
Preparing SOC 1, SOC 2 or SOC 3 Reports: Best Practices Meeting

Presenting a live 110-minute teleconference with interactive Q&A
Preparing SOC 1, SOC 2 or SOC 3 Reports: Best Practices
Meeting Challenges Arising From SSAE 16, ISAE 3402 and Other Service Company Control Standards
WEDNESDAY, MARCH 7, 2012
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

  1. Today's faculty features:
  • Suzanne Nersessian, Director, National Service Organization Controls Reporting, Deloitte & Touche, Boston
  • David Palmer, Managing Director, KPMG, Chicago
  • Nargiz Yusupova, Manager, P&N Consulting, Baton Rouge, La.
  • Ryan Buckner, Shareholder, BrightLine CPAs & Assoc., Atlanta




  5. Preparing SOC 1, SOC 2 or SOC 3 Reports: Best Practices Seminar
  March 7, 2012
  Suzanne Nersessian, Deloitte & Touche
  David Palmer, KPMG
  Nargiz Yusupova, P & N Consulting
  Ryan Buckner, BrightLine CPAs & Assoc.

  6. Today's Program
  • Introduction To SOC Framework: Slide 7 – Slide 10 [Suzanne Nersessian]
  • SOC 1 Review: Slide 11 – Slide 23 [Suzanne Nersessian]
  • SOC 2 Review: Slide 24 – Slide 34 [David Palmer]
  • SOC 3 Review: Slide 35 – Slide 46 [Nargiz Yusupova]
  • Considerations In Selecting An Attestation Examination: Slide 47 – Slide 58 [Ryan Buckner]


  8. Background: Why The Change
  • Original intent of SAS 70
  • Growth of service organizations over last 40 years
  • SAS 70 used in ways that were never intended
  • SAS 70 became a de facto global standard.
  • Convergence of U.S. and international standards

  9. Changes In Reporting On Controls
  I. ISAE 3402 led to the development of SSAE 16.
  II. SAS 70 split:
    A. AU 402
    B. SSAE 16
  III. Effective date: Periods ending on or after June 15, 2011. Specific to covering internal control over financial reporting.
  IV. AICPA Practitioner Guide: Usable for both standards, and for practitioners and service organizations alike.
  V. Allows for the use of the framework/guidance to perform engagements under another standard (e.g., SOC 2).

  10. Reporting Standards: AICPA Service Organization Control (SOC) Reports, New Standards & Options
  • Service Organization Control 1 (SOC 1)
    o Standard: SSAE 16 (service auditor guidance)
    o Report: Restricted Use Report (Type I or II Report)
    o Purpose: Reports on controls for F/S audits
  • Service Organization Control 2 (SOC 2)
    o Standard: AT 101
    o Report: Generally Restricted Use Report (Type I or II Report)
    o Purpose: Reports on controls related to compliance or operations
    o Criteria: Trust Services Principles & Criteria
  • Service Organization Control 3 (SOC 3)
    o Standard: AT 101
    o Report: General Use Report (w/ public seal)
    o Purpose: Reports on controls related to compliance or operations
    o Criteria: Trust Services Principles & Criteria

  11. SOC 1 Review (Suzanne Nersessian, Deloitte & Touche)

  12. SOC 1 Reports: Purpose/Intended Use
  • Purpose
    o To provide user entities and their independent auditors with information and a CPA's opinion about controls at the service organization relevant to user entities' internal control over financial reporting
    o Covers fair presentation, design and operating effectiveness
  • Restricted use report
    o Management of the service organization
    o User entities of the service organization's system during some or all of the period covered by the report (for Type 2 reports)
    o Independent auditors of user entities
    o Indirect users
    o Does not include potential users
  • Intended use
    o Report on controls that are likely to be relevant to user entities' internal controls over financial reporting
    o For use in a financial statement audit

  13. ISAE 3402 Relationship To SSAE 16: Notable Differences
  • Use of report
    o SSAE 16: Required to include a statement restricting the use of the report to management of the service organization, user entities of the system and user auditors.
    o ISAE 3402: Required to state that it is only intended for user entities and their auditors, but does not require inclusion of a statement restricting the use. Does not prohibit the inclusion of restricted use language.
  • Intentional acts
    o SSAE 16: Service auditor considers impact of intentional acts on the description of the system, design and operating effectiveness of controls.
    o ISAE 3402: Silent on this requirement.
  • Use of internal audit
    o SSAE 16: Provides for use of internal audit in direct assistance.
    o ISAE 3402: Does not provide for the use of internal audit for direct assistance; however, is being considered for adoption.
  • Subsequent events
    o SSAE 16: Service auditor to consider Type 2 subsequent events after the report date.
    o ISAE 3402: Limits the service auditor's disclosure to those events that could affect their opinion (i.e., a Type 1 subsequent event).
  • Deviations/exceptions
    o SSAE 16: All exceptions are reported regardless of whether they affect the opinion.
    o ISAE 3402: Enables a service auditor to conclude that a deviation identified when performing tests of controls involving sampling is not representative of the population from which the sample was drawn (anomaly).

  14. SAS 70 History: Global Environment
  • ISAE 3402 – Global
  • SSAE 16 – U.S.
  • CSAE 3416 – Canada
  • DE-IDW PS 951 – Germany
  • HKSAE 3402 "Assurance Reports on Controls at a Service Organization" – Hong Kong
  • Audit and Assurance Standard (AAF) 1/06 – U.K.
  • ASAE 3402 "Assurance Reports on Controls at a Service Organization" – Australia

  15. Notable Changes From SAS 70 To SSAE 16

  16. Notable Changes From SAS 70 To SSAE 16 (Cont.)

  17. Key Change: Management's Assertion
  • Management is required to provide a written assertion.
    o It can be included as a separate section of the report, or
    o The assertion can be part of the description of the system, appropriately identified as the assertion.
    o Assertion most often (and recommended to be) on company letterhead
  • Key components of management's assertion:
    o The description of the system fairly presents the system that was designed and implemented throughout the specified period.
    o The controls were suitably designed to achieve the control objectives throughout the specified period, including identifying the risks that threaten the achievement of the control objectives.
    o The controls operated effectively throughout the period to achieve those control objectives.

  18. Key Change: Management's Assertion (Cont.)
  • Signing the assertion
    o No requirement to sign
    o However, most currently issued reports have been signed.
    o May be signed by company or by individuals (most have been individuals)

