Moss Adams SSAE 16 SOC Audits
-
Upload
aisdc -
Category
Technology
-
view
1.861 -
download
6
description
Transcript of Moss Adams SSAE 16 SOC Audits
MOSS ADAMS LLP | 1
SOC AuditsService Organization Reporting
MOSS ADAMS LLP | 2SLIDE 2
INTRODUCTION
Chris Kradjan, CPA, CITP, CRISC
Chris Kradjan is the National SSAE 16 Leader for Moss Adams. He has been with Moss Adams since 1994, and has been auditing and consulting since 1992. He works routinely with a wide range of complex service organizations to meet their needs. His practice areas include SSAE 16 SOC 1/2/3 auditing, PCI-DSS compliance services, internal controls reviews, Sarbanes-Oxley compliance services, SysTrust/WebTrust audits, and independent technology assessments. Furthermore, Chris is regularly involved with technology and financial controls assessments based on the COSO, COBIT, PCI-DSS, NIST, FISMA, and ISO 27002 frameworks. He serves on the AICPA SOC 2 Task Force and was recently appointed to the AICPA Assurance Services Executive Committee.
MOSS ADAMS LLP | 3SLIDE 3
• Overview of SOC reporting• Scope and coverage of SOC audits for AIS• Background about Moss Adams as your auditors• Key terminology• Customers’ responsibilities• AIS internal contact
OBJECTIVES
MOSS ADAMS LLP | 4SLIDE 4
• Increased competition• Sarbanes-Oxley – SEC/publicly traded companies• HIPAA Security and Privacy Rules – Healthcare• GLBA – Financial services• FERPA – Education• PCI-DSS – Payment card data• State and local security and privacy laws• NIST 800-53 – Federal compliance• ISO 27001 – Security• Safe Harbor – International
MARKET / REGULATORY PRESSURES
MOSS ADAMS LLP | 5SLIDE 5
• Represents that AIS has been through an in-depth audit of its system/controls
• For business unit(s) or entire organization• Discloses controls relevant to customers• Demonstrates design and operating effectiveness of
controls in place• Follows AICPA standards - can only be issued by CPAs• Even more important given Sarbanes-Oxley, heightened
regulatory conditions, and increasing competition
SOC AUDITS
MOSS ADAMS LLP | 6SLIDE 6
• Provide customers independent assurance about AIS’ controls
• Satisfy multiple customers through a single audit • Help AIS differentiate itself from its competition• Provide independent feedback to management to
define and monitor adherence to established operational metrics
• Identify potential opportunities to strengthen the business practices and operating environment at AIS
VALUE OF SOC AUDITS
MOSS ADAMS LLP | 7SLIDE 7
RELEVANT PARTIES
User Entities
American Internet Services
UserAuditors
UserAuditors
UserAuditors
UserAuditors
User Entities
User Entities
User Entities
Moss Adams
MOSS ADAMS LLP | 8SLIDE 8
• Audit of “system”/controls (vs. financial audit)
• AIS performs services (as “service organization”) for its own customers
• In turn, its customers (“user entities”) and their auditors (“user auditors”) want assurance over the AIS systems/controls
• AIS then hired Moss Adams (“service auditor”) to opine on AIS’ systems/controls
RELEVANT PARTIES - DEFINED
MOSS ADAMS LLP | 9SLIDE 9
• 11th largest accounting and consulting firm• Reputable and nationally recognized, celebrating 100 years• Over 1,800 professionals and 240 partners in 22 offices• Strong acceptance to relevant customers and industries/markets• Well established in the tech and data center space• Professionals serving in important leadership roles through the
AICPA, COSO, and other national committees • Proven technical expertise and industry credentials • Established SOC auditing and testing processes• Practical, solution-oriented approach
MOSS ADAMS
MOSS ADAMS LLP | 10SLIDE 10
Leads• Chris Kradjan, Partner• Francis Tam, Partner• JP Langlois, Supervisor
Highlights• Lead by SSAE 16 National Practice Leader• Comprised of seasoned SOC team• Security, operations and controls advisors• SOC, Sarbanes-Oxley, HIPAA, PCI, internal controls specialist• CPA, CISA, CISM, CITP, CRISC, PCI QSA
AUDIT TEAM
MOSS ADAMS LLP | 11SLIDE 11
Reports• SOC 1 Type 2 Audit (SSAE 16 and ISAE 3402)• SOC 2 Type 2 Audit• SOC 3 Type 2 Audit
Audit Period Ending: April 30, 2012, April 30, 2013, etc.
Sites• Lightwave Data Center (LWDC)• San Diego Tech Center (SDTC) • Fiber Alley Data Centers #1/#2/#3 (FADC)• One Wilshire Point of Presence (OWPOP)• Van Buren Data Center (VBDC)
SCOPE
MOSS ADAMS LLP | 12SLIDE 12
SOC 1/ISAE 3402
Control Areas:• Service Delivery• Solutions Design• Computer Operations• Logical and Physical Security• Change Management• Incident Management• Disaster Recovery Planning• Business Continuity Planning
CONTROL AREAS
SOC 2 and SOC 3
Principles:• Security• Availability
Control Areas:• Policies• Communication• Procedures• Monitoring
MOSS ADAMS LLP | 13SLIDE 13
Historical with SAS 70SAS 70 Reporting AU 324
New with SSAE 16• SOC 1 – Internal Controls Over Financial Reporting AT
801
• SOC 2 – AT 101 and Trust Services Principles (Detailed Reporting) AT 101
• SOC 3 – Trust Services Principles (SysTrust/WebTrust) AT 101
Type 1 and 2 reporting both still applicable
ALPHABET SOUP
MOSS ADAMS LLP | 14SLIDE 14
• AICPA SOC 2 ReportAT 101 Attest Engagements
Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy(Type 1 and 2 Reports)
• AICPA SOC 3 ReportTrust Services ReportTrust Services Principles, Criteria and Illustrations (Including WebTrust® and SysTrust®)
SOC 2 AND 3 REPORTING
MOSS ADAMS LLP | 15SLIDE 15
• Follows Trust Services Principles, Criteria and Illustrations (Including WebTrust® and SysTrust®)
• The engagement is used to emphasize system reliability
• Based on a prescribed set of control objectives and criteria
Principleso Securityo Availabilityo Processing Integrityo Confidentialityo Privacy
• Intended audience is system stakeholders
• No restrictions on report distribution
TRUST SERVICES
Control Areaso Policieso Communicationo Procedureso Monitoring
MOSS ADAMS LLP | 16SLIDE 16
ISAE 3402
SSAE 16United States
CICA 5970Canada
HKCPA 860.2HK/China
AUS 810Australia
AAF 01/06United Kingdom Others
MOSS ADAMS LLP | 17SLIDE 17
REPORT COMPARISON
Source: AICPA © 2011
SOC 1/ISAE 3402
1. Auditors report2. Detail system description 3. Management assertion4. Management controls5. Auditor tests of controls and
results of those tests – control objectives
SOC 3
1. Auditors report2. Detail system description 3. Management assertion4. Management controls5. Auditor tests of controls
and results of those tests
SOC 2
1. Auditors report2. Detail system description 3. Management assertion4. Management controls5. Auditor tests of controls and
results of those tests – criteria
MOSS ADAMS LLP | 18SLIDE 18
CUSTOMERS’ FIDUCIARY RESPONSIBILITY
• Periodically monitor AIS in formal manner• Obtain and maintain an understanding of AIS operations• Assess policies, procedures and controls in place• Identify recent changes and reportable issues• Use the latest SOC Type 2 reports to reduce their own
compliance efforts• Obtain a gap letter/negative assurance letter between reports
MOSS ADAMS LLP | 19SLIDE 19
CUSTOMERS’ BENEFITS OF SOC REPORTS
• Streamlined way to obtain detailed and regular input on the performance of the service organization
• Provides a clear description of the controls in place• Independently affirms the controls were (1) designed
appropriately, and (2) operating effectively.• Simplifies ability to fulfill fiduciary responsibilities• Helps focus on exceptions and issues• May provide them cost savings through reduced audit fees
MOSS ADAMS LLP | 20SLIDE 20
REVIEWING AN SSAE 16 REPORT
• Audit period covered and whether it is a SOC Type 2 report• Firm engaged to perform the SOC audits• Nature of the opinion and if there are any modifications• Any subservice organizations included or carved out• Scope of controls and level of detail within control description• Coverage and sufficiency of the specified control activities• Extent of changes since prior report• Nature, timing and extent of testing performed by service auditor• Nature and extent of exceptions, and their significance• Review and consideration of the user control considerations
MOSS ADAMS LLP | 21SLIDE 21
AIS INTERNAL CONTACT
Frank GaffVP Service Assurance & Chief Compliance Officer(858) 576-4272 [email protected]
“In successfully completing its current suite of SOC 1, SOC 2 and SOC 3 Type 2 audit reports, AIS has reinforced its strong commitment to the security and availability of its data center facilities and operations.”
Chris Kradjan, Partner, National IT/SOC Practice Leader, Moss Adams
MOSS ADAMS LLP | 2222
The material appearing in this presentation is for informational purposes only and is not legal or accounting advice. Communication of this information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although these materials may have been prepared by professionals, they should not be used as a substitute for professional services. If legal, accounting, or other professional advice is required, the services of a professional should be sought.
Chris Kradjan, CPA, CITP, CRISCPartner , SSAE 16 National Practice Leader (206) [email protected]