Upload
tate-tryon-cpas
View
269
Download
7
Tags:
Embed Size (px)
DESCRIPTION
Presentation from nonprofit CPA firm - Tate & Tryon CPAs - on the transition from SAS 70 reports to SOC Standards and the impact they will have on your regulatory compliance requirements.
Citation preview
Your Audit Committee and the New SOC Standards
Jeffrey Stefan, CPAPartner
Douglas Boedeker, CPA, CMAPartner
September 8, 2011
Goals for Today
I. Obtain a basic understanding of the new
SOC reports.
II. Understand the differences between the
three types of SOC reports.
III. Understand other reporting options that
may be of interest to Boards and Audit
Committees.
Copyright © 2011 Tate & Tryon CPAs and ConsultantsSeptember 8. 2011
Course Outline
Why the new reporting options? What is SAS 70?
What are the new options: SOC 1 – the new “SAS 70”
SOC 2 – a “SAS 70” report that’s interesting!
SOC 3 – a “SAS 70” report for public
consumption
Copyright © 2011 Tate & Tryon CPAs and ConsultantsSeptember 8. 2011
Course Outline
The Trust Services Principles: Security Availability Processing integrity Confidentiality Privacy
What else is out there? Integrated Examination of Internal Control
Agreed-Upon Procedures
Copyright © 2011 Tate & Tryon CPAs and ConsultantsSeptember 8. 2011
Why the new reporting options?
SAS 70 became a catch-all for everything!
AICPA was not pleased with terms like:
“We’re SAS 70 Certified”
“We’re SAS 70 Compliant”
The movement to outsourced IT services made the problem more pronounced.
Copyright © 2011 Tate & Tryon CPAs and ConsultantsSeptember 8. 2011
What was SAS 70?
Statement on Auditing Standards Number 70, Service Organizations.
Designed to address a service organization’s controls affecting user entities’ financial statements.
Controls over financial reporting.
Either a “Type 1” or a “Type 2” report.
Primarily an auditor-to-auditor communication.Copyright © 2011 Tate & Tryon CPAs and ConsultantsSeptember 8. 2011
The New Reporting Options......
September 8. 2011 Copyright © 2011 Tate & Tryon CPAs and Consultants
SOC 1 – the new “SAS 70”
Report content: Controls at a service organization relevant to a user
entities’ internal control over financial reporting. Intended audience is:
Management of service & user organizations Auditors of the user organizations
Nature of reports: Type 1 – Control description Type 2 – Control description & operating
effectiveness
September 8. 2011 Copyright © 2011 Tate & Tryon CPAs and Consultants
SOC 2 – a more interesting “SAS 70”
Report Content: Service organization’s controls relevant to:
Security Availability Processing integrity Confidentiality Privacy
There is flexibility in choosing which controls to be included in the report.
September 8. 2011 Copyright © 2011 Tate & Tryon CPAs and Consultants
SOC 2 – a more interesting “SAS 70”
Intended audience is: Management of service organizations Management of user organizations
Nature of reports: Type 1 – Control description Type 2 – Control description & operating
effectiveness
Note: A SOC 2 report cannot be combined with a SOC 1 report. They must be separate.
September 8. 2011 Copyright © 2011 Tate & Tryon CPAs and Consultants
SOC 3 – A “SAS 70” for public consumption
Report Content: Service organization’s controls relevant to:
Security Availability Processing integrity Confidentiality Privacy
There is flexibility in choosing which controls to be included in the report.
September 8. 2011 Copyright © 2011 Tate & Tryon CPAs and Consultants
SOC 3 – A “SAS 70” for public consumption
Intended audience is: Any user with a need for confidence in the service
organization’s controls.
Nature of reports: Very short – similar to an auditor’s opinion on
financial statements. No detail of the organization’s controls
September 8. 2011 Copyright © 2011 Tate & Tryon CPAs and Consultants
SOC 3 – A “SAS 70” for public consumption
Limitations of SOC 3 Reports
An unqualified opinion cannot be issued if: Controls at subservice organizations have been
“carved out.” Complementary user-entity controls are significant.
September 8. 2011 Copyright © 2011 Tate & Tryon CPAs and Consultants
The Trust Services Principles(The foundation for SOC 2 & 3)
September 8. 2011 Copyright © 2011 Tate & Tryon CPAs and Consultants
The Security Principle
Refers to the protection of the system from unauthorized access, both logical and physical.
“Criteria” to be Tested Policies – were security policies defined and documented? Communications – were the policies communicated to the
appropriate parties? Procedures – are procedures in operation to achieve the goals of
the security policies? Monitoring – Is compliance with the policies monitored?
September 8. 2011 Copyright © 2011 Tate & Tryon CPAs and Consultants
The Availability Principle
Refers to the accessibility to the system, products, or services as advertised or committed by contract, service-level, or other agreements.
“Criteria” to be Tested Policies – were availability policies defined and documented? Communications – were the policies communicated to the
appropriate parties? Procedures – are procedures in operation to achieve the goals of
the availability policies? Monitoring – Is compliance with the policies monitored?
September 8. 2011 Copyright © 2011 Tate & Tryon CPAs and Consultants
The Processing Integrity Principle
Refers to the completeness, accuracy, validity, timeliness, and authorization of system processing.
“Criteria” to be Tested Policies – were processing integrity policies defined and
documented? Communications – were the policies communicated to the
appropriate parties? Procedures – are procedures in operation to achieve the goals of
the processing integrity policies? Monitoring – Is compliance with the policies monitored?
September 8. 2011 Copyright © 2011 Tate & Tryon CPAs and Consultants
The Confidentiality Principle
Refers to the system’s ability to protect the information designated as confidential, as committed or agreed.
“Criteria” to be Tested Policies – were confidential information policies defined and
documented? Communications – were the policies communicated to the
appropriate parties? Procedures – are procedures in operation to achieve the goals of
the processing integrity policies? Monitoring – Is compliance with the policies monitored?
September 8. 2011 Copyright © 2011 Tate & Tryon CPAs and Consultants
The Privacy Principle
Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and CICA.
September 8. 2011 Copyright © 2011 Tate & Tryon CPAs and Consultants
The Privacy Principle - Criteria
Policies - The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
Notice - The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained and disclosed.
September 8. 2011 Copyright © 2011 Tate & Tryon CPAs and Consultants
The Privacy Principle - Criteria
Choice and Consent – The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
Collection – The entity collects personal information only for the purposes identified in the notice.
September 8. 2011 Copyright © 2011 Tate & Tryon CPAs and Consultants
The Privacy Principle - Criteria
Use, Retention, & Disposal - The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.
September 8. 2011 Copyright © 2011 Tate & Tryon CPAs and Consultants
The Privacy Principle - Criteria
Access - The entity provides individuals with access to their personal information for review and update.
Disclosure to Third Parties – The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
Security – The entity protects personal information against unauthorized access.
September 8. 2011 Copyright © 2011 Tate & Tryon CPAs and Consultants
The Privacy Principle - Criteria
Quality – The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
Monitoring & Enforcement – The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy related inquiries, complaints, and disputes.
September 8. 2011 Copyright © 2011 Tate & Tryon CPAs and Consultants
What else is out there......
September 8. 2011 Copyright © 2011 Tate & Tryon CPAs and Consultants
Integrated Examination of Internal Control
Essentially a “SOX 404” report.
Performed in conjunction with a financial statement audit.
Provides an opinion on the organization’s controls over financial reporting.
A control “criteria” must be set. COSO is the most common criteria used.
Not a restricted use report.September 8. 2011 Copyright © 2011 Tate & Tryon CPAs and Consultants
Agreed-Upon Procedures
Our favorite option!
Gives maximum flexibility regarding pricing and work to be performed.
However, no professional opinion is actually rendered.
Restricted-use report.
September 8. 2011 Copyright © 2011 Tate & Tryon CPAs and Consultants
Additional resources.....
For additional information on the new SOC reporting framework, here’s a handy web-site: http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServi
ces/Pages/SORHome.aspx
Contact us with questions! Jeff Stefan, 202-419-5104, [email protected] Doug Boedeker, 202-419-5106,
September 8. 2011 Copyright © 2011 Tate & Tryon CPAs and Consultants
Speaker Biography
September 8. 2011 Copyright © 2011 Tate & Tryon CPAs and Consultants
Douglas Boedeker , is a partner within Tate & Tryon’s Audit and Assurance Services unit and is also actively involved in the Firm's exempt organization tax services group. He has more than 19 years of experience providing an array of audit, tax, and consulting services to a variety of nonprofit organizations and employee benefit plans. He takes particular pride that his family has contained at least one CPA every year since 1923. Doug graduated summa cum laude from Susquehanna University in Selinsgrove, Pennsylvania with a Bachelor of Science degree in accounting while simultaneously completing the coursework for a second major in arts administration. He was also named as the University’s recipient of The Wall Street Journal Outstanding Business Student Award.
Doug is a frequent speaker on a variety of exempt organization tax issues and the Form 990. He recently presented a session on easing the 990 preparation process for CFOs and auditors at the 2011 AICPA Not for Profit Industry Conference. Doug is a coauthor to Guide to the Newest IRS Form 990: Interpreting and Complying with the New Tax Reporting Requirements for Transparency and Accountability, (published by ASAE).
Speaker Biography
Jeff Stefan, is the partner in charge of Tate & Tryon’s auditing practice and has more than 25 years of experience serving the nonprofit sector. In addition to his extensive audit and tax experience, he has provided consulting services to organizations such as The World Bank, Public Company Accounting Oversight Board, and ASAE & The Center for Association Leadership in a variety of areas, including grant compliance, merger due diligence, and internal controls. He has also been called upon to consult on a variety of complex issues such as: Fair value accounting (FAS 157), Accounting for alternative investments (FAS 133), Split interest agreements, Endowment accounting (UPMIFA / FSP 117-1), and Uncertain tax positions (FIN 48).
Mr. Stefan has presented and authored articles on many recent accounting and auditing issues including: FASB Staff Position (FSP) FAS 117-1, “Endowments of Not-for-Profit Organizations: Net Asset Classification of Funds Subject to an Enacted Version of the Uniform Prudent Management of Institutional Funds Act, and Enhanced Disclosures for All Endowment Funds”, Educating Your Board About Audits, , and A Summary of the New Audit Risk Standards.
September 8. 2011 Copyright © 2011 Tate & Tryon CPAs and Consultants