2. INTRODUCTION
Chris Kradjan, CPA, CITP, CRISC
Chris Kradjan is the National SSAE 16 Leader for Moss
Adams. He has been with Moss Adams since 1994, and has
been auditing and consulting since 1992. He works
routinely with a wide range of complex service
organizations to meet their needs. His practice areas
include SSAE 16 SOC 1/2/3 auditing, PCI-DSS compliance
services, internal controls reviews, Sarbanes-Oxley
compliance services, SysTrust/WebTrust audits, and
independent technology assessments. Furthermore, Chris
is regularly involved with technology and financial
controls assessments based on the COSO, COBIT, PCI-DSS,
NIST, FISMA, and ISO 27002 frameworks. He serves on the
AICPA SOC 2 Task Force and was recently appointed to the
AICPA Assurance Services Executive Committee.
SLIDE 2
MOSS ADAMS
LLP
| 2
3. OBJECTIVES
• Overview of SOC reporting
• Scope and coverage of SOC audits for AIS
• Background about Moss Adams as your auditors
• Key terminology
• Customers’ responsibilities
• AIS internal contact
4. MARKET / REGULATORY PRESSURES
• Increased competition
• Sarbanes-Oxley – SEC/publicly traded companies
• HIPAA Security and Privacy Rules – Healthcare
• GLBA – Financial services
• FERPA – Education
• PCI-DSS – Payment card data
• State and local security and privacy laws
• NIST 800-53 – Federal compliance
• ISO 27001 – Security
• Safe Harbor – International
5. SOC AUDITS
• Represents that AIS has been through an in-depth audit
of its system/controls
• For business unit(s) or entire organization
• Discloses controls relevant to customers
• Demonstrates design and operating effectiveness of
controls in place
• Follows AICPA standards - can only be issued by CPAs
• Even more important given Sarbanes-Oxley, heightened
regulatory conditions, and increasing competition
6. VALUE OF SOC AUDITS
• Provide customers independent assurance about AIS’
controls
• Satisfy multiple customers through a single audit
• Help AIS differentiate itself from its competition
• Provide independent feedback to management to
define and monitor adherence to established
operational metrics
• Identify potential opportunities to strengthen the
business practices and operating environment at AIS
8. RELEVANT PARTIES - DEFINED
• Audit of “system”/controls (vs. financial audit)
• AIS performs services (as “service organization”) for its
own customers
• In turn, its customers (“user entities”) and their auditors
(“user auditors”) want assurance over the AIS
systems/controls
• AIS then hired Moss Adams (“service auditor”) to opine on
AIS’ systems/controls
9. MOSS ADAMS
• 11th largest accounting and consulting firm
• Reputable and nationally recognized, celebrating 100 years
• Over 1,800 professionals and 240 partners in 22 offices
• Strong acceptance by relevant customers and industries/markets
• Well established in the tech and data center space
• Professionals serving in important leadership roles through the AICPA, COSO, and other national committees
• Proven technical expertise and industry credentials
• Established SOC auditing and testing processes
• Practical, solution-oriented approach
10. AUDIT TEAM
Leads
• Chris Kradjan, Partner
• Francis Tam, Partner
• JP Langlois, Supervisor
Highlights
• Led by SSAE 16 National Practice Leader
• Comprised of seasoned SOC team
• Security, operations and controls advisors
• SOC, Sarbanes-Oxley, HIPAA, PCI, internal controls specialists
• CPA, CISA, CISM, CITP, CRISC, PCI QSA
11. SCOPE
Reports
• SOC 1 Type 2 Audit (SSAE 16 and ISAE 3402)
• SOC 2 Type 2 Audit
• SOC 3 Type 2 Audit
Audit Period Ending: April 30, 2012, April 30, 2013, etc.
Sites
• Lightwave Data Center (LWDC)
• San Diego Tech Center (SDTC)
• Fiber Alley Data Centers #1/#2/#3 (FADC)
• One Wilshire Point of Presence (OWPOP)
• Van Buren Data Center (VBDC)
12. CONTROL AREAS
SOC 1/ISAE 3402
Control Areas:
• Service Delivery
• Solutions Design
• Computer Operations
• Logical and Physical Security
• Change Management
• Incident Management
• Disaster Recovery Planning
• Business Continuity Planning
SOC 2 and SOC 3
Principles:
• Security
• Availability
Control Areas:
• Policies
• Communication
• Procedures
• Monitoring
13. ALPHABET SOUP
Historical with SAS 70
• SAS 70 Reporting – AU 324
New with SSAE 16
• SOC 1 – Internal Controls Over Financial Reporting – AT 801
• SOC 2 – AT 101 and Trust Services Principles (Detailed Reporting) – AT 101
• SOC 3 – Trust Services Principles (SysTrust/WebTrust) – AT 101
Type 1 and 2 reporting both still applicable
14. SOC 2 AND 3 REPORTING
• AICPA SOC 2 Report
AT 101 Attest Engagements
Report on Controls at a Service Organization Relevant to Security,
Availability, Processing Integrity, Confidentiality and/or Privacy
(Type 1 and 2 Reports)
• AICPA SOC 3 Report
Trust Services Report
Trust Services Principles, Criteria and Illustrations
(Including WebTrust® and SysTrust®)
15. TRUST SERVICES
• Follows Trust Services Principles, Criteria and
Illustrations (Including WebTrust® and SysTrust®)
• The engagement is used to emphasize system reliability
• Based on a prescribed set of control objectives and
criteria
Principles
o Security
o Availability
o Processing Integrity
o Confidentiality
o Privacy
Control Areas
o Policies
o Communication
o Procedures
o Monitoring
• Intended audience is system stakeholders
• No restrictions on report distribution
16. ISAE 3402
• SSAE 16 – United States
• HKCPA 860.2 – HK/China
• CICA 5970 – Canada
• AUS 810 – Australia
• AAF 01/06 – United Kingdom
• Others
18. CUSTOMERS’ FIDUCIARY RESPONSIBILITY
• Periodically monitor AIS in formal manner
• Obtain and maintain an understanding of AIS operations
• Assess policies, procedures and controls in place
• Identify recent changes and reportable issues
• Use the latest SOC Type 2 reports to reduce their own compliance efforts
• Obtain a gap letter/negative assurance letter between reports
19. CUSTOMERS’ BENEFITS OF SOC REPORTS
• Streamlined way to obtain detailed and regular input on the
performance of the service organization
• Provides a clear description of the controls in place
• Independently affirms the controls were (1) designed
appropriately, and (2) operating effectively.
• Simplifies ability to fulfill fiduciary responsibilities
• Helps focus on exceptions and issues
• May provide them cost savings through reduced audit fees
20. REVIEWING AN SSAE 16 REPORT
• Audit period covered and whether it is a SOC Type 2 report
• Firm engaged to perform the SOC audits
• Nature of the opinion and if there are any modifications
• Any subservice organizations included or carved out
• Scope of controls and level of detail within control description
• Coverage and sufficiency of the specified control activities
• Extent of changes since prior report
• Nature, timing and extent of testing performed by service auditor
• Nature and extent of exceptions, and their significance
• Review and consideration of the user control considerations
21. AIS INTERNAL CONTACT
Frank Gaff
VP Service Assurance & Chief Compliance Officer
(858) 576-4272 x128
fgaff@americanis.net
“In successfully completing its current suite of
SOC 1, SOC 2 and SOC 3 Type 2 audit reports, AIS
has reinforced its strong commitment to the
security and availability of its data center
facilities and operations.”
Chris Kradjan, Partner, National IT/SOC Practice Leader, Moss Adams
22. Chris Kradjan, CPA, CITP, CRISC
Partner, SSAE 16 National Practice Leader
(206) 302-6511
chris.kradjan@mossadams.com
The material appearing in this presentation is for informational purposes only and is not legal or accounting advice. Communication of this information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although these materials may have been prepared by professionals, they should not be used as a substitute for professional services. If legal, accounting, or other professional advice is required, the services of a professional should be sought.
Editor's notes
Security. The system is protected against unauthorized access (both physical and logical).
Availability. The system is available for operation and use as committed or agreed.
Processing Integrity. System processing is complete, accurate, timely, and authorized.
Confidentiality. Information designated as confidential is protected as committed or agreed.
Privacy. Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and CICA.
Policies. The entity has defined and documented its policies relevant to the particular principle. (The term policies as used here refers to written statements that communicate management's intent, objectives, requirements, responsibilities, and standards for a particular subject.)
Communications. The entity has communicated its defined policies to responsible parties and authorized users of the system.
Procedures. The entity placed in operation procedures to achieve its objectives in accordance with its defined policies.
Monitoring. The entity monitors the system and takes action to maintain compliance with its defined policies.