Latest Blogs

Understanding a SOC Report


With the growth of emerging technologies, most organizations outsource some aspects of their business to vendors, which may involve performing a specific task or replacing an entire business function. Vendors can handle functions such as customer support, financial technology, data storage and software development. Along with these advantages, organizations should also consider the inherent risks associated with outsourcing.
To gain comfort over a vendor’s environment and internal controls, organizations usually ask the vendor for either a SOC 1 or a SOC 2 report. However, on receiving a SOC 1 or SOC 2 report, most organizations do not know how to read it, what exactly a qualified opinion is, or whether the risks they are looking to mitigate are addressed in the report. SOC 1 and SOC 2 reports are lengthy and complex, but they play an extremely important role in understanding the risks to your organization. In this article, we will touch upon some key components of SOC 1 and SOC 2 reports that will help you analyze the security of your vendors.

Categories and Types of SOC Reports 

SOC reports fall into two main categories, SOC 1 and SOC 2, and each is issued as either Type I or Type II.

The SOC 1 report attests to the service organization’s controls over financial reporting. It is particularly important for a service organization whose services impact the user entity’s financial reporting. Some examples of organizations that may require SOC 1 reports are:

• Payroll processors

• Medical claims processors

• Data centers

• Lending services

• Cloud service providers

• Human resources support services

A SOC 2 report highlights the security and protection of customer data. A SOC 2 report follows a similar approach to SOC 1, but covers the controls over IT and systems processing confidential client data. SOC 2 audits focus on controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy. A SOC 2 audit is a best practice for any service-based organization that stores, manages or processes client information in the cloud. The report is beneficial for any service organization processing or maintaining information that requires a controlled or secure system.

 

Further, each of the above reports can be of the following two types:

Type I – A report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date. 
Type II – A report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period. 

Structure of a SOC Report 

A SOC report broadly consists of the following sections, each having its own purpose and containing specific information about the client’s environment.

Section 1: Independent service auditors’ report 

This section generally starts with ‘To the management’ and is signed by the service auditor (CPA). It is written from the service auditor’s perspective and contains the following key aspects related to the service organization:

• Scope, explaining the type of report (Type I or Type II), the testing date or period, in-scope locations and any omissions

• Responsibilities of both the service organization and the service auditor

• Inherent limitations

• The service auditor’s opinion on the system description and on the design and operating effectiveness of controls in meeting the control objectives

• A statement on the restricted use of the report and its intended users

Section 2: Management’s assertion regarding the effectiveness of its controls 

This section provides the reader with the facts and assertions made by the service organization’s management about the system(s) under audit:

• It lists what the description covers, i.e. the types of services provided, the components of the system, how the system captures and processes significant events, any applicable trust services criteria, etc., and states that the controls described are suitably designed and operating effectively.

• It also contains the signed management assertion letter accepting responsibility for the description provided.

Section 3: Management’s description of its system and controls 

This section is the heart of the report and provides the details of the systems being reported on (written by management). The key components of Section 3 are:

• Scope and purpose of the report, explaining the type of report (Type I or Type II), the testing date or period, in-scope locations and any omissions

• Company overview and background, and an overview of products and services, giving a brief introduction to the organization, its background and the products and services the company offers

• Details of the company’s IT infrastructure, including the network overview, servers, tools and software used, and data management

• The company’s organizational structure, policies and procedures, risk assessment, governance and oversight, and details about the control environment

• All control descriptions with their functioning, subservice organizations, complementary user entity controls, and other system information

• Everything included in this section should be capable of being audited against the control objectives

Section 4: Applicable trust services principles’ criteria and control activities 

This section depicts the test results and the overall effectiveness of the control objectives. For a Type I report, you see only the conclusions; for a Type II report, both the test procedures and the conclusions. It shows the following four columns of information:

• Control objective (related to the applicable trust services principles or controls over financial reporting)

• Controls in place at the service organization to meet the objective

• Auditor’s tests of the controls (explaining the test procedures performed)

• Overall results and conclusion of the tests

Section 5: Other information provided

Lastly, we come to Section 5, which contains other information not covered by the auditor’s report. This section is available for any additional information that you would like to provide to the users of the SOC report concerning your services system. In this section, management can discuss items such as a strategic plan or a business continuity plan, or any other items that they feel would be beneficial to the report users. All sections listed above, apart from the Independent Service Auditor’s Report (Section 1), are the responsibility of the management of the service organization. It is important to be as detailed as possible when creating your SOC report in order to explain the services system and the controls over that system in a way that is helpful to the report users and supportive in arriving at the desired audit opinion.
 
You can also visit the link below to read AICPA articles on the impact of COVID-19 on audit and assurance.
 

2020-09-11 06:29:46

SOC Reporting and COVID 19

Brief Overview 

COVID-19, the most talked-about word these days, is a virus that has not only impacted human health but has also affected almost every industry in the world, including organizations (user organizations) relying on other companies (service organizations) to provide their services. Companies have either shifted their staff to remote environments or laid off workers. Organizations looking for a SOC (System and Organization Controls) report from their service organizations are in a dilemma as to whether they will be able to get a renewed report for the COVID year.

SOC examinations are designed to test the information technology and business process controls that a company has implemented to protect the security of its customers’ data (SOC 2), or to ensure the accuracy and completeness of financial transaction processing and reporting (SOC 1). If your customers and the related stakeholders cannot obtain SOC reports on a timely basis, it could affect their business objectives.
Further, the entities that issue SOC reports (i.e. independent third-party audit firms) are anxious about how to support the remote attestation of controls at a time when companies have reduced headcount, decreased revenues, or ceased operations due to government mandates. Remote assessment of risks and attestation of either internal controls over financial reporting (SOC 1) or the AICPA’s trust services criteria (SOC 2), without being physically present at the client location, has become a big challenge. However, business must go on, and so should SOC reporting.
In this article, we touch upon the considerations that service organizations, user organizations and third-party auditors should take care of during the pandemic.

Service Organizations 

• The company should examine any impact on the functioning of controls caused by a reduced number of employees, and any SoD (segregation of duties) conflicts should be addressed using additional monitoring controls.

• Company employees accessing regulated data should receive appropriate training on handling that data in a remote work environment.

• New user provisioning and user termination processes should operate effectively, with sufficient authentication of remote users.

• Supplementary guidance on remote work cyber security practices should be communicated to staff working from a remote location.

• The security of applications enabled for remote work should be ensured, along with the implementation of multi-factor authentication (MFA), which should be required for all critical systems.

• Service organizations should discuss with their service auditors the procedures for performing virtual walkthroughs over video conferencing. The most common procedures include physical security walkthroughs of buildings and data centers to confirm that security measures and environmental protections are in place.

User Organizations 

User organizations, as receivers of SOC 1 and/or SOC 2 reports, should communicate frequently with their vendors to discuss whether COVID-19 has impacted their operations and their SOC report. The following points should be considered when reviewing SOC reports whose evaluation period includes the pandemic.

• The SOC report should be reviewed for any disclosures of changes to the system, operations or controls due to the impact of COVID-19. An assessment should be made to identify whether any change impacts you and your reliance on the SOC report.

• The SOC report should also be reviewed for exceptions; you can expect an increased number of exceptions at your service organizations due to the pandemic. These exceptions and their corresponding impacts should also be evaluated.

• The complementary user entity considerations should be reviewed. An analysis should be made of whether the service provider has included any additional items due to changes in the controls or system description.

Assessors / Auditors 

The following key aspects should be considered by the auditor when performing a third-party assessment remotely.

• The risk associated with key personnel should be evaluated, and the organization should have adequate personnel available to support critical business and IT functions.

• Changes to the organizational structure should be assessed, and their possible impact on segregation of duties should be analyzed.

• The organization’s Disaster Recovery and Business Continuity Plans should be evaluated, and appropriate changes should be suggested as required in a pandemic situation.

• Keeping travel restrictions in mind, distance audit methods such as video conferencing should be used to perform virtual walkthroughs, such as physical security walkthroughs of buildings and data centers, to confirm that security measures and environmental protection methods are in place.

• Video conferencing can also be used to communicate with client personnel and gain an understanding of the client’s systems for a new engagement, or to test the effectiveness of controls for ongoing engagements.

• For controls not operating during the testing period due to the pandemic, auditors should simply add an additional rationale in the report explaining the reason. The overall report opinion is not modified.

• Critical functions such as review of risk assessments, review of policies, periodic user access reviews, and ticketing for timely removal of terminated users’ access should continue to operate uninterrupted and should be tested as usual. In exceptional cases, an annual control can be rescheduled to occur in future months, as long as it still falls within your SOC examination period. In other instances, those activities may be performed virtually.

You can also visit the link below to read AICPA articles on the impact of COVID-19 on audit and assurance.

Please reach out to us if you would like to discuss this topic further or if you have any queries related to SOC reporting.
 

2020-09-11 06:30:43

The US and UK attestation standards SSAE and ISAE

Usually, when you look to obtain an independent controls attestation for your organization from a third-party service auditor, you may come across many ways of getting it done. You can either get a SOC 1 or a SOC 2 audit done (Type I or Type II) based on your requirements, and choose the attestation standard for the report: either ISAE, the UK standard (No. 3402 being the latest), or SSAE, the US standard (No. 18 being the latest). In this article, we touch upon both standards, their managing authorities and their key differences, which will help you understand what exactly they are and identify the best one for you.

ISAE stands for International Standards on Attestation Engagements (the UK standard). It is managed by the IAASB (International Auditing & Assurance Standards Board), which in turn reports to IFAC (International Federation of Accountants).

SSAE stands for Statement on Standards for Attestation Engagements (the US standard). It is managed by the AICPA (American Institute of Certified Public Accountants), which reports to the FASB (Financial Accounting Standards Board).

In principle, both standards are designed to achieve the same objective: reporting on the establishment of effectively designed controls over financial reporting. Each service organization may need to provide reports to its clients (user entities) according to different standards. For service organizations providing services within the United States, SSAE 18 is best suited, while for those providing services outside the US, reporting can be done in accordance with ISAE 3402 (termed a combined report).

Further, there are a few key differences in the performance and reporting style of the two standards. Below are the major differences one should know:

• Investigation of the Intentional Acts

Both the standards require the investigation of any deviations identified during the testing. They direct the service auditor to investigate the noted deviations that could have been caused by an intentional act of service organization’s (SO) personnel. The SSAE 18 directs that the auditor should receive a written representation from SO management detailing any actual or suspected intentional acts (like employee committing frauds) that could impact the fair presentation of management’s description of the system. However, the ISAE 3402 does not explicitly require auditors to obtain the written representations.

• Dealing with Operating Anomalies

Any finding that deviates from the standard is an Operating Anomaly. SSAE 18 treats all deviations in the same manner, rather than as an anomaly. However, ISAE 3402 contains a requirement that allows a service auditor to conclude that any identified deviation while testing a sample of the control can be considered an anomaly. The idea is that when controls are sampled, they are not necessarily representative of the entire population from the samples drawn.

• Assistance from Internal Audit Team

SSAE 18 enables the use of direct assistance from the service organization’s internal audit function in accordance with US audit standards guidance. ISAE 3402 does not allow the use of the internal audit function for direct assistance.

• Subsequent Events

SSAE 18 calls out that the service auditor should report any event that could be significant in order to prevent users from being misled. A subsequent event would be something that could change management’s assertion after the audit period has ended. However, ISAE 3402 restricts the types of subsequent events that would be disclosed in the service auditor’s report to only those that could have a significant effect on the service auditor’s report.

• Statement on Restricting Use of the Service Auditor’s Report

SSAE 18 requires that the auditor’s report should include a statement restricting the use of the report to management of the service organization, user entities, and user auditors. However, ISAE 3402 requires that the service auditor’s report include a statement that indicates that the report is intended for the service organization, user entities & user auditors but does not require a statement restricting its use.

• Acceptance of Engagement and Continuation

SSAE 18 directs that management should acknowledge and accept the responsibility of providing the service auditor with written representations at the conclusion of the engagement. However, ISAE 3402 does not require this acknowledgment.

• Disclaimer of Opinion

If the service provider does not provide the assessor with the specific written representations, ISAE 3402 requires that the auditor disclaim an opinion after discussing the concern with management; if this happens, the auditor can carry out the required action. SSAE 18 requires that the service auditor either take appropriate action or withdraw from the engagement. SSAE 18 also contains certain incremental requirements for the situation where the auditor plans to disclaim an opinion.

• Elements of the Section 801 Report That Are Not Required in the ISAE 3402 Report

SSAE 18 contains certain requirements that are additional to those in ISAE 3402. These requirements are as follows:

o The identification of any information included in the documentation that is not covered by the service auditor’s report.

o A reference to management’s assertion, and a statement that management is responsible for identifying any of the risks that threaten the fulfillment of the control objectives.

o A statement that the examination included assessing the risks that management’s description of the service organization’s system is not fairly presented and that the controls were not suitably designed or operating effectively to achieve the related control objectives.

o A statement that an examination engagement of this type also includes evaluating the overall presentation of management’s description of the service organization’s system and suitability of the control objectives stated in the description.

We believe this article has enhanced your understanding of the two standards and their key differences. Please reach out to us if you still have any queries or need further information.

2020-09-11 06:31:11

Advantages of SOC Reporting

In today’s world, you would hardly find an organization that does not outsource at least one function or component of their control environment to a third-party service provider. From payroll processing to invoice creation and cloud storage to backup solutions, third party vendors have provided companies with cost-effective and efficient ways to reduce the need for internal resources for performing reoccurring or computerized tasks.

While this has helped organizations reduce headcount, stress and certain costs, it does not eliminate the company’s responsibility to ensure that their processes are functioning correctly, their data is secure, and their control environment is integrated. Since these types of associations have become more common, the demand from clients (or “user entities”) and their external auditors for service organizations to provide assurance that their processes and controls are designed and operating effectively has also increased. Completing a SOC 2 audit gives your organization an edge, as you can assure your customers that you are taking all necessary steps to keep their data safe and safeguard against damaging breaches.

Following are the key benefits of having a compliant SOC report:

Attracts your buyers

Organizations concerned with security are more likely to become customers if you can provide a SOC 2 report, which shows that you are following best practices for implementing and reporting on control systems.

Acts as Differentiator

Your competitors may claim to be secure, however they cannot prove that without an audit. Getting a SOC 2 report can differentiate your organization from other companies in the marketplace that have not made as significant an investment of time and capital.

Enhancing Services

A SOC audit helps you learn to be more secure and efficient. You can streamline your processes and controls based on your understanding of the risks that your customers face, which in turn helps you improve your services.

Establish Trust

While working with other people’s financial data / sensitive information, trust is the key thing you offer to your client. A SSAE 18 report performed by an independent auditor proves to clients that the systems and controls you have in place are secure and effective.

Save Time and Money

Audits can be time consuming and use valuable company resources. However, if you have a current report, it can be used by an external auditor and will save you a lot of re-work. If you don’t have a SOC report, you could face multiple user organizations’ auditors individually, repeating the process with each and every request.

Identify and Remediate Deficiencies

Apart from having an internal audit function, a third-party auditor can bring in new perspective on control environment and help catch inefficiencies or areas for improvement within your service organization that will end up saving you time and money in the long run.

Make Public Companies your client

Publicly traded companies are required to use service providers that are SSAE 16 qualified. Having a SSAE 16/SOC audit will expand your market beyond privately held companies to include public corporations.

Establish relationship with your Auditor

By the end of your SSAE 18/SOC audit, your auditors will know your business inside and out. You’ll be able to take advantage of this valuable resource long after the audit is complete. Any time you have a question you can refer to this trusted, knowledgeable resource to help navigate even the toughest business decisions.

2020-08-10 09:02:28

What is SOC 2 Audit


The Service Organization Control (SOC) 2 Audit is an auditing procedure that focuses on non-financial reporting controls, which rely on five trust services criteria: Security, Confidentiality, Availability, Privacy and Processing Integrity. A SOC 2 report is designed to assure the user entity that the non-financial reporting controls at the service organization are adequately designed and operating effectively, so that crucial and sensitive client and customer data is protected. For many businesses and user entity organizations, compliance with this auditing procedure is of utmost importance, or a prerequisite, when looking for a service provider. Like the SOC 1 Audit, the SOC 2 Audit is performed and attested by a certified public accountant (CPA).

Like SOC 1, SOC 2 reports are also of two types, generally known as the SOC 2 Type I report and the SOC 2 Type II report. The two types are described below:

 

SOC 2 Type I Report

 

A SOC 2 Type I report is generally required when user entity management requires a report on the fairness of the presentation of the service organization’s system and the suitability and adequacy of the design of controls as of a specified date. Also, when a service organization implements its system controls for the first time, or during readiness of those controls, it may start with a SOC 2 Type I report. The SOC 2 Type I report describes the suitability of the design of controls at the service organization. It is referred to as a point-in-time report (as of a particular date), and it reports on management’s description of the controls that are placed into the service organization’s operations and systems. The key difference between a Type I and a Type II report is the ‘as of’ date, i.e. a Type I report deals with the specifics of a system at a particular point in time.

 

A SOC 2 Type I report is now important and crucial to assure the user entity that the service organization can adequately handle customer data, for example healthcare firms, data centre service companies and financial organizations. The service organization can demonstrate its reliance on any (or all) of the trust services criteria: security, availability, confidentiality, privacy and processing integrity. The service organization needs to design and implement its controls keeping in mind the trust services criteria and related security controls, to ensure compliance while processing sensitive data.

 

The Type I report begins with the auditor’s opinion on the service organization’s controls and the scoped trust services criteria, which constitutes Section 1 of the report. Section 2 presents the service organization management’s assertion, in which management states that the description of the business system is fairly presented and that the control objectives and controls were suitably designed as of the audit date. Section 3 of the report provides the description of the system, followed by Section 4, which details the description of the tests of controls and the testing procedures along with the results of testing. The last section (Section 5) provides other information that the service organization usually supplies about relevant processes that were not tested during the audit, such as business continuity planning and disaster recovery.

 

SOC 2 Type II report

 

A SOC 2 Type II report gives higher assurance than a SOC 2 Type I report, as it provides reliance on both the design and the operating effectiveness of controls at the third-party service provider (the service organization) to the user entity. Therefore, in order to obtain assurance on the fairness of the presentation of the service organization’s system and the suitability, adequacy and operation of the design and implementation of controls over a specified audit period, the user entity requires a Type II report. This audit period can range from six months to 12 months.

 

The Type II audit is performed over a particular audit period, and the report covers management’s description of the controls placed into the service organization’s operations and systems. With a Type II report, a service organization is able to send a strong message to existing or prospective clients that it has applied best practices in data security and control of its systems. Like the Type I report, the SOC 2 Type II report deals with any (or all) of the five trust services criteria or principles of data processing and storage. The five Trust Services Criteria (TSC) are security, confidentiality, availability, processing integrity and privacy.

 

The main difference between Type I and Type II reports is that the former is as of a specified date while the latter covers an audit period. The Type II report includes the auditor’s opinion on the service organization’s controls and the scoped trust services criteria in Section 1. Section 2 presents the service organization management’s assertion, in which management states that the description of the business system is fairly presented and that the control objectives were suitably designed and operating effectively throughout the audit period. Section 3 of the report provides the description of the system, followed by Section 4, which presents the description of the tests of controls and the testing procedures for the IT and security controls along with the results of testing. The last section (Section 5) provides other information that the service organization usually supplies about relevant processes that were not tested during the audit, such as business continuity planning and disaster recovery.

2020-07-23 06:17:21

SERVICE COMPARISON

Services compared: financial statement preparation, compilation, review and audit.

Level of assurance that the financial statements are not materially misstated
• Preparation: the CPA does not obtain or provide any assurance that there are no material modifications that should be made to the financial statements.
• Compilation: the CPA does not obtain or provide any assurance that there are no material modifications that should be made to the financial statements.
• Review: the CPA obtains limited assurance that there are no material modifications that should be made to the financial statements.
• Audit: the CPA obtains reasonable (defined as high, but not absolute) assurance about whether the financial statements are free of material misstatement.

Objective
• Preparation: to prepare financial statements pursuant to a specified financial reporting framework.
• Compilation: to apply accounting and financial reporting expertise to assist management in the presentation of financial statements.
• Review: to obtain limited assurance as a basis for reporting whether the CPA is aware of any material modifications that should be made to the financial statements for them to be in accordance with the applicable financial reporting framework, primarily through the performance of inquiry and analytical procedures.
• Audit: to obtain reasonable assurance about whether the financial statements as a whole are free of material misstatement, thereby enabling the CPA to express an opinion on whether the financial statements are presented fairly, in all material respects, in accordance with an applicable financial reporting framework, and to report on the financial statements in accordance with the auditor’s findings.

The CPA is required to be independent
• Preparation: No.
• Compilation: No — but if the CPA is not independent, the CPA is required to indicate the lack of independence in the CPA’s compilation report.

The CPA is required to obtain an understanding of the entity’s internal control and assess fraud risk

The CPA is required to perform inquiry and analytical procedures

The CPA is required to perform verification and substantiation procedures

The CPA issues a formal report on the financial statements

Situations requiring different levels of service
• Preparation: intended for the business owner’s own use, to have the current information needed to know the financial standing of the business and to make business decisions accordingly. Similar to what an in-house controller or CFO would provide for management in a larger company. The financial statements may be shared with third parties.
• Compilation: typically appropriate when initial or lower amounts of financing or credit are sought, or there is significant collateral in place. Outside parties may appreciate the business’s association with a CPA, which is readily apparent in the formal compilation report.
• Review: typically appropriate as a business grows and is seeking larger and more complex levels of financing and credit. It is also useful when business owners themselves are seeking greater confidence in their financial statements to evaluate results and make key business decisions.
• Audit: typically appropriate and often required when seeking complex or high levels of financing and credit. Also appropriate when seeking outside investors, seeking to sell the business or considering a merger.

Differences in cost for each level of service
• Preparation: varies based on the financial records provided.
• Compilation: least time consuming of the services in which the CPA issues a formal report.
• Review: more time consuming than a compilation but substantially less than an audit.
• Audit: involves the most work and, therefore, the most CPA time.

2020-07-09 05:11:16

SERVICE COMPARISON


2020-10-27 23:14:01