Post on 28-Oct-2018
Presenting a live 110‐minute teleconference with interactive Q&A
SSAE 16 and ISAE 3402: Preparing for New Service Company Control Standards
Mastering Requirements Governing Your Next Controls Report
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
WEDNESDAY, FEBRUARY 16, 2011
Today’s faculty features:
Scott Price, Director, A-lign CPAs, Tampa, Fla.
Daniel Schroeder, Partner, Habif Arogeti & Wynne, Atlanta
George Fallon, Partner, Clifton Gunderson, Calverton, Maryland
Victor Eckstein, Principal, Grant Thornton, New York
For this program, attendees must listen to the audio over the telephone.
Please refer to the instructions emailed to the registrant for the dial-in information. Attendees can still view the presentation slides online. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.
Continuing Education Credits FOR LIVE EVENT ONLY
Attendees must listen to the audio over the telephone. Attendees can still view the presentation slides online but there is no online audio for this program.
Please refer to the instructions emailed to the registrant for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.
Tips for Optimal Quality
Sound Quality
For this program, you must listen via the telephone by dialing 1-866-873-1442 and entering your PIN when prompted. There will be no sound over the web connection.
If you dialed in and have any difficulties during the call, press *0 for assistance. You may also send us a chat or e-mail sound@straffordpub.com immediately so we can address the problem.
Viewing Quality
To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.
SSAE 16 and ISAE 3402: Preparing for New Service Company Control Standards Webinar
Feb. 16, 2011
Scott Price, A-lign CPAs, scott.price@aligncpa.com
George Fallon, Clifton Gunderson, george.fallon@cliftoncpa.com
Victor Eckstein, Grant Thornton, victor.eckstein@us.gt.com
Daniel Schroeder, Habif Arogeti & Wynne, dan.schroeder@hawcpa.com
Today’s Program
Historical Perspective On Service Company Controls [George Fallon]
Slide 6 – Slide 10
Key Terms Of SSAE 16 And ISAE 3402 [Daniel Schroeder and Scott Price]
Slide 11 – Slide 31
Other Legal And Regulatory Developments [Victor Eckstein]
Slide 32 – Slide 38
Preparing Type I And Type II Reports Going Forward [George Fallon and Daniel Schroeder]
Slide 39 – Slide 60
HISTORICAL PERSPECTIVE ON SERVICE COMPANY CONTROLS
George Fallon, Clifton Gunderson
History Of SAS No. 70
• Issued by AICPA in 1992
• Represents an in-depth audit of a third-party service organization
• Service organization defines scope of audit
Historical Uses
• To reduce internal control testing of service providers by user auditors
• Comply with contractual obligation
• Comply with regulatory requirements
Misuses And Misconceptions
• SAS 70 audit is for marketing
• SAS 70 audit is a certification
• SAS 70 audit is a security audit
• SAS 70 audit is mandatory under the Sarbanes-Oxley Act of 2002 (SOX)
Factors For Change
• Uses of SAS 70 straying from intent
• Globalization
• Growth in outsourcing
• New technologies
• Sarbanes-Oxley Sect. 404
• Convergence: International Standard on Assurance Engagements (ISAE) 3402
KEY TERMS OF SSAE 16 AND ISAE 3402
Daniel Schroeder, Habif Arogeti & Wynne; Scott Price, A-lign CPAs
SSAE 16 is replacing SAS 70.
• Released April 2010
• Effective for service auditor reports covering periods ending on or after June 15, 2011
• Early adoption permitted
SSAE 16 Changes From SAS 70
• ICFR controls focus
• Alignment with International Standard on Assurance Engagements (ISAE) 3402
• Attestation standard, no longer an auditing standard
• Auditor evaluation is based on suitable criteria relative to written management assertions, which are included in the report
• Suitability of design opinion (point in time vs. entire period)
• Materiality
• Use of internal audit: more information provided in the report as to the role of IA
• Opinion format
SSAE 16 Focused On Financial Reporting
SSAE 16, like SAS No. 70 before it, is focused on controls likely to be relevant to user entities' internal control over financial reporting (ICFR).
• Intended for limited, specific users: user auditors and user entities
• Limited purpose:
o User entity financial audits
o Examinations of internal control over financial reporting of user entities, integrated with a financial audit
o User entity evaluation of internal control over financial reporting (e.g., Sarbanes-Oxley Act compliance)
• Use beyond the intended purpose is likely to create misunderstanding
SSAE 16: Management Assertion
"... We confirm, to the best of our knowledge and belief, that ...":
1. The description fairly presents the [system name] made available to user entities from [date 1] to [date 2] ... The description includes relevant details of changes ...
2. Controls were suitably designed throughout the period to achieve the control objectives.
3. Controls operated effectively throughout the specified period to achieve the control objectives.
SSAE 16: Assessing Suitability Of Criteria
The service auditor should assess whether, in all material respects, management has used suitable criteria:
1. In preparing the description of the service organization's system, i.e., "Opinion on Fair Presentation of Management's Description of Service Organization's System"
2. In evaluating whether controls were suitably designed to achieve stated control objectives, i.e., "Opinion on Suitability of Design"
3. For Type 2 reports, in evaluating whether controls operated effectively throughout the period to provide reasonable assurance that control objectives are achieved, i.e., "Opinion on Operating Effectiveness"
SSAE 16: Fair Presentation Criteria
The description of the system should present how the system was designed and implemented, including:
• Types of services provided and classes of transactions processed
• Procedures (automated and manual) for transaction flow
• Related accounting records
• How the system captures and addresses significant events and conditions other than transactions
• Process used to prepare reports and other information for user entities
• Specified control objectives and controls and, as applicable, complementary user entity controls
• Other aspects of the service organization's control environment, risk assessment, information and communication systems, control activities and monitoring that are relevant to the services provided
SSAE 16: Fair Presentation Criteria (cont'd)
Management's description of the system is fairly presented if it:
• Provides details of changes to the service organization's system during the period (in the case of a Type 2 report)
• Does not omit or distort information relevant to the system, while meeting the common needs of a broad range of user entities and user auditors
Evidence Regarding Fair Presentation Of Management's System Description
Service auditor considerations include:
• Are all major aspects of the service provided that could reasonably be expected to be relevant to the common needs of a broad range of user auditors included in the scope of the engagement?
• Are control objectives reasonable in the circumstances: Do they relate to assertions of financial statements for users that the services could be expected to affect?
• Have all controls identified been implemented?
• Have complementary user entity controls, if any, been adequately described?
• Are services provided by sub-service organization(s), if any, adequately described, including whether the inclusive or carve-out method has been used?
SSAE 16: Suitability Of Design Criteria
Controls are suitably designed to achieve the control objectives stated in management's description of the service organization's system if:
1. Management has identified the risks that threaten the achievement of the stated control objectives.
2. The controls would (if operating as described) provide reasonable assurance that those risks would be mitigated.
Evidence Regarding Suitability Of The Design Of Controls
Service auditor considerations include:
• Assess which of the controls at the service organization are necessary to achieve the control objectives
• Identify risks that threaten the achievement of the control objectives
• Evaluate the linkage between the controls defined in management's description and the identified risks
o User auditor perspective: reasonable assurance that material misstatement is prevented, or detected and corrected
o Service auditor perspective: reasonable assurance that control objectives are achieved
Operating Effectiveness Criteria
Criteria should include, at a minimum, whether:
• The controls were consistently applied as designed throughout the specified period, and
• Manual controls were applied by individuals having appropriate competence and authority.
Evidence Regarding Operating Effectiveness Of Controls
Service auditor considerations include:
• Test controls necessary to achieve control objectives
• Understand changes to the system during the period
• Designing and performing tests of controls:
o Perform other procedures in combination with inquiry to obtain evidence of how the control was applied, the consistency of control application, and by whom or by what means the control was applied
o Determine whether the control depends on other controls
o Determine an effective method for selecting items to be tested; e.g., AU Sect. 350 (audit sampling)
Using Work Of Internal Audit Function
• When planning the engagement, the service auditor needs to determine whether the work of the IA function is likely to be adequate.
• To use the work of the IA function, the service auditor should evaluate and perform procedures on that work to determine its adequacy for the service auditor's purposes.
Effects Of Internal Audit Work On Service Auditor's Report
• No reference to internal audit in the opinion: the service auditor has sole responsibility for the opinion expressed, regardless of whether IA is involved.
• If internal audit work is used in performing tests of controls (for a Type 2 report), the description of tests should include a description of IA's work and the service auditor's procedures with respect to that work.
Role In Reducing Audit Risk
Type I Report
• Does not provide the user auditor with a basis for reducing the assessed level of control risk and thereby reducing substantive procedures.
• A Type I report is intended to assist user auditors in obtaining a sufficient understanding of the user organization's internal control, in order to plan the financial statement audit.
Type II Report
• A user auditor may be able to reduce risk below maximum for certain financial statement assertions, and may therefore be able to reduce the extent of substantive testing performed for those assertions.
• A user auditor should not use only the service auditor's report as a basis for assessing control risk below maximum. The user auditor should read the service organization's description of controls as well as the service auditor's tests of operating effectiveness and the results of those tests, and relate this information to assertions in the user organization's financial statements.
Changes To Service Organization's Responsibilities
• Unchanged from current standards
o Specifying the control objectives
o Designing, implementing and maintaining controls
o Complementary user organization controls
o Control environment elements
• Changes in new standards
o Written assertion by management is required and must include the suitable criteria used for its assessment.
o Audit report must include a written assertion by the sub-service organization, if the inclusive method is used.
o Description of systems/processes, as opposed to description of controls
o Identifying risks that threaten the achievement of the control objectives
o For Type II reports, fair presentation of the system and suitability of design is for the period covered by the report.
o Subsequent events disclosure following the date of the service auditor's report
Changes To Service Auditor's Responsibilities
• Unchanged from current standards
o Opinion on fairness of management's description of the system (formerly controls)
o Opinion as to suitability of the design and operating effectiveness of controls to achieve the control objectives
o Perform tests of controls and present an opinion on operating effectiveness
• Changes in new standards
o Standards move from audit standards to assurance/attestation standards
o For Type II reports, fair presentation of the system and suitability of design is for the period covered by the report.
o Meant to improve clarity of guidance
o Suggested wording for control objectives
o Additional considerations on using the work of internal audit: requires a description of the internal auditor's work and of the service auditor's procedures with respect to that work
ISAE 3402 Introduction
• ISAE 3402 - Assurance Reports on Controls at a Service Organization
• Work began in March 2006 to develop the standard.
• ISAE would enhance the consistency of service auditor performance, and consequently the consistency of user auditor performance when a service auditor's report is used as audit evidence in an audit of financial statements.
• Need for a substitute global standard rather than US SAS 70, for IFRS purposes
• Issued by the International Auditing and Assurance Standards Board in December 2009
• Effective for service auditors' assurance reports covering periods ending on or after June 15, 2011
• Complements ISA 402 - Audit Considerations Relating to an Entity Using a Service Organization
Differences Between SSAE 16 And ISAE 3402
• Deviations can be treated as "anomalies," and not testing exceptions, under certain circumstances.
• SSAE 16 requires an assessment of the risk and impact of deviations if they were intentional, while ISAE 3402 does not.
• Must disclose only events that take place after the period of the audit but before the date of the service auditor's report
• Requires disclosure of subsequent events that have a significant effect on the report; however, SSAE 16 requires disclosure after the report has been issued, if they existed as of the report date.
• Users of the report are more clearly defined in SSAE 16 than in ISAE 3402.
Differences Between SSAE 16 And ISAE 3402 (Cont.)
• SSAE 16 permits the use of direct assistance of internal audit, while ISAE 3402 does not address it.
• SSAE 16 requires engagement documentation to be completed on a timely basis after the date of the report and no later than 60 days following the report release date.
• ISAE 3402 notes engagement documentation is to be completed timely, but does not specify a date.
• Engagement acceptance and continuance procedures require that the service organization's management acknowledge and accept responsibility for providing written representations to the service auditor under SSAE 16, while ISAE 3402 requires only written representations and not acknowledgement.
• If service organization management doesn't provide written representations, the service auditor must disclaim an opinion under ISAE 3402, while under SSAE 16 the service auditor may also withdraw from the engagement.
OTHER LEGAL AND REGULATORY DEVELOPMENTS
Victor Eckstein, Grant Thornton
(A) Anticipated AICPA Audit Guide
• AICPA guide to cover non-financial reporting controls is to be made available in early 2011.
• Relevant topics covered
o Security
o Availability
o Processing integrity
o Confidentiality or privacy
(B) Changes To SEC Rule 206(4)-2 On Custody Of Assets
• The amendments modernize the rule by conforming it to modern custodial practices and requiring advisers that have custody of client funds or securities to maintain those assets with broker-dealers, banks or other qualified custodians.
• Key changes
o Surprise examinations
o Internal control reports (e.g., SAS 70)
o Delivery of account statements
o Form ADV changes
(C) Dodd-Frank Act And Push For Greater Transparency
With final approval of the Dodd-Frank Wall Street Reform and Consumer Protection Act in July of 2010, Congress took historic steps to ensure greater transparency and give investors and citizens new tools to hold companies and governments accountable for their actions.
The Act will greatly affect the following major topics:
• Derivatives transparency
• Clearing, trading and reporting of swaps
• Investment advisor registration
• Credit rating agencies
• Executive compensation
(D) AT Standards In Lieu Of SSAE 16
• The AICPA issued an interpretation under AT Sect. 101 letting service auditors issue reports that are not focused on financial reporting controls, but rather include tests of controls similar to a service auditor's report.
• Controls at the service organization are relevant to security, availability, processing integrity, confidentiality or privacy.
• AICPA Guide for AT 101 engagements is to be published in April 2011.
• Examples of engagements
(E) Service Organization Controls
• SOC reports introduced by the AICPA
• There are three different engagements: SOC 1, SOC 2 and SOC 3
• SOC 1 reports are performed under SSAE 16
• SOC 2 and SOC 3 relate to AT Sect. 101 attest engagements
(F) AICPA Guidance On SSAE 16
• AICPA Guide, Applying SSAE No. 16, Reporting on Controls at a Service Organization
• AICPA Alert - Service Organizations: New Reporting Options
• AICPA FAQ
• AICPA executive summary
PREPARING TYPE I AND TYPE II REPORTS GOING FORWARD
George Fallon, Clifton Gunderson; Daniel Schroeder, Habif Arogeti & Wynne
AICPA SOC Reporting Options
• AICPA SOC 1: Report on Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting
o Service auditors: see Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization
o User auditors: see clarified statement on auditing standards, Audit Considerations Relating to an Entity Using a Service Organization
• AICPA SOC 2: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy
• AICPA SOC 3: Trust Services Report
SOC 2 (Applying Trust Services Principles And Criteria In An SSAE 16 Framework)
• Examination report performed in accordance with AT Sect. 101 attest engagements
• Structure and content consistent with SSAE 16/SOC 1
• Scope: system and controls associated with one or more trust services principles
• No co-mingling/bundled reports for both ICFR and non-ICFR scenarios (ICFR is exclusive to SSAE 16)
• Management assertion
• Service auditor's report
SOC 2 Management Assertion
• Description of system (using criteria similar to SSAE 16)
• Control objectives (specified in forthcoming guide, based on trust services criteria)
• Control activities: leverage trust services criteria as foundation
• Tests of controls
• Risk assessment as basis for asserting that controls were applied
SOC 2 Differences With SOC 1 (SSAE 16)
• Subject matter: trust services principles (security, availability, processing integrity, confidentiality, privacy)
• Boundaries of the system
o Defined by service provided
o Broader than SSAE 16 (e.g., privacy includes the information life cycle; processing integrity includes the purpose of the service other than financial transaction processing)
o May relate to operations
• Control objectives prescribed
o Reasonable in the circumstances
o Provides comparability, even though subject matter is highly flexible
• Not intended to provide assurance on controls as they relate to user entity ICFR
SOC 3: Trust Services Principles And Criteria Engagements
• Performed in accordance with AT Sect. 101 attest engagements
• Examination report that includes an opinion as to whether controls over a defined system were operating effectively to meet the criteria for security, confidentiality, processing integrity, availability or privacy
• Practitioner may report on either: management's assertion, or the subject matter of the engagement.
SOC 3: Management Assertion
1. Management asserts that, during the period covered by the report and based on the AICPA trust services criteria, it maintained effective controls over the system under examination to satisfy the stated trust services principle(s) and criteria.
2. Addresses the principles covered by the engagement
3. For engagements covering an entity's compliance with its commitments, those commitments covered by the report should be identified in management's assertion.
SOC 1 And SOC 2 Opinion Structure
Scope of report/opinion, by report type:
• Fairness of the presentation of management's description of the service organization's system: Type 1 – as of a specified date; Type 2 – throughout a specified period
• Suitability of the design of the controls to achieve the related control objectives included in the description: Type 1 – as of a specified date; Type 2 – throughout a specified period
• Operating effectiveness of the controls to achieve the related control objectives included in the description: Type 1 – n/a; Type 2 – throughout a specified period
SOC 1 reports are restricted-use reports intended for the service organization, user entities of the service organization, and auditors of the user entities.
SOC 2 reports may also be restricted-use reports, in that the criteria used to evaluate or measure the subject matter are available only to specified parties who have an adequate understanding of the criteria.
Service Organization Controls: Decision Approach
Three dimensions: services, inherent risks, and governance and assurance reporting needs, viewed from each side.
Service organization:
• Effective controls to ensure integrity of services
• Fulfill control needs and requirements of users
• Provide reporting to user entities and prospective user entities that conveys assurance
User entity (and prospects):
• Can the service organization be trusted? Do we understand how the service is delivered?
• Do we understand inherent risks? Are risks effectively mitigated?
• Is reporting available that would, if needed, provide a basis for reliance? Is the provider complying with specified agreed-upon procedures?
Service Organization Controls: Decision Approach (Cont.)
Inherent risks from services, and the governance and assurance reporting alternatives that address them:
• ICFR: AICPA SOC 1 (Type I or Type II)
• Operational/compliance (service organization designed controls) covering security, confidentiality, availability, processing integrity and privacy: AICPA SOC 2 (Type I or Type II); AICPA SOC 3
• Compliance with user-specified agreed-upon procedures: AICPA AT 201 agreed-upon procedure (AUP) engagements
Converting To SSAE 16
SSAE 16 reinforces the significance of "fair presentation" and "suitability of design," which too often were overlooked under SAS 70. SSAE 16 emphasizes:
• Management's description of the system (complete and accurate for all services provided)
• Appropriateness of control objectives in the circumstances
• Risk basis for design of controls
Job #1: Establish Solid Foundation For Fair Presentation Opinion
• Thorough understanding/documentation of the system to which the report (would) apply
• Sub-service organizations identified? Inclusive or carve-out?
• Is the system description complete/accurate?
• Are control objectives appropriate in the circumstances? Do one or more control objectives pertain to financial statement assertions? If not, SSAE 16 may not be the appropriate report.
• Just because something was reported under SAS 70 is not a basis for reporting under SSAE 16.
• Are defined controls placed in operation?
Job #2: Establish Strong Basis For Suitability Of Design Opinion
• Conduct/confirm a risk assessment that identifies inherent risks that would impede fulfillment of control objectives
• Has the company established control activities that would prevent, detect and correct inherent risks associated with control objectives?
• Are user entity controls identified?
Preparation: Step 1
• Review existing monitoring and/or testing processes
o Sufficient to support the written management assertion required by SSAE 16?
o Suitable criteria as basis of assertion?
Preparation: Step 2
• Select and document criteria to support the assertion
• Review system description, control objectives and control descriptions
• User organizations encouraged to be involved in the process
Preparation: Step 3
• Identify risks to control objective achievement
o May need to revisit scope of controls to be covered by the report
• Evaluate risk management
• Document consideration of risks
• Determine if controls address risks
Preparation: Step 4
• Determine if sub-service organization assertions are required
• Inclusive vs. carve-out method
• Discuss requirements and timing with sub-service organization(s)
Preparation: Step 5
• Review existing SAS 70 control descriptions and make adjustments if needed
o Description of the services provided
o Description of the procedures by which services are provided
o Description of the process used to prepare reports provided to customers
o Other aspects of COSO
o Any changes that occur during the audit period