Rec ecen ent C Chan anges es t to S SOC C Rep eportin ing S Stan andar ards ds: Wha hat Y You ou Shou Should K Kno now a and nd How to Pr o Prepa pare June 28, 28, 20 2018 Troy Fine ine - Ma Manager, Ri Risk Advi visory y Servi vices Scott Walt lton on - Ma Manager, Ri Risk Advi visory y Services
Housekeeping Items • To obtain CPE for this event: – Respond to the 3 polling questions. – Complete the evaluation form that will be emailed to you approximately one hour after the conclusion of the program. • CPE Certificates will be emailed out to those that completed the polling questions and online evaluation. 2
Who Is Sc Is Schneid ider Do r Downs? One of the top 60 largest accounting and business advisory firms • in the United States Established in 1956; offices in Pittsburgh, PA and Columbus, OH • Largest regional independently owned, registered public • accounting and business advisory firm in Western Pennsylvania. Approximately 450 personnel in total, including more than 45 shareholders Registered with the PCAOB • Risk Advisory Services • – SOC Reports – Cybersecurity/Penetration Testing – SOX Section 404 Compliance – Internal Audit Outsourcing/Co-sourcing – Risk Assessments – Internal Control/Business Process Reviews 3
Troy Fine Manager, Risk Advisory Services • CPA/CITP, CISA • Joined Schneider Downs in 2011 • Areas of expertise: • – SOC 1 and 2 assurance services – SOC 2+ assurance services (HITRUST) – SOC for Cybersecurity assurance services – SOX Section 404 compliance – Internal control assessments – HIPAA assessments Industry experience: Cloud Computing/Software-as-a-Service, Higher • Education, Banking, Financial Services, Healthcare, Manufacturing, Nonprofit AICPA CITP Credential Committee Member • Pennsylvania’s CPA Journal Editorial Board Member • 4
Sco cott W tt Walt lton Manager, Risk Advisory Services • Joined Schneider Downs in 2008 • CISA, CIA (Certified Internal Auditor) • 10 + years of experience in Internal Audit / IT Audit • Experience in delivering information technology general • control reviews, security assessments, enterprise risk assessments, internal audit co-sourcing services and process improvement engagements Industry Experience: Data Centers, Software-as-a-Service, • Higher Education, Financial Services, Healthcare, Manufacturing, Nonprofit, Insurance Manage the SOC practice for the Columbus office • 5
Agenda enda • Nomenclature Update • Brief Overview of SOC Reports • SSAE 18 Updates and Impacts • SOC 2 Updates and Impacts • SOC for Cybersecurity Overview 6
SOC Nomenclature SOC - System and Organization Controls (No longer Service Organization Controls) SSAE 18 Attestation Standard (supersedes SSAE 16 Attestation Standard) SOC Suite of Services 7
Timeline of Change • 1992 – SAS 70 – Service Organizations • 2003 – Trust Services Principles and Criteria (Merger between SysTrust and Webtrust) • 2010 – SSAE 16 Reporting on Controls at a Service Organization • 2011 – SOC 1, SOC 2, SOC 3 • 2016 – SSAE 18 (AT-C105, AT-C205 (SOC 1 & 2), AT-C Section 320 (SOC 1)) • 2017 – SOC for Cybersecurity • In the near future – SOC for Vendor Supply Chain 8
SOC Suite of Services System and Organization Controls (SOC) System and Organization Controls (SOC) SOC for SOC for Vendor SOC for Service Organizations Cybersecurity Supply Chain (New) ( Under Development) SOC 2 SOC 1 SOC 3 9
Polling Question #1 10
Overview of SOC Reports 11
Overview of SOC Reports SOC SOC for or Se Servic ice Or Organiza ganizatio ions • SOC 1: A report on controls at a Service Organization that are relevant to user entities' internal control over financial reporting. • SOC 2: A report on a business's nonfinancial reporting controls as they relate to the Trust Services Criteria security, availability, processing integrity, confidentiality and/or privacy of a system. • SOC 3: A report that is based on the Trust Services Criteria, like the SOC 2, but is intended for a general audience and is therefore shorter and includes less detail than a SOC 2. 12
Overview of SOC Reports SOC OC f for or Cy Cyber bersec securit ity • Report on an entity’s effectiveness of its cybersecurity risk management programs. SOC C for V Vendo endor S Suppl upply Ch Chai ain • Internal controls report on a vendor’s manufacturing processes for customers of manufacturers and distributors to better understand cybersecurity risks in their supply chains. (Under Development by the AICPA) 13
Overview of SOC Reports Typ ypes of of SOC OC R Repor orts ts • Type I: An attestation of controls at a service organization at a specific point in time. Attests on the design of controls. Type II: • An attestation of controls at a service organization over a period of time. Attests on the design and operating effectiveness of controls. 14
Components of a SOC Report Section I: Independent Auditor’s Report Section II: Management Assertion Section III: Management’s Description of the System Section IV: Description of Testing Performed and the Results of Testing for a Type II Examination. Section V: Other Information Provided by the Service Organization 15
Components of SOC Reports Service Audi uditor’s R ’s Repor port • On the fairness of the presentation of the system description (except SOC 3) • The suitability of design and operating effectiveness of the controls to achieve the objectives of the system or program 16
Components of SOC Reports Mana nageme ment nt’s s As Assertion • Management’s fair presentation of the system description (except SOC 3) • The suitability of design and operating effectiveness of the controls to achieve the objectives of the system or program 17
Components of SOC Reports Mana nageme ment nt’s s Descript ption of of th the System em • Of the service organization’s system – (SOC 1, SOC 2 and SOC for Vendor Supply Chain) • Of the entity’s cybersecurity risk management program – (SOC for Cybersecurity) 18
SSAE 18 Updates and Impacts 19
SSAE 18 Updates and Impacts Statement on Standards for Attestation Engagements SSAE 18 (supersedes SSAE 16) • Significantly restructures the attestation standards into • the following sections: AT-C 105 - Common Concepts: matters that relate to – all attestation engagements. AT-C 205 - Examinations: the performance and – reporting requirements and application guidance. AT-C 320 - Reporting on an Examination of Controls – at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting 20
SSAE 18 Updates and Impact SSAE 18 vs SSAE 16 Differences (cont.) Requires the service organization to include two sets of control detail related to subservice organizations. – Complementary User Entity Controls – Complementary Subservice Organization Controls – Both need to be included in management’s description of the system – The service organization needs to monitor the effectiveness of the controls at the subservice organization. 21
Polling Question #2 22
SOC 2 Updates 23
SOC 2 Updates – What Changed? • April 2017 – SOC 2 Trust Services Criteria (TSC) Updated • April 2018 – SOC 2 System Description Criteria Updated (DC Section 200) 24
Effective Dates • Report periods ending on on or af or after 12/16/2018 – Must use updated 2017 TSC and 2018 Description Criteria • Report periods ending on on or p or prior t rior to o 12/15/2018 – Can use current versions of TSC and Description Criteria 25
2017 TSC Updates • Codified in TSP 100 - 2017 Trust Services Criteria for Security, Availability, Processing Integrity Confidentiality, and Privacy – Restructured and aligned the TSC with the COSO Internal Control Framework – Added supplemental criteria to better address cybersecurity risks – Expanded requirements for existing criteria – Added Points of Focus – Removed the term “Principles” and renamed to “Categories” 26
Organization of 2017 TSC 27
2018 Description Criteria Updates • Codified in DC Section 200 - Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report – New disclosures about the service organization’s principal service commitments and system requirements – New disclosures about certain security incidents 28
How to Prepare for SOC 2 Updates 29
How to Prepare for 2017 TSC • If you issued a SOC 2 Report Using the 2016 TSC in 2017: – If SOC 2 examination period end date is on or before 12/15/18: • Perform examination using 2016 TSC and 2015 DC • Simultaneously, perform a readiness assessment using the 2017 TSC and 2018 DC • Review and update system description to ensure it meets the 2018 DC – If SOC 2 examination period end date is on or after 12/16/18: • Must perform examination using 2017 TSC and 2018 DC • Risk having pervasive exceptions that could cause the report to be qualified • Consider ending examination period prior to 12/16/18 30
Recommend
More recommend