An overview of Sumerian literature in all its forms, by Piotr Michalowski, a Professor of Ancient Near Eastern Languages and. Civilizations at the University of Michigan in Ann Arbor
Organic Petrology: An Overview Suárez-Ruiz Isabel Instituto Nacional del Carbón (INCAR-CSIC) Oviedo SpainFull description
Overview of the Natural & Manmade Fiber sector in India.
An Overview of Land Titles and Deeds
Constitutive Modeling of Concrete an Overview
An Overview of SSAE 16 (Statement on Standards for Attestation Engagements No. 16)
Presentation Objectives Background Information
Types and Uses of Internal Control Reports (SOC 1, SOC 2, SOC 3)
User Entity Considerations
Industry Trends & Advantages
Background Backgroun d
Terminology Service Organization User Entity (Customer) Service Organization Control (SOC) reports SSAE 16
• Organization which which provides services services relevant to a user entity’s entity’s (customer) internal controls. Issuer of the internal controls report.
• The customer of the service organization. User of the internal control report.
• Internal control reports on the services provided by a Service Organization (SOC 1, SOC 2 and SOC 3).
• Professional standard used by auditors when issuing a report on internal controls related to financial reporting (SOC 1).
AT A T 101
• Professional standard used by auditors when issuing a report on internal controls related to non-financial related topics (SOC 2 & 3).
Trust Services Principles (SOC 2 & 3)
• Standardized principles principles used to measure an entity’s entity’s controls around specific IT areas.
WebTrust & SysTrust
• Standards used by auditors to evaluate a company’s company’s controls around the Trust Services Principles specifically associated with the web (WebTrust) and Systems (SysTrust). 4
Types of Service Organizations & User Entities Service Organizations
• • • • •
Outsourced service processors (e.g. Payroll, Actuarial, Claims) Datacenters and co-location facilities Software as a Service (SaaS) IT support Data analytics providers
• • • • •
Public companies (subject to Sarbanes-Oxley) Financial institutions Healthcare entities Governmental agencies Companies with other compliance requirements (e.g. PCI, FFIEC)
Trust Services Principles Principle
What It Means
# of Criteria
The system is protected against unauthorized access (both physical and logical).
The system is available for operation and use as committed or agreed.
System processing is complete, accurate, timely and authorized.
Information designated as confidential is protected as committed and agreed.
Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the t he entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICP AIC PA.
History of Internal Control Reports Focus
Evaluation of controls related to Financial Reporting
Evaluation of controls related to IT processes
Web Trust & Sys Trust
SOC 1 (SSAE 16)
SOC 2 (AT 101)
SOC 3 (AT 101)
Trust Services Principles 7
Types of Internal Control Reports
SOC 1 Report (SSAE 16) • Primarily by financial auditors of customers • Supports control reliance • Avoid duplication of effort by customer’s auditors.
• Objectives defined by management • Focus on procedures impacting customer’s financial information • Customers (and/or their auditors) may wish to modify
• Audit Report • SOC Logo (available for website)
Audit Report Composition • 4 Sections • Type I or Type II • Management Assertion required • User Entity Considerations
SOC 2 Report (AT 101) • Used by customer’s to evaluate IT controls • May impact decision to use service organization • May impact customer’s other compliance requirements
• Principle(s) selected by management • Pre-defined criteria (not modifiable) support Principles • Audit covers all criteria of selected Principle(s)
• Same as SOC 1
Trust Services Principles
Audit Report Composition • Same as SOC 1
SOC 3 Report (AT 101)
• SOC Seal (available for website) • Audit Opinion
• Same as SOC 2
• Same as SOC 2
Trust Services Principles
Audit Report Composition • Audit Opinion and scope of services only • No process description or test results • No Type I or II
Types of SOC 1 & 2 Reports Type I
• • • • •
Report on the design (only) of a user entity’s control structure Auditor Opinion is is as of a point in in time (similar to a balance sheet) Usually performed during first year only Involves performing “walkthroughs” of controls Not as useful to the auditors of user entities
• • • • •
Report on the design and operating effectiveness effectiveness of controls Auditor Opinion covers a period of time (generally 6 months) Report usually issued one time per year Period ending driven by year ends of customers (user entities) Provide description of tests performed and results of tests (including exceptions) • More useful to auditors of user entities 12
SOC 1 & 2 Report Components Section I
• Independent Service Auditor’s Report (Opinion) Section II
• Management’ Management’s s Assertion Section III • Description of the Service Organization’s Processes and Controls
Section IV • Information Provided by the Independent Service Auditor – Type I – Listing of Controls – Type II – II – Listing of Controls and Tests Tests Performed by the Independent Service Auditor (and Results of Tests) 13
User Entity Considerations Procedure
Review contract with Service Organization
Ensure that your service is included in the scope of the report (including location of service being provided).
Applicability of Control Objectives/Principles (SOC 1 & 2)
Determine if objectives meet your requirements and if i f they do not, discuss changes with service organization.
Evaluate impact of qualified auditor opinion
Determine if the issues impact your reliance on the report.
Evaluate impact of testing exceptions (section IV)
Determine if the exceptions impact your reliance reli ance on the report.
Evaluate User Entity Considerations section of report
Determine if your organization is performing the procedures required.
Verify audit period
Determine if the end of the audit period is within 6 months of your company’s year end (stale considerations). 15
Industry Trends Increase proliferation proliferation of SaaS applications and outsourcing of IT systems to Datacenters SOC 1 report continues to be most popular report issued Report consistency & robustness has not yet been achieved with new SSAE 16 guidance Service Organizations are moving toward obtaining SOC 2 reports (in addition to SOC 1)
SOC 3 report is not pervasive at this time
Reporting Advantages Leads to strengthening of internal control structure
Cost savings for user entities
Auditor reliance on controls for financial audit of service organization