SOC Reports: What are they and what should you do with them? berrydunn.com GAIN CONTROL

Transcription

1 SOC Reports: What are they and what should you do with them? berrydunn.com GAIN CONTROL

2 AGENDA SOC REPORTS OVERVIEW RELEVANT SECTIONS TO REVIEW SOC REVIEW CHECKLIST 2

3 SOC REPORTS OVERVIEW 3

4 SOC REPORTS OVERVIEW Terms to know: SOC Service Organization Control Service organization the third-party service provider that performs a task or function for other entities Service auditor the CPA firm doing the SOC exam User organization customers of the service organization User auditors the customer s financial statement auditors 4

5 SOC REPORTS OVERVIEW Things to know SOC 1 (SSAE 16) SOC 2 What is it? Who needs it? What does it cover? What does it look like? Report on internal controls on financial reporting A company that acts as a service organization that processes data or provides services critical to their customers financial reporting For example: third-party administrators, e- commerce industries that process data, payroll administrators, insurance organizations Relevant internal controls on financial reporting as defined by the service organization Report consisting of: 1. Auditor s Opinion 2. Written Description 3. Controls and Results of Tests Report on internal controls based on Security, Availability, Processing Integrity, Confidentiality, Privacy A company that acts as a service organization that may host or support customer data For example: data centers, software-as-aservice (SaaS) organizations, printing services, managed service providers One of more of the AICPA defined Trust Service Principles (TSPs) and criteria Who uses it? Service organization, user organizations, user auditors 5

6 SOC REPORTS OVERVIEW Type 1 Audit of design effectiveness. Provides assurance that the controls are properly designed and in place at a point in time An inquiry and observation only audit Ideal for first time auditees Limited usefulness for user organizations Type 2 Audit of design and operating effectiveness. Provides assurance that the controls are properly designed, in place and operating effectively over a period of time Much more detailed prove it testing, observation inspection and reperformance More appropriate for financial auditors who are assessing controls at the service organization Provides reasonable assurance control objectives are met 6

7 SOC REPORTS OVERVIEW: PRIMARY COMPONENTS I. Independent Service Auditor s Report: Addresses the report type, reporting period, opinion, and any qualifications or disclaimers II. Description of the System: Free-form narrative description of processes and controls provided by the service organization III. Information Provided by the Auditor: Identifies the procedures (tests) performed by the auditor and results IV. Other Information: May contain other information provided by the service organization (section not tested by the auditor) 7

8 SOC REPORTS OVERVIEW Why Review a SOC Report? Risk Management Vendor Due Diligence Financial Statement Impacts 8

9 RELEVANT SECTIONS TO REVIEW 9

10 RELEVANT SECTIONS TO REVIEW Independent Service Auditor s Report What type of report is it? Is the time period parallel to your audit period? Is the scope of the report relevant to your operations? Are there any disclaimers? Is the opinion qualified (bad) or unqualified (good)? Control Objectives Results of Tests User Control Considerations (UCCs) 10

11 RELEVANT SECTIONS TO REVIEW: AUDITOR S REPORT 11

12 RELEVANT SECTIONS TO REVIEW: AUDITOR S REPORT 12

13 RELEVANT SECTIONS TO REVIEW: AUDITOR S REPORT 13

14 RELEVANT SECTIONS TO REVIEW Independent Service Auditor s Report Control Objectives Is there sufficient coverage of relevant controls? Is the big picture of the control environment captured? Results of Tests User Control Considerations (UCCs) 14

15 RELEVANT SECTIONS TO REVIEW: CONTROL OBJECTIVES CONTROL OBJECTIVES AND RELATED CONTROL ACTIVITIES Although the control objectives and related control activities are described in Section Three, they are, nevertheless, an integral part of ABC control environment. The description of the service auditor s tests of operating effectiveness and the results of those tests are also presented in the testing matrices in Section Three, adjacent to ABC description of controls. The description of the tests of operating effectiveness and the results of those tests are the responsibility of the service auditor and should be considered information provided by the service auditor. The control objectives include: Control Objective 1: Controls provide reasonable assurance that the creation and modification of contract records are properly authorized and that customer data is accurately and completely input into the system. Control Objective 2: Controls provide reasonable assurance that the creation of, and modifications to, participant accounts are properly authorized and information is accurately and completely input into the system. Control Objective 3: Controls provide reasonable assurance that the participant or plan statements are prepared completely, timely, and accurately. Control Objective 4: Controls provide reasonable assurance that contributions and loan repayments are authorized and are recorded completely, accurately, and timely to a participant account. Control Objective 5: Controls provide reasonable assurance that distributions and participant loans from the Plan are authorized and recorded completely, accurately, and timely. Control Objective 6: Controls provide reasonable assurance that the purchase and sale of investments and each participant s share of investment income or loss are properly authorized and recorded for the correct amount, in the proper period, and to the correct account. Control Objective 7: Controls provide reasonable assurance that the compliance tests required under Employee Retirement Income Security Act (ERISA), Department of Labor (DOL), and Internal Revenue Code (IRC) rules and regulations are prepared and Internal Revenue Service (IRS) forms are timely prepared and sent to clients. Control Objective 8: Controls provide reasonable assurance that changes to plan administration software are authorized, approved, and implemented in accordance with management s instructions. Control Objective 9: Controls provide reasonable assurance that logical access to plan administration software and related data files is restricted to properly authorized individuals. Control Objective 10: Controls provide reasonable assurance that critical applications and data are backed up regularly and backup media is archived off-site for a reasonable amount of time. Control Objective 11: Controls provide reasonable assurance that facilities and computing equipment are physically and environmentally safeguarded. 15

16 RELEVANT SECTIONS TO REVIEW Independent Service Auditor s Report Control Objectives Results of Tests Are there any deviations noted? How are they relevant to your operations? Do the deviations impact you? User Control Considerations (UCCs) 16

17 RELEVANT SECTIONS TO REVIEW: RESULTS OF TESTS (SOC 1) 17

18 RELEVANT SECTIONS TO REVIEW Independent Service Auditor s Report Control Objectives Results of Tests User Control Considerations (UCCs) Are you doing all these? 18

19 RELEVANT SECTIONS TO REVIEW: UCCs UCCs are controls at your organization that should be in place to supplement the controls at the service organization These controls are your responsibility and the control is only effective if you do your part Does your organization have these controls in place? Review UCCs in conjunction with signed Service Level Agreements 19

20 RELEVANT SECTIONS TO REVIEW: UCCs PURPOSE AND SCOPE OF THE REPORT This report is intended to provide ABC customers and other interested parties with information about ABC s controls that may affect the processing of transactions for its customers. The information contained in this report, when combined with an understanding of the controls in place at the customer, is intended to assist the customer s independent auditor in planning the audit of the customer, and in assessing control risk for assertions in the customer s financial statements that may be affected by controls at ABC. It is the responsibility of each user of this report to evaluate the information contained in this report, in relation to the controls in place at the customer. If certain complementary controls are not in place at the customer, ABC controls may not compensate for such weaknesses. 20

21 RELEVANT SECTIONS TO REVIEW: UCCs USER CONTROL CONSIDERATIONS ABC procedures are designed with the assumption that certain internal controls are implemented by customers of ABC. The application of such internal controls by the customer is necessary to achieve the control objectives identified. There may be additional control objectives and related controls that would be appropriate for the processing of transactions that are not identified. This section describes certain internal controls that the users should consider to achieve the control objectives identified in this report. The user control considerations presented below should not be regarded as a comprehensive list of all the controls that should be employed by users. 1. The client should review all plan setup reports, conversion reconciliations, and notices during the conversion process. 2. The client is responsible for submitting all plan provision changes in writing and authorizing the request prior to forwarding to ABC. 3. The client is responsible for determining employee eligibility unless the client has elected in a Plan Services Agreement (PSA) that these services be provided by ABC or a third party. 4. The client should review participant enrollment forms for accuracy and completeness and authorize the forms prior to providing them to ABC. 5. The client is responsible for providing missing information on all returned forms. 6. The client should forward all transaction requests for processing on a timely basis and retain copies of all documents on file. 7. The client is responsible for ensuring that loan requests are within the plan and loan program guidelines prior to authorizing and forwarding the request to ABC. 8. The client is responsible for verifying distribution requests and monitoring requirements for hardship distributions before paperwork is forwarded to ABC. 9. The client is responsible for notifying ABC of participant status changes (retirement, termination, or death, etc.) in writing and in a timely manner. 10. The client is responsible for providing ABC with written instructions regarding forfeitures and allocations of forfeitures. 11. The client should provide ABC with year-end and census information in good order and in a timely manner. 12. The client should notify ABC of any participants exceeding 415 limitations or with excessive contributions. 13. The client should verify and maintain all regulatory testing results. 14. Plan sponsors and participants should keep passwords and PINs confidential and change passwords and PINs on a periodic basis. 21

22 SOC REVIEW CHECKLIST 22

23 INTERESTED IN MORE? CONTACT US. Tina Papadopoulos, CISA Management and Information Technology Consulting Group