For the SOC reporting space, the recodification of the attestation standards (SSAE No. 18, effective for reports dated on or after May 1, 2017) is largely a clarification and simplification of the standards it replaced. The net effect is that an "SSAE 16" SOC 1 report will look nearly identical to an "SSAE 18" SOC 1 report (those are not the authoritative names for SOC 1 reports; they are used here only for illustration). Practitioners performing the attestation engagements behind SOC reports will notice few material changes; however, there are three areas of emphasis worth noting for SOC 1 reports:
1. Modification to assertion criteria
2. Monitoring the effectiveness of controls at a subservice organization
3. Evaluating the reliability of evidence produced by the service organization
Each is discussed under its own heading below.
1. Modification to assertion criteria
The recodified attestation standard adds a description criterion specific to subservice organizations (the third-party organizations whose services form part of the service organization's system). The services performed by subservice organizations, and whether each subservice organization's controls are included in (the inclusive method) or carved out of (the carve-out method) the scope of the examination, have always been part of the SOC 1 examination and the resulting report. The change does, however, re-emphasize the importance of describing these relationships and disclosing them fairly in the service organization's description of its system.
2. Monitoring the effectiveness of controls at a subservice organization
In keeping with the additional criterion specific to subservice organizations, the revised attestation standard requires the service auditor to determine, and report on, the controls the service organization has implemented to monitor the relevant controls at its subservice organizations. The question it addresses is whether the service organization has effective oversight of the subservice organizations it relies on. Monitoring methods commonly used, alone or in combination, include:
-Periodic discussion with subservice organization personnel
-Regular site visits
-Testing controls at the subservice organization
-Monitoring external communications
-Reviewing SOC reports of the subservice organization's system
Each method is described below, along with what management should be prepared to describe about it in its system description.
· Periodic discussion with subservice organization personnel. An effective way for the service organization's management to determine the sufficiency of the subservice organization's controls and their operation may include periodic discussions with the relevant subservice organization personnel. Inquiry alone, however, is a weak form of assurance, so service organizations should consider using comprehensive, structured written questionnaires that request corroborating documentary evidence, and should ensure that the questionnaires (or discussions) are completed by members of the subservice organization who have the requisite knowledge, skills and familiarity with the applicable controls and with the service organization's system. Management of the service organization should be prepared to describe the process for these discussions in its system description.
· Reviewing and reconciling output reports. Service organizations may implement procedures to verify the accuracy and completeness of output reports (or files) received from their subservice organizations. Management of the service organization should be prepared to describe the review and/or reconciliation procedures performed (including the nature, timing and extent of the review), the source of the data used to reconcile against the subservice organization's output, and the process for remediation or corrective action when deviations are identified.
· Regular site visits. In many instances, the service organization may determine that an on-site walkthrough and tour of the relevant portions of the subservice organization's operations is warranted; this may be combined with on-site discussions during the visit. Management of the service organization should be prepared to describe the frequency and extent of its site visits, including the process for handling nonconformities or deviations that may affect the service organization's services.
· Testing controls at the subservice organization. Perhaps the most effective method a service organization can use to monitor the performance of controls at its relevant subservice organizations is to have its own internal audit personnel conduct tests of those controls. Several factors bear on this approach: a risk assessment of key or critical controls when developing the audit plan(s), the rotation or frequency of the audits if multiple subservice organizations are used, the skills and knowledge of the internal audit personnel who would perform the audits, and whether the audits would be efficient and provide relevant control-performance information in a timely manner. Nonetheless, direct controls testing yields very reliable information on the control performance of subservice organizations, particularly when combined with the other monitoring methods described in this article. Management of the service organization should be prepared to describe its process for testing controls at subservice organizations, including how it determines which controls to test, the frequency of testing, the method of documenting and reporting results, and the process for ensuring that identified deficiencies and deviations are resolved by the subservice organization in a timely manner.
· Monitoring external communications. Service organizations may decide, alone or in combination with other monitoring methods, that monitoring external communications such as customer complaints, regulatory agency reports, or other communications about the effectiveness of control operations at subservice organizations is an appropriate way to determine the sufficiency of controls at those organizations. Management should be prepared to describe these monitoring processes within its description of its system.
· Reviewing SOC reports of the subservice organization's system. An increasingly popular way for service organizations to obtain the information they need about control performance at subservice organizations is to obtain and read the subservice organizations' own SOC reports. Type 2 SOC 1 or Type 2 SOC 2 reports are the most useful, because they cover the operating effectiveness of controls over a period, whereas a Type 1 report addresses only the design of controls as of a point in time and a SOC 3 report is a general-use summary that omits the detailed test results. Service organizations may also consider other properly prepared attestation reports relevant to their services. Many organizations use this method, particularly when they rely on multiple subservice organizations and auditing each of them directly would be too time-consuming or expensive. When relying on a subservice organization's SOC report, the service organization should confirm that the report's scope covers the services it actually uses, that the report period covers its own review period (obtaining a bridge letter for any gap), and that it has read the auditor's opinion and any noted exceptions. It should also pay particular attention to any complementary user entity controls (CUECs) described in the report, because those CUECs are the controls the subservice organization assumed the service organization would implement when it designed its own controls.
Service organizations can expect these or similar monitoring controls to be a more prominent subject within their SOC 1 reports going forward.
3. Evaluating the reliability of evidence produced by the service organization
Evaluating the reliability of evidence has long been a tenet of effective auditing and was included in prior and existing auditing and attestation standards, so for most auditors and service organizations it is unlikely to change the performance of the SOC 1 examination significantly. However, the previous standards governing SOC 1 reporting had not described the requirement in such clear and definitive terms. Although this article is focused on SOC 1, auditors of SOC 2 and SOC 3 examinations are equally required to ensure that the evidence provided by the service organization is sufficiently accurate, complete and detailed for their audit purposes. SSAE No. 18 lists the following examples of information produced by the service organization that a service auditor receives and that may require additional evaluation going forward:
· Population lists used for sample tests;
· Exception reports;
· Lists of data with specific characteristics;
· Transaction reconciliations;
· System-generated reports;
· Other system-generated data (e.g., configurations and parameters); and
· Documentation that provides evidence of the operating effectiveness of controls, such as user access listings.
For SOC auditors, this may require more detailed and documented procedures to establish that such information is accurate and complete before relying on it, for example inspecting the query or report parameters that generated a population list, agreeing totals or record counts back to the source system, or reperforming the extraction on a sample basis. For service organizations, this may require retaining and providing more detailed or corroborative artifacts (such as the report parameters and source data) alongside the evidence given to auditors.