SOC Reports – The 2017 Update:
What’s new, What’s not, and What you should be doing with the SOC Reports you receive!
Presented by Jeff Pershing
Page 1
SOC Reports – The 2017 Update
What’s new, What’s not, and What you
should be doing with the SOC Reports
you receive!
presented to Northeast Ohio ISACA
Thursday, April 20, 2017
Jeff Pershing, CISA, CISM, CISSP
Principal, Pershing Consulting, LLC
Slide 2
Introductions
Slide 3
Overview
- Brief history of reports on Service Organizations
- Overview of AT 101, SSAE 16/SOC 1, SOC 2, and SOC 3
- Attestation Standards Updates / SSAE 18 Overview
- What’s new with SOC Reports
- Trust Services Principles – Overview and Updates
- What’s new with SOC 2
- User Auditor Requirements
- Lessons learned from the first years of SOC reporting
Slide 4
Brief history of reports on Service Organizations
Slide 5
SAS70
- In the beginning, the AICPA created the SAS70. The AICPA saw that the SAS70 was good and it was so. And then the AICPA rested . . .
  - For nearly 20 years . . . .
  - Okay, not quite . . . SAS78, SAS88, SAS94, . . .
- Until . . .
  - “He’s dead, Jim . . .” – Leonard "Bones" McCoy
Slide 6
Why the need for a SAS70 Report anyway?
- Computers give rise to EDP – Electronic Data Processing
- Computers are very big and expensive (in the 60’s, 70’s, and 80’s)
  - Okay, they’re still expensive now . . .
- Let’s share their use to be more efficient!
- This sounds like a business opportunity!
  - Let’s create a company to provide processing to several companies at once who can’t afford their own
  - (Can anyone say, “cloud?”)
- Auditor: How do I know my financial calculations are correct and you have good internal controls?
- Service Provider: “Trust us!”
- Auditor: “No, I will audit you. SAS55 says so. See you Monday. Here’s my request list.”
- Service Provider: “Wait, I have hundreds of customers with auditors all saying the same thing!”
Slide 7
Service Provider Audit Reports – A Short History
- AICPA – American Institute of Certified Public Accountants
- SAS – Statement on Auditing Standards
- SAS 55 – Consideration of the Internal Control Structure in a Financial Statement Audit
  - Released in 1988
  - Created “death by auditing” for service providers
- SAS70 – Service Organizations
  - Issued in 1992 as “Reports on the Processing of Transactions by Service Organizations”, effective for reports issued after March 31, 1993
  - One report to meet the needs of multiple user auditors
  - Amended by SAS 88 and renamed “Service Organizations”
Slide 8
Service Provider Audit Reports – A Short History (cont)
- SAS70 amended several times by subsequent SAS
  - 1998 by SAS78 – “Consideration of Internal Control in a Financial Statement Audit: An Amendment to Statement on Auditing Standards No. 55”
  - 1999 by SAS88 – Title changed to “Service Organizations”
  - 2002 by SAS94 – The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit
  - 2002 by SAS98 – Omnibus Statement on Auditing Standards – 2002
  - Other minor adjustments (“conforming changes”) in 2006 by SAS105 & SAS106, and 2007 by SAS109 & SAS110
- SAS70 was superseded by three Service Organization Control (SOC) reports – SOC 1, SOC 2 and SOC 3 – for reports issued on or after June 15, 2011
- SOC Reports were based on Attestation Standard 101 (AT 101)
Slide 9
Why Change?
- SAS70 was abused – intended for internal control over financial reporting (ICFR), but used for much more:
  - To obtain assurance on controls regarding compliance and operations
    - E.g. hosted data centers providing no financial-reporting-relevant services
    - SysTrust or AT 101 should have been used instead
- SAS70 grew in familiarity outside the auditing world (e.g. IT), but was not necessarily well understood
  - Are you “SAS70 Certified?”
Slide 10
Why Change? (cont)
- ISAE 3402 / SSAE 16 (SOC 1) for ICFR
  - International Standard on Assurance Engagements (ISAE) 3402 issued in December of 2009
  - AICPA issued SSAE No. 16 shortly afterwards as a US Standard in alignment with ISAE 3402
    - Minor differences between the two
  - Drafted to help correct misuses of the SAS70
- SOC 2 for matters other than ICFR
  - Specifically, for Security, Availability, Processing Integrity, Confidentiality, and Privacy
- SOC 3, similar to SOC 2, but with a general use report
- All three based on AT 101 (SSAE 16 became AT 801)
Slide 11
Overview of AT 101, SSAE 16/SOC 1, SOC 2, and SOC 3
Slide 12
Attestation Standards Section 101
- Section provides a framework for attestation engagements that are completed by practitioners
- SOC 1, SOC 2 and SOC 3 reports are completed in accordance with AT Section 101
- The subject matter of an attest engagement may take many forms, for example:
  - Physical characteristics (for example, narrative descriptions, square footage of facilities)
  - Historical events (for example, the price of a market basket of goods on a certain date)
  - Systems and processes (for example, internal control)
- Suitability and Availability of Criteria
  - Subject matter must be capable of evaluation against criteria that are suitable and available to users
Slide 13
Attestation Standards
- SSAE = Statement on Standards for Attestation Engagements
- SSAE 10, issued in 2001, established:
  - AT 101 – Attest Engagements
  - AT 201 – Agreed-Upon Procedures Engagements
  - AT 301 – Financial Forecasts and Projections
  - AT 401 – Reporting on Pro Forma Financial Information
  - AT 601 – Compliance Attestation
  - AT 701 – Management's Discussion and Analysis
Slide 14
Other SSAEs
- SSAE 11 – Attest Documentation – Updated AT 101, 201, and 301
- SSAE 12 – Amendment to Statement on Standards for Attestation Engagement No. 10, Attestation Standards: Revision and Recodification – Updated AT 101
- SSAE 13 – Defining Professional Requirements in Statements on Standards for Attestation Engagements – Created AT 20: “Defining Professional Requirements for SSAE Engagements”
- SSAE 14 – SSAE Hierarchy – Created AT 50: “SSAE Hierarchy”
- SSAE 15 – An Examination of an Entity’s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements – Created AT 501 (issued in 2008)
- SSAE 17 – Reporting on Compiled Prospective Financial Statements When the Practitioner’s Independence is Impaired – Updated AT 301
Slide 15
NOTE: SAS 130 withdrew AT 501
- SAS 130 – An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements (AICPA, Professional Standards, AU-C sec. 940) – Issued in October 2015
  - AICPA Auditing Standards Board (ASB) determined it is appropriate to move the content of AT section 501 from the attestation standards into generally accepted auditing standards (GAAS).
  - The ASB will consider developing, at a later date, an attestation standard addressing examinations of internal control other than internal control over financial reporting that is integrated with an audit of financial statements.
  - SAS No. 130 is effective for integrated audits for periods ending on or after December 15, 2016, at which time AT 501 will be withdrawn.
Slide 16
What Changed moving from SAS to AT?
- Attestation Standard vs. Auditing Standard
- Management Assertion
  - An assertion is any declaration or set of declarations about whether the subject matter is based on or in conformity with the criteria selected.
- Description of “System” vs. Controls
- Use of suitable criteria
- Suitability of design opinion
  - SAS70: point in time
  - SSAE 16 (SOC 1) / SOC 2: entire period
- Materiality
- “Deviations” (not “exceptions”)
- Use of Internal Audit
  - Must identify testing by IA in the report
- Opinion Format
Slide 17
What is a “System”?
- TSP sec. 100 paragraph .01 defines a “system” as follows:
  - A system is designed, implemented, and operated to achieve specific business objectives (for example, delivery of services, production of goods) in accordance with management-specified requirements. System components can be classified into the following five categories:
    - Infrastructure. The physical structures, IT, and other hardware (for example, facilities, computers, equipment, mobile devices, and telecommunications networks).
    - Software. The application programs and IT system software that supports application programs (operating systems, middleware, and utilities).
    - People. The personnel involved in the governance, operation, and use of a system (developers, operators, entity users, vendor personnel, and managers).
    - Processes. The automated and manual procedures.
      - NOTE: SOC 2 Guide, par. 1.26a(ii)(4) uses “Procedures” rather than “Processes”
    - Data. Transaction streams, files, databases, tables, and output used or processed by a system.
Slide 18
SSAE 16 / SOC 1
- SSAE 16 – Reporting on Controls at a Service Organization
  - Created AT 801
  - As an attestation standard, it is built upon AT 101
  - Established requirements for attestation engagements to report on controls at organizations that provide services to user entities when those controls are likely to be relevant to user entities' internal control over financial reporting (ICFR)
  - Effective for reports issued on or after June 15, 2011
  - SOC 1 Audit Guide released May 2011, updated May 2013; a new update was just released in January 2017
- Two report types:
  - SOC 1 Type I = SSAE 16 Type I Report
  - SOC 1 Type II = SSAE 16 Type II Report
- “Branded” by AICPA as a SOC 1 – Service Organization Control Report 1
  - AICPA now prefers “SOC 1” vs. “SSAE 16”
Slide 19
SOC 2 Reports
- Reports on Controls at a Service Organization over Security, Availability, Processing Integrity, Confidentiality, or Privacy
  - Can report on just one Principle, or any combination of the five
- SOC 2 Guide released May 2011, updated March 2012 and July 2015 – new update expected soon
- Report format designed to match the SSAE 16
  - SOC 2 Type I
  - SOC 2 Type II
- Criteria are prescribed: must use TSP 100 – Trust Services Principles
Slide 20
SOC 3 Reports
- Similar to a SOC 2
- Uses TSP 100 – Trust Services Principles
- Primary differences
  - Does not contain a description of the practitioner’s tests of controls and results of those tests
  - Is a general use report rather than a restricted use report
  - An unqualified opinion allows use of the SOC Seal (SysTrust for Service Organizations) on the Service Provider’s website, if the Service Auditor is licensed by CPA Canada (formerly CICA)
- SOC 3 Guide was planned for release in Q4 2014 . . . . but we’re still waiting . . .
Slide 21
Reports Comparison
Slide 22
Attestation Standards Updates / SSAE 18 Overview
Slide 23
Attestation Clarity Project
- Designed to address concerns over the clarity, length, and complexity of the Attestation Standards
- Objective: to make AT sections easier to read, understand and apply
- Redrafted standards utilizing “clarity drafting conventions”
- Resulted in SSAE 18 “Attestation Standards: Clarification and Recodification”
- Desire to converge with standards of the International Auditing and Assurance Standards Board (IAASB)
  - International Standard on Assurance Engagements (ISAE) 3000 (Revised), Assurance Engagements Other Than Audits or Reviews of Historical Financial Information, served as the foundation for the common concepts, examination, and review sections of SSAE 18
Slide 24
Clarity Drafting Conventions
- SSAE 18 was drafted utilizing clarity drafting conventions, including:
  - Establishing objectives for each AT-C section
  - Including a definitions section, where relevant, in each AT-C section
  - Separating requirements from application and other explanatory material
  - Numbering application and other explanatory material paragraphs using an A- prefix and presenting them in a separate section that follows the requirements section
  - Using formatting techniques, such as bulleted lists, to enhance readability
  - Including, when appropriate, special considerations relevant to audits of smaller, less complex entities within the text of the AT-C section
  - Including, when appropriate, special considerations relevant to examination, review, or agreed-upon procedures engagements for governmental entities within the text of the AT-C section
- The identifier “AT-C” is used to differentiate the sections of the clarified attestation standards (“AT-C” sections) from the sections of the attestation standards that are superseded by SSAE 18 (“AT” sections)
Slide 25
SSAE 18
- Supersedes SSAEs 10–17, except:
  - SSAE 10, Chapter 7 (AT 701) – Management’s Discussion and Analysis
    - Renamed AT-C 395
  - SSAE 15 (AT 501 and 9501) – An Examination of an Entity’s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements, and related interpretation no. 1
    - However, SAS 130 withdrew AT 501 and related interpretations for integrated audits for periods ending on or after December 15, 2016
- Effective for reports dated on or after May 1, 2017
Slide 26
Contents of SSAE 18
- AT-C Preface
- AT-C Section 100 – Common Concepts
  - AT-C Section 105 – Concepts Common to All Attestation Engagements
- AT-C Section 200 – Level of Service
  - AT-C Section 205 – Examination Engagements
  - AT-C Section 210 – Review Engagements
  - AT-C Section 215 – Agreed-Upon Procedures Engagements
- AT-C Section 300 – Subject Matter
  - AT-C Section 305 – Prospective Financial Information
  - AT-C Section 310 – Reporting on Pro Forma Financial Information
  - AT-C Section 315 – Compliance Attestation
  - AT-C Section 320 – Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting
- AT-C Section 395 – Management’s Discussion and Analysis
Slide 27
What’s New in SSAE 18?
- Separate discussion of review engagements
  - AT 101 combined the discussion of examinations and reviews
- Required representation letters
  - AT 101 allowed, but did not require, representation letters
- Risk assessment for examination engagements
  - Requires obtaining a more in-depth understanding of the development of the subject matter than currently required, in order to better identify the risks of material misstatement in an examination engagement
- Incorporation of detailed requirements
  - Similar to SASs, specifies additional requirements (e.g. the need for an engagement letter, or the need to obtain written representations)
- Scope limitation imposed by the engaging party or the responsible party
  - Now allows for a qualified opinion, not only disclaiming an opinion or withdrawing from the engagement
Slide 28
Mapping AT to AT-C
AT Sections Superseded by SSAE No. 18 -> AT-C Sections Designated by SSAE No. 18
- AT 20, Defining Professional Requirements in Statements on Standards for Attestation Engagements -> AT-C 105, Concepts Common to All Attestation Engagements
- AT 50, SSAE Hierarchy -> AT-C 105, Concepts Common to All Attestation Engagements
- AT 101, Attest Engagements -> AT-C 105, Concepts Common to All Attestation Engagements; AT-C 205, Examination Engagements; AT-C 210, Review Engagements
- AT 201, Agreed-Upon Procedures Engagements -> AT-C 215, Agreed-Upon Procedures Engagements
- AT 301, Financial Forecasts and Projections -> AT-C 305, Prospective Financial Information
- AT 401, Reporting on Pro Forma Financial Information -> AT-C 310, Reporting on Pro Forma Financial Information
- AT 501, An Examination of an Entity's Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements -> no AT-C section: Statement on Auditing Standards No. 130, An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements, withdraws AT section 501
- AT 601, Compliance Attestation -> AT-C 315, Compliance Attestation
- AT 701, Management’s Discussion and Analysis -> AT-C 395, Management’s Discussion and Analysis
- AT 801, Reporting on Controls at a Service Organization -> AT-C 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting
Slide 29
Mapping AT-C to AT
AT-C Sections Designated by SSAE No. 18 -> AT Sections Superseded by SSAE No. 18
- AT-C Preface, Preface to the Attestation Standards -> Introduction, Attestation Standards—Introduction
- AT-C 100, Common Concepts
  - AT-C 105, Concepts Common to All Attestation Engagements -> AT 20, Defining Professional Requirements in Statements on Standards for Attestation Engagements; AT 50, SSAE Hierarchy; AT 101, Attest Engagements
- AT-C 200, Level of Service
  - AT-C 205, Examination Engagements -> AT 101, Attest Engagements
  - AT-C 210, Review Engagements -> AT 101, Attest Engagements
  - AT-C 215, Agreed-Upon Procedures Engagements -> AT 201, Agreed-Upon Procedures Engagements
- AT-C 300, Subject Matter
  - AT-C 305, Prospective Financial Information -> AT 301, Financial Forecasts and Projections
  - AT-C 310, Reporting on Pro Forma Financial Information -> AT 401, Reporting on Pro Forma Financial Information
  - AT-C 315, Compliance Attestation -> AT 601, Compliance Attestation
  - AT-C 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting -> AT 801, Reporting on Controls at a Service Organization
- AT-C 395, Management’s Discussion and Analysis -> AT 701, Management’s Discussion and Analysis
Slide 30
What’s new with SOC Reports
Slide 31
SOC 2® + Additional Subject Matter
- Introduced in (approximately) 2015
- Allows for addressing additional criteria, additional subject matter using additional suitable criteria, or both
  - E.g. in addition to addressing the Security Principle, also address the HIPAA Security Rule
- Mappings created from the 2014 version of the Trust Services Principles to:
  - CSA Cloud Controls Matrix
  - HITRUST CSF
  - COBIT 5
  - COSO 2013
  - ISO 27001
  - NIST SP 800-53 R4
Slide 32
Underlying Standard has Changed
- SOC 1
  - Old Standard – AT 801 (with attestation guidance provided by the SOC 1 Guide)
  - New Standards – AT-C 105, AT-C 205, AT-C 320 (and a brand new SOC 1 Guide!)
- SOC 2 / SOC 3
  - Old Standard – AT 101 (with attestation guidance provided by the SOC 2 Guide issued in July 2015)
  - New Standards – AT-C 105, AT-C 205 (and the existing SOC 2 Guide)
- For all three SOC Reports, any dated on or after May 1, 2017, must follow the new AT-C standards (SSAE 18)
Slide 33
But that’s not all!
- SOC Report = Service Organization Control Report
  - NO LONGER!!!
- SOC has been redefined to mean “System and Organization Controls”
  - According to the AICPA:
    - “By redefining that acronym, the AICPA enables the introduction of new internal control examinations that may be performed (a) for other types of organizations, in addition to service organizations and (b) on either system-level or entity-level controls of such organizations.”
Slide 34
SOC Suite of Services
- SOC 1® – SOC for Service Organizations: ICFR
  - AT-C 320 (and AT-C 105 / AT-C 205) plus a new SOC 1 Guide
- SOC 2® – SOC for Service Organizations: Trust Services Criteria
  - AT-C 205 (and AT-C 105) plus existing SOC 2 Guide
- SOC 3® – SOC for Service Organizations: Trust Services Criteria for General Use Report
  - AT-C 205 (and AT-C 105) plus existing SOC 2 Guide
- SOC for Cybersecurity (coming soon!)
  - AT-C 205 (and AT-C 105) plus forthcoming Guide “Reporting on an Entity’s Cybersecurity Risk Management Program and Controls”
- SOC for vendor supply chains (planned for 2018)
Slide 35
SOC for Cybersecurity
- Called a “Cybersecurity Examination,” it will include:
  - A description of the entity’s cybersecurity risk management program
  - An assessment of the effectiveness of the controls within that program to achieve the entity’s cybersecurity objectives
- Management is responsible for selecting both the description criteria and the control criteria to be used in the engagement
  - Proposed Description Criteria for Management’s Description of the Entity’s Cybersecurity Risk Management Program
    - Issued 9/15/16; comment period closed 12/5/16
    - Currently the only option for description criteria
  - Proposed Revision of Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy
    - Issued 9/15/16; comment period closed 12/5/16
    - Includes updates to better address cybersecurity risks
  - Other cybersecurity control criteria may be used
Slide 36
BREAK (?)
Slide 37
Trust Services Principles – Overview and Updates
Slide 38
The Trust Services Principles
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
Slide 39
Trust Services Principles (TSP) Revisions
- AICPA, Technical Practice Aids, TSP sec. 100
- Originally released in 2006, then updated in 2009
- Major revision to TSP sec. 100 in March/April 2014
  - Removed significant redundancies in wording between the Principles
  - Reorganized into a set of “Common Criteria” applicable to all Principles, plus additional principle-specific criteria
    - Criteria Common to All [Security, Availability, Processing Integrity, and Confidentiality] Principles – 28 criteria statements
    - Availability – 3 more criteria statements
    - Processing Integrity – 6 more criteria statements
    - Confidentiality – 6 more criteria statements
  - Mandatory adoption for reporting periods ending on or after Dec. 15, 2014
  - Privacy was updated separately
Slide 40
2016 Revisions to the Trust Services Principles
- New version released mid-year 2016
- Minor and clarifying updates to various criteria
- Two additional confidentiality criteria were added to address the retention and disposal of confidential information (total of 8 criteria statements now)
- Incorporated new criteria for Privacy to bring it back into the TSP framework (removing the cross references to Generally Accepted Privacy Principles)
- Early adoption permitted; mandatory use beginning with reports for periods ending on or after December 15, 2016
Slide 41
Even more Trust Services Revisions!
- Proposed Revision of Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy
  - Issued 9/15/16; comment period closed 12/5/16
  - The proposed revision indicates these are expected to become mandatory by 6/15/2018 with early adoption permitted. However, a final version has not yet been issued.
- Significant changes
  - Renaming:
    - “trust services principles and criteria” are now “trust services criteria”
    - the five principles (security, availability, processing integrity, confidentiality, and privacy) are now “trust services categories”
  - Aligns the Trust Services Criteria to the COSO 2013 Framework
  - Includes updates to better address cybersecurity risks
  - Adds points of focus to all criteria (in a similar manner as COSO 2013)
Slide 42
TSP – Common Criteria
- Criteria Common to All [Security, Availability, Processing Integrity, and Confidentiality] Principles
  - CC1.0 – Common Criteria Related to Organization and Management
  - CC2.0 – Common Criteria Related to Communications
  - CC3.0 – Common Criteria Related to Risk Management and Design and Implementation of Controls
  - CC4.0 – Common Criteria Related to Monitoring of Controls
  - CC5.0 – Common Criteria Related to Logical and Physical Access Controls
  - CC6.0 – Common Criteria Related to System Operations
  - CC7.0 – Common Criteria Related to Change Management
- Additional criteria when reporting on Availability, Processing Integrity, or Confidentiality
Slide 43
What’s new with SOC2
Slide 44
Contents of a SOC 2 Report
- Auditor’s Report – what does it cover:
  - Fairness of presentation of the description
  - Suitability of design of the controls
  - Operating effectiveness of controls (Type 2 only)
- Criteria related to the auditor’s evaluation
- Tests of controls and results (Type 2 only)
- Whether carve-out or inclusive method was used
- Other information from the Service Organization (unaudited)
Slide 45
SOC 2 Guide
- Updated SOC 2 Guide released July 1, 2015
  - Provides how-to guidance for service auditors performing examinations under AT section 101
  - Incorporates TSP sec. 100 updates from 2014
  - Updated guide expected in 2017 (?)
- Other updates fall into two major categories
  - Scoping updates – drive changes to the examination process
  - Language updates – will be reflected in reporting deliverables
Slide 46
Scoping Updates
- Non-continuous examination periods
  - Recommendation to either expand the period to cover the gap period or evaluate the potential effect of the excluded time period on users of the report [ref. par. 2.26]
- If addressing Confidentiality or Privacy
  - System boundary must include the information life cycle: collection, use, retention, disclosure, and disposal or anonymization of personal information [ref. par. 1.39 and 3.05]
- Monitoring of subservice organizations
  - Regardless of the subservice organization approach (carve-out or inclusive), controls to monitor services provided by third parties should be included in the description [ref. par. 1.26a(iv)(2) and 3.5]
Slide 47
Scoping Updates (cont)
- Complementary User Entity Controls (CUECs) and User Entity Responsibilities
  - CUECs – now emphasized as controls necessary to meet one or more criteria
    - Otherwise, considered a User Entity Responsibility (new concept introduced in the current guide)
    - User Entity Responsibilities are not required to be included in the system description
  - Ref. par. 3.32 through 3.37
Slide 48
Language Updates
- Representation Letter
  - Additional representations by Management to the Service Auditor [ref. par. 3.151]
    - Communications from regulators and others have been disclosed
    - Acknowledge responsibility for the subject matter
    - Effects of uncorrected misstatements are immaterial
- System Description
  - Additional guidance to the service auditor on evaluating what “fair presentation” is [ref. par. 3.02]
Slide 49
Language Updates (cont)
- Control Activities
  - Additional guidance to the service auditor on describing controls, including [ref. par. 3.07]
    - What – the subject matter to which the control applies
    - Who – the party responsible for performing the control
    - How – the nature of the activity performed, including sources of information used in performing the control
    - When – the frequency with which the control is performed or the timing of its occurrence
- Control Testing Conclusions
  - Example wording for greater clarity in particular situations
    - Sample size, when there are deviations [ref. par. 4.09]
    - Controls with no activity during the period [ref. par. 4.50]
Slide 50
SOC 2 Guide – Other Useful Information
- Appendix C – Illustrative Management Assertion and Related Service Auditor’s Report
- Appendix D – Illustrative Type 2 Service Organization Controls Report
- Appendix E – Information for Management of a Service Organization
  - Generally a restatement of Management’s responsibilities from various other portions of the guide, but pulled together in one place, and in a more reader-friendly format and writing style.
Slide 51
SOC 2 Guide – Other Useful Information
- Appendix F – Service Auditor Considerations in Performing SOC 2 or SOC 3 Engagements for Cloud Service Organizations (CSOs)
  - Provides an overview of CSOs, deployment models, and challenges unique to CSOs and their impact on performing a SOC 2 / SOC 3 engagement
- Appendix H – Additional Considerations for the Service Auditor Regarding the Trust Services Criteria
  - Provides explanatory information on the seven Common Criteria categories and the additional criteria for Availability, Processing Integrity, and Confidentiality
  - Adds context beyond the illustrative risks and controls provided in TSP sec. 100, Appendix B
Slide 52
User Auditor Requirements
Slide 53
User Auditor Requirements
- Read the report!!!
  - Does it cover the relevant services?
- Service Auditor’s Opinion
  - Unqualified? (Good)
  - Qualified? (Not as good, but can be okay)
  - Adverse? (Typically bad)
  - Disclaimer of opinion? (Typically very bad)
- Any deficiencies/deviations?
  - If so, how do they affect the User Entity?
- SAS 122 / AU-C Section 402 – Audit Considerations Relating to an Entity Using a Service Organization
  - Outlines various requirements for User Auditors when evaluating attestation reports
  - Particularly important when evaluating in support of ICFR
Slide 54
User Auditor Requirements (cont)
- Understand the Service Organization / evaluate appropriateness of the report in support of the User Organization audit (ref. AU-C 402 par. .13–.14, .17)
  - Service Auditor’s professional competence
  - Adequacy of standards utilized
  - Time period covered
  - Sufficiency and appropriateness of the evidence provided for the understanding of the user entity's internal control
    - Description of the system sufficient/understandable?
    - Control objectives/criteria relevant, sufficient, understandable?
    - Controls relevant, sufficient, understandable?
  - Sufficiency and appropriateness of the tests of controls performed by the Service Auditor
  - Evaluate complementary user entity controls for relevance, design and implementation
Slide 55
User Auditor Requirements (cont)
• Complementary User Entity Controls
  - From AU-C 402, par. .08: "Controls that management of the service organization assumes, in the design of its service, will be implemented by user entities, and which, if necessary to achieve the control objectives stated in management's description of the service organization's system, are identified as such in that description."
  - User auditor should determine which are relevant to the user entity audit, then evaluate the User Entity for design and implementation of those controls
  - One way is to map Complementary User Entity Controls to User Entity Controls
Slide 56
User Auditor Requirements (cont)
• What if the report is insufficient for the audit need?
  - Contact the service organization, through the user entity, to obtain specific information
  - Visit the service organization and perform procedures that will provide the necessary information about the relevant controls at the service organization
  - Use another auditor to perform procedures that will provide the necessary information about the relevant controls at the service organization
  - Refer to AU-C 402 par. .12 for additional information
Slide 57
Common Issues / Lessons Learned
• SOC 1
  - Control Objectives included which are not relevant to ICFR
  - System Descriptions insufficient to understand flow of transactions/processes
  - Description of control insufficient to understand control activity
  - Report only covers ITGC, but services provided include transaction or other information processing, etc.
• SOC 2
  - Description includes controls that have not been implemented.
  - Descriptions of processes and related controls are incomplete and the user is unable to understand the processing flow through the system (who?, what?, where?, when?, how?)
  - Applicable trust services criteria are intended to be met by controls at the subservice organization and the description does not identify the controls expected to be implemented at a carved-out subservice organization
Slide 58
Questions?
Slide 59
References and Sources:
• AICPA.org – Links to all current SAS and SSAEs, including SSAE 18 (AT-C 105, AT-C 205, AT-C 320, etc.)
  - http://www.aicpa.org/Research/Standards/AuditAttest/Pages/SAS.aspx
  - http://www.aicpa.org/Research/Standards/AuditAttest/Pages/SSAE.aspx
• AICPA SOC Reports home page
  - http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/SORHome.aspx
• AICPA Guides, Alerts (available in a variety of formats for purchase), and Information
  - SOC 1: http://www.aicpastore.com/AST/Main/CPA2BIZ_Primary/SOC/PRDOVR~PC-0127910/PC-0127910.jsp
  - SOC 2: http://www.aicpastore.com/AST/Main/CPA2BIZ_Primary/SOC/PRDOVR~PC-0128210/PC-0128210.jsp
  - SOC 2+: http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/SOC2AdditionalSubjectMatter.aspx
• Trust Services Principles and Criteria (2016) (download or online subscription): http://www.aicpastore.com/AuditAttest/TopicSpecificGuidance/trust-services-principles-and-criteria/PRDOVR~PC-TSPC13/PC-TSPC13.jsp
• Proposed Trust Services Criteria Updates
  - Exposure Draft: http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/exposuredrafts/asec_ed_rev_trust_services.pdf
  - Mapping proposed criteria to existing (2016) criteria: http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/cybersecurity/mapping_proposed_tsc_current_tspc.pdf
• Cloud Security Alliance Position Paper on AICPA SOC Reports
  - https://cloudsecurityalliance.org/research/collaborate/#_aicpa
• Brief History of all SAS with links to full text for many
  - http://en.wikipedia.org/wiki/Statements_on_Auditing_Standards_(United_States)
• AICPA Cybersecurity Resources
  - AICPA Cybersecurity Initiative: http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/aicpacybersecurityinitiative.aspx
  - AICPA Cybersecurity Resource Center: http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/cyber-security-resource-center.aspx
Thank You!
Jeff Pershing, CISA, CISM, CISSP