Evolution of SOC Reporting and SSAE18

Denver IIA Chapter Meeting, July 18, 2017

kpmg.com

© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS 551743

Agenda

— Evolution of SOC Reporting
— Transition from SSAE 16 to SSAE 18
— A “How To” Guide on using a SOC Report

With you today

Nina Currigan, Managing Director, Advisory, IT Audit and Assurance

Evolution of SOC Reporting


Organizations are increasingly outsourcing systems, business processes, and data processing to service providers in an effort to focus on core competencies, reduce costs, and more quickly deploy new application functionality.

Many organizations have historically relied upon Statement on Auditing Standards (SAS) 70 reports to gain broad comfort over outsourced activities. SAS 70 was intended to focus specifically on risks related to internal control over financial reporting (ICOFR), and not broader objectives such as system availability and security.

With the retirement of the SAS 70 report in 2011, Service Organization Control (SOC) reports have been defined by the American Institute of Certified Public Accountants (AICPA) to replace SAS 70 reports and more clearly address the assurance needs of the users of outsourced services.

Three types of SOC reports, SOC 1®, SOC 2®, and SOC 3®, have been defined to address a broader set of specific user needs.

Where we are today: a broader suite of “System and Organization Controls” reports is now offered, including reports that map to other frameworks and opinions issued on additional SOC 2®+ criteria and other standards.

SOC History


System & Organization Controls (SOC)

SOC 1® - SOC for Service Organizations: ICFR
• Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (ICFR)

SOC 2® - SOC for Service Organizations: Trust Services Criteria
• Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
• Variants: SOC for Service Organizations: SOC 2® HITRUST (SOC 2+); SOC for Service Organizations: SOC 2® CSA STAR Attestation (SOC 2+); Enhanced SOC 2 Reporting

SOC 3® - SOC for Service Organizations: Trust Services Criteria for General Use Report
• These reports are designed to meet the needs of users who need assurance about the controls at a service organization; a short report that can be distributed generally.

New: SOC for Cybersecurity
• A reporting framework for communicating information about the effectiveness of an entity’s cybersecurity risk management program to a broad range of stakeholders

Under Development: SOC for Vendor Supply Chains
• An internal controls report on a vendor’s manufacturing processes, for customers of manufacturers and distributors to better understand the cybersecurity risk in their supply chains.


Overview of SOC 1®, SOC 2®, and SOC 3® reports

Focus
— SOC 1®: Internal control over financial reporting
— SOC 2® and SOC 3®: Operational controls

Summary
— SOC 1®: Detailed report for users and their auditors
— SOC 2®: Detailed report for users, their auditors, and specified parties
— SOC 3®: Short report that can be more generally distributed

Defined scope of system
— SOC 1®: Classes of transactions; procedures for processing and reporting transactions; accounting records of the system; handling of significant events and conditions other than transactions; report preparation for users; other aspects relevant to processing and reporting user transactions
— SOC 2® and SOC 3®: Infrastructure, software, procedures, people, and data

Control domain options
— SOC 1®: Transaction processing controls; supporting information technology general controls
— SOC 2® and SOC 3®: Security, availability, confidentiality, processing integrity, privacy; SOC 2®+ additional criteria

Level of standardization
— SOC 1®: Control objectives are defined by the service provider, and may vary depending on the type of service provided.
— SOC 2® and SOC 3®: Principles are selected by the service provider; specific predefined criteria are evaluated against rather than control objectives.


SOC reports for different scenarios

SOC 1® (Financial Reporting Controls; financial/business process and supporting system controls)
— Financial services
— Asset management and custody services
— Healthcare claims processing
— Payroll processing
— Payment processing
— Cloud ERP service

SOC 2® and SOC 3® (Security, Availability, Confidentiality, Processing Integrity, Privacy)
— Data center colocation
— IT systems management
— Cloud-based services (SaaS, PaaS, IaaS)
— HR services
— Security services
— E-mail, collaboration, and communications
— Any service where customers’ primary concern is security, availability, or privacy


Overview of SOC 2® and SOC 3® trust services principles

Principle — Domain

Security — The system is protected against unauthorized access, use, or modification.

Availability — The system is available for operation and use as committed or agreed.

Confidentiality — Information designated as confidential is protected as committed or agreed.

Processing Integrity — System processing is complete, valid, accurate, timely, and authorized.

Privacy — Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and CPA Canada.


How companies are considering SOC 2® and SOC 3® reports

Use case (principles covered):

— Third-party Relationships (all)
— Data Management and Analysis Services (Security, Availability, Confidentiality, Processing Integrity)
— Asset Management (Security, Confidentiality)
— Cyber Security (Security)
— SOC 2 over Processing Centers (Security, Processing Integrity)
— HIPAA Business Associates (Security, Confidentiality, SOC 2+ HITRUST)
— Regulatory and Client Due Diligence Purposes (Availability, Security)
— Corporate Services, Fiduciary Asset Management, and Client Accounting Services (Security, Processing Integrity)
— Data Center Hosting (Security, Availability)
— Electronic Banking (Security, Confidentiality)
— Business Outsourcing Services (Security, Processing Integrity)
— Billing and Claim Payment Services (Security, Processing Integrity)
— Infrastructure (Availability, Security)


Enhanced Reporting / SOC 2® +

Option 1: Add mapping documents to other reporting frameworks in the unaudited section of the report.

Option 2: Issue an opinion not only on the SOC 2® criteria but also on additional criteria (SOC 2® +).

Frameworks used for either option include:
— ISO 27001
— CCM 3.0.1 (CSA)
— NIST 800-53 R4
— COSO 2013
— COBIT 5
— HITRUST


Example SOC 2® + CSA CCM

Report structure: SOC 2® Common Criteria (Security), SOC 2® Availability Criteria, SOC 2® Confidentiality Criteria, plus additional criteria based on the CSA Cloud Controls Matrix in the following domains:

— Application and Interface Security
— Audit Assurance and Compliance
— Business Continuity Management and Operational Resilience
— Change Control and Configuration Management
— Data Security and Information Life Cycle Management
— Datacenter Security
— Encryption and Key Management
— Governance and Risk Management
— Human Resources
— Identity and Access Management
— Infrastructure and Virtualization Security
— Interoperability and Portability
— Mobile Security
— Security Incident Management, E-Discovery and Cloud Forensics
— Supply Chain Management, Transparency and Accountability
— Threat and Vulnerability Management


Example SOC 2® + NIST 800-53 framework

Report structure: SOC 2® Common Criteria (Security), SOC 2® Availability Criteria, SOC 2® Confidentiality Criteria, plus additional criteria based on the NIST 800-53 framework. The additional criteria are organized by the five NIST Cybersecurity Framework functions and their categories (the Cybersecurity Framework maps each category to NIST SP 800-53 controls as informative references):

IDENTIFY
— Asset Management
— Business Environment
— Governance
— Risk Assessment
— Risk Management Strategy

PROTECT
— Access Control
— Awareness and Training
— Data Security
— Information Protection Processes and Procedures
— Maintenance
— Protective Technology

DETECT
— Anomalies and Events
— Security Continuous Monitoring
— Detection Processes

RESPOND
— Response Planning
— Communications
— Analysis
— Mitigation
— Improvements

RECOVER
— Recovery Planning
— Improvements
— Communications


HITRUST CSF

The HITRUST Common Security Framework (CSF) harmonizes requirements from HITRUST, ISO 27001/2, PCI, COBIT, the HIPAA Security Rule, the HITECH Act, state requirements, CMS Meaningful Use (MU), and NIST SP 800-53.

— Framework driven from Healthcare and protection of Protected Health Information (PHI)
— Impacts industries that are Business Associates (BAs) to covered entities
— Can be done as a SOC 2® + HITRUST Report or a HITRUST CSF Certification


Example SOC 2® + HITRUST common security framework

Report structure: SOC 2® Common Criteria (Security), SOC 2® Availability Criteria, SOC 2® Confidentiality Criteria, plus additional criteria based on HITRUST Common Security Framework (CSF) Version 7, for example:

— Clear Desk and Clear Screen Policy
— Remote Diagnostic and Config Port Protection
— Network Connection Control
— Mobile Computing and Communications
— Teleworking
— Contact with Authorities
— Contact with Special Interest Groups
— Addressing Security When Dealing with Customers
— Addressing Security in Third-party Agreements
— Identification of Applicable Legislation
— Intellectual Property Rights
— Regulation of Cryptographic Controls
— Inventory of Assets
— Ownership of Assets
— Acceptable Use of Assets
— Cabling Security
— Outsourced Software Development
— Control of Technical Vulnerabilities
— Including InfoSec in the BC Management Process

The additional controls listed above are not intended to be all-encompassing, and additional controls may be necessary based on each organization’s environment.


Cybersecurity Attestation

The AICPA released guidance for attestation services related to cybersecurity in April 2017.

Subject matter of the cybersecurity examination will include:
— A description of the entity’s cybersecurity risk management program in accordance with the description criteria
— An assessment of the design and/or effectiveness of the controls within that program to achieve the entity’s cybersecurity objectives based on the control criteria


SOC for Cybersecurity

— Based on two sets of criteria:
- Description Criteria
- Control Criteria

— The control criteria can be the SOC 2® criteria related to Security (Common Criteria), Availability, and Confidentiality, or
— Other established control criteria such as:
- NIST Framework for Improving Critical Infrastructure Cybersecurity (the NIST Cybersecurity Framework), or
- ISO 27001/27002

Transition from SSAE 16 to SSAE 18


Change from SSAE 16 to SSAE 18

The Auditing Standards Board (ASB) has a multiyear project to redraft all of the standards that it issues into a new “clarity format.” The intent of this format is to address concerns over the clarity, length, and complexity of its standards.

— Statement on Standards for Attestation Engagements No. 18 (SSAE 18):
- In April 2016, the ASB issued SSAE 18, Attestation Standards: Clarification and Recodification

- SSAE 18 redrafts all previous SSAEs except for:

— AT 701 Chapter 7, “Management’s Discussion and Analysis” of SSAE 10, Attestation Standards: Revision and Recodification, which will now be codified as AT-C 395

— SSAE 15, An Examination of an Entity’s Internal Control Over Financial Reporting That is Integrated with an Audit of Its Financial Statements(AT Section 501). This standard is being moved to the Auditing Standards AU-C 940.

Full Text of SSAE 18 http://www.aicpa.org/Research/Standards/AuditAttest/DownloadableDocuments/SSAE_No_18.pdf


SSAE 18 – Scope and Effective Date

Scope of SSAE 18
• Impacts all attestation engagements except as noted in the previous slide
• Will impact all System and Organization Control (SOC) reports (i.e., SOC 1®, SOC 2®, and SOC 3®)

Effective Date
• Service Auditor’s reports dated on or after May 1, 2017
• Early adoption permitted
• Since the required implementation is based on the date of the Service Auditor’s Report, the new standard has the potential to impact a wide range of reporting periods.


SSAE 18 – Impact on SOC Reporting

The summary below includes the more significant revisions to the attestation standards that directly affect SOC 1® reporting. These revisions include the following topics:

Summary of revisions

— Complementary subservice organization controls (CSOC)

— Completeness and accuracy of information produced by the service organization

— Complementary user entity controls (CUECs)

— Review of internal audit reports and regulatory examinations

— Risk assessment

— Materiality language in management’s assertion

— Management’s assertion versus management’s description

— Obtaining evidence regarding the design of controls

A “How To” Guide on using a SOC Report


Leading practices for user organization adoption of SOC reports

Inventory vendor relationships

— Inventory existing outsourced vendor relationships to determine where the organization has obtained, and requires third-party assurance going forward.

Assess vendor risks — Assess the key risks associated with significant outsourced vendors (e.g., Security, Availability, other risks).

Identify relevant reports

— Determine whether a SOC 1® report is required for financial reporting purposes.

— Determine whether detailed SOC 2® reports or summary level SOC 3® reports are required for key service providers. Also determine which principles should be covered within the SOC 2®/SOC 3® reports (i.e., Security, Availability, Confidentiality, Processing Integrity, and/or Privacy).

Contractual provisions

— Assess what, if any, specific audit reports are required by contract, and whether contracts have right to audit clauses.

— Determine how any historical SAS 70 (and later SSAE 16) references should be updated to the relevant types of SOC report.

— Determine whether SOC 2®/SOC 3® reports should be required by contract.

Vendor monitoring

— Determine the frequency with which key outsourced vendors will be assessed.

— Build the process of obtaining and reviewing SOC reports, and following up on any areas of concern into the vendor monitoring process.



Leading practices for user organization adoption of SOC reports (continued)

Vendor due diligence

— Consider requesting relevant SOC reports as part of the due diligence process for assessing, and on-boarding new outsourced service providers.

Communication plan

— Where assurance reports are desirable, key points should be communicated, and confirmed with the service providers:

- Scope of the system covered

- Specific report to be provided (SOC 1®, SOC 2®, SOC 3®)

- Type of report to be provided, and period covered (i.e., Type 2 for a specified period, or in certain cases, Type 1 as of a specified point in time)

- Control domains covered (included control objectives for SOC 1®, included principles for SOC 2®/SOC 3®)

- Existence of any key supporting subservice providers (e.g., data center providers, IaaS providers), and whether they are included in scope

- Expected report delivery date.



Leading practices for user organization evaluation of SOC reports

Opinion
— What is the scope of the report?
— What is the period covered; is the gap period greater than 3 – 4 months?
— Is a subservice organization disclosed, and was the “Inclusive” or “Carve-out” method used?
— If the “Carve-out” method was used, based on the significance and relevance of the service being provided by the subservice organization, you may need to obtain and evaluate an assurance report from that subservice organization.
— Was the opinion unqualified or qualified?

Description of System and Controls
— Understanding the system and its related processes and determining their relevance and significance to your control environment
— Do the control objectives and controls (SOC 1®), or principles and criteria (SOC 2®/3®), address the risks relevant to your processing environment?

Complementary User Entity/Subservice Organization Controls
— To achieve the stated control objectives, or principles and criteria, does the report highlight specific control activities for which the user entity or subservice organization is responsible?
— Were these complementary user entity controls present and operating effectively during the period, or
— Is there a SOC report for the carved-out subservice organization that addressed the CSOCs?

Control Objectives (SOC 1®) / Principles and Criteria (SOC 2® and SOC 3®)
— Does the report cover all of the relevant control objectives for the user organization’s purposes? (SOC 1®)
— Do the controls and testing adequately support the objectives? (SOC 1®)
— Does the report cover the relevant principle(s) and criteria? (SOC 2®/3®)
— Is the report properly scoped to cover all of the relevant areas for the user organization’s purposes? (SOC 2®/3®)
— Do the controls and testing adequately support the criteria? (SOC 2®)

Results of Tests (N/A for SOC 3®)
— Does the report need to include the service auditor’s test procedures and associated results?
— Were there exceptions noted by the service auditor; how might the exception(s) impact your risk assessments?

Changes noted during the period
— Have any significant changes in systems, subservice providers, or controls occurred during the examination period and, if so, do they have any impact on the user?

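The evaluation checklist above lends itself to a repeatable screening step in a vendor-monitoring process. The following Python is an added example, not code from the presentation or from KPMG: the report data model, the 120-day gap threshold (an assumption standing in for the checklist’s “3 – 4 months”), the severity labels and the sample vendor report are all constructed for illustration. It applies the opinion, gap-period, scope, carve-out, CUEC and exception checks to a report and returns the follow-ups a reviewer would need to chase.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple

# Assumed threshold standing in for the checklist's "3 - 4 months": a report whose
# examination period ended more than this many days before the date you rely on it
# needs a bridge letter or a newer report.
GAP_LIMIT_DAYS = 120


@dataclass
class SubserviceOrg:
    name: str
    method: str                      # "inclusive" or "carve-out"
    significant: bool = True         # does its service matter to your risk assessment?
    own_report_obtained: bool = False


@dataclass
class SocReport:
    vendor: str
    report: str                      # "SOC 1", "SOC 2" or "SOC 3"
    report_type: int                 # 1 = design as of a date; 2 = operating effectiveness over a period
    period_end: date
    opinion: str                     # "unqualified", "qualified", "adverse" or "disclaimer"
    criteria: Set[str]               # principles/criteria (SOC 2/3) or control objectives (SOC 1) covered
    period_start: Optional[date] = None
    subservice_orgs: List[SubserviceOrg] = field(default_factory=list)
    cuecs: List[str] = field(default_factory=list)       # complementary user entity controls named in the report
    exceptions: List[str] = field(default_factory=list)  # test exceptions noted by the service auditor


def review_report(r: SocReport, required_criteria: Set[str],
                  cuecs_in_place: Set[str], as_of: date) -> List[Tuple[str, str]]:
    """Apply the evaluation checklist; returns (severity, finding) pairs, empty if no follow-up is needed."""
    findings = []

    # Opinion: anything other than unqualified needs follow-up before you rely on the report.
    if r.opinion != "unqualified":
        findings.append(("high", f"{r.opinion} opinion; assess the basis for modification"))

    # Report type and period: a Type 1 says nothing about operating effectiveness,
    # and a stale Type 2 leaves a gap between the period end and today.
    if r.report_type == 1:
        findings.append(("medium", "Type 1 report: design only, as of a point in time"))
    gap_days = (as_of - r.period_end).days
    if gap_days > GAP_LIMIT_DAYS:
        findings.append(("medium", f"gap period of {gap_days} days since period end; "
                                   "request a bridge letter or a newer report"))

    # Scope: do the principles/criteria (or control objectives) cover the risks you care about?
    missing = set(required_criteria) - set(r.criteria)
    if missing:
        findings.append(("high", "report does not cover: " + ", ".join(sorted(missing))))

    # Carve-outs: a significant carved-out subservice organization needs its own report.
    for s in r.subservice_orgs:
        if s.method == "carve-out" and s.significant and not s.own_report_obtained:
            findings.append(("high", f"carved-out subservice org '{s.name}': obtain and evaluate its report"))

    # CUECs: the auditor's opinion assumes these controls operate at the user entity.
    for c in r.cuecs:
        if c not in cuecs_in_place:
            findings.append(("medium", f"CUEC not evidenced at user entity: {c}"))

    # Exceptions: SOC 3 reports carry no test results; for SOC 1/SOC 2, weigh each exception.
    if r.report != "SOC 3" and r.exceptions:
        findings.append(("medium", f"{len(r.exceptions)} test exception(s) to assess against your risks"))

    return findings


def example_review() -> List[Tuple[str, str]]:
    """Constructed sample vendor (not a real report) run through the checklist."""
    report = SocReport(
        vendor="ExampleCloud (constructed)",
        report="SOC 2",
        report_type=2,
        period_start=date(2016, 10, 1),
        period_end=date(2017, 3, 31),
        opinion="unqualified",
        criteria={"security", "availability"},
        subservice_orgs=[SubserviceOrg("colo-provider", "carve-out")],
        cuecs=["user entity administers its own user accounts",
               "user entity reviews change notifications"],
        exceptions=["1 of 25 sampled terminations not deprovisioned within policy"],
    )
    return review_report(
        report,
        required_criteria={"security", "availability", "confidentiality"},
        cuecs_in_place={"user entity administers its own user accounts"},
        as_of=date(2017, 9, 15),
    )


if __name__ == "__main__":
    for severity, finding in example_review():
        print(f"[{severity}] {finding}")
```

The sample report is unqualified, but the script still produces five follow-ups: a 168-day gap since the period end, a missing Confidentiality principle, a carved-out colocation provider with no report of its own, one CUEC the user entity has not evidenced, and one test exception to weigh. Run this over the vendor inventory from the “Leading practices” list, feed the findings into the vendor-monitoring process, and re-run when the annual report or a bridge letter arrives.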


SOC 2 and SOC 3 adoption – Frequently asked questions

What is the process to initiate a SOC 2®/3®?

— Identification and scoping of report subject matter and selection of criteria
— Define the scope of the system including infrastructure, software, people, procedures and data
— Perform SOC 2®/3® Diagnostic/Readiness Assessment
— Remediate items identified during the Diagnostic Assessment
— Execute the SOC 2®/3® report engagement

How much do they cost?

— Cost depends on the scope of the report (selected principles, number of controls, locations, etc.)
— Similar pricing structure to SOC 1® reports
— Ability to leverage dual-purpose testing between reports

How long does it take to perform a SOC 2®/3®?

— Duration of a SOC 2®/3® engagement also depends on the scope of the report, but is similar to a SOC 1®

Who typically owns the administration of SOC reports from the service provider?

— Firms issuing multiple SOC reports often select a central contact to administer their SOC reporting program

— Responsibilities may include inventorying reports, tracking distribution, approving requests for new reports, and monitoring customer inquiries.


Conclusion

— SOC Reporting has evolved
- SOC 1® focuses on matters relevant to user entities’ internal control over financial reporting.
- SOC 2® and SOC 3® reports apply more broadly to operational controls covering security, availability, confidentiality, processing integrity, and/or privacy across a variety of systems.
- SOC 2® and 3® can supplement a SOC 1® report by taking a “deeper dive” into key areas.
- Emerging SOC options exist: SOC 2+, SOC 2 Enhanced, SOC for Cybersecurity, etc.

— In April 2016, the ASB issued SSAE 18, which replaces SSAE 16
- Has an impact on all SOC reports
- Impacts reports dated on or after May 1, 2017
- Several revisions to SOC reports will need to be made as a result of this change

— Using a SOC report should include consideration of:
- Report type (SOC 1, SOC 2, SOC 3, Type 1, Type 2, etc.)
- Report scope
- Report period
- Opinion (Unqualified, Qualified, Adverse)
- Testing Exceptions


Questions and Answers


The KPMG name and logo are registered trademarks or trademarks of KPMG International.

Some or all of the services described herein may not be permissible for KPMG Audit clients and their affiliates.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

kpmg.com/socialmedia