Auditor Reporting on Controls at Service Organizations
S. 5970, CSAE 3416, SAS 70, SSAE 16, ISAE 3402
ACC 626 Podcast brought to you by: Jessica Leung
Agenda
  • Background
  • Introduction to Standards
  • Section 5970 and CSAE 3416
  • SAS 70 and SSAE 16
  • ISAE 3402
  • Guidance on Use of Reports
  • Benefits and Limitations
  • Transition to New Standard and Key Changes
  • Hot Topic: Cloud Computing
  • Key Take Away
Background
  • The practice of outsourcing has grown, especially for IT-related services
  • Service organizations operate, collect, transmit, store, organize, maintain or dispose of information for user entities
  • Changes in the regulatory landscape (SOX) and the globalization of business process outsourcing also call for more stringent audit requirements on internal controls reporting
Service Organization and Users
  • Diagram labels: Outsource, Service Organizations, User Organizations, Audit Report, User Auditors, Service Auditors
  • Purpose of Audit Report:
  • Users of Report:
    • Stakeholders
    • Regulators
    • Government
    • Board of Directors
    • Financial Statement Users
Introduction to Standards
  • Section 5970: Auditor’s report on controls at a service organization
  • Effective on December 15, 2011
  • Canadian Standard on Assurance Engagements (CSAE) 3416: Reporting on Controls at a Service Organization
  • Statement on Auditing Standards (SAS) No. 70: Service Organizations
  • Effective on June 15, 2011
  • Statement on Standards for Attestation Engagements (SSAE) 16: Reporting on Controls at a Service Organization
  • International Standard on Assurance Engagements (ISAE) 3402: Assurance Reports on Controls at a Service Organization
Section 5970 and CSAE 3416
  • Section 5970: Auditor’s report on controls at a service organization
  • Effective on December 15, 2011
  • Canadian Standard on Assurance Engagements (CSAE) 3416: Reporting on Controls at a Service Organization
  • Section 5970 is effective for engagements for the periods beginning on or after January 1, 2006
  • Harmonized with SAS No. 70
  • CSAE 3416 will supersede Section 5970 on December 15, 2011
  • Both standards are very similar to US standards
SAS 70
  • Statement on Auditing Standards (SAS) No. 70: Service Organizations
  • Effective on June 15, 2011
  • Statement on Standards for Attestation Engagements (SSAE) 16: Reporting on Controls at a Service Organization
  • Service Organization Controls (SOC) 1 Report
  • Report on controls at a service organization relevant to user entities’ internal control over financial reporting
  • Provides guidance for service auditors to issue an opinion on service organization’s description of controls
ISAE 3402
  • International Standard on Assurance Engagements (ISAE) 3402: Assurance Reports on Controls at a Service Organization
  • ISAE 3402 is a default standard for countries without existing standards and a basis for updates to other countries’ standards
  • SSAE 16 mirrors the global standard - ISAE 3402
  • In Canada, CSAE 3416 is modeled after SSAE 16; it also aligns with ISAE 3402 in most respects
  • All three new standards (SSAE 16, ISAE 3402, and CSAE 3416) are substantially the same
Guidance on Use of Reports
  • Reporting on controls is not a “checklist” audit
  • Control objectives and activities at service organizations vary
  • Service auditor expresses an opinion on the presentation of the described controls and whether the controls included in the description are well designed and operating effectively to meet the control objectives
  • The report is intended for user organizations and their auditors only
Guidance on Use of Reports
  • The report encompasses:
    • description of controls
    • description of observations and testing of control (include nature, timing, and extent)
    • additional information provided by the service organization
Example of a Type I Report
Example of a Type II Report
Benefits of Service Auditor Report
  • Cost Savings for Users
  • Service auditors could deal directly with user auditors for questions related to their reports
  • Monitoring tool for regulatory compliance in service level agreements (SLAs)
Limitation of Reports
  • The term “SAS 70 certified” or “SAS 70 compliant” is misused as a “data security rubber stamp” for marketing purposes
  • The report is misinterpreted as addressing non-financial subject matters, such as availability, processing integrity, privacy or confidentiality
Limitation of Reports
  • The service organization predetermines the controls that service auditors examine
  • Service organizations might fail to disclose all related controls of user organizations

Auditor Reporting on Controls at Service Organizations

  • 1. Auditor Reporting on Controls at Service OrganizationsS. 5970, CSAE 3416, SAS 70,SSAE 16, IAS 3402 ACC 626 Podcast brought to you by: Jessica Leung
  • 2. Agenda Background Introduction to Standards Section 5970 and CSAE 3416 SAS 70 and SSAE 16 ISAE 3402 Guidance on Use of Reports Benefits and Limitations Transition to New Standard and Key Changes Hot Topic: Cloud Computing Key Take Away
  • 3.
  • 4.
  • 9. Financial Statement Users; Audit Report; User Auditors; Service Auditors
  • 10. Introduction to Standards. Section 5970 (Auditor’s report on controls at a service organization) is superseded, effective December 15, 2011, by Canadian Standard on Assurance Engagements (CSAE) 3416 (Reporting on Controls at a Service Organization). Statement on Auditing Standards (SAS) No. 70 (Service Organizations) is superseded, effective June 15, 2011, by Statement on Standards for Attestation Engagements (SSAE) 16 (Reporting on Controls at a Service Organization). International Standard on Assurance Engagements (ISAE) 3402: Assurance Reports on Controls at a Service Organization.
  • 11. Section 5970 and CSAE 3416. Section 5970: Auditor’s report on controls at a service organization. Canadian Standard on Assurance Engagements (CSAE) 3416: Reporting on Controls at a Service Organization. Section 5970 is effective for engagements for periods beginning on or after January 1, 2006, and is harmonized with SAS No. 70. CSAE 3416 will supersede Section 5970 on December 15, 2011. Both standards are very similar to the US standards.
  • 12. SAS 70. Statement on Auditing Standards (SAS) No. 70 (Service Organizations) is superseded, effective June 15, 2011, by Statement on Standards for Attestation Engagements (SSAE) 16 (Reporting on Controls at a Service Organization). Service Organization Controls (SOC) 1 Report: a report on controls at a service organization relevant to user entities’ internal control over financial reporting. Provides guidance for service auditors to issue an opinion on the service organization’s description of controls.
  • 13. ISAE 3402. International Standard on Assurance Engagements (ISAE) 3402: Assurance Reports on Controls at a Service Organization. ISAE 3402 is a default standard for countries without existing standards and the basis for updates to other countries’ standards. SSAE 16 mirrors the global standard, ISAE 3402. In Canada, CSAE 3416 is modeled after SSAE 16; it also aligns with ISAE 3402 in most respects. All three new standards (SSAE 16, ISAE 3402, and CSAE 3416) are substantially the same.
  • 14. Guidance on Use of Reports. Reporting on controls is not a “checklist” audit. Control objectives and activities at service organizations vary. The service auditor expresses an opinion on the presentation of the described controls and on whether the controls included in the description are well designed and operating effectively to meet the control objectives. The report is intended for user organizations and their auditors only.
  • 15.
  • 17. description of observations and testing of control (include nature, timing, and extent)
  • 18.
  • 19. Example of a Type I Report
  • 20. Example of a Type II Report
  • 21.
  • 22. Limitation of Reports. The term “SAS 70 certified” or “SAS 70 compliant” is misused as a “data security rubber stamp” for marketing purposes. The report is misinterpreted as addressing non-financial subject matters, such as availability, processing integrity, privacy or confidentiality.
  • 23.
  • 24. Key Changes in SSAE 16 and ISAE 3402
  • 25. How can Service Auditors help? Assess any changes necessary to comply with the new standards. Understand the impact of the change or review the system description. Level of effort and costs will vary depending on how prepared service organizations were, their experience with their service auditors, and their internal control environment. Advise on selection of standards, such as selecting ISAE 3402 for international users.
  • 26. Hot Topic: Providing Assurance on Cloud Computing Services. Outsourcing to a cloud service provider requires assurance on more than financial subject matters: reliability, privacy compliance, and the security of the system and data.
  • 27. Hot Topic: Providing Assurance on Cloud Computing Services. No recognized assurance standards are in place to address the unique risk issues of cloud services. There are no specific assessment procedures for evaluating controls in the cloud environment. SSAE 16 and Trust Services are likely to provide assurance of controls over financial reporting and security of the system.
  • 28. Final Take Away. New standards require a more comprehensive disclosure from management. They provide a higher level of assurance for users that controls are secured and operating effectively to prevent or detect material misstatement in financial statements.