Leveraging SSAE 16 Reports · 2016-12-08

Page 1

Leveraging SSAE 16 Reports

Matt Church and Matt Howell

Page 2

Agenda

• Course Objectives

• Background and Overview

• Management & Auditor Considerations

• Key Takeaways and Questions

Page 3

Course Objectives

Page 4

Course Objectives

• Course Objectives

– Differences between SOC 1, SOC 2 and SOC 3 reports and the differences between Type I and II

– Reliance that can be placed on the report by the exam team

– Considerations when management and auditors plan to rely upon SOC reports

Page 5

Background and Overview

Page 6

Overview

• Many insurers use non-affiliated organizations to perform services, such as premium and claims processing

• Types of Service Organization Controls (“SOC”) reports:

– SOC 1 (SSAE 16)

• Used to understand the impact a service organization’s role has on the insurer’s internal control over financial reporting (“ICFR”)

– SOC 2 and SOC 3 (AT section 101)

• Address system controls based on the AICPA Trust Services Principles, Criteria, and Illustrations

Page 7

SSAE 16

• Statement on Standards for Attestation Engagements (“SSAE”) No. 16:

– Attestation standard developed by the AICPA

– Guidance that enables an independent service auditor to issue an opinion on the service organization’s controls that are relevant to user organizations’ ICFR

– Supersedes SAS 70 guidance for service auditor reports issued on or after June 15, 2011

– The resulting report is the Service Organization Control 1 (“SOC 1”) report

– Focus on controls at the service organization that are likely to be relevant in a financial statement audit

Page 8

SSAE 16

• SSAE 16 (Continued):

– The standard does not include pre-determined control objectives or control activities

– Service organization’s management states control objectives

– Provides information about the service organization’s ICFR environment to user organizations and user auditors

Page 9

SOC 1

• SOC 1:

– Attestation standard developed by the AICPA (SSAE 16)

– Purpose: Report on controls at the service organization that are likely to be relevant to the user organizations’ ICFR and financial statements

– Scope: Internal controls over financial reporting

– Restricted use report

– Type I or Type II

Page 10

SOC 2

• SOC 2:

– Attestation standard developed by the AICPA under AT section 101; new reporting option

– Purpose: Reports on predefined controls related to compliance or operations

– Provides guidance to enable an independent auditor to issue an opinion on the following principles (Trust Services Principles):

• Security

• Availability

• Processing integrity

• Confidentiality

• Privacy

– Typically a restricted use report

Page 11

SOC 2

– Scope: Controls at the service organization intended to mitigate risks related to the Trust Services Principles

– The AICPA supplies the criteria, whereas under SSAE 16/SOC 1 the service organization’s management specifies the control objectives and controls

– As a result, SOC 2 reports are more consistent across the marketplace

– Type I or Type II

– Examples of service organizations that issue SOC 2 reports:

• Cloud computing service provider

• Managed network security provider

• Data center hosting

• Call center services

Page 12

SOC 3

• SOC 3:

– Attestation standard developed by the AICPA under AT section 101; new option that replaces the previous SysTrust and Privacy principle documents

– Purpose: Reports on predefined controls related to compliance or operations

– Provides guidance to enable an independent auditor to issue an opinion on the Trust Services Principles

– Typically a general use report with a “public seal”

Page 13

SOC 3

• Scope: Controls at the service organization intended to mitigate risks related to the Trust Services Principles

• Summary report: does not contain a description of the service auditor’s tests and their results

• Intended for users who lack the expertise to interpret a SOC 2 report

• Least relevant for financial audits

Page 14

Type I and Type II

• SOC 1 and SOC 2 reports are classified as either Type I or Type II:

– Type I and Type II:

• Type I covers the controls as of a specific point in time; both types include the independent service auditor’s report

• Opinion: whether management’s description of the system fairly presents the controls actually placed in operation, and whether the controls were suitably designed to achieve the specified control objectives

– Type II only:

• Includes detailed testing of the organization’s controls over the period specified (typically one year)

• Indicates whether the controls operated with sufficient effectiveness to provide reasonable, not absolute, assurance that the control objectives were achieved throughout the period specified

Page 15

Overview – Report Type

Scope

– SOC 1: ICFR

– SOC 2: Trust Services Principles (Security, Availability, Processing Integrity, Confidentiality and/or Privacy)

– SOC 3: Trust Services Principles (Security, Availability, Processing Integrity, Confidentiality and/or Privacy)

Audience

– SOC 1: User organizations, auditors and others wishing to gain an understanding of the control environment

– SOC 2: User organizations and prospective customers

– SOC 3: Anyone interested in the report

Users

– SOC 1: Financial audits and examinations and SOX audits

– SOC 2: Operational and regulatory audits

– SOC 3: General

Format

– SOC 1: A detailed report that includes the results of tests performed to obtain assurance of the operating effectiveness of controls (Type II)

– SOC 2: A detailed report that includes the results of tests of operating effectiveness (Type II)

– SOC 3: A summary report

Report Components

– SOC 1: Service auditor’s opinion, management assertion, system description, and controls (including tests of operating effectiveness and results) (Type II)

– SOC 2: Service auditor’s opinion, management assertion, system description, and controls (including tests of operating effectiveness and results) (Type II)

– SOC 3: Service auditor’s opinion, management assertion, system description

Page 16

Management & Auditor Considerations

Page 17

Considerations

• SOC 1 Report:

– Provides significant information regarding the ICFR environment at the service organization

– Type II reports are most useful for management and auditors

– Management should obtain these reports and analyze how the service organization’s controls affect its own internal control over financial reporting

– Auditors should obtain and review based on risk, as applicable

– Standard report layout

Page 18

SOC 1 Report Section Contents

• Independent Auditor’s Report (Opinion)

• Management Assertion

• System Description

• Information Provided by the Service Auditor

• Other Information Provided by the Organization

Page 19

SOC 1 Report Section - Independent Auditor’s Report

• What to look for?

– Is the scope appropriate?

– What time period is covered?

– Type I or Type II?

– Qualified or unqualified opinion?

– Does the opinion use the inclusive method or carve out the sub-servicer(s)?

• Implications of a qualified opinion:

– What control objectives failed?

– How significant is the failure?

– Consider the impact on financial reporting
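The review points on this slide (report type, period covered, opinion, carve-outs) can be reduced to a screening check that a user auditor runs over each report before deciding whether reliance is possible. The following is an added example written for this page, not code from the original presentation; the SocReport fields, the finding codes and the two sample reports are constructed for illustration and do not come from the slides or from any real service organization.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class SocReport:
    """One SOC 1 report as the user auditor receives it.

    Field names are this example's own conventions, not terms from SSAE 16.
    """
    service_org: str
    report_type: int          # 1 = Type I (design as of a date), 2 = Type II (design + operating effectiveness over a period)
    period_start: date        # Type I: the "as of" date
    period_end: date          # Type I: same as period_start
    opinion: str              # "unqualified" or "qualified"
    failed_objectives: list = field(default_factory=list)        # control objectives the service auditor found not achieved
    carved_out_subservicers: list = field(default_factory=list)  # subservice organizations excluded by the carve-out method


def screen_report(report, audit_start, audit_end, subservicer_reports=()):
    """Return (code, message) findings that bear on whether reliance can be placed.

    audit_start/audit_end: the user organization's reporting period that the
    auditor needs the service organization's controls to cover.
    subservicer_reports: SOC 1 reports obtained for carved-out subservicers.
    """
    findings = []

    if report.report_type == 1:
        # A Type I report gives no evidence of operating effectiveness, so it
        # cannot be used to reduce control risk; period coverage does not apply.
        findings.append(("TYPE_I", "Type I report: design only, no operating-effectiveness testing; control risk cannot be reduced"))
    else:
        # Coverage: audit-period days outside the Type II test period are not
        # covered by the service auditor's tests and need other evidence.
        if report.period_end < audit_start or report.period_start > audit_end:
            findings.append(("NO_OVERLAP", "report period does not overlap the audit period"))
        else:
            gap_before = (report.period_start - audit_start).days
            gap_after = (audit_end - report.period_end).days
            if gap_before > 0:
                findings.append(("GAP_START", f"first {gap_before} day(s) of the audit period are not covered"))
            if gap_after > 0:
                findings.append(("GAP_END", f"last {gap_after} day(s) of the audit period are not covered"))

    if report.opinion.lower() == "qualified":
        # Each failed objective must be traced to the financial statement
        # assertions it supports before deciding whether reliance survives.
        for objective in report.failed_objectives:
            findings.append(("QUALIFIED", f"control objective not achieved: {objective}"))

    # Carve-out: the opinion says nothing about a carved-out subservicer's
    # controls, so relying on them needs that subservicer's own Type II report.
    covered = {r.service_org for r in subservicer_reports if r.report_type == 2}
    for sub in report.carved_out_subservicers:
        if sub not in covered:
            findings.append(("CARVE_OUT", f"carved-out subservicer {sub!r} has no Type II report of its own"))

    return findings


# Constructed sample: an insurer with a calendar-2016 reporting period and a
# claims-processing vendor whose Type II report runs 1 Oct 2015 to 30 Sep 2016.
AUDIT_START, AUDIT_END = date(2016, 1, 1), date(2016, 12, 31)
CLAIMS_VENDOR = SocReport(
    service_org="ClaimsCo (constructed)",
    report_type=2,
    period_start=date(2015, 10, 1),
    period_end=date(2016, 9, 30),
    opinion="qualified",
    failed_objectives=["program change management"],
    carved_out_subservicers=["HostCo (constructed)"],
)
# Constructed Type II report for the carved-out hosting subservicer.
HOSTCO = SocReport("HostCo (constructed)", 2, date(2016, 1, 1), date(2016, 12, 31), "unqualified")
# Constructed Type I report, included to show the design-only outcome.
TYPE_I_ONLY = SocReport("PortalCo (constructed)", 1, date(2016, 6, 30), date(2016, 6, 30), "unqualified")


def sample_findings(with_subservicer_report=False):
    """Run the screen on the constructed sample; used by the stand-alone demo below."""
    subs = [HOSTCO] if with_subservicer_report else []
    return screen_report(CLAIMS_VENDOR, AUDIT_START, AUDIT_END, subs)


if __name__ == "__main__":
    for code, msg in sample_findings():
        print(f"{code:10} {msg}")
    for code, msg in screen_report(TYPE_I_ONLY, AUDIT_START, AUDIT_END):
        print(f"{code:10} {msg}")
```

On the constructed sample the screen reports the last 92 days of the audit period as uncovered, the failed control objective from the qualified opinion, and the carve-out of the hosting subservicer; supplying the subservicer's own Type II report clears the carve-out finding but not the other two, which is the judgment the user auditor still has to make by hand.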

Page 20

SOC 1 Report Section – Management Assertion

• Written assertion to accompany service auditor’s report or included with system description:

– Fair presentation of management’s description of the system

– Suitability of the design of controls

– Operating effectiveness of controls (Type II only)

– Subservice organization assertion

Page 21

SOC 1 Report Section – System Description

• What’s in the description provided by management?

– Management’s description of the system

– Control objectives specified by management

– Controls supporting each objective

– User Control Considerations

• What to consider?

– Is the description adequate?

– Are the control objectives adequate?

Page 22

SOC 1 Report Section – Information Provided by Service Auditor

• Optional for Type I

• Description of auditor’s test of operating effectiveness (Type II Only)

• The following elements should be included in the description:

– Controls tested and objectives the controls were designed to achieve

– Nature, timing, extent and results of tests for the user to determine effect on control risk assessment

Page 23

SOC 1 Report Section – Other Information Provided by the Organization

• Management-provided information

• Not part of the system description

• Unaudited information; the service auditor is only required to read it for material inconsistencies with the description

• Examples include:

– Responses to exceptions noted in the report

– Other certifications

– Forward-looking information

– Business continuity and disaster recovery plans

– Discussion of future service enhancements

– Planned infrastructure upgrades

Page 24

UCCs

• User Control Considerations (“UCCs”)

– Reside outside of the service organization

– Work in conjunction with service organization controls to achieve the related control objective

– Included in SOC 1 reports

– Example: User organization should have controls in place to restrict access to the secure web portal that is used to transmit data to the service organization to only authorized individuals.

Page 25

Other Considerations

• SOC 2 Report:

– Provides reporting options beyond financial controls

• SOC 3 Report:

– Least relevant in regards to audits/examinations

– Not expected that SOC 3 reports would be obtained by an auditor, but they may support other objectives of management

• Type I Report:

– May be helpful in planning the audit of the user organization (insurer): is the service organization a significant component of ICFR?

– Without an opinion on the operating effectiveness of internal control, you can’t reduce control risk

– Does not satisfy the needs of external auditors

Page 26

Other Considerations

• Type II Report:

– Report should be requested and obtained by management

– Management determines the impact on ICFR

– If the service organization is significant to ICFR, management should identify the controls that address the UCCs

– The auditor decides whether to place reliance on the report and reduce substantive testing

Page 27

Other Considerations

• User Control Considerations (“UCCs”):

– Review the UCCs within the SOC report

– To rely on the SOC report, management and the auditor must ensure that the UCCs noted are in place and operating at the user organization

• Other Considerations:

– Not all identified controls and results are relevant to management or the auditor

– Carefully consider whether the exceptions identified will affect reliance upon those controls

Page 28

Key Takeaways and Questions

Page 29

Key Takeaways

• The most useful reports today are SSAE 16/SOC 1 Type II reports

• Has management reviewed the report and concluded on effectiveness?

• Review report for UCCs and management’s controls

• Determine if exceptions noted in report will affect reliance upon those controls

• Match operating effectiveness of controls to each assertion for proper coverage of a reporting cycle

Page 30

QUESTIONS?