its payroll functions. The manufacturer’s (user) auditors likely will require assurance over the controls of the outsourced payroll function because it is material to the financial reports and they need to examine the completeness and accuracy of the payroll amounts. The payroll service organization would engage an independent accounting firm to complete a SOC-1 report engagement (in accordance with SSAE No. 16) to provide the user organization and its auditors assurance that the proper controls are in place and working effectively (a “Type II” SOC report). The SOC-1 report is then provided to the manufacturer and its auditors (note: it is limited in distribution and cannot be provided to the general public). Since audits are typically performed annually, and controls tend to change in a relatively short period of time, a SOC-1 report generally is completed every 12 months to ensure controls are continually operating effectively.

Another important point is that the service organization being assessed under SOC-1 identifies the controls for testing, which seems a bit like the fox being in charge of the henhouse. The new guidance requires the service auditor to exercise judgment and due care to ensure that the controls selected by management are proper. Thus the above risk of mistakenly, or purposely, choosing the wrong controls has been addressed in SOC report literature.

Now let’s discuss the two types of SOC-1 reports: SOC-1, Type I and SOC-1, Type II.

• SOC-1, Type I: Service organizations that have never completed an SOC-1 report often first need a readiness review to assist in the SOC process. Completion of a readiness review and an SOC-1, Type I report enables the service organization to properly document the controls in place and to establish and document those controls which still need to be implemented. The SOC-1, Type I report identifies and describes the service organization’s controls in place as of a specific date.

The SOC-1, Type I does not provide assurance that the controls are operating effectively; it only provides the description of the controls in place. Therefore, there is still a big part of the assurance missing: the testing of the operating effectiveness of controls. That’s why the SOC-1, Type I report is often the starting point for an SOC-2, Type II report.


[1] AICPA, Quick Reference Guide to Service Organization Control Reports


• SOC-1, Type II: This report includes testing and evaluation of the effectiveness of the identified controls. While the SOC-1, Type I report is issued at a certain point in time and can be the starting point for the Type II report, the SOC-1, Type II report covers a period of time such as January 1, 2012 to December 31, 2012. Why? The user entities (and their auditors) are interested in assurance that the controls of the service organization were operating effectively over a period of time, in this example January 1, 2012 to December 31, 2012.

Completion of an SOC-1, Type I report is not required before a SOC-1, Type II; however, we recommend it for those service organizations that have never had this type of assessment. We generally recommend six months between the completion of the Type I and Type II reports, allowing more realistic test results of the controls’ effectiveness. Meanwhile, companies that have previously issued an SOC-1, Type II can normally continue without again completing a Type I.

The SOC-1 is the most requested SOC, but it is often not the right report. Many services provided to users have nothing to do with financial data underlying or reported on the user entity’s financial statements – which is the purpose of the SOC-1.

SOC-2

Consider a bank that provides online banking and uses a data center to house all of its servers. Utilization of the data center does not necessarily impact the financial statements of the bank but is important to the banking company, and in particular to its online banking services. Management of the banking company likely wants assurance that the data center has good controls over security, confidentiality, availability, processing integrity, and privacy. The topic is still a service organization’s protection of its data and processes, so the answer is an SOC report. Since these concerns do not directly impact the bank’s financial statements, the correct report is an SOC-2 rather than the SOC-1.

SOC-2 engagements are available to management of the service organization and other knowledgeable parties (such as regulators) specifically named in the report [2] and address controls related to the AICPA’s trust service principles.


| | SOC-1, Type I | SOC-1, Type II |
|---|---|---|
| Timeline | Specific date | Specific period of time, e.g. one year |
| Purpose | Identifies and describes the internal controls related to ICFR | Identifies and tests the effectiveness of internal controls related to ICFR |
| Audience | Auditor-to-Auditor (service organization to user entity) | Auditor-to-Auditor (service organization to user entity) |
| Controls Defined by | Service organization | Service organization |
| Frequency | Once, prior to SOC-1, Type II | Recommended annually, in conjunction with audit period |

[2] AICPA, Quick Reference Guide to Service Organization Control Reports


AICPA TRUST SERVICES PRINCIPLES

Service organizations may request an SOC-2 engagement for one or any number of the five AICPA trust service principles [3].

1. Security. The system is protected against unauthorized access (both physical and logical).

2. Availability. The system is available for operation and use as committed or agreed.

3. Processing Integrity. System processing is complete, accurate, timely, and authorized.

4. Confidentiality. Information designated as confidential is protected as committed or agreed.

5. Privacy. Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the service organization’s privacy notice.

SOC-2 engagements are most typically requested by service organizations providing services to financial institutions, insurance companies, healthcare entities, credit unions, and government agencies, and usually cover the following areas:

• Cloud computing

• Managed security

• Customer accounting

• Customer support

• Computer support services

• Healthcare claims management and processing

• Healthcare outsourcers such as labs and pharmacies

• Enterprise IT outsourcing services

• Cable companies and other entities who outsource installs


[Figure: the five AICPA Trust Services Principles: Security, Availability, Processing Integrity, Confidentiality, Privacy]

[3] AICPA, Trust Services Principles and Criteria – An Overview, http://www.aicpa.org/interestareas/informationtechnology/resources/trustservices/pages/trust%20services%20


There also happen to be two types of SOC-2 reports: SOC-2, Type I and SOC-2, Type II.

• SOC-2, Type I: Just like SOC-1, those service organizations having never completed an SOC-2 report should probably complete a readiness review via a SOC-2, Type I report that is applicable to a specific date.

• SOC-2, Type II: This report tests the effectiveness of the controls detailed in SOC-2, Type I – which apply to the AICPA’s five Trust Principles. This report, like SOC-1, Type II, covers a period of time that usually coincides with an audit period.

Upon completion of an SOC-1, SOC-2, or SOC-3 report the user entity may display the AICPA SOC logo (shown on page 7) on its web site and marketing materials in accordance with the AICPA guidelines – which prohibit distribution of SOC-1 and SOC-2 reports via web sites, etc.

SOC-3

The AICPA recognized that service organizations completing an SOC report may find it beneficial to use it as a marketing tool to pursue or attract new business. SOC-3 reports address the same criteria as a SOC-2 engagement: the AICPA’s five Trust Principles. The major difference is that the SOC-3 report does not contain the detailed description of the service auditor’s tests of controls and results. As a result, these reports may be used for sales and marketing purposes. The AICPA provides a seal for service organizations that have completed an SOC-3 report that may be used in marketing collateral and on the organization’s website [4].

Note: The SOC-3 report builds only on the SOC-2 and not on the SOC-1, which is strictly reserved for auditor-to-auditor use. In other words, a SOC-3 can only be provided regarding the service organization’s adherence to the AICPA’s trust principles, NOT regarding the service organization’s support of ICFR. With no exceptions, a service organization must have completed the SOC-2, Type II report to request the SOC-3.


| | SOC-2, Type I | SOC-2, Type II |
|---|---|---|
| Timeline | Specific date | Specific period of time, e.g. one year |
| Purpose | Identifies and describes the internal controls related to AICPA Trust Service Principles | Tests the internal controls related to AICPA Trust Service Principles |
| Audience | Management, regulators, and others interested in the service organization’s governance, risk management, compliance, oversight, due diligence, etc. | Management, regulators, and others interested in the service organization’s governance, risk management, compliance, oversight, due diligence, etc. |
| Controls Defined by | AICPA | AICPA |
| Frequency | Once, prior to SOC-2, Type II | Recommended annually, in conjunction with audit period |

[4] AICPA, Quick Reference Guide to Service Organization Control Reports


FACT OR FICTION: SOC REPORT MISCONCEPTIONS

• Fiction: My service organization is “SAS 70 certified” or “SOC compliant.”

• Fact: While many companies have claimed such certifications in marketing materials, a SAS 70 certification or seal is much like a unicorn – widely discussed but lacking in existence. However, the AICPA acknowledged this need for a marketing tool for service organizations and created the new SOC-3 report. Its seal is the only verification provided.

• Fiction: I need one of the three SOC reports.

• Fact: Each SOC report has a very specific purpose, and service organizations may need multiple reports. For example, let’s return to our online banking service organization and use of a data center. If the bank’s accounting data and/or financial reporting data is stored at the data center, then the bank’s (user) auditors may have concerns over accuracy or completeness of that data associated with financial statements. However, bank management may also be concerned about security or privacy. That is, bank management may want some assurance of the adequacy of certain controls at the data center not related to financial reports. Therefore, the service organization may also need to complete an SOC-2 for the applicable concern (e.g., “privacy” trust principle) to satisfy the bank’s needs. In addition, the data center will likely want to promote its security, privacy, availability, processing integrity, and confidentiality controls and thus need a SOC-3 report. Remember it is not possible to perform a SOC-3 report set of processes/engagement without also performing a set of SOC-2 report processes/engagement. Conclusion: The data center needs all 3 SOC reports!

• Fiction: A user entity has not yet requested that my service organization complete an SOC report, so I don’t need to incur this expense.

• Fact: First, regulatory agencies are becoming more strict and beginning to require the report. Meanwhile, companies are outsourcing more functions but realizing that they retain responsibility for those functions. Of course, auditors are also becoming savvier. Therefore, these requests will only become more frequent. Since best practice suggests six months between the SOC-1, Type I (for those service organizations that have never completed the report previously) and the SOC-1, Type II, waiting for a request could preclude your service organization from fulfilling the needs of a user entity. Furthermore, user entities should proactively request an SOC-1 report from any and all service organizations, and service organizations should proactively complete a SOC-1 report.


• Fiction: I need a single, larger SOC report.

• Fact: When faced with completing both SOC-1 and SOC-2 reports, the service organization often requests “one huge SOC-1 report that also includes the Trust Principles.” That’s not an option, and here are the reasons why (other than the logistics of a 300 page report).

» The audiences are different. The SOC-1 reports are intended for auditor-to-auditor or auditor-to-management communication from the service organization (payroll service organization) auditor to the user entity (manufacturer) auditor. SOC-2 reports are accessible by management and regulators, and SOC-3 reports are available to the general public.

» The reports are not interchangeable since the SOC-1 report relates to ICFR while SOC-2 and SOC-3 relate to the Trust Services Principles.

WHICH SOC REPORT IS RIGHT FOR YOUR SERVICE ORGANIZATION?

Several factors should be considered when choosing an SOC report for your organization:

• Who are the users?

• What is the system?

• How do the users use the system?

• Relevancy to internal control over financial reporting (ICFR)?

• The services, business units, functional areas, business processes, and activities or applications that will be of interest to users because of concerns regarding compliance with laws or regulations or governance or because the service organization has made commitments to user entities to provide a report.


• Will the report be used by your customers (user entities) and their auditors to plan and perform an audit or integrated audit of your customer’s financial statements? Yes: SOC-1 Report

• Will the report be used by your customers (user entities) as part of their compliance with the Sarbanes-Oxley Act or similar law or regulation? Yes: SOC-1 Report

• Will the report be used by your customers (user entities) or stakeholders to gain confidence and place trust in a service organization’s systems? Yes: SOC-2 Report and SOC-3 Report

• Do you need to make the report generally available? Yes: SOC-3 Report

• Do your customers (user entities) have the need for and ability to understand the details of the processing and controls at a service organization, the tests performed by the service auditor, and the results of those tests? Yes: SOC-2 Report. No: SOC-3 Report


CHOOSING CPAS AND A CPA FIRM FOR YOUR SOC ENGAGEMENT

CPAs are the best suited professionals to provide these services to service organizations. First, SOC services provided by CPAs are, without a doubt, best-in-class. Second, audit, attest and assurance are part of a CPA’s DNA. The education, CPA Exam, and experience requirements for licensing facilitate our knowledge and understanding of the underlying issues that ensure the best possible feedback. Additionally, the AICPA supports the public interest by setting performance and reporting standards for these engagements; enforcing a Code of Conduct that provides for the independent, objective, competent performance of such services; and maintaining peer review standards to examine SOC engagements for firms that do this work. Non-CPA consulting firms are not held to such high standards.

As for which firm, it’s true with most engagements that experience translates into a more efficient, targeted solution. That’s why service organizations should choose CRI to complete their SOC reports. Since their inception last year, our firm has led the way in performing these engagements, and our team has already developed best practices that will be leveraged to your advantage.


SOC-1

WHO? Audience is user entity’s auditors.

WHY? Evaluate controls impacting user entities’ financial statements.

WHAT? Test controls relevant to financial reporting.

SOC-2

WHO? Audience is management, regulators, and others.

WHY? Governance, risk management, compliance, oversight, due diligence.

WHAT? Test controls regarding AICPA trust services principles.

SOC-3

WHO? Anyone – particularly prospective clients of service organizations.

WHY? Marketing of the service organization, complete with an AICPA seal.

WHAT? Communicate that the SOC-2 report process was completed, without details about the controls themselves.


In compliance with IRS Circular 230: Any statements or tax advice that are contained in this document are not intended or written to be used, and cannot be used by any taxpayer, for the purpose of avoiding penalties that may be imposed on the taxpayer.
