Using DoD SSAE 16/18 Service Organization Control (SOC ... · Discussion Topics 2 Using DoD SSAE...
Transcript of Using DoD SSAE 16/18 Service Organization Control (SOC ... · Discussion Topics 2 Using DoD SSAE...
American Society of Military Comptrollers (ASMC) – PDI
June 2, 2017
Office of the Under Secretary of Defense (Comptroller)
Office of the Deputy Chief Financial Officer
Using DoD SSAE 16/18
Service Organization Control (SOC) Reports (to Support Your Audit and A-123 Compliance)
Bradley Keith
Director
PwC Public Sector, LLP
James Davila
Accountant, FIAR
Directorate, Office of the
Deputy Chief Financial
Officer, OUSD(C)
Discussion Topics
2
Using DoD SSAE 16/18 Service Organization Control (SOC) Reports
1) Service Organization Relationships Key Concepts• End-to-End Process Relationships
• Service Organization Identification
2) Addressing Service Organization Controls• Available Options
• Available SOC 1 Reports
• Relevant SOC 1 Reports
3) Using the Service Organization Controls Report• Desired Outcomes
• SOC 1 Report Sections
• Areas for Consideration
• CUECs and CSOCs
• Reliability of Data (and Reports)
• Common Evaluation Pitfalls
• Reporting / User Entity Responsibilities
4) OUSD(C) FIAR Support and Available Resources
Service Organization Relationships Key Concepts
The Reporting Entity is responsible for internal controls over financial reporting.4
End to End Business Process
Parts of audit relevant Reporting Entity business process are
performed by one or more Third Parties.
Reporting
Entity
Third
Party
Financial
Statements
Initiate / Execute
Initiate / Execute
5
What is the specific nature of the relationship (i.e., who does what)?
End to End Business Process
It is critical to determine which Third Parties meet the definition
of a “Service Organization” for A-123 and audit purposes (and which do not).
“Service Organizations”
“Service Providers”“Vendors”
“Third Parties”
“Working Capital Funds”
“Trading Partners”
6
The Financial Statement Auditor will follow the Auditing Standards
End to End Business Process
AU-C 402: Audit Considerations Relating to an Entity Using a Service Organization
.A7 The significance of the controls at the service organization to the user entity's internal control also
depends on the degree of interaction between the service organization's activities and those of
the user entity. The degree of interaction refers to the extent to which a user entity is able to and elects
to implement effective controls over the processing performed by the service organization.
For example, a high degree of interaction exists between the activities of the user entity and those at
the service organization when the user entity authorizes transactions and the service organization
processes and accounts for those transactions. In these circumstances, it may be practicable for
the user entity to implement effective controls over those transactions.
On the other hand, when the service organization initiates or initially records, processes, and
accounts for the user entity's transactions, a lower degree of interaction exists between the two
organizations. In these circumstances, the user entity may be unable to, or may elect not to, implement
effective controls over these transactions at the user entity and may rely on controls at the service
organization.
? and
Accounting Processing
and
InitiatesExecutes / Internally
Records
? ?
Who Does What?
7
You and / or your auditor can’t ignore / assume what happens inside the “Black Box”.
End to End Business Process
Why is this so important?
If a Service Organization relationship / dependency exists….
• The Reporting Entity must address Service Organization (and
Sub-service Organization) controls for OMB Circular A-123
(Appendix A) / ICOFR.
• The Reporting Entity financial statement auditor will also need to
address the Service Organization (and Sub-service Organization)
controls in financial statement audits and examinations.
Service
Organization
Controls
?
“Service Organizations”
“Service Providers”“Vendors”
“Third Parties”
“Working Capital Funds”
“Trading Partners”
8
If a Service Organization relationship exists, all of the pieces need to fit.
Roles and responsibilities must be aligned.
End to End Business Process
Sub-Service
Organizations
User
Auditors
Reporting /
User
Entities
Service
Organizations
Addressing Service Organization Controls
10
It is very inefficient for each / every Reporting Entity and their auditor to
redundantly test Service Organization controls versus relying on the SOC 1 Reports.
Addressing Service Organization Controls
How do I do this?
Financial Statement Audit (must comply with audit independence requirements)
• Reporting Entity financial statement auditors (User Auditor) documents and tests Service Organization
controls.
• Reporting Entity financial statement auditors (User Auditor) obtains / reviews Service Organization Controls
(SOC 1) Reports on the design and operating effectiveness of internal controls over financial reporting at
Service Organizations (and Sub-service Organizations).
Service
Organization
Controls
?
Compliance with OMB Circular A-123 (Appendix A) / ICOFR
• Reporting Entity team documents and tests Service Organization controls.
• Reporting Entity obtains controls documentation and testing performed by Service
Organization management and reviews for adequacy. Reporting Entity team or
Service Organization management addresses gaps.
• Reporting Entity obtains / reviews Service Organization Controls (SOC 1) Reports
on the design and operating effectiveness of internal controls over financial
reporting at Service Organizations (and Sub-service Organizations).
There are a few options.
11
Addressing Service Organization ControlsHow do I do this? What SOC 1 reports are available?
Significant progress has been achieved but much remains to be done.
DFAS Contract Pay
DFAS Standard
Disbursing
DFAS Financial
Reporting
DFAS FBWT Treasury
Distribution
DISA (ATAAPS)
DCMA Contract Pay
2013 2013
2014 20142014
2015
2016
DFAS FBWT Treasury
Reconciliation
DLA SOIDC
DFAS Vendor Pay
U.S. Army
GFEBS
2014
DFAS Military Pay
2013
DLA iRAPT
DMDC DTS
2014
2015
DMDC DCPDS US Bank SYNCADA
2013 2013
AT&L / DLA DPAS
2012
Retail Payment
Processing
2016
2016
2018
2017
DISA (EIS) DFAS Civilian Pay
2005 2005
FY
2018
FY
2018+
FY
2005
FY
2012
FY
2013
FY
2014
FY
2015
FY
2016
FY
2017
DLA DAAS
27
0
DLA DAI
U.S. Army
Conventional Munitions
2017
Treasury
Funds Management
Total Systems
Services
Elavon, Inc.
20162016 2016
2015
US Bank AXOL
2016
Compensation Benefit
& Payment
2016
(OWCP) Bill
Processing
2016
Citigroup Technology
Infrastructure (CTI)
2016
Treasury Admin
Resource Center
2016
Treasury Invest &
Borrowings
TBD
Unqualified /
Unmodified
Opinion
Qualified /
Modified
Opinion
Legend
12Multiple SOC 1s are underway or planned.
Addressing Service Organization ControlsHow do I do this? What SOC 1 reports are available?
Civilian Pay DCPS KPMG Unmodified Oct 2013 - Jun 2014 KPMG Unmodified Oct 2014 - Jun 2015 Yes KPMG Unmodified Oct 2015 - Jun 2016 Aug 12, 2016 Yes KPMG TBD Oct 2016 - Jun 2017 Aug 15, 2017
Military Pay DJMS-AC, DJMS-RC, DMO (Web) KPMG Unmodified Oct 2013 - Jun 2014 KPMG Modified Oct 2014 - Jun 2015 Yes KPMG Modified Oct 2015 - Jun 2016 Aug 17, 2016 Yes KPMG TBD Oct 2016 - Jun 2017 Aug 17,2017
Standard Disbursing Service
ADS, ADS IPAC MegaWizard
22 MicroApps:
DD 2657 Statement of Accountability, State Tax
Access Database, State Tax Microsoft Excel workbook,
Post Certification Validation Tracking Workbook,
GTN_Month_YR Excel Workbook, DJMSwkstmmyy
excel workbook, Defense Civilian Payroll System
(DCPS) Tracking Spreadsheet, 8522 IPAC Tracking
Workbook (Excel), SSN 8522 ACH Spreadsheet,
MMYYYY Batch Tracker, 6102 Voucher Workbook
(Excel), Cleveland Consolidated Workbook (Excel),
2657 Workbook (Excel), E&C Reconciliation Workbook
(Excel), DIT Tracker Workbook (Excel), IPAC Tracking
Workbook (Excel), Kansas City Central Site IPAC
Wizard (Access)
KPMG Unmodified Oct 2013 - Jun 2014 KPMG Unmodified Oct 2014 - Jun 2015 Yes KPMG Unmodified Oct 2015 - Jun 2016 Aug 15, 2016 Yes KPMG TBD Oct 2016 - Jun 2017 Aug 15, 2017
Contract PayMOCAS, EAS, EUD (APVM / PPVM), SCRT, BAM
ERMPGT Unmodified Nov 2013 - Apr 2014 GT Unmodified Oct 2014 - Jun 2015 Yes GT Unmodified Oct 2015 - Jun 2016 Aug 15, 2016 Yes GT TBD Oct 2016 - Jun 2017 Aug 15, 2017
Vendor PayOnePay, CAPS-W, CAPS-W Data Center, ODS,
DCD/DCW, STARS, BAM, APVMNA NA NA NA NA NA No NA NA NA NA Yes GT TBD Feb 2017 - Jul 2017 Sep 15, 2017
FBWT - Transaction Distribution DCAS, SAMS NA NA NA NA NA NA Yes KPMG Modified Mar 2016 - Sep 2016 Nov 14, 2016 Yes KPMG TBD Oct 2016 - Jun 2017 Aug 15, 2017
FBWT - Treasury Reconciliation DRRT, CMR NA NA NA NA NA NA No NA NA NA NA No NA NA NA NA
Financial Reporting
DDRS (AFS, B, DCM), 8 MicroApps:
NWCF Trading Partner DB, Eliminator, MOCAS Data
Call, Data Call Validation Tool, OMB Max Recon,
Inventory Control, Employee Benefits, Buyer & Seller
Side Elimations
Kearney Modified Mar 2014 - Nov 2014 Kearney Modified Dec 2014 - Jul 2015 Yes Kearney Modified Oct 2015 - Jul 2016 Sept 15, 2016 Yes Kearney TBD Oct 2016 - Jul 2017 Sept 15, 2017
GT = Grant Thornton
PwC - Price Waterhouse Coopers
Kearney = Kearney & Company
WACO= Williams Adley & Co.
E&Y = Ernst & Young
CBH = Cherry, Bekaert & Holland
RMA = RMA Associates
RESJ = Robins, Eskew, Smith & Jordan
FY 15
OpinionReporting PeriodIPA Firm
IPA
FirmReporting PeriodReporting PeriodIPA FirmAssessable Unit
Service
Provider
FY 14
Opinion
DFAS
DoD SSAE 16/18s as of May 2017
FY 2017
SSAE 16
for FY 17?
IPA
Firm
FY 17
Opinion
Projected
Reporting Period
for FY 17
Expected
Report
Issuance Date
FY 2014SSAE 16/18 FY 2016
SSAE 16 for
FY 16?
Report Issuance
Date / Expected
Issuance Date
System(s)
Included
FY 2015
FY 16
Opinion
13Multiple SOC 1s are underway or planned.
Addressing Service Organization ControlsHow do I do this? What SOC 1 reports are available?
Defense Civilian Personnel Data System (DCPDS) DCPDS PwC Modified Oct 2013 - Jun 2014 KPMG Unmodified Oct 2014 - Jun 2015 Yes KPMG Unmodified Oct 2015 - Jun 2016 Aug 15, 2016 Yes KPMG TBD Oct 2016 - Jun 2017 Aug 15, 2017
Defense Travel System (DTS) DTS N/A N/A N/A WACO Modified Oct 2014 - Jun 2015 Yes WACO Modified Oct 2015 - Jun 2016 Sep 08, 2016 Yes KPMG TBD Oct 2016 - Jun 2017 Aug 15, 2017
DCMA Contract Pay MOCAS, eTools GT Modified Feb 2014 - Oct 2014 GT Modified Feb 2015 - Sept 2015 Yes GT Modified Jan 2016 - June 2016 Aug 15, 2016 Yes GT TBD Oct 2016 - Jun 2017 Aug 15,2017
Wide Area Work Flow - Invoices Receipt Acceptance
and Property Transfer (WAWF - iRAPT)iRAPT RMA Modified Mar 2014 - Aug 2014 WACO Modified Oct 2014 - Jun 2015 Yes GT Modified Oct 2015 - Jun 2016 Aug 15, 2016 Yes RMA TBD Oct 2016 - Jun 2017 Aug 15, 2017
Defense Agency Initiative (DAI) DAI WACO Modified Jan 2014 - Jun 2014 WACO Unmodified Oct 2014 - Jun 2015 Yes GT Modified Oct 2015 - Jun 2016 Aug 15, 2016 Yes RMA TBD Oct 2016 - Jun 2017 Aug 15, 2017
Defense Automatic Addressing System (DAAS) DAAS E&Y Modified Sep 2013 - Feb 2014 WACO Modified Oct 2014 - Jun 2015 Yes GT Modified Oct 2015 - Jun 2016 Aug 15, 2016 Yes RMA TBD Oct 2016 - Jun 2017 Aug 15, 2017
Service Owned Items in DLA Custody (SOIDC) DSS NA NA NA NA NA NA Yes Kearney Modified Jan 2016 - Sept 2016 Apr 28, 2017 No NA NA NA NA
Defense Property Accountability System (DPAS) DPAS CBH Unmodified Oct 2013 - Jun 2014 CBH Unmodified Jul 2014 - Jun 2015 Yes CBH Unmodified Oct 2015 - Jun 2016 Aug 26, 2016 Yes CBH TBD Oct 2016 - Jun 2017 Aug 15, 2017
Operations Center (FY 15-16 Scope) Mechanicsburg, Ogden, Oklahoma City, Montgomery KPMG Unmodified Oct 2013 - Jun 2014 E&Y Unmodified Oct 2014 - Jun 2015 Yes E&Y Unmodified Oct 2015 - Jun 2016 15-Aug-16 Yes E&Y TBD Oct 2016 - Jun 2017 Aug 15, 2017
Automated Time Attendance and Production System
(ATAAPS)ATAAPS N/A N/A N/A E&Y Modified Oct 2014 - Jun 2015 Yes E&Y Modified Oct 2015 - Jun 2016 15-Aug-16 Yes E&Y TBD Oct 2016 - Jun 2017 Aug 15, 2017
Conventional Ammunition LMP, WARS-NT, SAAS-MOD Yes KPMG TBD Oct 2016 - Mar 2017 TBD
General Fund Enetrprise Business System (GFEBS) GFEBS No NA NA NA NA
Corporate Payment Systems (CPS)
U.S. Bank Freight Payment Transaction Procerssing
System
Syncada E&Y Unmodified Oct 2013 - Sept 2014 E&Y Unmodified Oct 2014 - Sept 2015 Yes E&Y Unmodified Oct 2015 - Jul 2016 Sept 19,2016 Yes E&Y TBD Aug 2016 - Jul 2017 Sept 15, 2017
Total Systems Services (TSYS), Subservice Org to
CPS, for credit management processingTS1 & TS2 Yes KPMG Unmodified Jan 2016 - Sep 2016 Oct 31, 2016 Yes KPMG TBD Jan 2017 - Sep 2017 Oct 2017
Elavon, Inc., Subservice Org to CPS, for daily
processing services related to carrier billingMerchant Processing System (MPS) Yes E&Y Unmodified Nov 2015 - Oct 2016 Dec 19, 2016 Yes E&Y TBD Nov 2016 - Oct 2017 Dec 2016
Retail Payment Processing (RPS), Subservice Org to
CPS, for processing check, electronic payments &
research payment discrepancies
Integrated Card System, Triad, ACAPS, Falcon,
SeQual, CASPER, CME, SAR, CA Web Viewer, IVR,
ARMS
Yes E&Y Unmodified Nov 2015 - Oct 2016 Dec 19, 2016 Yes E&Y TBD Nov 2016 - Oct 2017 Dec 2016
Commercial Card Transaction Processing System
(ELAN)
Access Online, SeQual, Corporate Payments Mgt
Information System (CPMIS), Automated Credit
Application Processing System (ACAPS)
N/A N/A N/A E&Y Unmodified Nov 2014 - Oct 2015 Yes E&Y Unmodified Nov 2015 - Oct 2016 Dec 15, 2016 Yes E&Y TBD Nov 2016 - Oct 2017 Dec 15, 2017
FY 15
OpinionReporting PeriodIPA Firm
IPA
Firm
U.S. Bancorp
DISA
Reporting PeriodReporting PeriodIPA FirmAssessable UnitService
Provider
FY 14
Opinion
DLA
DMDC
U.S. Army
DoD SSAE 16/18s as of May 2017
FY 2017
SSAE 16
for FY 17?
IPA
Firm
FY 17
Opinion
Projected
Reporting Period
for FY 17
Expected
Report
Issuance Date
FY 2014SSAE 16/18 FY 2016
SSAE 16 for
FY 16?
Report Issuance
Date / Expected
Issuance Date
System(s)
Included
FY 2015
FY 16
Opinion
14Multiple SOC 1s are underway or planned.
Addressing Service Organization ControlsHow do I do this? What SOC 1 reports are available?
Compensation Benefit & Payment for Medical
Services for Federal Civilian Employees
Integrated Federal Employees' Compensation System
(iFECS)
Office of the Assistant Secretary for Administration and
Management (OASAM) General Support System (GSS)
Yes KPMG Unmodified Oct 2015 - Jun 2016 Rec'd Oct 13 2016 Yes KPMG TBD Oct 2015 - Jun 2016 Early Sept
Office of Workers' Compensation Program (OWCP)
Bill Processing / Central Bill Processing SystemCentral Bill Processing System Yes RESJ Unmodified Oct 2015 - Mar 2016 Rec'd Oct 13 2016 Yes RESJ TBD Oct 2015 - Mar 2016 Early Sept
Citi
Travel Card
Citigroup Technology Infrastructure (CTI), Global
Information Security (GIS), Global Identity Admin
(GIDA)
Mainframe Systems Include: IBM z/OS, Unisys
ClearPath
Midrange include: Stratus, Nonstop Tandem, & IBM
series and various types of physical & virtual UNIX,
Linux Windows operating systems)
Yes KPMG Unmodified Jan 2016 - Sep 2016 Rec'd Jan 26, 2017 Yes KPMG TBD Jan 2017 - Sep 2017 Dec 2017
U.S. Treasury
Admin
Resource
Center
Accounting, Budgeting, Reporting, Travel,
Procurement, Systems Support & Platform Services
Oracle Federal Financials (Oracle) & Discoverer
Feeder Systems: PRISM, IPP, CGE, moveLINQ & E-
Payroll to Oracle Reporting (EOR). ARC provides
application admin of feeder systems.
Yes KPMG Unmodified Jul 2015 - Jun 2016 Sep 1, 2016 Yes KPMG TBD Jul 2016 - Jun 2017 Sep 2017
U.S. Treasury
Federal
Investments &
Borrowings
Investment Transactions for Government Securities InvestOne Accounting System & FedInvest Subsystem Yes KPMG Unmodified Aug 2015 - Jul 2016 Sep 23, 2016 Yes KPMG TBD Aug 2016 - Jul 2017 Sep 2017
U.S. Treasury
Funds
Management
Management & Accounting Services for Select Gov't
Trust Funds, Treasury managed accounts, accounts
of Treasury's Office of the Asst Sec for Int'l Affairs
InvestOne Accounting System & FedInvest Subsystem Yes KPMG Unmodified Aug 2015 - Jul 2016 Sep 23, 2016 Yes KPMG TBD Aug 2016 - Jul 2017 Sep 2017
FY 15
OpinionReporting PeriodIPA Firm
IPA
FirmReporting PeriodReporting PeriodIPA FirmAssessable Unit
Service
Provider
FY 14
Opinion
U.S.
Department of
Labor
DoD SSAE 16/18s as of May 2017
FY 2017
SSAE 16
for FY 17?
IPA
Firm
FY 17
Opinion
Projected
Reporting Period
for FY 17
Expected
Report
Issuance Date
FY 2014SSAE 16/18 FY 2016
SSAE 16 for
FY 16?
Report Issuance
Date / Expected
Issuance Date
System(s)
Included
FY 2015
FY 16
Opinion
15
User Entities are responsible for report distribution within their organizations.
DCMA - Service Provider
No. DoD Component Tier Standard Disbursing Services
(ADS)
Military Pay
(DJMS & DMO)
Financial Reporting
(DDRS)
Civilian Pay
(DCPS)
Contract Pay
(MOCAS, EAS, EUD
(APVM/PPVM), SCRT, BAM-
ERMP)
Vendor Pay
(CAPSW, OnePay, ODS,
DCD/DCW, STARS, CAPSW Data
Center, BAM-ERMP, APVM)
Fund Balance with Treasury -
Transaction Distribution
Defesne Cash Accountability System
(DCAS)
Defense Automatic Addressing System
(DAAS)
Wide Area Work Flow - Invoices Receipt
Acceptance and Property Transfer
(WAWF - iRAPT)
Defense Agency Initiative
(DAI)
Service Owned Items in DLA Custody - SOIDC
Distribution Standard System (DSS)
Corporate Payment Systems - Freight
Payments System
(Syncada)
Defense Property Accountability System
(DPAS)
Commercial Credit Card Processing System
(Access Online)
Defense Civilian Personnel Data System
(DCPDS)
Defense Travel System
(DTS)
Contract Pay
(MOCAS)
Automated Time Attendance
and Production System
(ATAAPS)
Enterprise Computing Service
1 Air Force GF 1
2 Air Force WCF 1
3 Army GF 1
4 Army WCF 1
5 Navy GF & WCF 1
6 USACE 1
7 USMC GF & WCF 1
8 DIA (Defense Intelligence Agency) 2
9 NGA (National Geospatial-Intelligence Agency) 2
10 NRO (National Reconnaissance Office) 2
11 NSA (National Security Agency) 2 See Note Below
12 DCAA 2
13 DeCA (GF & WCF) 2
14 DFAS (as reporting entity) 2
15 DHA-CRM 2
16 DHA (FOD, NCR, Comptroller) 2
17 SMA-Army 2
18 SMA-Navy 2
19 SMA-USAF 2
20 DISA (GF & WCF) 2
21 DLA (GF, WCF & Strategic Materials) 2
22 USSOCOM 2
23 USTRANSCOM 2 USTRANSCOM reviewing USTRANSCOM reviewing USTRANSCOM reviewing
24 USUHS 2
25 CBDP 3
26 DARPA 3
27 DCMA 3
28 DoDEA 3
29 DSCA 3
30 DTRA 3
31 MDA 3
32 Office of Chairman of JCS 3
33 WHS 3
34 DAU 4
35 DHRA 4
36 DLSA 4
37 DMA (Defense Media Activity) 4
38 DMEA (Defense Micro-Electronics Activity) 4
39 DoDIG 4
40 DPMO / DPAA (Def POW/MIA Accounting Agency) 4
41 DSS 4
42 DTIC 4
43 DTSA 4
44 NDU 4
45 OEA 4
46 AT&L DPAS (as a service provider) N/A
47 DCMA Contract Pay (as a service provider) N/A
48DFAS (Std Disb, Mil Pay, Fin Rpting, Civ Pay, Contract
Pay, FBWT-DCAS (as a service provider)N/A
49 DLA (iRAPT, DAI & DAAS) (as a service provider) N/A
50 DISA ATAAPS (as a service provider) N/A
51 DMDC DTS (as a service provider) N/A
Projected FY 2017 SSAE 18 Distribution List to DoD Components (Based on Components' Responses)As of Jan 27, 2017
DFAS - Service Provider DLA - Service Provider AT&L - Service Provider DoDHRA DMDC - Service Provider DISA - Service Provider
Addressing Service Organization ControlsHow do I do this? Which SOC 1s do I need?
16Expected FY 17 Subservice Organizations updates / changes are probable.
Addressing Service Organization ControlsHow do I do this? Which SOC 1s do I need?
Service Organization - SOC 1
(expected FY 17)
DIS
A E
nte
rpri
se S
ervi
ces
(ES
)
DIS
A J
oin
t In
tero
per
abili
ty T
est C
om
man
d (J
ITC
)
DF
AS
Acc
ou
ntin
g O
per
atio
ns
Dir
ecto
rate
Def
ense
Fin
ance
an
d A
cco
un
ting
Ser
vice
(DF
AS
)
DF
AS
(AT
AA
PS
)
DF
AS
(DC
PS
)
Def
ense
Lo
gis
tics
Ag
ency
(DL
A)
Def
ense
Co
ntr
act M
anag
emen
t
Ag
ency
(DC
MA
)
Def
ense
Man
po
wer
Dat
a C
ente
r (D
MD
C)
Fed
eral
Ret
irem
ent T
hri
ft In
vest
men
t Bo
ard
(FR
TIB
)
To
tal S
yste
m S
ervi
ces,
Inc.
(TS
YS
)
Ela
von
, In
c.
Car
pat
hia
(Ho
stin
g F
acili
ty C
on
trac
tor)
Co
nve
rgys
Co
rpo
ratio
n
U.S
. Ban
k R
etai
l Pay
men
t So
lutio
ns
(RP
S)
U.S
. Ban
k N
atio
nal
Ret
ail L
ock
bo
x
Xer
ox
Ver
izo
n
Fir
st F
eder
al
Sp
rin
t an
d S
un
Gar
d
Ed
gew
eb
DFAS - Civilian Pay X X X
DFAS - Military Pay X X X X
DFAS - Standard Disbursing X X
DFAS - Contract Pay X X X
DFAS - Vendor Pay* X
DFAS FBWT - Transaction Distribution X
DFAS FBWT - Treasury Reconciliation*
DFAS - Financial Reporting X
DMDC - Defense Civilian Personnel Data System (DCPDS)
DMDC - Defense Travel System (DTS) X
DCMA - Contract Pay X
DLA - Invoice Receipt Acceptance and Property Transfer (iRAPT) X X
DLA - Defense Agency Initiative (DAI) X X
DLA - Defense Automatic Addressing System (DAAS)
DLA - Service Owned Items in DLA Custody (SOIDC) X
DLA - Defense Property Accountability System (DPAS) X
DISA - Enterprise Services (Hosting)
DISA - Automated Time & Attendance Production System (ATAAPS) X X X
U.S. Bancorp - Freight Payment Transaction Processing X X X
U.S. Bancorp - Commercial Card Transaction Processing System X X X X
U.S Department of Labor Integrated Federal Employees'
Compensation System.
(Relates to Federal Employees' Compensation Act (FECA))
X X X X X
Subservice Organizations
DISA Other (Non-DoD)Other (DoD)
17
DFAS FBWT
Transaction
Distribution
(DCAS)
DISA
Enterprise
Services
Defense Civilian
Personnel Data
System
(DCPDS)
DFAS Civilian
Payroll
(DCPS)
DAI / ATAAPS
Time &
Attendance
Civilian Pay SOC 1 – Page 41- DISA ES provides the physical hosting and
administration of DCPS. Specific functions /
responsibilities include:
- Maintenance of the hardware and system
software supporting DCPS.
- Protection of computer platforms and resident
software and data from unauthorized physical
access and environmental hazards.
- Administration of logical access to ACF 2.
- Performance of certain computer operations
activities for the mainframe platforms
supporting DCPS, including monitoring of
processing, and resolution of any deviations
from the pre-defined processing schedule.
- Administration of data transmission utilities and
monitoring of data transmissions to and from
the mainframe platforms supporting DCPS.
- Performance of uptime monitoring and
assistance with the resolution of availability
issues related to DCPS.
- System software, application, and data backup
and recovery.
DFAS
Standardized
Disbursing
(ADS)
Civilian Pay SOC 1 – Page 29- Some user entities send their T&A data into DCPS
using batch files generated from separate, user-
entity operated T&A systems.
Civilian Pay SOC 1 – Page 41- DCPDS is and HR information support system for
maintaining civilian personnel data in the DoD.
DCPDS is used to provide HR / personnel support
such as applicant ratings, employee appointments,
reassignments, and promotions.
Civilian Pay SOC 1 – Page 33- The DD 592 file is sent to ADS for processing by
Disbursing Operations and to the Defense Cash
Accountability System (DCAS) for use in
downstream reconciliations and financial reporting.
- Check and EFT Payment Files: On a bi-weekly
basis, DCPS produces check and EFT payment
files interfaced to ADS for disbursement to user
entity civilian employees.
Note: The DLA DAAS SOC 1 may also be applicable for those entities routing interface files through this system.
Civilian Pay FY 16 SOC 1 “Family”
SOC 1 reports may point you / your auditor where to go.
Follow the End-to-End Process.
Addressing Service Organization ControlsHow do I do this? Which SOC 1s do I need?
Using the Service Organization Controls Report
19
An Unqualified SOC 1 does not automatically result in User Auditor reliance.
User Auditors Place Reliance on the SOC 1 Reports(as allowed by the auditing standards … ex., AU-C 402)
What are we trying to achieve?
Unqualified / Unmodified SOC 1 Opinions(performed under the examination standards SSAE 18,
AT-C 105, AT-C 205, AT-C 320)
User Entities Place Reliance on the SOC 1 Reports(following A-123 Appendix A / ICOFR requirements)
How do I use the SOC 1 report?Desired Outcomes
Controls Reliance
Rep
ort
ing
/ U
ser
En
tity
20
An Unqualified SOC 1 does not automatically result in User Auditor reliance.
How do I use the SOC 1 report?Desired Outcomes
Auditor Sample SizesLevel of Controls Reliance
Minimum Sample Sizes
High Internal Controls Reliance
Reduced Sample SizesSome Internal Controls Reliance
Optimum for a large financial statement audit
Sufficient for a financial statement audit
Maximum Sample Sizes
No Internal Controls Reliance
10s to 100s of thousands of
sample items across DoD
Inefficient and Unsustainable
The User Auditor’s ability to rely on internal controls
directly affects audit and audit support costs
21
Read the report and assess the impact on your risk of financial misstatement.
A SOC 1 Report typically includes the following sections:
Section 1Independent Service Auditor’s Report
Section 2Assertion Provided by Management of the Service Organization
Section 3Description of the Service Organization, including an overview of relevant operations and applications
• Complementary User Entity Controls (CUECs)
• Subservice Organizations and Complementary Subservice Organization Controls CSOCs
Section 4Service Organization’s Control Objectives and Related Controls (Control Objectives, Controls, and Test of
Operating Effectiveness)
Section 5Other Information Provided by Service Organization Management (UNAUDITED)
How do I use the SOC 1 report?SOC 1 Report Structure
22
Your auditor will consider these …. So should you.
How do I use the SOC 1 report?Areas for Consideration
Evaluation of relevant controlsService auditor competency
5
1
2
3
4 9
6
7
8
10
Scope exclusions
Carve-outs
CUECs
CSOCs
Reliability of data
Results of tests
Opinion
Gap Periods
23
Appropriate controls need to be in place at the Reporting Entity, Service Organization(s),
and Sub-service Organization(s) to achieve the Control Objective.
How do I use the SOC 1 report?What are CUECs and CSOCs
Example DFAS Control Objective:Controls provide reasonable assurance that logical access to DCPS programs and data is
restricted to authorized users.
DFAS ControlsDesigned & Operating Effectively
User Entity ControlsDISA Controls
CUECs (SAS 70, SSAE 16, and SSAE 18)
DFAS controls were designed assuming
certain controls were in place at the
customer (Reporting Entity).
These assumptions have been and will
continue to be included in Management’s
Description.
Some basis is needed for the assumptions
but DFAS is not responsible for monitoring
customers.
CSOCs (SSAE 18)
DFAS controls were designed assuming
certain controls were in place at the Sub-
service Organization (DISA).
These assumptions will now be included in
Management’s Description for each Sub-
service Organization.
Some basis is needed for the assumptions
and DFAS is responsible for monitoring
Sub-service providers.
24
Appropriate controls need to be in place at the Reporting Entity, Service Organization(s),
and Sub-service Organization(s) to achieve the Control Objective.
How do I use the SOC 1 report?What are CUECs and CSOCs
Controls
Controls
DISA Hosting
Services
SOC 1
Reporting
Entity / User
Auditors
Reporting /
User
Entities
DFAS Civilian
Pay Service
SOC 1
CUECs
CSOCs
CUECs
Controls
Controls
Controls
CUECs (SSAE 16 & 18)
DFAS controls were designed assuming
certain controls were in place at the
customer (Reporting Entity).
CUECs (SSAE 16 & 18)
DISA controls were designed assuming
certain controls were in place at the
customer (DFAS).
CSOCs (SSAE 18)
DFAS controls were designed assuming
certain controls were in place at the Sub-
service Organization (DISA).
25
User Entities should understand what reports are being generated by the Service Organization and
then confirm whether those reports are included in the SOC 1.
How do I use the SOC 1 report?Reliability of Data (and Reports)
Background:• The clarified standards require the service auditor to evaluate
whether system generated information is sufficiently reliable for the
service auditor’s purposes “by obtaining evidence about its
accuracy and completeness and evaluating whether the
information is sufficiently precise and detailed.”
• They also require the service auditors and the service organization
to validate system generated information and reports by detailing
how they are generated, who prepares such reports and ensuring
the requisite level of detail in such reports.
Classes of system generated information:The following are the types of data that should be evaluated as part of the SOC 1 attestation:
• Information used in the execution of controls within the SOC 1 report.
• Information provided by the service organization to the service auditor to perform testing of
controls.
• Information provided to the user entity.
Effectiveness of
controls depends in part
on the controls over the
accuracy and
completeness of the
system-generated data
or reports.
26
User Entities should understand what reports are being generated by the Service Organization and
then confirm whether those reports are included in the SOC 1.
How do I use the SOC 1 report?Reliability of Data (and Reports)
Translation:
1. Reports / data that are relied upon by the Service Organization to perform
controls in their SOC 1 (e.g., user access list, reconciliation reports,
spreadsheets, etc.)
2. Reports / data that are used by the Service Auditor to perform SOC 1
testing (e.g., user access listings, transaction populations).
3. Reports / data that are provided to the User Entity and are relied upon in
your financial reporting (e.g., reporting package, external outputs).
27
Your auditor will consider these …. So should you.
How do I use the SOC 1 report?Common Evaluation Pitfalls
• Certain applications, interface programs used by some user
entities might not be included in the scope of the report and / or
important IT controls may be scoped out.
• The report may be directed at only a limited number of user
entities or the coverage is only for certain locations.
• Relevant reports from the Service Organization may not be
included within the scope of the procedures performed by the
Service Auditor.
• All exceptions (not just those within qualified objectives) are not
considered for relevance and impact to the User Entity.
• Subservice Organization SOC 1 reports are not obtained and
reviewed.
Sub-Service
Organizations
User
Auditors
Reporting /
User
Entities
Service
Organizations
Reporting Entity Responsibilities for
Service Organization Controls
1. Identify all Service Organizations (Service Providers) that impact the
Reporting Entity’s internal controls over financial reporting.
2. Document an understanding of the Service Providers impact on the
Reporting Entity’s Financial Reporting and Associated Risks.
3. Document the Reporting Entity’s Understanding of Service Provider
Controls in Place to Mitigate Financial Reporting Risks.
4. Evaluate the Design and Operating Effectiveness of Service Provider
Controls in Place to Mitigate Financial Reporting Risks.
5. Address Complementary User Entity Controls (CUECs) Identified by
the Service Provider (i.e., implement effective controls within the
Reporting Entity).
6. Establish Regular Communications with Service Providers to Monitor
Performance and Identify Events that may Impact Internal Controls Over
Financial Reporting.
28
Establish MOUs that clearly identify who is responsible for what.
D
O
C
U
M
E
M
T
Attend and actively participate in the Service Provider Working Group meetings.
29
Communication Protocols Must be Established and Maintained
• Update the FIAR System Database (FSD) to reflect changes. At a minimum,
this should be completed to support the bi-annual FIAR Plan Status Report.
• Notify OUSD(C) FIAR of needed SOC 1s
• Notify OUSD(C) FIAR if points of contact for SOC 1 distribution have
changed.
• Distribute SOC 1 reports within your own organization, in a timely manner, to
all personnel who need them.
Reporting Entity Responsibilities for
Service Organization Controls
Other Important Responsibilities
OUSD(C) FIAR Support and Available Resources
31
User / Reporting Entity participation is essential.
• Service Provider Working Group Meetings (January, May, and August)• Dates / timing requested by User Auditor’s performing financial statement audits.
• Updates provided on SOC 1 scope changes, CUEC changes, status of NFRs, progress on
current SOC 1s, etc.
• IPA Roundtable Meetings• Periodic meetings with GAO, DOD IG, and IPA firms performing financial statement audits,
audit readiness examinations, and SOC 1 engagements to solicit input on SOC 1 report
usability and other audit relevant topics.
• CUEC Workshops• Nine separate workshops were conducted covering audit relevant SOC 1 reports.
• Included participants from User/Reporting Entities and Service Organizations.
• MILSTRIP workshops with DLA and customer entities.• Detailed walkthroughs of multiple MILSTRIP buy / sell scenarios.
• Focus on financial statement audit impacting roles and responsibilities.
OUSD(C) FIAR Support
& Available Resources
OUSD(C) FIAR Support Activities
Deputy Chief Financial Officer Policy Memo Issued in February 2016
Identified Ten Required Changes to SOC 1 Reports
1. SOC 1 Reports to be Issued by August 15th of each year.
2. Nine Month Attestation Period (October 1 – June 30).
3. Bridge Letters to be Issued by October 8th of each year.
4. CUECs to be Aligned to Control Objectives
5. Describe Service Provider Controls in Place to Monitor Subservice Providers and Identify Service Provider Controls in
Place to Address Subservice Provider CUECs.
6. Establish an Interim Milestone of April 30th to Obtain Service Auditor Feedback.
7. Identify Key Inputs and Management’s Rationale / Approach.
8. Identify Edit Checks and Management’s Rationale / Approach.
9. Identify Interfaces and Management’s Rationale / Approach.
10. Identify Outputs and Management’s Rationale / Approach.
32
Action has been taken on IPA feedback and status updates provided.
OUSD(C) FIAR Support
& Available Resources
Available Resources – SOC 1 Improvement Policy Memo
http://comptroller.defense.gov/fiar/fiarguidance/tools_tips_workproducts.aspx#policymemo
Memo was sent to Service Organizations for comment and addresses the
following key points:
1. Service Organizations to meet with their IPA(s) to establish an understanding of
SSAE 18 impact by January 13, 2017.
2. Service Organization to validate the reliability of key output reports / data.
3. Service Organizations to document Complementary Subservice Organization
Controls (CSOCs), their basis for assuming the CSOC is in place at the Subservice
Organization, and the associated monitoring controls in place at the Service
Organization.
4. Service Organizations to communicate of CSOCs to Subservice Organizations by
January 23, 2017.
5. Provides a deadline for Subservice Organizations to inform Service Organizations
that they do not plan to have controls in place to address the CSOCs.
6. Provides a deadline for Subservice Organizations to provide corrective plans to
Service Organizations for those instances where remediation is needed to put
controls in place to address the CSOCs..
33
Input was solicited from IPAs performing financial statement audits and SOC 1 engagements.
http://comptroller.defense.gov/fiar/fiarguidance/tools_tips_workproducts.aspx#policymemo
OUSD(C) FIAR Support
& Available Resources
Available Resources – SSAE 18 Policy Memo
34
Important to make timely updates to support FIAR Plan Status Report
and responses to ad-hoc requests.
OUSD(C) FIAR Support
& Available Resources
Available Resources – FIAR Systems Database
Home Page
System Owner
Data Entry
System User
Data Entry
http://comptroller.defense.gov/fiar/fiarguidance/tools_tips_workproducts.aspx#FIARToolAccess
35
• An Excel file containing all CUECs from all relevant SOC 1 reports (with additions,
deletions, changes from the prior year highlighted
• “Baseline” control descriptions that can be customized to address CUECs.
• Test plans for the “Baseline” controls.
OUSD(C) FIAR Support
& Available Resources
Available Resources – CUECs
OUSD(C) maintains and has distributed the following:
If you have questions or needs, please ask!
36
• Auditing Standards based Service Organization vs. Trading Partner Assessment Template
• Complementary Subservice Organization Controls (CSOCs) Identification Template
OUSD(C) FIAR Support
& Available Resources
Available Resources – Service Organization Vs. Trading Partner
Assessment & CSOCs
http://comptroller.defense.gov/fiar/fiarguidance/tools_tips_workproducts.aspx#supplementalGuidance
If you have questions or needs, please ask!
37
OUSD(C) FIAR Support
& Available Resources
Available Resources – Contact Information
If you have questions or needs, please ask!
James DavilaAccountant, FIAR Directorate, Office of the Deputy Chief Financial Officer, OUSD(C)
(703) 571-1654
Bradley Keith
Director, PwC Public Sector, LLP
(571) 256-2693
(703) 918-3564
Questions