Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Understanding SOC 3

Transcription

1 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Understanding SOC 3

2 Agenda 1) A brief perspective on where SOC 3 originated Presented by Tom Wojcinski 2) SOC 3 defined and clarified Presented by Dan Steiner 3) Key focuses for SOC 3 reporting Presented by Jackie Hensgen 2

3 Section 1 A BRIEF PERSPECTIVE ON WHERE SOC 3 ORIGINATED 3

4 New assurance standards AICPA replaced SAS 70 > Effective for audit periods ending after June 15 > Established the Statement of Control Framework (SOC Framework) Why > Confusion in the market we are SAS 70 certified > Frequently misused to report on controls not relevant to financial reporting market demand for expanded scope of report Security Availability Processing integrity Confidentiality Privacy 4

5 Moving beyond SAS 70 Why - continued > Growth of the service organization landscape New technologies Cloud computing (SAAS, PAAS, IAAS) > Convergence of US and international standards > Need for public report So what s next? > New attestation standard: SSAE 16 for SOC 1 reports > Clarified guidance for SOC 2 and SOC 3 reports 5

6 SOC framework SOC 1 SOC 2 SOC 3 Applicable to services that are likely to be relevant to user entities internal control over financial reporting Applicable to services that don t directly impact financial reporting Applicable to services that don t directly impact financial reporting Reports on controls supporting financial statement audits Reports on controls related to operations Reports on controls related to operations Restricted to customers during the audit period Restricted to those familiar with the subject matter General use report Example organizations: payroll processors, transaction processors Example organizations: Direct mailers, call centers Example organizations: Direct mailers, call centers 6

7 SOC 3 introduction What s in the report? > Audit report with limited opinion > Abbreviated system description Impacts to service organization > Enhanced marketing potential > May not be possible in scenarios with subservice organizations or significant reliance on user control considerations > Must be a type 2 Impacts to user entities > Useful where detailed understanding of controls isn t required > Requires an understanding of the scope and limitations of the report 7

8 Continued need to provide control assurance 67% of respondents listed security concerns as a reason they are unwilling to consider SaaS ERP. They may be wary of exposing internal financial or customer data to competitors, or the potential for data to become corrupt. - SaaS and Cloud ERP Trends, Observations, and Performance 2011, Aberdeen Group, December 2011 > New York State Electric & Gas (NYSEG) and Rochester Gas and Electric (RG&E) data breach of Social Security numbers, dates of birth and financial institution account numbers through an independent software development consulting firm employee who allowed unauthorized access to one of the companies customer information systems. ( January 24, 2012) Contractor data breach > Telstra (an internet and service provider) data breach of detailed information outlining the customer's account number, what broadband plan they are on, other Telstra services they were signed up to and notes associated with the accounts, including user names and passwords causing the company to suspend services to almost 1 million users. ( December 10, 2011) Unspecified internal staff error 8

9 Section 2 SOC 3 DEFINED AND CLARIFIED 9

10 Trust services What are trust services ( TS )? A set of professional attestation and advisory services > based on a core set of principles and criteria that addresses the risks and opportunities of IT-enabled systems and privacy programs. Consists of five key components organized to achieve a specified objective. 10

11 Key components of trust services Infrastructure > The physical and hardware components of a system (facilities, equipment, and networks) Software > The programs and operating software of a system (systems, applications, and utilities) People > The personnel involved in the operation and use of a system (e.g. developers, operators, users, and managers) Procedures > The programmed and manual procedures involved in the operation of a system (automated or manual) Data > The information used and supported by a system (e.g. transaction streams, files, databases, and tables) 11

12 Trust services principles and criteria Principles Objectives Privacy Security Security Availability The protection of the system from unauthorized access, both logical and physical The accessibility to the system, products, or services as advertized or committed by contact, service-level, or other agreements Confidentiality Availability Processing integrity The completeness, accuracy, validity, timeliness, and authorization of system processing Processing integrity Confidentiality Privacy The system s ability to protect the information designated as confidential, as committed or agreed Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the privacy notice 12

13 Trust services principles and criteria Defined criteria in five trust principle areas > Further subdivided into trust services criteria domains: Policies Communication Procedures Monitoring A lot of overlap built into the criteria > 51 unique criteria across security, availability, processing integrity, confidentiality > Separate criteria specific to privacy 13

14 Generally accepted privacy principles Privacy principles > Provides criteria and related material for protecting the privacy of personal information > Incorporates concepts from significant domestic and international privacy laws, regulations, and guidelines > Used to guide and assist organizations in implementing privacy programs 14

15 Generally accepted privacy principles (cont.) 1) Management 2) Notice 3) Choice and consent 4) Collection 5) Use and retention 6) Access 7) Disclosure to third parties 8) Security for privacy 9) Quality 10) Monitoring and enforcement 15

16 Generally accepted privacy principles (cont.) Management > The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures. Notice > The entity provides notice about its privacy policies & procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed. Choice and consent > The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information. 16

17 Generally accepted privacy principles (cont.) Collection > The entity collects personal info only for the purposes identified in the notice. Use and retention > The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes. Access > The entity provides individuals with access to their personal information for review and update. 17

18 Generally accepted privacy principles (cont.) Disclosure to third parties > The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual. Security for privacy > The entity protects personal info against unauthorized access (both physical and logical). 18

19 Generally accepted privacy principles (cont.) Quality > The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice. Monitoring and enforcement > The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes. 19

20 Report structure What s in the report? 1. Service auditor s report (the opinion) 2. Management s assertion 3. Description of Management s System and Their Boundaries (less detailed than SOC 2) 20

21 Service auditor s report (the opinion) Management s assertion > The controls in place at the service organization were suitably designed and operating effectively to meet the applicable trust services criteria throughout the specified period > If the privacy principle is included in the report there should be an opinion as to whether or not the service organization complied with privacy notice commitments > Unlike a SOC 2 there is not an opinion on the fairness of the presentation of the description System description and boundaries > Components, system boundaries, error handling, subservice organizations, user controls and other topics > Copy of the service organization s privacy notice if the report addresses the privacy principle 21

22 Section 3 KEY FOCUSES FOR SOC 3 REPORTING 22

23 Key focus for SOC 3 reporting 1. Differences from SOC 2 2. What does it mean? 3. SOC 3 seal 4. Examples 5. Other considerations 23

24 Differences from SOC 2 Description of the system prepared by management > SOC 3 does not require a detailed description of controls or testing procedures > No opinion on the fairness of the presentation of the description > Distribution of the report is not restricted Intended users > Valuable to organizations who do not want to reveal the details of its controls and would like to display the SysTrust seal on its website > General use report 24

25 Differences from SOC 2 SOC 3 reports on if the service organization achieved one or more of the trust services principles and criteria > The audit must be a Type 2 > Need unqualified opinion > No carved out subservice organizations > No complimentary user-entity controls that are significant to achieving the criteria 25

26 What does it mean? It s an opinion on controls, not a security audit. No direct security testing completed in a SOC 2 / SOC 3. Verifies that the company has procedures in place to protect against, not prevent completely. Requires further judgment by the auditor and the reader. 26

27 What does it mean? Management of a service organization may wish to have SOC 2 and SOC3. User entity usage: > Marketing confidence without the detail Report coverage: > Minimum 2 month period 27

28 SOC 3 seal Only available for SOC 3 engagements: > Displayed on website > Offers assurance Linked to audit report. Difference from logos: > SOC 1, SOC 2, SOC 3 > No assurance 28

29 Examples of public use of SOC 3 completions

30 Examples of public use of SOC 3 completions

31 Example of SOC 3 report Example DBSi SOC 3 webpage located at 31

32 Other considerations The newness factor. > Minimal examples available User organizations and those in charge of governance don t fully understand yet. > Unfamiliarity with trust criteria > Read through the trust principles > Not just an IT report 32

33 Other considerations Key resources available: > AT 101 > AICPA Technical Practice Aids: TSP 100 > Generally Accepted Privacy Principles > AICPA Guide Reporting on SOC 2 33

34 Questions to ask when looking for a SOC report service provider > How do I know if my organization is ready for a SOC report? > Which report do you recommend for my situation and why? > What staff involvement will you need from my organization? > What access will you need to my systems? > What timeframe do you recommend for the SOC report? > What deliverables will result from the engagement? > Describe the communication process before, during, and after the engagement between you and my organization. > How many SOC reporting engagements has your organization completed? 34

35 QUESTIONS? Contact us: bakertilly.com Christine Anderson, CPA, CISA Recordings of our service organization webinar series are available online at: An with the link will be sent to all attendees after the Understanding SOC 3 webinar recording has been posted. 35

36 Disclosure Pursuant to the rules of professional conduct set forth in Circular 230, as promulgated by the United States Department of the Treasury, nothing contained in this communication was intended or written to be used by any taxpayer for the purpose of avoiding penalties that may be imposed on the taxpayer by the Internal Revenue Service, and it cannot be used by any taxpayer for such purpose. No one, without our express prior written permission, may use or refer to any tax advice in this communication in promoting, marketing, or recommending a partnership or other entity, investment plan, or arrangement to any other party. Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. The information provided here is of a general nature and is not intended to address specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought Baker Tilly Virchow Krause, LLP 36