The Who, What, and Why of Service Organization Control (SOC) Engagements. Presentation to: 2nd Annual 'I Heart Audit' Conference

Transcription

1 The Who, What, and Why of Service Organization Control (SOC) Engagements Presentation to: 2nd Annual 'I Heart Audit' Conference February 24, 2016

2 Agenda What is SOC? Who needs SOC? Types of SOC Engagements Role of Service Organization Role of Service Auditor The SOC Report Next Steps Questions? 2

3 What is SOC? SOC = Service Organization Control NOT SOX! Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization Looks at the organization once and issues a report rather than being tested by each user 3

4 Who Needs SOC? Companies who perform outsourced processes for other companies Payroll processing Medical claims processing Data centers Billing services No technical requirement for SOC Breaches of data, increase in outsourcing have increased demand 4

5 Types of SOC Engagements SOC 1 - SSAE No. 16, Reporting on Controls at a Service Organization Controls at a service organization relevant to user entities internal control over financial reporting. SOC 2 - AT 101, Attestation Engagements Controls at a service organization relevant to security, availability, processing integrity confidentiality, or privacy. Detailed report issued to management. SOC 3 - AT 101, Attestation Engagements Controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy. General use seal, requires special licensing, limited use. 5

6 Types of SOC Engagements, continued Type 1: A report on management s description of the service organization s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date. Testing limited to walkthroughs. Type 2: A report on management s description of the service organization s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period. Sample testing over a period of time (at least 6 months) 6

7 Role of Service Organization DEFINING the scope of the service auditor s engagement DETERMINING the type of engagement to be performed, the period to be covered by the report, including or carving out any subservice organizations SELECTING the criteria to be used PREPARING the description of the service organization s system SPECIFYING the control objectives IDENTIFYING risks that threaten achievement of the control objectives PREPARING management s written assertion 7

8 Role of Service Auditor DETERMINING Whether to accept or continue an engagement for a particular client ASSESSING The suitability and availability of the criteria management has used in preparing the description READING The description of the service organization s system and obtaining an understanding of the system ESTABLISHING An understanding with management of the service organization regarding services to be performed and the responsibilities of management and the service auditor, which ordinarily is documented in an engagement letter OBTAINING A list of user entities and determining how the services provided by the service organization are likely to affect the user entities 8

9 Role of Service Auditor, continued READING Contracts with user entities to understand the nature and scope of the services provided by the service organization as well as the service organization s contractual obligations OBSERVING Procedures performed by service organization personnel READING Service organization s policy and procedure manuals and other documentation of the system (for example, flowcharts & narratives) PERFORMING Walkthroughs of transactions and identifying controls DISCUSSING The contents of management s assertion and description with management and other service organization personnel 9

10 Role of Service Auditor, continued Overall: The service auditor determines which controls at the service organization are necessary to achieve the control objectives stated in management s description of the service organization s system and assesses whether those controls were suitably designed to achieve the control objectives. Review to ensure control objectives, if in place, are adequate Test to determine whether they are in place 10

11 The SOC Report Issue report with opinion unqualified, qualified, adverse, or disclaimer Management s Assertion Description of environment, control objectives, and controls Results of testing of controls (Type 2 only) Other Information Provided by Service Organization (not tested) 11

12 Next Steps Perform a SOC readiness review Once controls in place, perform a Type 1 engagement as of a specified date Let time elapse (at least 6 months) Perform a Type 2 engagement over the testing period For example: Controls were deemed adequate and in place as of June 30 Issue a Type 1 report as of 6/30. Testing period for Type 2 = 7/1 through 12/31 Perform sample testing over 6 month period and issue a Type 2 report for the period 7/1 12/31. 12

13 Questions 13

14 Kelli Falk Padgett, Stratemann & Co., L.L.P. AUSTIN 811 Barton Springs Suite 550 Austin, Texas HOUSTON 1980 Post Oak Boulevard Suite 1100 Houston, Texas SAN ANTONIO 100 NE Loop 410 Suite 1100 San Antonio, Texas