WHO’S ON FIRST?
THE WHAT & WHY OF SOC REPORTS
CRInsights
CRIcpa.com
HIT A HOME RUN WITH CRI & SOC REPORTS
CARR, RIGGS & INGRAM & AUDITWERX
Large firm resources with boutique firm service.
Auditwerx specializes in SOC 1, SOC 2, and SOC 3 attestation services. Auditwerx delivers quality, in-depth SOC reports while providing personalized results to help service organizations grow their business. As a division of Carr, Riggs & Ingram (CRI), one of the top 25 largest CPA firms nationally, Auditwerx delivers the resources, skills, and experience of a super-regional firm while maintaining the accessibility and attention of a boutique firm.
CONTENTS
WHY FOCUS ON SERVICE ORGANIZATION SECURITY?
BUILDING TRUST AND CONFIDENCE
SOC-1
SOC-2
SOC-3
FACT OR FICTION: SOC REPORT MISCONCEPTIONS
WHICH SOC REPORT IS RIGHT FOR YOUR SERVICE ORGANIZATION?
CHOOSING CPAS AND A CPA FIRM FOR YOUR SOC ENGAGEMENT
WHY FOCUS ON SERVICE ORGANIZATION SECURITY?
All companies are focused on the bottom line and improving efficiencies. That’s why outsourcing business functions to service organizations is becoming commonplace. Doing so allows management to focus its resources on the company’s (user entity) core competencies. Of course, while a service organization is performing these outsourced responsibilities, the user of the service organization (user entity) retains overall accountability for the services provided to its customers. Therefore, user entities need to be assured that the service organization’s internal controls protect them and their customers from potential risks associated with these outsourced services.
Several factors have converged to heighten awareness of the need for service organization controls over security and privacy. Two of the major reasons include:
• Heightened regulatory focus on internal control. Examples include the Federal Financial Institutions Examination Council (FFIEC), the Gramm-Leach-Bliley Act (GLBA or privacy act), the Sarbanes-Oxley Act of 2002 (SOX), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the subsequent HITECH Act.
• Increasing internal control breakdowns such as security breaches, privacy breaches, and fraudulent activity, which also lead to mounting stakeholder concerns and pressure. The chart below highlights several recent high-profile cases.
Trust Services Principles and Criteria: Security, Privacy
Company: Epsilon (e-mail marketing provider)
The Breach: Intruders accessed one of its e-mail servers and obtained names and e-mail accounts of some of its 2,500 corporate customers.
Source: computerworld.com

Trust Services Principles and Criteria: Availability
Company: Amazon Web Services
The Breach: A multiday service outage slowed and shut down a large number of prominent internet businesses.
Source: informationweek.com

Trust Services Principles and Criteria: Security, Confidentiality
Company: U.S. Government and WikiLeaks
The Breach: WikiLeaks obtained and electronically published classified and confidential U.S. diplomatic cables about the wars in Iraq and Afghanistan.
Source: zdnet.com

Trust Services Principles and Criteria: Security, Processing Integrity
Company: PayPal, MasterCard, Visa
The Breach: WikiLeaks advocates formed Operation Payback and sent massive denial of service attacks against the corporations’ servers.
Source: pcworld.com
BUILDING TRUST AND CONFIDENCE
The bottom line is that technological, regulatory, and other changes have heightened the need for management to demonstrate and provide assurance that it has addressed certain concerns of the public. Beginning in 1992, these needs were addressed with the AICPA Statement on Auditing Standards No. 70 (SAS 70). The purpose of the original SAS 70 engagement was to gather evidence on internal controls of a service organization associated with the delivery of a service relating to the user entity’s financial reports and impacting the financial statement to a material degree (i.e. the SAS 70 was designed and intended only to address items affecting user entities’ financial statements).
The SAS 70 was widely adopted and embraced; however, two major issues subsequently developed:
• Misuse and abuse. The business community began to value a SAS 70 engagement even beyond the originally intended scope and purpose of the engagement. For instance, service providers (e.g. data centers, cloud computing companies, banks, and retirement accounts) found that when they called on prospective customers, the primary concern was security. Consequently, a SAS 70 report became a valuable marketing tool (which was not the intention) to illustrate that the user entity had sufficient controls in place to ensure adequate security. This process worked so well that companies began using a SAS 70 engagement as a means of obtaining assurance regarding compliance and operations. Since the SAS 70 specifically stated it was for internal controls over financial reporting (ICFR), such usage was actually a misuse of the SAS 70.
• Lack of consistent or standard controls evaluated. Since management of each service organization identified the controls to be evaluated, one or more critical controls could have been missed and thus tainted the SAS 70 engagement (i.e. management could mistakenly choose the wrong controls, or “cherry-pick” the controls to be tested to avoid disclosing relevant issues, and remain within the SAS 70 guidelines while doing so).
By offering three SOC reporting options, the American Institute of Certified Public Accountants (AICPA) seeks to address the needs of the marketplace while enabling CPAs to protect the public. Engaging an independent CPA to examine and report on a service organization’s controls allows service organizations to meet the information and assurance needs of user entities and also to obtain an objective evaluation of those controls that may affect user entities’ financial reporting, operations, or compliance.
In deciding whether a user entity needs a service organization control (SOC) report, it should consider various factors. For example, a user entity that uses a cloud computing service organization offering software as a service (SaaS) would consider:
• The nature of the information the cloud processes and maintains for the user entity.
• Whether the information has been accurately processed and needs to be protected.
• How that information is used by the user entity and its customers.
• How the user entity can determine if the information is accurate and protected during all stages of processing and storage of data.
Recognizing the need for a variety of service organization control objectives, in 2010 the AICPA introduced three Service Organization Controls (SOC) reports with varying purposes, identified simply as SOC-1, SOC-2, and SOC-3. SOC-1 relates only to internal controls over financial reporting (ICFR). SOC-2 relates to controls evaluated against the AICPA’s trust services principles (it provides details for the service organization’s internal use), and SOC-3 relates to controls over the same trust principles as a SOC-2 but without details regarding the testing of controls; it is intended to be freely distributed in marketing materials (the ONLY SOC report that has unlimited distribution).
SOC-1
SOC-1 is intended only for ICFR, which was previously performed under SAS 70 and is now performed under Statement on Standards for Attestation Engagements No. 16 (SSAE 16). SOC-1 reports focus solely on controls at a service organization that are likely to be relevant to the user entity’s ICFR and are used in an audit of the user entity’s financial statements. These reports are restricted and only utilized auditor-to-auditor [1] or auditor-to-management.
For example, a manufacturer uses a payroll service organization to perform its payroll functions. The manufacturer’s (user) auditors will likely require assurance over the controls of the outsourced payroll function because it is material to the financial reports, and they need to examine the completeness and accuracy of the payroll amounts. The payroll service organization would engage an independent accounting firm to complete a SOC-1 report engagement (in accordance with SSAE No. 16) to provide the user organization and its auditors assurance that the proper controls are in place and working effectively (a “Type II” SOC report). The SOC-1 report is then provided to the manufacturer and its auditors (note: it is limited in distribution and cannot be provided to the general public). Since audits are typically performed annually, and controls tend to change in a relatively short period of time, a SOC-1 report is generally completed every 12 months to ensure controls are continually operating effectively.
Another important point is that the service organization being assessed under SOC-1 identifies the controls for testing, which seems a bit like the fox being in charge of the henhouse. The new guidance requires the service auditor to exercise judgment and due care to ensure that the controls selected by management are proper. Thus the above risk of mistakenly, or purposely, choosing the wrong controls has been addressed in SOC report literature.
Now let’s discuss the two types of SOC-1 reports: SOC-1, Type I and SOC-1, Type II.
• SOC-1, Type I: Service organizations that have never completed a SOC-1 report often first need a readiness review to assist in the SOC process. Completion of a readiness review and a SOC-1, Type I report enables the service organization to properly document the controls in place and to establish and document those controls which still need to be implemented. The SOC-1, Type I report identifies and describes the service organization’s controls in place as of a specific date.
The SOC-1, Type I does not provide assurance that the controls are operating effectively; it only provides the description of the controls in place. Therefore, there is still a big part of the assurance missing: the testing of the operating effectiveness of controls. That’s why the SOC-1, Type I report is often the starting point for an SOC-2, Type II report.
[1] AICPA, Quick Reference Guide to Service Organization Control Reports
• SOC-1, Type II: This report includes testing and evaluation of the effectiveness of the identified controls. While the SOC-1, Type I report is issued at a certain point in time and can be the starting point for the Type II report, the SOC-1, Type II report covers a period of time such as January 1, 2012 to December 31, 2012. Why? The user entities (and their auditors) are interested in assurance that the controls of the service organization were operating effectively over a period of time, in this example January 1, 2012 to December 31, 2012.
Completion of a SOC-1, Type I report is not required before a SOC-1, Type II; however, we recommend it for those service organizations that have never had this type of assessment. We generally recommend six months between the completion of the Type I and Type II reports, allowing more realistic test results of the controls’ effectiveness. Meanwhile, companies that have previously issued a SOC-1, Type II can normally continue without again completing a Type I.
The SOC-1 is the most requested SOC, but it is often not the right report. Many services provided to users have nothing to do with the financial data underlying or reported on the user entity’s financial statements, which is the sole purpose of the SOC-1.
SOC-2
Consider a bank that provides online banking and uses a data center to house all of its servers. Utilization of the data center does not necessarily impact the financial statements of the bank, but it is important to the banking company, and in particular to its online banking services. Management of the banking company likely wants assurance that the data center has good controls over security, confidentiality, availability, processing integrity, and privacy. The topic is still a service organization’s protection of its data and processes, so the answer is a SOC report. Since these concerns do not directly impact the bank’s financial statements, the correct report is a SOC-2 rather than a SOC-1.
SOC-2 engagements are available to management of the service organization and other knowledgeable parties (such as regulators) specifically named in the report [2] and address controls related to the AICPA’s trust services principles.
                     SOC-1, Type I                                                SOC-1, Type II
Timeline             Specific date                                                Specific period of time, e.g. one year
Purpose              Identifies and describes the internal controls               Identifies and tests the effectiveness of internal
                     related to ICFR                                              controls related to ICFR
Audience             Auditor-to-auditor (service organization to user entity)     Auditor-to-auditor (service organization to user entity)
Controls defined by  Service organization                                         Service organization
Frequency            Once, prior to SOC-1, Type II                                Recommended annually, in conjunction with audit period
[2] AICPA, Quick Reference Guide to Service Organization Control Reports
AICPA TRUST SERVICES PRINCIPLES
Service organizations may request a SOC-2 engagement for one or any number of the five AICPA trust services principles [3].
1. Security. The system is protected against unauthorized access (both physical and logical).
2. Availability. The system is available for operation and use as committed or agreed.
3. Processing Integrity. System processing is complete, accurate, timely, and authorized.
4. Confidentiality. Information designated as confidential is protected as committed or agreed.
5. Privacy. Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the service organization’s privacy notice.
SOC-2 engagements are most typically requested by service organizations providing services to financial institutions, insurance companies, healthcare entities, credit unions, and government agencies, and usually involve the following areas:
• Cloud computing
• Managed security
• Customer accounting
• Customer support
• Computer support services
• Healthcare claims management and processing
• Healthcare outsourcers such as labs and pharmacies
• Enterprise IT outsourcing services
• Cable companies and other entities who outsource installs
[3] AICPA, Trust Services Principles and Criteria – An Overview, http://www.aicpa.org/interestareas/informationtechnology/resources/trustservices/pages/trust%20services%20
There are also two types of SOC-2 reports: SOC-2, Type I and SOC-2, Type II.
• SOC-2, Type I: Just like SOC-1, service organizations that have never completed a SOC-2 report should probably complete a readiness review via a SOC-2, Type I report, which applies to a specific date.
• SOC-2, Type II: This report tests the effectiveness of the controls detailed in the SOC-2, Type I, which apply to the AICPA’s five trust services principles. This report, like the SOC-1, Type II, covers a period of time that usually coincides with an audit period.
Upon completion of a SOC-1, SOC-2, or SOC-3 report, the service organization may display the AICPA SOC logo (shown on page 7) on its web site and marketing materials in accordance with the AICPA guidelines, which prohibit distribution of SOC-1 and SOC-2 reports via web sites and similar channels.
SOC-3
The AICPA recognized that service organizations completing a SOC report may find it beneficial to use it as a marketing tool to pursue or attract new business. SOC-3 reports address the same criteria as a SOC-2 engagement: the AICPA’s five trust services principles. The major difference is that the SOC-3 report does not contain the detailed description of the service auditor’s tests of controls and their results. As a result, these reports may be used for sales and marketing purposes. The AICPA provides a seal for service organizations that have completed a SOC-3 report, which may be used in marketing collateral and on the organization’s website [4].
Note: The SOC-3 report builds only on the SOC-2 and not on the SOC-1, which is strictly reserved for auditor-to-auditor use. In other words, a SOC-3 can only be provided regarding the service organization’s adherence to the AICPA’s trust services principles, NOT regarding the service organization’s controls related to ICFR. With no exceptions, a service organization must have completed a SOC-2, Type II report to request a SOC-3.
                     SOC-2, Type I                                                      SOC-2, Type II
Timeline             Specific date                                                      Specific period of time, e.g. one year
Purpose              Identifies and describes the internal controls related to          Tests the internal controls related to
                     AICPA Trust Services Principles                                    AICPA Trust Services Principles
Audience             Management, regulators, and others interested in the service       Management, regulators, and others interested in the service
                     organization’s governance, risk management, compliance,            organization’s governance, risk management, compliance,
                     oversight, due diligence, etc.                                     oversight, due diligence, etc.
Controls defined by  AICPA                                                              AICPA
Frequency            Once, prior to SOC-2, Type II                                      Recommended annually, in conjunction with audit period
[4] AICPA, Quick Reference Guide to Service Organization Control Reports
FACT OR FICTION: SOC REPORT MISCONCEPTIONS
• Fiction: My service organization is “SAS 70 certified” or “SOC compliant.”
• Fact: While many companies have claimed such certifications in marketing materials, a SAS 70 certification or seal is much like a unicorn: widely discussed but lacking in existence. However, the AICPA acknowledged this need for a marketing tool for service organizations and created the new SOC-3 report. Its seal is the only verification provided.
• Fiction: I need one of the three SOC reports.
• Fact: Each SOC report has a very specific purpose, and service organizations may need multiple reports. For example, let’s return to our online banking service organization and its use of a data center. If the bank’s accounting data and/or financial reporting data is stored at the data center, then the bank’s (user) auditors may have concerns over the accuracy or completeness of that data as it relates to the financial statements. However, bank management may also be concerned about security or privacy. That is, bank management may want some assurance of the adequacy of certain controls at the data center not related to financial reports. Therefore, the service organization may also need to complete a SOC-2 for the applicable concern (e.g., the “privacy” trust principle) to satisfy the bank’s needs. In addition, the data center will likely want to promote its security, privacy, availability, processing integrity, and confidentiality controls and thus need a SOC-3 report. Remember that it is not possible to perform a SOC-3 engagement without also performing a SOC-2 engagement. Conclusion: The data center needs all 3 SOC reports!
• Fiction: A user entity has not yet requested that my service organization complete a SOC report, so I don’t need to incur this expense.
• Fact: First, regulatory agencies are becoming stricter and beginning to require the report. Meanwhile, companies are outsourcing more functions but realizing that they retain responsibility for those functions. Of course, auditors are also becoming savvier. Therefore, these requests will only become more frequent. Since best practice suggests six months between the SOC-1, Type I (for those service organizations that have never completed the report previously) and the SOC-1, Type II, waiting for a request could preclude your service organization from fulfilling the needs of a user entity. Furthermore, user entities should proactively request a SOC-1 report from any and all service organizations, and service organizations should proactively complete a SOC-1 report.
• Fiction: I need a single, larger SOC report.
• Fact: When faced with completing both SOC-1 and SOC-2 reports, the service organization often requests “one huge SOC-1 report that also includes the Trust Principles.” That’s not an option, and here are the reasons why (other than the logistics of a 300-page report).
» The audiences are different. SOC-1 reports are intended for auditor-to-auditor or auditor-to-management communication, from the service organization’s (payroll service organization’s) auditor to the user entity’s (manufacturer’s) auditor. SOC-2 reports are accessible by management and regulators, and SOC-3 reports are available to the general public.
» The reports are not interchangeable, since the SOC-1 report relates to ICFR while SOC-2 and SOC-3 relate to the Trust Services Principles.
WHICH SOC REPORT IS RIGHT FOR YOUR SERVICE ORGANIZATION?
Several factors should be considered when choosing a SOC report for your organization:
• Who are the users?
• What is the system?
• How do the users use the system?
• Is the system relevant to internal control over financial reporting (ICFR)?
• The services, business units, functional areas, business processes, and activities or applications that will be of interest to users because of concerns regarding compliance with laws or regulations or governance or because the service organization has made commitments to user entities to provide a report.
Will the report be used by your customers (user entities) and their auditors to plan and perform an audit or integrated audit of your customer’s financial statements?
   Yes: SOC-1 Report
Will the report be used by your customers (user entities) as part of their compliance with the Sarbanes-Oxley Act or similar law or regulation?
   Yes: SOC-1 Report
Will the report be used by your customers (user entities) or stakeholders to gain confidence and place trust in a service organization’s systems?
   Yes: SOC-2 Report and SOC-3 Report
Do you need to make the report generally available?
   Yes: SOC-3 Report
Do your customers (user entities) have the need for and ability to understand the details of the processing and controls at a service organization, the tests performed by the service auditor, and the results of those tests?
   Yes: SOC-2 Report
   No: SOC-3 Report
CHOOSING CPAS AND A CPA FIRM FOR YOUR SOC ENGAGEMENT
CPAs are the best-suited professionals to provide these services to service organizations. First, SOC services provided by CPAs are, without a doubt, best-in-class. Second, audit, attest, and assurance are part of a CPA’s DNA. The education, CPA Exam, and experience requirements for licensing build our knowledge and understanding of the underlying issues and ensure the best possible feedback. Additionally, the AICPA supports the public interest by setting performance and reporting standards for these engagements; enforcing a Code of Conduct that provides for the independent, objective, competent performance of such services; and maintaining peer review standards to examine SOC engagements for firms that do this work. Non-CPA consulting firms are not held to such high standards.
As for which firm, it’s true with most engagements that experience translates into a more efficient, targeted solution. That’s why service organizations should choose CRI to complete their SOC reports. Since their inception last year, our firm has led the way in performing these engagements, and our team has already developed best practices that will be leveraged to your advantage.
SOC-1
WHO? Audience is the user entity’s auditors.
WHY? Evaluate controls impacting user entities’ financial statements.
WHAT? Test controls relevant to financial reporting.

SOC-2
WHO? Audience is management, regulators, and others.
WHY? Governance, risk management, compliance, oversight, due diligence.
WHAT? Test controls regarding AICPA trust services principles.

SOC-3
WHO? Anyone, particularly prospective clients of service organizations.
WHY? Marketing of the service organization, complete with an AICPA seal.
WHAT? Communicate that the SOC-2 report process was completed, without details about the controls themselves.
HIT A HOME RUN WITH CRI & SOC REPORTS
In compliance with IRS Circular 230: Any statements or tax advice that are contained in this document are not intended or written to be used, and cannot be used by any taxpayer, for the purpose of avoiding penalties that may be imposed on the taxpayer.
CRIcpa.com