IIA Chicago Chapter 53rd Annual Seminar, April 15, 2013, Donald E. Stephens Convention Center
@IIAChicago
#IIACHI
Service Organization Controls (SOC) Reporting Discussion: Perspectives and Opportunities
Carly Iagulli-Warren, Senior Manager, Advisory, Ernst & Young LLP
Jason Lipschultz, Senior Manager, Advisory, Ernst & Young LLP
John Gatto, Divisional VP – Audit Services, Health Care Service Corporation
Agenda
• Introductions
• Outsourcing: Objectives, risks and governance
• SOC Reporting: A dynamic solution
• Trends and Opportunities
Outsourcing: Objectives and risks
Understanding user outsourcing related needs
• When a user entity outsources it needs to implement a governance process to:
– Validate the quality of service received is in accordance with its requirements
– Identify the risks associated with outsourcing and identify controls that address those risks
– Evaluate the effectiveness of the controls
– Address the regulatory and legal compliance requirements impacted by outsourcing
• The importance of these needs will vary:
– By type and location of service
– By user organization
– Over time
Although a task or function is outsourced, management of the user entity retains responsibility for managing and assessing risk and needs to monitor the services provided by the service organization.
Understanding user outsourcing related needs
• Common areas of interest
– Controls relevant to financial audits
– Security
– Availability
– Processing integrity
– Confidentiality
– Regulatory
– Contractual compliance
– Privacy
• Governance needs
– Audit requirements
– Governance/risk management
– Vendor management
– Regulatory compliance
– Internal report – management confidence
– Enhancing trust regarding services
• Risks
– Financial reporting
– Compliance
– Operational: cost, processing integrity, data security, confidentiality, lack of availability, failure to deliver on requirements
User organizations address outsourcing related needs
These needs and risks can be addressed:
• By the user entity:
– Independent quality measurement/assessment (e.g., perform QA testing on a sample of items processed)
– Implementation of compensating/mitigating controls in their own environment
– Performed by the user entity or by the user entity contracting out the activities
• By the service organization:
– System reporting
– SLA reporting
– Descriptions of services and controls
– Providing results of tests of operating effectiveness
– SOC reports
• By a combination of the user entity and service organization:
– Combination of the above, plus:
– Questionnaires
– Site visits
– Performance of requested procedures
SOC Reporting: A dynamic solution
SOC reporting: address outsourcing risks and improve market positioning and efficiency
SOC reports are a major component of an efficient and effective strategy to deliver customers the control information and assurance they need.
Challenges
► Service organization customers, regulators and others demand both an understanding of the controls over a service organization’s system and evidence the controls are operating effectively.
► Service organizations can either:
• Proactively design and provide this information and evidence as a part of their core service.
• Assist customers in extracting the information piecemeal from them.
► Most service organizations currently focus their efforts in piecemeal, causing:
• Duplication of effort
• Disruption of operations
• Distraction of key personnel
• Excess costs
SOC reporting: address outsourcing risks and improve market positioning and efficiency (continued)
SOCR value
A combination of SOC reports and other custom criteria reports is effective in meeting internal control service demands:
► Offers a service-oriented view of control reporting
► Provides a common method to communicate capabilities to customers and others
► Addresses multiple security evaluation frameworks with one report
► Helps improve the maturity of the internal control confidence process
► Reduces redundant questions and testing – decreasing costs and disruptions
SOC reporting types
The original slide is a table with the columns: Report type | Reporting standard | Intended users | Considerations | Subject matter | Distribution limitations. Each row is given below.

SOC 1 (Type 1 and 2)
Reporting standard:
► Int’l: ISAE 3402
► US: SSAE 16
► Other countries: None
Intended users:
► Auditors of the user entities’ financial statements
► Management of the user entities
► Management of the service organization
Considerations:
► Pre-assessment for new services
► Risk assessment process
► Management assertion
Subject matter:
► Controls at a service organization relevant to user entities’ internal control over financial reporting; examples include: custody, fund administration, middle office, payroll processing, shared services (IT, recons), application hosting
Distribution limitations:
► Restricted to current customers
► May be shared with prospective customers if a third-party access letter is obtained
► Not intended for investors or other prospective users

SOC 2 (Type 1 and 2)
Reporting standard:
► Int’l: ISAE 3000
► US: AT101
► Other countries: None
Intended users:
► Management of the user entities
► Management of the service organization
► Other relevant parties that require assurance over the subject matter, for example: business partners, regulators, employees
Considerations:
Same as SOC 1, plus:
► Start with Security and Availability
► Plan for Privacy
► Prepare for a possible qualification in the first year
Subject matter:
► Controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy; examples include: a credit card processor reporting on processing integrity and data confidentiality; an application service provider/outsourcer reporting on security and availability; a cloud computing vendor reporting on security and privacy
Distribution limitations:
► Restricted to current customers
► May be shared with prospective customers or other parties with “sufficient knowledge” of the subject matter if a third-party access letter is obtained

SOC 3 (Type 1 and 2: N/A)
Reporting standard: Same as SOC 2
Intended users: Same as SOC 2
Considerations: Same as SOC 2
Subject matter: Same as SOC 2
Distribution limitations:
► No restrictions on distribution – can be widely shared
► Report posted on website
► Report mentioned in marketing materials
Key decisions to develop the right assurance communication
The original slide is a diagram; its five decision questions and the labels shown under each are listed below.
• Who will use the communication? Direct consumer, User entity, Business partner, Management/BOD, Due diligence firm, Regulator, Other
• What are the user’s areas of interest? Financial statement assertions, Contractual compliance, Processing Integrity (*), Availability (*), Security (*), Confidentiality (*), Privacy (*)
• What is the user’s business purpose for the communication? Internal controls over financial reporting, Contractual compliance, Vendor management, Governance/risk management, Regulatory compliance, Meet audit needs, Enhance trust regarding service
• What “criteria” will the report measure against? Industry standards, Regulatory requirements, Contractually specified, Regulatory/self-regulatory
• What report type and distribution method will be used? SOC 1 (SSAE), Agreed-upon procedures, SOC 2, SOC 3, Findings and recommendations (internal use, no assurance provided), Internal report – management confidence
(*) = SOC 2 Principles
Enhancing Value in SOC Reports
• SOC reports are an aspect of the services purchased
• Identify internal stakeholders
• Identify risks
• Determine purpose for obtaining report and report scope requirements
• Communicate report scope requirements
• Evaluate report against expectations
• Require customers to fully leverage the SOC report
Trends and Opportunities
Trends: SOC 1, SOC 2, SOC 3 Integration
The original slide is a diagram; its labels are listed below.
• SOC 1 report components: System description, Testing, Opinion, Assertion
• SOC 2 report components: Description, Testing, Opinion, Assertion
• SOC 3 report components: Short description, Opinion, Assertion
• Scope of SOC 1 (SSAE 16)
• Scope of SOC 2 and SOC 3 (Trust Services Criteria): Security, Availability, Processing Integrity, Confidentiality, Privacy
• SOC 1 users: User entity controller, User entity SOX department, User auditor
• SOC 2 users: User entity security, User entity compliance, User entity vendor management, Regulators, Prospective user entities
• SOC 3 users: General public
Integrate reporting efforts
• Large overlap in controls
• Ability to address multiple regulations
• Align coverage periods
• Align scope
• Use same risk assessment and operating effectiveness process
• Align descriptions
– Use same text when possible
– There will be differences
– Make sure you meet user needs for both reports
• Select same controls to meet control objectives/criteria when possible
SOC reporting opportunities
Build competitive advantage – Used as a market differentiator.
Assist clients with vendor oversight activities – New and emerging regulations establish vendor management requirements; a SOC report will assist client management with monitoring the services provided by outsourced third-parties.
Enhance client communications – A well described system in a SOC report can increase transparency to clients and enhance their understanding of outsourced internal controls.
Manage client support costs – A SOC report can be used to reduce client audits, due diligence/ vendor risk questionnaires and on-site visits, while providing an added level of assurance.
Satisfy contractual agreements – New clients may request a SOC report as part of their contract; existing clients may amend their contracts.
Improve/lean your processes – SOC assessment activities generate process improvement ideas and opportunities to further centralize and standardize processes and controls.
Appendix: Using SOC Reports
Evaluating the scope
• Services, systems, locations covered
– Does it cover the areas of concern?
– What is missing?
• Control objectives (SOC 1) or principles (SOC 2)
– Map to areas of concern
– Match to contractual requirements
– Completeness, accuracy, timeliness, etc.
Evaluating the description
• Start with the results/outputs
– Identification of key reports and data feeds
– Accuracy of reports
• Work backward
– Description of process
– Key steps
– Inputs along the way
• Is it at the right depth?
• Special considerations regarding processing integrity in a SOC 2
• What is missing?
• What strikes you as curious?
• Compliance requirements
Evaluating the controls
• Are they what is expected?
– Map to your risks
– Map to known risk models
– Map to contractual requirements
• Are they described in sufficient detail to permit you to separately evaluate their design?
• What processes, technologies, services are missing/weak?
Complementary User Entity Controls (CUECs)
• Are they relevant to internal control or a protection mechanism for the service organization/auditor?
• Do they really describe what you should be doing?
• Is it consistent with documentation/contracts, etc.?
• Have you implemented them?
• Have you evaluated their operation and documented it for our financial auditor?
Management’s assertion
• What is the coverage period? Does it meet your needs?
• Are the criteria complete?
• Any subservice organizations? If so, are they carved-out or included?
• Anything unusual?
Service auditor’s report
• What standard is used?
• Who is this firm?
• Where was it issued?
• Any carve-out or unusual items noted in the scope description?
• Any qualifications?
• For SOC 2 reports, are there any opinions on subject matter other than internal control (e.g., compliance)?
• Any inconsistencies with professional standards or unusual items?
Service auditor’s test and results
• Are the tests described in a way that lets you understand the nature of what was performed?
• Are they the “right” tests for the control?
– Responsive to the control
– What would our financial auditor have done
• Are any deviations described sufficiently to permit the evaluation of the impact?
• What is the service organization management’s response?
• Have there been any other communications on the issue?
What can you do if the report is unsatisfactory
• Discussions with service organization
• Additional service auditor procedures
• Additional local procedures
• Test at the service organization
What do you think? Share your thoughts about this presentation on Twitter using the hashtag #IIACHI
@IIAChicago
Visit our Social Media booth in the Exhibit Hall to join the conversation today!
Not on Twitter?
Follow us on Twitter