An Overview of SSAE 16 (Statement on Standards for Attestation Engagements No. 16)

Presentation Objectives
• Background Information
• Types and Uses of Internal Control Reports (SOC 1, SOC 2, SOC 3)
• User Entity Considerations
• Industry Trends & Advantages
• Answer Questions
Background

Terminology
• Service Organization: Organization which provides services relevant to a user entity's (customer) internal controls. Issuer of the internal control report.
• User Entity (Customer): The customer of the service organization. User of the internal control report.
• Service Organization Control (SOC) reports: Internal control reports on the services provided by a Service Organization (SOC 1, SOC 2 and SOC 3).
• SSAE 16: Professional standard used by auditors when issuing a report on internal controls related to financial reporting (SOC 1).
• AT 101: Professional standard used by auditors when issuing a report on internal controls related to non-financial topics (SOC 2 & 3).
• Trust Services Principles (SOC 2 & 3): Standardized principles used to measure an entity's controls around specific IT areas.
• WebTrust & SysTrust: Standards used by auditors to evaluate a company's controls around the Trust Services Principles specifically associated with the web (WebTrust) and systems (SysTrust).
Types of Service Organizations & User Entities

Service Organizations
• Outsourced service processors (e.g. Payroll, Actuarial, Claims)
• Datacenters and co-location facilities
• Software as a Service (SaaS)
• IT support
• Data analytics providers

User Entities
• Public companies (subject to Sarbanes-Oxley)
• Financial institutions
• Healthcare entities
• Governmental agencies
• Companies with other compliance requirements (e.g. PCI, FFIEC)
Trust Services Principles (principle, what it means, number of criteria)
• Security: The system is protected against unauthorized access (both physical and logical). 32 criteria.
• Availability: The system is available for operation and use as committed or agreed. 34 criteria.
• Processing Integrity: System processing is complete, accurate, timely and authorized. 49 criteria.
• Confidentiality: Information designated as confidential is protected as committed and agreed. 47 criteria.
• Privacy: Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity's privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA. 66 criteria.
History of Internal Control Reports

Focus: Evaluation of controls related to financial reporting
• Historical: SAS 70
• Current: SOC 1 (SSAE 16)

Focus: Evaluation of controls related to IT processes
• Historical: WebTrust & SysTrust
• Current: SOC 2 (AT 101), SOC 3 (AT 101)
Types of Internal Control Reports

SOC 1 Report (SSAE 16)

Audit Report Composition
• 4 Sections
• Type I or Type II
• Management Assertion required
• User Entity Considerations

Control Objectives
• Objectives defined by management
• Focus on procedures impacting customer's financial information
• Customers (and/or their auditors) may wish to modify

Audit Outcome
• Audit Report
• SOC Logo (available for website)

Use
• Primarily by financial auditors of customers
• Supports control reliance
• Avoids duplication of effort by customer's auditors
SOC 2 Report (AT 101)

Audit Report Composition
• Same as SOC 1

Trust Services Principles
• Principle(s) selected by management
• Pre-defined criteria (not modifiable) support Principles
• Audit covers all criteria of selected Principle(s)

Audit Outcome
• Same as SOC 1

Use
• Used by customers to evaluate IT controls
• May impact decision to use service organization
• May impact customer's other compliance requirements
SOC 3 Report (AT 101)

Audit Report Composition
• Audit Opinion and scope of services only
• No process description or test results
• No Type I or II

Trust Services Principles
• Same as SOC 2

Audit Outcome
• SOC Seal (available for website)
• Audit Opinion

Use
• Same as SOC 2
Types of SOC 1 & 2 Reports

Type I
• Report on the design (only) of a user entity's control structure
• Auditor Opinion is as of a point in time (similar to a balance sheet)
• Usually performed during first year only
• Involves performing "walkthroughs" of controls
• Not as useful to the auditors of user entities

Type II
• Report on the design and operating effectiveness of controls
• Auditor Opinion covers a period of time (generally 6 months)
• Report usually issued one time per year
• Period ending driven by year ends of customers (user entities)
• Provides description of tests performed and results of tests (including exceptions)
• More useful to auditors of user entities
SOC 1 & 2 Report Components
• Section I – Independent Service Auditor's Report (Opinion)
• Section II – Management's Assertion
• Section III – Description of the Service Organization's Processes and Controls
• Section IV – Information Provided by the Independent Service Auditor
  – Type I – Listing of Controls
  – Type II – Listing of Controls and Tests Performed by the Independent Service Auditor (and Results of Tests)
• Other Information
User Entity Considerations (procedure and its purpose)
• Review contract with Service Organization: Ensure that your service is included in the scope of the report (including location of service being provided).
• Applicability of Control Objectives/Principles (SOC 1 & 2): Determine if objectives meet your requirements and, if they do not, discuss changes with the service organization.
• Evaluate impact of qualified auditor opinion: Determine if the issues impact your reliance on the report.
• Evaluate impact of testing exceptions (Section IV): Determine if the exceptions impact your reliance on the report.
• Evaluate User Entity Considerations section of report: Determine if your organization is performing the procedures required.
• Verify audit period: Determine if the end of the audit period is within 6 months of your company's year end (stale considerations).
Industry Trends
• Increasing proliferation of SaaS applications and outsourcing of IT systems to datacenters
• SOC 1 report continues to be the most popular report issued
• Report consistency & robustness has not yet been achieved under the new SSAE 16 guidance
• Service Organizations are moving toward obtaining SOC 2 reports (in addition to SOC 1)
• SOC 3 report is not pervasive at this time
Reporting Advantages of SOC Reports
• Leads to strengthening of internal control structure
• Marketing differentiator
• Avoids duplication of audit effort
• Auditor reliance on controls for financial audit of service organization
• Cost savings for user entities
Appendices

Logo for SOC 1 & 2 Reports (example image)

Seal for SOC 3 Reports (example image)