- Number of slides: 30
SAS 70 ENDS – EXIT TO SSAE 16
Service Organization Control Reports: What Have We Learned?
Chris Bruhn, Director, IT Risk Services, BKD, LLP
Agenda
• What are Service Organization Control (SOC) Reports?
• Reading a Report
• Experiences – SOC 1 (SSAE 16)
• Experiences – SOC 2 & SOC 3
• Current Developments
• Questions / Discussion

SOC Report: Key Terms
• Service Organization – provider of services that may affect the risk to a user's financial reporting, or that pose a business or compliance risk
• Service Auditor – a CPA who examines and reports on controls at a service organization
• Users and User Auditor – clients of the service organization and their financial auditors
  ◦ May need assurance regarding controls over ICFR (SOC 1) or over security, availability, processing integrity, confidentiality or privacy (SOC 2)
• By the way…
  ◦ There is no such thing as SOC "certified"
Service Organization Control Reports
SAS 70 ENDS – EXIT TO SSAE 16
Service Organization Control Reports

                           SOC 1                          SOC 2                                  SOC 3
Purpose                    Report on controls relevant    Report on controls related to          Report on controls related to
                           to user entities' ICFR (1)     compliance and operations              compliance and operations
Use of Report              Restricted (2)                 Restricted (3)                         General
Report Detail              Includes testing detail        Includes testing detail                No testing detail
                           (Type 1 or Type 2)             (Type 1 or Type 2)
AICPA Interpretive         SSAE 16, AICPA Guide           AT 101, AICPA Trust Services           AT 101, AICPA Trust Services
Guidance & Reporting                                      Principles (TSP 100)                   Principles (TSP 100)
Vehicle

(1) Internal Control Over Financial Reporting
(2) Service Organization Management, Users, User Auditor
(3) Service Organization Management, Users, Knowledgeable Parties

SOC Report: Two Types
• Type 1
  ◦ Auditor's opinion includes:
    ▪ fairness of presentation of management's description of the service organization's system, and
    ▪ the suitability of the design of controls
  ◦ As of a point in time
• May be useful when:
  ◦ the organization is new
  ◦ an understanding of the system and controls is needed
  ◦ significant changes were recently made
  ◦ there is insufficient time or history to perform a Type 2

SOC Report: Two Types
• Type 2
  ◦ Auditor's opinion covers the same as Type 1 plus:
    ▪ operating effectiveness of key controls
  ◦ Covers a period of time
    ▪ Changes must be captured in the description and control testing
  ◦ A detailed description of the service auditor's tests of controls and results
Reading a Report
SOC Report Content
• Section I
  ◦ Auditor Opinion
• Section II
  ◦ Management Assertion
  ◦ Description of the system (Narrative)
  ◦ Complementary User Entity Control Considerations (CUECs)
• Section III
  ◦ Control Objectives, Control Activities, and results of testing (for Type 2)
  ◦ For SOC 2 – mapping of the organization's controls to the applicable Trust Services Principles criteria
• Section IV
  ◦ Other – unaudited information

Report Components: Auditor's Opinion
• Auditor's Opinion
  ◦ Qualified (Modified)
    ▪ The concept of materiality is not applicable when the auditor reports results of testing
  ◦ References to subservice organizations
    ▪ Inclusive or Exclusive
  ◦ Complementary User Entity Controls (CUECs)
  ◦ The auditor is in the role of providing assurance regarding management's assertions

Report Components: Management Assertion
• Management's Assertion states*:
  ◦ The system is fairly represented
  ◦ The system is suitably designed and implemented
  ◦ The related control activities were suitably designed to achieve the stated control objectives
  ◦ The control activities are operating effectively throughout the report period (Type 2 only)
  *The auditor's opinion attests to these statements.
• Subservice Organizations
  ◦ Inclusive or Exclusive

Report Components: Management Assertion
• The report will reference that management is responsible for:
  ◦ Preparing the system description
  ◦ Providing the stated services
  ◦ Specifying the control objectives
  ◦ Identifying the risks
  ◦ Selecting and stating the criteria for their assertion (e.g., monitoring activities)
  ◦ Designing, implementing and documenting controls that are suitably designed and operating effectively

Report Components: System Description
• SSAE 16 requires a description of the system
• Components common to descriptions
  ◦ Organizational overview
  ◦ Types of services covered
  ◦ COSO risk categories
  ◦ Specified control objectives and related control activities
  ◦ Complementary user entity controls (CUECs)

Report Components: Control Description
• Control Objectives
  ◦ Organization / scope of objectives
  ◦ Sufficiency of service process areas compared to services utilized
  ◦ Completeness for your purpose
• Control Activities
  ◦ Completeness
  ◦ Description of testing
  ◦ Results / exceptions
  ◦ Impact of exceptions on your services

Report Components
• Other Information
  ◦ Period of coverage
  ◦ Other unaudited information relevant to the user
    ▪ Management responses to opinion modifications or testing exceptions
    ▪ Glossary
    ▪ BCP / DR executive overview
    ▪ Organizational information
    ▪ Subsequent events
SOC 1 – Experiences and Key Issues
Using a SOC 1 Report
• Understand the scope of the assertion and description
  ◦ Unique service lines or applications
  ◦ Subservice organizations (inclusive vs. exclusive)
• Can I place reliance on the report?
  ◦ Is the scope of the report in line with the related services impacting financial reporting?
  ◦ Are the objectives and controls appropriate for the financial reporting risks associated with the services?
  ◦ Are user controls in place?

Key Issues: Supporting Control Design
Risk assessment supporting control design (flow):
  Services Provided
    → assessment of risks to the services leads to:
  Control Objectives
    → assessment of risk to each control objective leads to:
  Control Activities

Key Issues: Supporting Control Design
• Types of Control Objectives
  ◦ Entity
  ◦ IT General Controls
  ◦ Business Process
  ◦ Regulatory or customer defined
• Risk Assertions defined
  ◦ ICFR (complete, accurate, timely, valuation, etc.)
  ◦ Trust Services Principles

Key Issues: Design of Control Activities
• Completeness of activities to address risks to the control objective
• Specificity of activities
  ◦ Controls vs. processes
  ◦ Specific
  ◦ Testable
• Identifying and maintaining supporting documentation
• Relating user entity control considerations
SOC 2 – Experiences and Key Issues
SOC 2 Reporting
• TSP Criteria
  ◦ Security (Common Criteria): The system is protected against unauthorized access, use, or modification.
  ◦ Availability: The system is available for operation and use as committed or agreed.
  ◦ Processing Integrity: System processing is complete, valid, accurate, timely, and authorized.
  ◦ Confidentiality: Information designated as confidential is protected as committed or agreed.
  ◦ Privacy: The system's collection, use, retention, disclosure, and disposal of personal information conform to the commitments in the entity's privacy notice and to the criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and the Canadian Institute of Chartered Accountants.

Unique SOC 2 Key Issues
• Most issues are the same as for SSAE 16
• Identification of the applicable Trust Services Principles / Criteria
• A major issue was overlap of criteria – addressed with the TSP update effective 12/15/14
• New SOC 2 & 3 audit guide issued June 2015
  ◦ More guidance on identifying expectations at subservice organizations

Unique SOC 2 Key Issues
• Narrative
  ◦ Discussion of key TSP criteria managed by subservice organizations
  ◦ Identification of reliance on relevant subservice organizations' controls for achieving key TSP criteria
• Report
  ◦ Display of control activities supporting selected TSP criteria

Reporting to Multiple Audiences
• Multiple-report scenarios
  ◦ SOC 1 and SOC 2
    ▪ Services impacting the user's ICFR, plus other services with trust services principles concerns
  ◦ SOC 2 and SOC 3
    ▪ Services not impacting ICFR, with a need for use beyond current users, such as marketing to prospects
  ◦ SOC 1 and SOC 3
    ▪ Services impacting the user's ICFR, plus other services with trust services principles concerns or marketing needs
• Note – these must be separate reports

Unique SOC 3 Considerations
• Public report
• Very abbreviated report – essentially a "SOC 2 light"
• Assertion and opinion only opine on:
  ◦ Suitability of design
  ◦ Operating effectiveness of controls
  ◦ Not on the system description
• Description is brief and does not include the same detail as a SOC 2
• No longer has a required seal
  ◦ There is a SOC logo from the AICPA that an organization can display
  ◦ Must register and have a report within the last year

Unique SOC 3 Requirements
• Essentially must do a SOC 2 in order to issue a SOC 3
  ◦ SOC 2 report must have an unqualified opinion
  ◦ Must cover at least a 2-month period
• Currently cannot issue a SOC 3 unqualified opinion if
  ◦ There are carved-out subservice organizations in the SOC 2
  ◦ There are significant complementary user-entity controls necessary to achieve the applicable trust services principles' criteria

Current Developments
• SOC 2 Plus
  ◦ Cloud Security Alliance
  ◦ HITRUST
  ◦ Additional considerations for the future
• Privacy TSP exposure draft out now for comment
Questions / Discussion
Thank you for attending. Learn more at bkd.com
FOR MORE INFORMATION // For a complete list of our offices and subsidiaries, visit bkd.com or contact:
Chris Bruhn, CPA, CISA, CITP // Director
cbruhn@bkd.com // 816.221.6300