SlideShare a Scribd company logo

Aronson's Technology Risk Services SOC Reports Overview

Download as PPTX, PDF
Aronson LLC
Aronson LLC

Service Organization Control (SOC) reports are designed to help service organizations build trust and confidence in their service delivery processes and controls through a report by an independent Certified Public Accountant. Service providers are organizations that operate information systems and provide information system services to other entities. SOC engagements have become a gold standard for assessing and reporting on financial reporting controls or on controls deployed to protect the privacy and confidentiality of your customer’s data as well as the security, availability and integrity of your systems. A SOC report can enhance trust in your organization through increased transparency and is a worthwhile investment. This report is valuable for retaining current and attracting prospective customers. Aronson is a premier provider of SOC reports for service organizations that must provide assurances to customers and stakeholders about their systems. Interested in more guidance to determine if a SOC report is right for you? Learn more about the topic and Aronson’s methodology here in our SOC Reports Overview presentation. Learn more about Aronson's Technology Risk Services: https://tribl.io/hub?id=kYBW

Technology
1 of 15
Service Organization Control (SOC) Reports Overview Technology Risk Services
2© 2016 | www.aronsonllc.com | www.aronsonllc.com/blogs | Table of Contents  About SOC Reports  Why obtain a SOC Report?  What are the different types of SOC Reports?  Which one to choose?  What is the difference between the SOC Reports?  When is a SOC Report not applicable?  What is the Aronson Methodology?  Why choose Aronson as the attestation provider?  Case studies
3© 2016 | www.aronsonllc.com | www.aronsonllc.com/blogs | About SOC Reports “Service Organization Controls reports are designed to help service organizations, organizations that operate information systems and provide information system services to other entities, build trust and confidence in their service delivery processes and controls through a report by an independent certified public accountant.” – American Institute of Certified Public Accountants (AICPA)
4© 2016 | www.aronsonllc.com | www.aronsonllc.com/blogs | Why obtain a SOC Report? Why do Service Organizations obtain a SOC Audit? Over time, companies have increased their reliance on third-party service providers to conduct business functions Service providers can maintain stakeholder trust & provide transparency through an independent auditor’s report conducted using AICPA guidance and standards It helps Service Organizations differentiate themselves from their competition SOC audits can reduce or eliminate other customer audits and vendor risk management questionnaires What are the benefits of obtaining a SOC Audit?  Ability to obtain a greater market share & competitive advantage through increased customer confidence  Independent assessment of the control environment including people, process and technology  One audit can satisfy multiple customers and various audit requirements  Reduce third-party vendor risk management questionnaires  Decrease client costs for other audits/compliance projects by relying on SOC reports
5© 2016 | www.aronsonllc.com | www.aronsonllc.com/blogs | What is SSAE 16 or SOC 1? Statement on Standards for Attestation Engagements (SSAE) No. 16 is an attestation standard put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) that addresses engagements undertaken by a service auditor for reporting on controls at organizations (i.e., service organizations) that provide services to user entities, for which a service organization's controls are likely to be relevant to a user entities internal control over financial reporting (ICFR). What is it? Based on the internal controls over financial reporting of the service provider. This includes control objectives and activities that have been defined by the organization.  Services, systems and locations covered  Control objectives and activities What is the scope?  Type I report covers the design and implementation of the controls  Type II report covers the design, implementation and operating effectiveness of the controls What are the different types?
6© 2016 | www.aronsonllc.com | www.aronsonllc.com/blogs | What is AT 101 or SOC 2? A SOC 2 report is designed to provide various users with assurances regarding internal controls related to the Trust Principles of a service provider. The report can apply to an application, platform, hosting services, data center infrastructure, and related areas. The service provider determines the areas that will be evaluated based on the determined in-scope Trust Principles. What is it? What is the scope?  Type I report covers the design and implementation of the controls  Type II report covers the design, implementation and operating effectiveness of the controls What are the different types? Based on the five trust principles of:  Security  Confidentiality  Availability  Processing Integrity  Privacy
7© 2016 | www.aronsonllc.com | www.aronsonllc.com/blogs | What is SOC 3? SOC 3 report is a general-use report that provides information on whether the system achieved the trust services criteria (no description of tests and results or opinion on the description of the system are provided). What is it? What is the scope?  Limited environment details  Limited description of controls and systems  Short report What are the different types? Based on the five trust principles of:  Security  Confidentiality  Availability  Processing Integrity  Privacy
8© 2016 | www.aronsonllc.com | www.aronsonllc.com/blogs | Which one to choose? HOW TO IDENTIFY THE SOC REPORT THAT IS RIGHT FOR YOU? Will the report be used by your customers and their auditors to plan and perform an audit or integrated audit of your customer’s financial statements? Yes SOC 1 Report Will the report be used by your customers as part of their compliance with the Sarbanes-Oxley Act or similar law or regulation? Yes SOC 1 Report Will the report be used by your customers or stakeholders to gain confidence and place trust in a service organization’s systems? Yes SOC 2 or 3 Report Do you need to make the report generally available or seal? Yes SOC 3 Report Do your customers have the need for and ability to understand the details of the processing and controls at a service organization, the tests performed by the service auditor and results of those tests? Yes SOC 2 Report No SOC 3 Report
9© 2016 | www.aronsonllc.com | www.aronsonllc.com/blogs | Focus & Distribution Report Report’s Focus Format Intended Users Distribution SOC 1 Report on a service organization’s internal control over financial reporting  Type I  Type II  Control Descriptions  Tests Performed & Results  Financial Statement Auditors of the user entity (UE)  Management of the UE  Management of the service provider Restricted use to current customers; can be shared with prospective customers if a third-party access letter is obtained SOC 2 Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy (Trust Principles)  Type I  Type II  Trust Principle Controls  Tests Performed & Results  Management of the UE  Management of the service provider  Other relevant parties e.g., regulators & business parties Restricted use to “customers with sufficient knowledge” e.g., current & prospective customers, regulators, business partners SOC 3 Report on Trust Principles but does not contain all of the details of a SOC 2 report because users do not have the required knowledge/need for a SOC 2; processing details and control test results are omitted  Brief Report  Limited Details on Tests Performed & Results Same as SOC 2 Can be freely distributed
10© 2016 | www.aronsonllc.com | www.aronsonllc.com/blogs | What is the difference between SOC 1 vs. SOC 2? Similarities  Contain an opinion & an assertion  Contain Management Representation Letter from provider  Contain processing environment description  Contain control objectives, activities, and test results Differences  SOC 2 does not address ICFR and isn’t expected to support the financial reporting process for customers  SOC 2 has a wider distribution to include “specified parties”, which includes anyone who understands the providers’ operations, internal controls, or services  SOC 2 can offer more technical information through descriptions and control details
11© 2016 | www.aronsonllc.com | www.aronsonllc.com/blogs | When is a SOC Report Not Applicable? SOC Reports are not applicable for the following circumstances:  Service organization is 100% professional services and has no systems or platform that stores, processes or transmits customer data  Customers of the service organization are not relying upon services to support their financial reporting process
12© 2016 | www.aronsonllc.com | www.aronsonllc.com/blogs | What is the Aronson Methodology? 1. Develop audit plan 2. Conduct controls testing for design and operational effectiveness using AICPA SOC Report Audit Protocol 3. Develop audit report 4. Hold report briefing 5. Perform continuous control improvement Planning 1. Develop Remediation Roadmap 2. Develop or update policies and procedures 3. Develop or revise processes and controls depending on the areas of deficiency 4. Implement revised controls 5. Conduct trainings for new or revised processes 1. Conduct interviews and walkthroughs to assess the current control environment 2. Review existing documents & conduct control analysis 3. Develop Gap Analysis & Recommendations Report 1. Develop project plan 2. Confirm system boundary 3. Confirm in-scope ICFR objectives or Trust Principles 4. Schedule interviews and walkthroughs Key Activities Assessment Remediation Audit
13© 2016 | www.aronsonllc.com | www.aronsonllc.com/blogs | Why choose Aronson as the attestation provider?  Collaborative teaming approach to drive better context and value of audit and knowledge transfer  View of wider business implication and not just the immediate effect  Relevant technical skills, practical knowledge and thought leadership  Proven technical skills and understanding of emerging risks in key audit areas  Tailored practical approach focused on the client’s environment  Focused on importance of knowledge transfer and alignment of cultures  Leading provider of assurance services in the Mid-Atlantic region (peer reviewed, national ranked CPA firm) that provides assurance services across a board range of industries
14© 2016 | www.aronsonllc.com | www.aronsonllc.com/blogs | Case Study 1 – SSAE 16 Client Issue ABC Company requires a third-party report on ICFR for services/products provided to private/public companies. ABC Company recognizes that an SSAE 16 report will provide assurance over in-scope controls to foster confidence in its control environment and enhance marketability. Without a favorable SSAE 16 report business opportunities will be limited. TRS Delivery  Conduct SSAE 16 audit readiness assessment  Conduct SSAE 16 audit TRS Value  Understood and clearly articulated emerging risks in key areas  Provide guidance on their remediation activities that helped them become ‘audit ready’ in a short period of time  Focused on wider business implication
15© 2016 | www.aronsonllc.com | www.aronsonllc.com/blogs | Case Study 2 – SOC 2 Client Issue ABC Company is a pioneer in political technology, servicing many of the largest grassroots organizations, PACs and political campaigns in the U.S. and abroad. Their technology processes and stores sensitive client data. Many of their clients (especially large financial institutions) require them to fill out a detailed security questionnaire around the confidentiality, security, integrity and availability of the data. This is a time consuming exercise which has to be done annually for many of their clients. Instead of repeating this process for each client, they decided to get a SOC 2 Type 2 audit for the following Trust Principles – Security, Confidentiality, Integrity, and Availability. TRS Delivery  Conduct SOC 2 audit readiness assessment  Conduct SOC 2 audit TRS Value  Deep technical skills and use of accelerators that helped jump start the engagement  Provide guidance on their remediation activities that helped them become ‘audit ready’ in a short period of time  Provided guidance on how to reduce time spent on responding to multiple customer vendor management questionnaires

Recommended

Achieving SSAE 16 Certification
Achieving SSAE 16 Certification Achieving SSAE 16 Certification
Achieving SSAE 16 Certification
Gary Pennington
 
SOC 1 Overview
SOC 1 OverviewSOC 1 Overview
SOC 1 Overview
Schellman & Company
 
Auditor Reporting on Controls at Service Organizations
Auditor Reporting on Controls at Service OrganizationsAuditor Reporting on Controls at Service Organizations
Auditor Reporting on Controls at Service Organizations
University of Waterloo
 
#OOW16 - • Implement the Best Practice for Oracle Fusion Advanced Financial C...
#OOW16 - • Implement the Best Practice for Oracle Fusion Advanced Financial C...#OOW16 - • Implement the Best Practice for Oracle Fusion Advanced Financial C...
#OOW16 - • Implement the Best Practice for Oracle Fusion Advanced Financial C...
Dane Roberts
 
Introducing DiveNation
Introducing DiveNationIntroducing DiveNation
Introducing DiveNation
Annette Wadsworth
 
Kompetenčni centri za razvoj kadrov: Z razvojem ljudi - uspevamo
Kompetenčni centri za razvoj kadrov: Z razvojem ljudi - uspevamoKompetenčni centri za razvoj kadrov: Z razvojem ljudi - uspevamo
Kompetenčni centri za razvoj kadrov: Z razvojem ljudi - uspevamo
Aleš Vidmar
 
Praevid_Ltd_Presentation
Praevid_Ltd_PresentationPraevid_Ltd_Presentation
Praevid_Ltd_Presentation
Christos Strimmenos
 
sagar CV
sagar CVsagar CV
sagar CV
Sagar Misal
 

Recommended

Achieving SSAE 16 Certification
Achieving SSAE 16 Certification Achieving SSAE 16 Certification
Achieving SSAE 16 Certification
Gary Pennington
 
SOC 1 Overview
SOC 1 OverviewSOC 1 Overview
SOC 1 Overview
Schellman & Company
 
Auditor Reporting on Controls at Service Organizations
Auditor Reporting on Controls at Service OrganizationsAuditor Reporting on Controls at Service Organizations
Auditor Reporting on Controls at Service Organizations
University of Waterloo
 
#OOW16 - • Implement the Best Practice for Oracle Fusion Advanced Financial C...
#OOW16 - • Implement the Best Practice for Oracle Fusion Advanced Financial C...#OOW16 - • Implement the Best Practice for Oracle Fusion Advanced Financial C...
#OOW16 - • Implement the Best Practice for Oracle Fusion Advanced Financial C...
Dane Roberts
 
Introducing DiveNation
Introducing DiveNationIntroducing DiveNation
Introducing DiveNation
Annette Wadsworth
 
Kompetenčni centri za razvoj kadrov: Z razvojem ljudi - uspevamo
Kompetenčni centri za razvoj kadrov: Z razvojem ljudi - uspevamoKompetenčni centri za razvoj kadrov: Z razvojem ljudi - uspevamo
Kompetenčni centri za razvoj kadrov: Z razvojem ljudi - uspevamo
Aleš Vidmar
 
Praevid_Ltd_Presentation
Praevid_Ltd_PresentationPraevid_Ltd_Presentation
Praevid_Ltd_Presentation
Christos Strimmenos
 
sagar CV
sagar CVsagar CV
sagar CV
Sagar Misal
 
La liposucción aporta beneficios a la salud
La liposucción aporta beneficios a la saludLa liposucción aporta beneficios a la salud
La liposucción aporta beneficios a la salud
akirha
 
Presentation1 prakt gigi
Presentation1 prakt gigiPresentation1 prakt gigi
Presentation1 prakt gigi
damai_uca
 
Drzava za gospodarstvo, 24.03.16 Vidmar, samovrteca
Drzava za gospodarstvo, 24.03.16 Vidmar, samovrtecaDrzava za gospodarstvo, 24.03.16 Vidmar, samovrteca
Drzava za gospodarstvo, 24.03.16 Vidmar, samovrteca
Aleš Vidmar
 
presentación de lo que es pinterest
presentación de lo que es pinterestpresentación de lo que es pinterest
presentación de lo que es pinterest
mirizurda
 
BO NADAL E BOAS LECTURAS
BO NADAL E BOAS LECTURASBO NADAL E BOAS LECTURAS
BO NADAL E BOAS LECTURAS
Marisé Roca Garcia
 
SDOA 2.2 Service | Design | Management
SDOA 2.2 Service | Design | ManagementSDOA 2.2 Service | Design | Management
SDOA 2.2 Service | Design | Management
Florian Vollmer
 
Java Wars: Então você quer ser um Desenvolvedor?
Java Wars: Então você quer ser um Desenvolvedor?Java Wars: Então você quer ser um Desenvolvedor?
Java Wars: Então você quer ser um Desenvolvedor?
Allan Silva
 
Spring cloud + netflix oss
Spring cloud + netflix ossSpring cloud + netflix oss
Spring cloud + netflix oss
Felipe Adorno
 
IT - Enterprise Service Operation Center
IT - Enterprise Service Operation CenterIT - Enterprise Service Operation Center
IT - Enterprise Service Operation Center
Sameer Paradia
 
Prof. douaa m. sayed validation and verification of flowcytometry areas
Prof. douaa m. sayed validation and verification of flowcytometry areasProf. douaa m. sayed validation and verification of flowcytometry areas
Prof. douaa m. sayed validation and verification of flowcytometry areas
Hitham Esam
 
Los movimientos poeticos
Los movimientos poeticosLos movimientos poeticos
Los movimientos poeticos
Ambar Zyanya
 
Experiment on BPM and SOA transformations
Experiment on BPM and SOA transformationsExperiment on BPM and SOA transformations
Experiment on BPM and SOA transformations
Akira Tanaka
 
Audit presentation
Audit presentationAudit presentation
Audit presentation
Metafrique group
 
Padgett and Company - Architecture
Padgett and Company - ArchitecturePadgett and Company - Architecture
Padgett and Company - Architecture
Jamie Padgett
 
C-Suite’s Guide to Enterprise Risk Management and Emerging Risks
C-Suite’s Guide to Enterprise Risk Management and Emerging RisksC-Suite’s Guide to Enterprise Risk Management and Emerging Risks
C-Suite’s Guide to Enterprise Risk Management and Emerging Risks
Aronson LLC
 
Allocating Direct and Indirect Costs for Nonprofits
Allocating Direct and Indirect Costs for NonprofitsAllocating Direct and Indirect Costs for Nonprofits
Allocating Direct and Indirect Costs for Nonprofits
Aronson LLC
 
To Bid or Not to Bid, That Is the Question
To Bid or Not to Bid, That Is the QuestionTo Bid or Not to Bid, That Is the Question
To Bid or Not to Bid, That Is the Question
Aronson LLC
 
Webinar: Understanding Business Tax Returns - A Case Study for Family Lawyers
Webinar: Understanding Business Tax Returns - A Case Study for Family LawyersWebinar: Understanding Business Tax Returns - A Case Study for Family Lawyers
Webinar: Understanding Business Tax Returns - A Case Study for Family Lawyers
Aronson LLC
 
Virginia Businesses: STOP Overpaying Local BPOL Tax\
Virginia Businesses: STOP Overpaying Local BPOL Tax\Virginia Businesses: STOP Overpaying Local BPOL Tax\
Virginia Businesses: STOP Overpaying Local BPOL Tax\
Aronson LLC
 
Cybersecurity for Real Estate & Construction
Cybersecurity for Real Estate & ConstructionCybersecurity for Real Estate & Construction
Cybersecurity for Real Estate & Construction
Aronson LLC
 
Ready to Scale: Moving from Commercial to Government for Construction, Engine...
Ready to Scale: Moving from Commercial to Government for Construction, Engine...Ready to Scale: Moving from Commercial to Government for Construction, Engine...
Ready to Scale: Moving from Commercial to Government for Construction, Engine...
Aronson LLC
 
Structuring Indirect Rates
Structuring Indirect RatesStructuring Indirect Rates
Structuring Indirect Rates
Aronson LLC
 

More Related Content

Viewers also liked

Viewers also liked (14)

La liposucción aporta beneficios a la salud
La liposucción aporta beneficios a la saludLa liposucción aporta beneficios a la salud
La liposucción aporta beneficios a la salud
 
Presentation1 prakt gigi
Presentation1 prakt gigiPresentation1 prakt gigi
Presentation1 prakt gigi
 
Drzava za gospodarstvo, 24.03.16 Vidmar, samovrteca
Drzava za gospodarstvo, 24.03.16 Vidmar, samovrtecaDrzava za gospodarstvo, 24.03.16 Vidmar, samovrteca
Drzava za gospodarstvo, 24.03.16 Vidmar, samovrteca
 
presentación de lo que es pinterest
presentación de lo que es pinterestpresentación de lo que es pinterest
presentación de lo que es pinterest
 
BO NADAL E BOAS LECTURAS
BO NADAL E BOAS LECTURASBO NADAL E BOAS LECTURAS
BO NADAL E BOAS LECTURAS
 
SDOA 2.2 Service | Design | Management
SDOA 2.2 Service | Design | ManagementSDOA 2.2 Service | Design | Management
SDOA 2.2 Service | Design | Management
 
Java Wars: Então você quer ser um Desenvolvedor?
Java Wars: Então você quer ser um Desenvolvedor?Java Wars: Então você quer ser um Desenvolvedor?
Java Wars: Então você quer ser um Desenvolvedor?
 
Spring cloud + netflix oss
Spring cloud + netflix ossSpring cloud + netflix oss
Spring cloud + netflix oss
 
IT - Enterprise Service Operation Center
IT - Enterprise Service Operation CenterIT - Enterprise Service Operation Center
IT - Enterprise Service Operation Center
 
Prof. douaa m. sayed validation and verification of flowcytometry areas
Prof. douaa m. sayed validation and verification of flowcytometry areasProf. douaa m. sayed validation and verification of flowcytometry areas
Prof. douaa m. sayed validation and verification of flowcytometry areas
 
Los movimientos poeticos
Los movimientos poeticosLos movimientos poeticos
Los movimientos poeticos
 
Experiment on BPM and SOA transformations
Experiment on BPM and SOA transformationsExperiment on BPM and SOA transformations
Experiment on BPM and SOA transformations
 
Audit presentation
Audit presentationAudit presentation
Audit presentation
 
Padgett and Company - Architecture
Padgett and Company - ArchitecturePadgett and Company - Architecture
Padgett and Company - Architecture
 

More from Aronson LLC

Allocating Direct and Indirect Costs for Nonprofits
Allocating Direct and Indirect Costs for NonprofitsAllocating Direct and Indirect Costs for Nonprofits
Allocating Direct and Indirect Costs for Nonprofits
Aronson LLC
 
Webinar: Understanding Business Tax Returns - A Case Study for Family Lawyers
Webinar: Understanding Business Tax Returns - A Case Study for Family LawyersWebinar: Understanding Business Tax Returns - A Case Study for Family Lawyers
Webinar: Understanding Business Tax Returns - A Case Study for Family Lawyers
Aronson LLC
 
Virginia Businesses: STOP Overpaying Local BPOL Tax\
Virginia Businesses: STOP Overpaying Local BPOL Tax\Virginia Businesses: STOP Overpaying Local BPOL Tax\
Virginia Businesses: STOP Overpaying Local BPOL Tax\
Aronson LLC
 
Cybersecurity for Real Estate & Construction
Cybersecurity for Real Estate & ConstructionCybersecurity for Real Estate & Construction
Cybersecurity for Real Estate & Construction
Aronson LLC
 
Surviving the GSA Schedule Contractor Assessment: What They'll Test and How t...
Surviving the GSA Schedule Contractor Assessment: What They'll Test and How t...Surviving the GSA Schedule Contractor Assessment: What They'll Test and How t...
Surviving the GSA Schedule Contractor Assessment: What They'll Test and How t...
Aronson LLC
 

More from Aronson LLC (9)

C-Suite’s Guide to Enterprise Risk Management and Emerging Risks
C-Suite’s Guide to Enterprise Risk Management and Emerging RisksC-Suite’s Guide to Enterprise Risk Management and Emerging Risks
C-Suite’s Guide to Enterprise Risk Management and Emerging Risks
 
Allocating Direct and Indirect Costs for Nonprofits
Allocating Direct and Indirect Costs for NonprofitsAllocating Direct and Indirect Costs for Nonprofits
Allocating Direct and Indirect Costs for Nonprofits
 
To Bid or Not to Bid, That Is the Question
To Bid or Not to Bid, That Is the QuestionTo Bid or Not to Bid, That Is the Question
To Bid or Not to Bid, That Is the Question
 
Webinar: Understanding Business Tax Returns - A Case Study for Family Lawyers
Webinar: Understanding Business Tax Returns - A Case Study for Family LawyersWebinar: Understanding Business Tax Returns - A Case Study for Family Lawyers
Webinar: Understanding Business Tax Returns - A Case Study for Family Lawyers
 
Virginia Businesses: STOP Overpaying Local BPOL Tax\
Virginia Businesses: STOP Overpaying Local BPOL Tax\Virginia Businesses: STOP Overpaying Local BPOL Tax\
Virginia Businesses: STOP Overpaying Local BPOL Tax\
 
Cybersecurity for Real Estate & Construction
Cybersecurity for Real Estate & ConstructionCybersecurity for Real Estate & Construction
Cybersecurity for Real Estate & Construction
 
Ready to Scale: Moving from Commercial to Government for Construction, Engine...
Ready to Scale: Moving from Commercial to Government for Construction, Engine...Ready to Scale: Moving from Commercial to Government for Construction, Engine...
Ready to Scale: Moving from Commercial to Government for Construction, Engine...
 
Structuring Indirect Rates
Structuring Indirect RatesStructuring Indirect Rates
Structuring Indirect Rates
 
Surviving the GSA Schedule Contractor Assessment: What They'll Test and How t...
Surviving the GSA Schedule Contractor Assessment: What They'll Test and How t...Surviving the GSA Schedule Contractor Assessment: What They'll Test and How t...
Surviving the GSA Schedule Contractor Assessment: What They'll Test and How t...
 

Recently uploaded

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Recently uploaded (20)

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 

Aronson's Technology Risk Services SOC Reports Overview

  • 1. Service Organization Control (SOC) Reports Overview Technology Risk Services
  • 2. 2© 2016 | www.aronsonllc.com | www.aronsonllc.com/blogs | Table of Contents  About SOC Reports  Why obtain a SOC Report?  What are the different types of SOC Reports?  Which one to choose?  What is the difference between the SOC Reports?  When is a SOC Report not applicable?  What is the Aronson Methodology?  Why choose Aronson as the attestation provider?  Case studies
  • 3. 3© 2016 | www.aronsonllc.com | www.aronsonllc.com/blogs | About SOC Reports “Service Organization Controls reports are designed to help service organizations, organizations that operate information systems and provide information system services to other entities, build trust and confidence in their service delivery processes and controls through a report by an independent certified public accountant.” – American Institute of Certified Public Accountants (AICPA)
  • 4. 4© 2016 | www.aronsonllc.com | www.aronsonllc.com/blogs | Why obtain a SOC Report? Why do Service Organizations obtain a SOC Audit? Over time, companies have increased their reliance on third-party service providers to conduct business functions Service providers can maintain stakeholder trust & provide transparency through an independent auditor’s report conducted using AICPA guidance and standards It helps Service Organizations differentiate themselves from their competition SOC audits can reduce or eliminate other customer audits and vendor risk management questionnaires What are the benefits of obtaining a SOC Audit?  Ability to obtain a greater market share & competitive advantage through increased customer confidence  Independent assessment of the control environment including people, process and technology  One audit can satisfy multiple customers and various audit requirements  Reduce third-party vendor risk management questionnaires  Decrease client costs for other audits/compliance projects by relying on SOC reports
  • 5. 5© 2016 | www.aronsonllc.com | www.aronsonllc.com/blogs | What is SSAE 16 or SOC 1? Statement on Standards for Attestation Engagements (SSAE) No. 16 is an attestation standard put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) that addresses engagements undertaken by a service auditor for reporting on controls at organizations (i.e., service organizations) that provide services to user entities, for which a service organization's controls are likely to be relevant to a user entities internal control over financial reporting (ICFR). What is it? Based on the internal controls over financial reporting of the service provider. This includes control objectives and activities that have been defined by the organization.  Services, systems and locations covered  Control objectives and activities What is the scope?  Type I report covers the design and implementation of the controls  Type II report covers the design, implementation and operating effectiveness of the controls What are the different types?
  • 6. 6© 2016 | www.aronsonllc.com | www.aronsonllc.com/blogs | What is AT 101 or SOC 2? A SOC 2 report is designed to provide various users with assurances regarding internal controls related to the Trust Principles of a service provider. The report can apply to an application, platform, hosting services, data center infrastructure, and related areas. The service provider determines the areas that will be evaluated based on the determined in-scope Trust Principles. What is it? What is the scope?  Type I report covers the design and implementation of the controls  Type II report covers the design, implementation and operating effectiveness of the controls What are the different types? Based on the five trust principles of:  Security  Confidentiality  Availability  Processing Integrity  Privacy
  • 7. 7© 2016 | www.aronsonllc.com | www.aronsonllc.com/blogs | What is SOC 3? SOC 3 report is a general-use report that provides information on whether the system achieved the trust services criteria (no description of tests and results or opinion on the description of the system are provided). What is it? What is the scope?  Limited environment details  Limited description of controls and systems  Short report What are the different types? Based on the five trust principles of:  Security  Confidentiality  Availability  Processing Integrity  Privacy
  • 8. 8© 2016 | www.aronsonllc.com | www.aronsonllc.com/blogs | Which one to choose? HOW TO IDENTIFY THE SOC REPORT THAT IS RIGHT FOR YOU? Will the report be used by your customers and their auditors to plan and perform an audit or integrated audit of your customer’s financial statements? Yes SOC 1 Report Will the report be used by your customers as part of their compliance with the Sarbanes-Oxley Act or similar law or regulation? Yes SOC 1 Report Will the report be used by your customers or stakeholders to gain confidence and place trust in a service organization’s systems? Yes SOC 2 or 3 Report Do you need to make the report generally available or seal? Yes SOC 3 Report Do your customers have the need for and ability to understand the details of the processing and controls at a service organization, the tests performed by the service auditor and results of those tests? Yes SOC 2 Report No SOC 3 Report
  • 9. 9© 2016 | www.aronsonllc.com | www.aronsonllc.com/blogs | Focus & Distribution Report Report’s Focus Format Intended Users Distribution SOC 1 Report on a service organization’s internal control over financial reporting  Type I  Type II  Control Descriptions  Tests Performed & Results  Financial Statement Auditors of the user entity (UE)  Management of the UE  Management of the service provider Restricted use to current customers; can be shared with prospective customers if a third-party access letter is obtained SOC 2 Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy (Trust Principles)  Type I  Type II  Trust Principle Controls  Tests Performed & Results  Management of the UE  Management of the service provider  Other relevant parties e.g., regulators & business parties Restricted use to “customers with sufficient knowledge” e.g., current & prospective customers, regulators, business partners SOC 3 Report on Trust Principles but does not contain all of the details of a SOC 2 report because users do not have the required knowledge/need for a SOC 2; processing details and control test results are omitted  Brief Report  Limited Details on Tests Performed & Results Same as SOC 2 Can be freely distributed
  • 10. 10© 2016 | www.aronsonllc.com | www.aronsonllc.com/blogs | What is the difference between SOC 1 vs. SOC 2? Similarities  Contain an opinion & an assertion  Contain Management Representation Letter from provider  Contain processing environment description  Contain control objectives, activities, and test results Differences  SOC 2 does not address ICFR and isn’t expected to support the financial reporting process for customers  SOC 2 has a wider distribution to include “specified parties”, which includes anyone who understands the providers’ operations, internal controls, or services  SOC 2 can offer more technical information through descriptions and control details
  • 11. 11© 2016 | www.aronsonllc.com | www.aronsonllc.com/blogs | When is a SOC Report Not Applicable? SOC Reports are not applicable for the following circumstances:  Service organization is 100% professional services and has no systems or platform that stores, processes or transmits customer data  Customers of the service organization are not relying upon services to support their financial reporting process
  • 12. 12© 2016 | www.aronsonllc.com | www.aronsonllc.com/blogs | What is the Aronson Methodology? 1. Develop audit plan 2. Conduct controls testing for design and operational effectiveness using AICPA SOC Report Audit Protocol 3. Develop audit report 4. Hold report briefing 5. Perform continuous control improvement Planning 1. Develop Remediation Roadmap 2. Develop or update policies and procedures 3. Develop or revise processes and controls depending on the areas of deficiency 4. Implement revised controls 5. Conduct trainings for new or revised processes 1. Conduct interviews and walkthroughs to assess the current control environment 2. Review existing documents & conduct control analysis 3. Develop Gap Analysis & Recommendations Report 1. Develop project plan 2. Confirm system boundary 3. Confirm in-scope ICFR objectives or Trust Principles 4. Schedule interviews and walkthroughs Key Activities Assessment Remediation Audit
  • 13. 13© 2016 | www.aronsonllc.com | www.aronsonllc.com/blogs | Why choose Aronson as the attestation provider?  Collaborative teaming approach to drive better context and value of audit and knowledge transfer  View of wider business implication and not just the immediate effect  Relevant technical skills, practical knowledge and thought leadership  Proven technical skills and understanding of emerging risks in key audit areas  Tailored practical approach focused on the client’s environment  Focused on importance of knowledge transfer and alignment of cultures  Leading provider of assurance services in the Mid-Atlantic region (peer reviewed, national ranked CPA firm) that provides assurance services across a board range of industries
  • 14. 14© 2016 | www.aronsonllc.com | www.aronsonllc.com/blogs | Case Study 1 – SSAE 16 Client Issue ABC Company requires a third-party report on ICFR for services/products provided to private/public companies. ABC Company recognizes that an SSAE 16 report will provide assurance over in-scope controls to foster confidence in its control environment and enhance marketability. Without a favorable SSAE 16 report business opportunities will be limited. TRS Delivery  Conduct SSAE 16 audit readiness assessment  Conduct SSAE 16 audit TRS Value  Understood and clearly articulated emerging risks in key areas  Provide guidance on their remediation activities that helped them become ‘audit ready’ in a short period of time  Focused on wider business implication
  • 15. 15© 2016 | www.aronsonllc.com | www.aronsonllc.com/blogs | Case Study 2 – SOC 2 Client Issue ABC Company is a pioneer in political technology, servicing many of the largest grassroots organizations, PACs and political campaigns in the U.S. and abroad. Their technology processes and stores sensitive client data. Many of their clients (especially large financial institutions) require them to fill out a detailed security questionnaire around the confidentiality, security, integrity and availability of the data. This is a time consuming exercise which has to be done annually for many of their clients. Instead of repeating this process for each client, they decided to get a SOC 2 Type 2 audit for the following Trust Principles – Security, Confidentiality, Integrity, and Availability. TRS Delivery  Conduct SOC 2 audit readiness assessment  Conduct SOC 2 audit TRS Value  Deep technical skills and use of accelerators that helped jump start the engagement  Provide guidance on their remediation activities that helped them become ‘audit ready’ in a short period of time  Provided guidance on how to reduce time spent on responding to multiple customer vendor management questionnaires