Leveraging SSAE 16 Reports
Matt Church and Matt Howell
2016-12-08
Agenda
• Course Objectives
• Background and Overview
• Management & Auditor Considerations
• Key Takeaways and Questions
Course Objectives
• Differences between SOC 1, SOC 2 and SOC 3 reports and the differences between Type I and Type II
• Reliance that can be placed on the report by the exam team
• Considerations when management and auditors plan to rely upon SOC reports
Background and Overview
Overview
• Many insurers use non-affiliated organizations to perform services, such as premiums and claims processing
• Types of Service Organization Controls (“SOC”) reports:
– SOC 1 (SSAE 16)
• Understand the impact a service organization’s role has on the insurer’s internal control over financial reporting (“ICFR”)
– SOC 2 and 3 (AT 101)
• Address system controls based on AICPA Trust Services Principles, Criteria, and Illustrations
SSAE 16
• Statement on Standards for Attestation Engagements (“SSAE”) 16:
– Attestation standard developed by the AICPA
– Guidance to enable an independent auditor to issue an opinion on an organization’s ICFR
– Supersedes SAS 70 guidance for reports issued on or after June 15, 2011
– Service Organization Controls report 1 (“SOC 1”)
– Focus on controls at the service organization that are likely to be relevant in a financial statement audit
SSAE 16
• SSAE 16 (Continued):
– The standard does not include pre-determined control objectives or control activities
– Service organization’s management states control objectives
– Provides information about the service organization’s ICFR environment to user organizations and user auditors
SOC 1
• SOC 1:
– Attestation standard developed by the AICPA (SSAE 16)
– Purpose: Report on ICFR at the service organization that is likely to be relevant to the user organizations’ financial statements
– Scope: Internal controls over financial reporting
– Restricted use report
– Type I or Type II
SOC 2
• SOC 2:
– Attestation standard developed by the AICPA under AT section 101; new reporting option
– Purpose: Reports on predefined controls related to compliance or operations
– Provides guidance to enable an independent auditor to issue an opinion on the following principles (Trust Service Principles):
• Security
• Availability
• Processing integrity
• Confidentiality
• Privacy
– Typically restricted use report
SOC 2
– Scope: Controls at service organization intended to mitigate risks related to the trust service principles
– AICPA supplies the criteria, whereas under SSAE 16/SOC 1 the service organization’s management specifies the objectives and controls
– SOC 2 reports are more consistent across the marketplace
– Type I or Type II
– Examples:
• Cloud computing service provider
• Managed network security provider
• Data center hosting
• Call center services
SOC 3
• SOC 3:
– Attestation standard developed by the AICPA under AT section 101; new option replaces previous SysTrust and Privacy principle documents
– Purpose: Reports on predefined controls related to compliance or operations
– Provides guidance to enable an independent auditor to issue an opinion on the Trust Service Principles
– Typically general use report with “public seal”
SOC 3
• Scope: Controls at service organization intended to mitigate risks related to the trust service principles
• Summary report – does not contain a description of service auditor’s tests and results
• Intended for users lacking expertise to understand SOC 2
• Least relevant for financial audits
Type I and Type II
• SOC 1 and SOC 2 reports are classified as either Type I or Type II:
– Type I and Type II:
• Specific point in time and includes independent auditor’s report
• Opinion: description of controls versus actual controls, and whether the controls were suitably designed to achieve specified control objectives
– Type II only:
• Includes detailed testing of the organization’s controls for the period specified (typically one year)
• Indicates whether the controls were operating with sufficient effectiveness to provide reasonable, not absolute, assurance that the control objectives were achieved during the period specified
Overview – Report Type
• Scope
– SOC 1: ICFR
– SOC 2: Trust Principles (Security, Availability, Processing Integrity, Confidentiality and/or Privacy)
– SOC 3: Trust Principles (Security, Availability, Processing Integrity, Confidentiality and/or Privacy)
• Audience
– SOC 1: User organizations, auditors and others wishing to gain an understanding of the control environment
– SOC 2: User organization and prospective customers
– SOC 3: Anyone interested in the report
• Users
– SOC 1: Financial audits and examinations and SOX audits
– SOC 2: Operational and regulatory audits
– SOC 3: General
• Format
– SOC 1: A detailed report that includes results of tests performed to obtain assurance of operating effectiveness of controls (Type II)
– SOC 2: A detailed report that includes results of operating effectiveness (Type II)
– SOC 3: A summary report
• Report Components
– SOC 1: Service Auditor Opinion, Management Assertion, System Description, and Controls (including tests of operating effectiveness and results) (Type II)
– SOC 2: Service Auditor Opinion, Management Assertion, System Description, and Controls (including tests of operating effectiveness and results) (Type II)
– SOC 3: Service Auditor Opinion, Management Assertion, System Description
Management & Auditor Considerations
Considerations
• SOC 1 Report:
– Provides significant information regarding the ICFR environment at the service organization
– Type II reports are most useful for management and auditors
– Management should obtain these reports and analyze how they impact their internal control over financial reporting
– Auditors should obtain and review based on risk, as applicable
– Standard report layout
SOC 1 Report Section Contents
• Independent Auditor’s Report (Opinion)
• Management Assertion
• System Description
• Information Provided by the Service Auditor
• Other Information Provided by the Organization
SOC 1 Report Section – Independent Auditor’s Report
• What to look for?
– Scope appropriate?
– Time period covered?
– Type I or II?
– Qualified or unqualified?
• Implications of a qualified opinion:
– What control objectives failed?
– How significant is the failure?
– Consider impact over financial reporting
– Opinion inclusive or carve-out of sub-servicer(s)?
SOC 1 Report Section – Management Assertion
• Written assertion to accompany service auditor’s report or included with system description:
– Fair presentation of management’s description of the system
– Suitability of the design of controls
– Operating effectiveness of controls (Type II only)
– Subservice organization assertion
SOC 1 Report Section – System Description
• What’s in the description provided by management?
– Management’s system description
– Control objectives specified by management
– Controls supporting each objective
– User Control Considerations
• What to consider?
– Description adequate?
– Control objectives adequate?
SOC 1 Report Section – Information Provided by Service Auditor
• Optional for Type I
• Description of auditor’s tests of operating effectiveness (Type II only)
• The following elements should be included in the description:
– Controls tested and objectives the controls were designed to achieve
– Nature, timing, extent and results of tests, for the user to determine the effect on the control risk assessment
SOC 1 Report Section – Other Information Provided by the Organization
• Management-provided information
• Not a part of the system description
• Unaudited information; service auditor only required to read for material inconsistencies
• Examples include:
– Responses to exceptions noted in the report
– Other certifications
– Forward-looking information
– Business continuity and disaster recovery plans
– Discussion of future service enhancements
– Planned infrastructure upgrades
UCCs
• User Control Considerations (“UCCs”)
– Reside outside of the service organization
– Work in conjunction with service organization controls to achieve the related control objective
– Included in SOC 1 reports
– Example: User organization should have controls in place to restrict access to the secure web portal that is used to transmit data to the service organization to only authorized individuals.
Other Considerations
• SOC 2 Report:
– Provides reporting options beyond financial controls
• SOC 3 Report:
– Least relevant in regards to audits/examinations
– Not expected that SOC 3 reports would be obtained by an auditor, but may support other objectives of management
• Type I:
– May be helpful in planning the audit of the user organization (insurer); Significant component of ICFR?
– Without an opinion on operating effectiveness of internal control you can’t reduce control risk
– Does not satisfy the needs of external auditors
Other Considerations
• Type II:
– Report should be requested and obtained by management
– Management to determine impact over ICFR
– Significant over ICFR? Management should identify controls to address UCCs
– Auditor decides whether to place reliance on the report and reduce substantive testing
Other Considerations
• User Control Considerations (“UCCs”):
– Review the UCCs within the SOC report
– For reliance on the SOC report, must ensure that the UCCs noted are in place and operating at the user organization
• Other Considerations:
– Not all identified controls and results are relevant to management or the auditor
– Carefully consider whether exceptions identified will affect reliance upon those controls
Key Takeaways and Questions
Key Takeaways
• Most useful reports today are SSAE 16/SOC 1; Type II reports
• Has management reviewed the report and concluded on effectiveness?
• Review report for UCCs and management’s controls
• Determine if exceptions noted in report will affect reliance upon those controls
• Match operating effectiveness of controls to each assertion for proper coverage of a reporting cycle
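The reliance conditions the "Other Considerations" slides and these takeaways set out (Type II needed before control risk can be reduced, a qualified opinion calling for exception analysis, carve-out subservicers needing their own coverage, UCCs in place at the user organization, and the test period matching the reporting cycle) can be written down as a mechanical screen. The following is an added example, not material from the presenters: the SocReport and UserOrgAssessment structures and all report values are constructed for illustration, and no SOC report ships in this format.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Added example: a reliance screen over constructed SOC report metadata.
# The structures below are assumptions made for this illustration.


@dataclass
class SocReport:
    report_type: str               # "SOC 1", "SOC 2" or "SOC 3"
    type_number: int               # 1 = Type I (point in time), 2 = Type II (period)
    period_start: Optional[date]   # Type II test period; None for a Type I report
    period_end: Optional[date]
    opinion_qualified: bool
    failed_objectives: list        # control objectives the qualification relates to
    carved_out_subservicers: list  # subservice organizations excluded from the opinion
    uccs: dict                     # UCC id -> description, as listed in the report


@dataclass
class UserOrgAssessment:
    audit_period_start: date
    audit_period_end: date
    implemented_uccs: set          # UCC ids management confirmed are in place and operating
    covered_subservicers: set = field(default_factory=set)  # carve-outs with separate coverage


def coverage_gap_days(report, assessment):
    """Days of the user's audit period that the report's test period does not cover."""
    total = (assessment.audit_period_end - assessment.audit_period_start).days + 1
    if report.period_start is None or report.period_end is None:
        return total               # a point-in-time report covers no period at all
    overlap_start = max(report.period_start, assessment.audit_period_start)
    overlap_end = min(report.period_end, assessment.audit_period_end)
    overlap = max(0, (overlap_end - overlap_start).days + 1)
    return total - overlap


def assess_reliance(report, assessment):
    """Apply the deck's considerations; return findings and a reliance decision."""
    findings = []
    can_reduce = True
    if report.report_type != "SOC 1":
        findings.append(f"{report.report_type} addresses trust service principles, not ICFR; "
                        "not a basis for reducing control risk in a financial audit")
        can_reduce = False
    if report.type_number == 1:
        findings.append("Type I: no opinion on operating effectiveness, so control risk "
                        "cannot be reduced; useful for planning only")
        can_reduce = False
    if report.opinion_qualified:
        findings.append("Qualified opinion: assess significance of failed objectives: "
                        + ", ".join(report.failed_objectives))
    for sub in report.carved_out_subservicers:
        if sub not in assessment.covered_subservicers:
            findings.append(f"Carve-out {sub}: outside this opinion; obtain separate coverage")
            can_reduce = False
    missing = sorted(set(report.uccs) - assessment.implemented_uccs)
    for ucc in missing:
        findings.append(f"UCC {ucc} not in place at user organization: {report.uccs[ucc]}")
    if missing:
        can_reduce = False
    gap = coverage_gap_days(report, assessment)
    if gap > 0:
        findings.append(f"Report period leaves {gap} day(s) of the audit period uncovered; "
                        "obtain coverage for the gap period")
    return {"can_reduce_control_risk": can_reduce,
            "unreliable_objectives": list(report.failed_objectives),
            "coverage_gap_days": gap,
            "findings": findings}


# Constructed sample: a Type II SOC 1 from a claims-processing provider with a
# fiscal-year test period, reviewed against a calendar-year audit period.
SAMPLE_REPORT = SocReport(
    report_type="SOC 1", type_number=2,
    period_start=date(2015, 10, 1), period_end=date(2016, 9, 30),
    opinion_qualified=True,
    failed_objectives=["CO-4 Claims are paid only when approved"],
    carved_out_subservicers=["Data center host"],
    uccs={"UCC-1": "Restrict access to the secure web portal to authorized individuals",
          "UCC-2": "Review and reconcile output reports returned by the provider"},
)
SAMPLE_ASSESSMENT = UserOrgAssessment(
    audit_period_start=date(2016, 1, 1), audit_period_end=date(2016, 12, 31),
    implemented_uccs={"UCC-1"}, covered_subservicers={"Data center host"},
)
# Same report, but the audit period matches the test period and both UCCs are in place.
ALIGNED_ASSESSMENT = UserOrgAssessment(
    audit_period_start=date(2015, 10, 1), audit_period_end=date(2016, 9, 30),
    implemented_uccs={"UCC-1", "UCC-2"}, covered_subservicers={"Data center host"},
)

if __name__ == "__main__":
    for scenario in (SAMPLE_ASSESSMENT, ALIGNED_ASSESSMENT):
        result = assess_reliance(SAMPLE_REPORT, scenario)
        print("can reduce control risk:", result["can_reduce_control_risk"])
        for line in result["findings"]:
            print("  -", line)
```

The first scenario fails the screen on two independent grounds (one UCC not in place, and the last quarter of the calendar year not covered by the test period), while the aligned scenario passes overall but still carries the qualified objective in `unreliable_objectives`, which is the per-control judgement the slides ask for rather than a single yes/no on the whole report.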
QUESTIONS?