Presenting a live 110‐minute teleconference with interactive Q&A

SSAE 16 and ISAE 3402: Preparing for New Service Company Control StandardsMastering Requirements Governing Your Next Controls Report

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

WEDNESDAY, FEBRUARY 16, 2011

Today’s faculty features:

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Scott Price Director A-lign CPAs Tampa FlaScott Price, Director, A lign CPAs, Tampa, Fla.

Daniel Schroeder, Partner, Habif Arogeti & Wynne, Atlanta

George Fallon, Partner, Clifton Gunderson, Calverton, Maryland

Victor Eckstein, Principal, Grant Thornton, New York

For this program, attendees must listen to the audio over the telephone.

Victor Eckstein, Principal, Grant Thornton, New York

Please refer to the instructions emailed to the registrant for the dial-in information.Attendees can still view the presentation slides online. If you have any questions, pleasecontact Customer Service at1-800-926-7926 ext. 10.

Continuing Education Credits FOR LIVE EVENT ONLY

Attendees must listen to the audio over the telephone. Attendees can still view the presentation slides online but there is no online audio for this program.

Please refer to the instructions emailed to the registrant for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.at 1 800 926 7926 ext. 10.

Tips for Optimal Quality

S d Q litSound Quality

For this program, you must listen via the telephone by dialing 1-866-873-1442 and entering your PIN when prompted. There will be no sound over the web connection.co ect o .

If you dialed in and have any difficulties during the call, press *0 for assistance. You may also send us a chat or e-mail sound@straffordpub.com immediately so we can address the problem.

Viewing QualityTo maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key againpress the F11 key again.

SSAE 16 and ISAE 3402: Preparing for N  S i  C  C t l New Service Company Control Standards Webinar

Feb. 16, 2011

Scott Price, A-lign CPAsscott.price@aligncpa.com

George Fallon, Clifton Gundersongeorge.fallon@cliftoncpa.com

Victor Eckstein, Grant Thornton victor.eckstein@us.gt.com

Daniel Schroeder, Habif Arogeti & Wynne dan.schroeder@hawcpa.com

Today’s Program

Historical Perspective On Service Company Controls[George Fallon]

Slide 6 – Slide 10

Key Terms Of SSAE 16 And ISAE 3402[Daniel Schroeder and Scott Price]

Slide 11 – Slide 31

Other Legal And Regulatory Developments[Victor Eckstein]

Slide 32 – Slide 38

Preparing Type I And Type II Reports Going Forward[George Fallon And Daniel Schroeder]

Slide 39 – Slide 60

HISTORICAL PERSPECTIVE ON George Fallon, Clifton Gunderson

HISTORICAL PERSPECTIVE ON SERVICE COMPANY CONTROLS

History Of SAS No. 70

C Issued by AICPA in 1992

Represents an in-depth audit of a third-party service

organization

Service organization defines scope of audit

7

Historical Uses

To reduce internal control testing of service providers by user

auditors

Comply with contractual obligation

Comply with regulatory requirements

8

Misuses And Misconceptions

S S f SAS 70 audit is for marketing

SAS 70 audit is a certification

SAS 70 audit is a security audit

SAS 70 audit is mandatory under the Sarbanes-Oxley Act of

2002 (SOX)

9

Factors For Change

Uses of SAS 70 straying from intent

Globalization

Growth in outsourcing

New technologiesg

Sarbanes-Oxley Sect. 404 Convergence: International Standard on Assurance Engagements g g g

(ISAE) 3402

10

D i l S h d  H bif A i & W

KEY TERMS OF SSAE 16 AND 

Daniel Schroeder, Habif Arogeti & WynneScott Price, A‐lign CPAs

KEY TERMS OF SSAE 16 AND ISAE 3402

SSSSAE 16 is replacing SAS 0SAS 70.

Released April 2010 Effective June 15, 2011Early adoption permitted

| 12

SSAE 16 Changes From SAS 70 ICFR controls focus

Alignment with International Standards on Attestation Engagements (ISAE) 3402

Attestation standard, no longer an auditing standard

Auditor evaluation is based on suitable criteria relative to Auditor evaluation is based on suitable criteria relative to written management assertions – which are included in the report.

Suitability of design opinion (point in time vs entire period) Suitability of design opinion (point in time vs. entire period) Materiality Use of internal audit – more info provided in report as to role of IA Opinion format

| 13

SSAE 16 Focused On Financial Reporting SSAE 16, like SAS No. 70 before it, is focused on controls likely to

be relevant to user entities’ internal control over financial reporting. Intended for limited specific users Intended for limited specific users

User auditors User entities

Limited purpose User entity financial audits Examinations of internal control over financial reporting of

user entities integrated with a financial audit User entity evaluation of internal control over financial

reporting (e.g., Sarbanes-Oxley Act compliance)

Use beyond the intended purpose is likely to create misunderstandingg

| 14

SSAE 16: Management Assertion

“… We confirm, to the best of our knowledge and belief, that...”: 1. The description fairly present the [system name] made available

to user entities from [date 1] to [date 2] …[ ] [ ] Description includes relevant details of changes ...

2. Controls were suitably designed throughout the period to achieve control objectivesachieve control objectives.

3. Controls operated effectively throughout the specified period to achieve the control objectives.

| 15

SSAE 16: Assessing Suitability Of Criteria

Service auditor should assess whether, in all material respects, management has used suitable criteria:

1. In preparing description of service organization system, i.e., “Opinion on Fair Presentation of Managements description of S i O i ti ’ S t ”Service Organization’s System”

2. In evaluating whether controls were suitably designed to achieve stated control objectives, i.e., “Opinion on Suitability of Design”

3. For Type 2 reports, in evaluating whether controls operated yp p g peffectively throughout the period to provide reasonable assurance that control objectives are achieved, i.e., “Opinion on Operating Effectiveness”

| 16

SSAE 16: Fair Presentation Criteria

Description of the system should present how system was designed and implemented, including: Types of services provided and classes of transactions processed Procedures (automated and manual) for transaction flow Related accounting recordsg How system captures and addresses significant events and

conditions other than transactions Process used to prepare reports and other info for user entities Process used to prepare reports and other info for user entities Specified control objectives and controls and, as applicable,

complementary user entity controls Other aspects of the service organization’s control environment risk Other aspects of the service organization s control environment, risk

assessment, info and communication systems, control activities and monitoring that are relevant to the services provided

| 17

SSAE 16: Fair Presentation Criteria cont’d

Management’s description of the system is fairly presented if it: Provides details of changes to the service organization system Provides details of changes to the service organization system

during the period (in the case of Type 2 report) Does not omit or distort information relevant to the system, while

meeting common needs of a broad range of user entity/usermeeting common needs of a broad range of user entity/user auditor needs

| 18

Evidence Regarding Fair Presentation Of Management’s System DescriptionManagement s System Description

Service auditor considerations include: A ll j t f th i id d th t ld bl b Are all major aspects of the service provided that could reasonably be

expected to be relevant to common needs of broad range of user auditors, included in the scope of the engagement?

A t l bj ti bl i i t D th l t t Are control objectives reasonable in circumstances: Do they relate to assertions of financial statements for users that services could be expected to affect?

H ll t l id tifi d b i l t d? Have all controls identified been implemented? Have complementary user entity controls, if any, been adequately

described? Are services provided by sub-service organization(s), if any, adequately

described, including whether the inclusive or carve-out method has been used?

| 19

SSAE 16: Suitability Of Design Criteria

Controls are suitably designed to achieve the control objectives stated inControls are suitably designed to achieve the control objectives stated in management’s description of the service organization system if:

Management has identified the risks that threaten the achievement1. Management has identified the risks that threaten the achievement of the stated control objectives.

2. The controls would (if operating as described) provide reasonable assurance that those risks would be mitigated.

| 20

Evidence Regarding Suitability Of The Design of Controlsg

Service auditor considerations include: Assess which of the controls at the service organization are necessary

to achieve the control objectives Identify risks that threaten the achievement of the control objectivesy j Evaluate the linkage between the controls defined in management’s

description and the identified risks User auditor perspective User auditor perspective Reasonable assurance that material misstatement prevented, or

detected and corrected Service auditor perspective Service auditor perspective Reasonable assurance that control objectives are achieved

| 21

Operating Effectiveness Criteria

Criteria should include at a minimum, whether:

The controls were consistently applied as designed throughout the specified period, and

Manual controls were applied by individuals having appropriate competence and authority.

| 22

Evidence Regarding Operational Effectiveness Controls

Service auditor considerations include: Test controls necessary to achieve control objectives Test controls necessary to achieve control objectives Understand changes to system during the period Designing and performing tests of control: Perform other procedures in combination with inquiry to obtain

evidenceo How the control was appliedo Consistency of control applicationo By whom or what means control applied

Determine whether control depends on other controlsete e et e co t o depe ds o ot e co t o s Determine effective method for selecting items to be tested;

e.g., AU Sect. 350 (audit sampling)

| 23

Using Work Of Internal Audit Function

When planning the engagement, service auditor needs to determine whether work of IA function is likely to be adequate.

To use the work from the IA function, the service auditor should evaluate and perform procedures on that work to determine its adequacy for the service auditor’s purposesadequacy for the service auditor’s purposes.

| 24

Effects Of Internal Audit Work On Service Auditor’s ReportService Auditor s Report

No reference to internal audit in the opinion Service auditor has sole responsibility for the opinion expressed,

regardless of whether IA is involved.

If internal audit work used in performing tests of controls (for Type 2 report), the description of tests should include description of IA’s work and service auditor’s procedures with respect to that work.

| 25

Role In Reducing Audit Risk

Type I Report Does not provide the user

Type II Report A user auditor may be able toDoes not provide the user

auditor with a basis for reducing the assessed level of control risk and thereby reducing

b t ti d

A user auditor may be able to reduce risk below max for certain financial statement assertions … and may therefore be able to reduce the extent of substantive testingsubstantive procedures

Type I report is intended to assist user auditors in obtaining a

the extent of substantive testing performed for those assertions.

A user auditor should not use only the service auditor’s report as a basis for assessing the control risk below maxuser auditors in obtaining a

sufficient understanding of the user organization’s internal control, in order to plan the financial statement

assessing the control risk below max. The user auditor should read the service organization’s description of controls as well as the service auditor’s tests of operating and effectiveness theaudit. tests of operating and effectiveness the results of those tests, and relate this information to assertions in the user organizations’ financial statements.

| 26

Changes To Service Organization’s ResponsibilitiesResponsibilities

• Unchanged from current standards• Specifying the control objectives• Specifying the control objectives• Designing, implementing and maintaining controls• Complementary user organization controls• Control environment elementsControl environment elements

• Changes in new standards• Written assertion by management is required and must include the suitable

criteria used for its assessment.• Audit report must include a written assertion by the sub-service

organization, if inclusive method is used.• Description of systems/processes, as opposed to description of controls• Identifying risks that threaten the achievement of the control objectives• For Type II reports, fair presentation of the system and suitability of design

is for the period covered by the report.• Subsequent events disclosure following date of service auditor’s report• Subsequent events disclosure following date of service auditor s report

27

Changes To Service Auditor’s ResponsibilitiesResponsibilities

• Unchanged from current standards• Opinion on fairness of management’s description of the system• Opinion on fairness of management s description of the system

(formerly controls)• Opinion as to suitability of the design and operating effectiveness of controls to

achieve the control objectives• Perform tests of controls and present an opinion on operating effectiveness

• Changes in new standards• Standards move from audit standards to assurance/attestation standardsStandards move from audit standards to assurance/attestation standards• For Type II reports, fair presentation of the system and suitability of design is for the

period covered by the report.• Meant to improve clarity of guidance

S t d di f t l bj ti• Suggested wording for control objectives• Additional considerations on using the work of internal audit• Requires description of the internal auditor’s work • Description of service auditor’s procedures with respect to the workDescription of service auditor s procedures with respect to the work

28

ISAE 3402 Introduction

ISAE 3402 A R t C t l t S i O i ti• ISAE 3402 - Assurance Reports on Controls at a Service Organization• Work began in March 2006 to develop the standard.• ISAE would enhance the consistency of service auditor performance, and

consequently the consistency of user auditor performance when a serviceconsequently the consistency of user auditor performance when a service auditor’s report is used as audit evidence in an audit of financial statements.

• Need for substitute global standard rather than US SAS 70, for IFRS purposes p p

• Issued by the International Auditing and Assurance Standards Board in December 2009

• Effective for service organization’s reports ending on or after Dec. 15, 2011• Complements ISA 402 – Audit Considerations Relating to an Entity using a

Service Organization

29

Differences Between SSAE 16 And ISAE 3402SSAE 16 And ISAE 3402

• Deviations can be treated as “anomalies,” and not testing exceptions, under certain circumstances.

• SSAE 16 requires an assessment of the risk and impact on deviations if they were intentional, while ISAE 3402 does not.

• Must disclose only events that take place after the period of the audit but before the date of the service auditor’s report

• Requires disclosure of subsequent events that have a significant effect on the report; however, SSAE 16 requires disclosure after the report has been issued, if they existed as of the report date.

• Users of the report are more clearly defined in the SSAE 16 than ISAE 3402.

30

Differences Between SSAE 16 A d ISAE 3402 (C t )SSAE 16 And ISAE 3402 (Cont.)

• SSAE 16 permits the use of direct assistance of internal audit, while ISAE 3402 does not address it3402 does not address it.

• SSAE 16 requires engagement documentation to be completed on a timely basis after the date of the report and no later than 60 days following the report release date. p

• ISAE 3402 notes engagement documentation is to be completed timely, but does not specify a date.

• Engagement acceptance and continuance procedures require that the service organization’s management acknowledge and accept responsibility for providing written representations to the service auditor under SSAE 16, while ISAE 3402 requires only written representations and not acknowledgementacknowledgement.

• If service organization management doesn’t provide written representations, the service auditor must disclaim an opinion under ISAE 3402, while under SSAE 16 the service auditor may also withdraw from the engagement.

31

OTHER LEGAL AND Victor Eckstein, Grant Thornton 

REGULATORY DEVELOPMENTSDEVELOPMENTS

(A) Anticipated AICPA Audit Guide(A) Anticipated AICPA Audit Guide

• AICPA guide to cover non‐financial reporting controls is to be made available in early 2011.y

• Relevant topics covered

o Securityo Security

o Availability

o Processing integrity

o Confidentiality or privacy

33

(B) Changes To SEC Rule 206(4)‐2 On d fCustody Of Assets

• The amendments modernize the rule by conforming the rule to modern custodial practices and requiring advisers that have custody of client funds or securities to maintain those assets with broker‐dealers, banks or other qualified custodians.

• Key changesy g

o Surprise examinations

o Internal control reports (e.g., SAS 70)

o Delivery of account statementso Delivery of account statements

o Form ADV changes

34

(C) Dodd‐Frank Act And Push For Greater Transparency

With final approval of Dodd‐Frank Wall Street Reform and Consumer Protection Act in July of 2010, Congress took historic steps to ensure greater transparency and give investors and citizens new tools to hold companies and governments accountable for their actions.

The Act will greatly affect the following  major topics:

Derivatives transparency

Clearing trading and reporting of swaps

I t t d i i t ti Investment advisor registration

Credit rating agencies

Executive compensation Executive compensation

35

(D) AT Standards In Lieu Of SSAE 16

• The AICPA issued an interpretation under AT Sect. 101 letting service auditors  issue reports that are not focused on financial reporting controls, but rather include tests of controls similar to a service auditor’s report.

• Controls at the service organization are relevant to security, availability, processing integrity confidentiality or privacyprocessing integrity, confidentiality or privacy.

• AICPA Guide for AT 101 engagements is to be published in April 2011.

• Examples of engagements 

36

(E) Service Organization Controls(E) Service Organization Controls

• SOC reports introduced by the AICPA• SOC reports introduced by the AICPA

• There are three different engagements: SOC 1, SOC 2 and SOC 3

• SOC 1 reports are performed under SSAE 16 

• SOC 2 and SOC 3 relate to AT Sect. 101 attest engagements

37

(E) AICPA Guidance On SSAE 16(E) AICPA Guidance On SSAE 16

• AICPA Guide, Applying SSAE No. 16, Reporting on Controls at a Service Organization

• AICPA Alert ‐ Service Organizations:  New Reporting Options

• AICPA FAQ• AICPA FAQ

• AICPA executive summary 

38

George Fallon, Clifton Gunderson

PREPARING TYPE I AND TYPE 

George Fallon, Clifton GundersonDaniel Schroeder, Habif Arogeti & Wynne 

II REPORTS GOING FORWARD

AICPA SOC Reporting Options

AICPA SOC 1: Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial ReportingRelevant to User Entities Internal Control over Financial Reporting Service Auditors: See Statement on Standards for Attestation

Engagements (SSAE) No. 16, Reporting on Controls at a Service OrganizationService Organization

User Auditors: See clarified statement on auditing standards, Audit Considerations Relating to an Entity Using a Service OrganizationOrganization

AICPA SOC 2: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or PrivacyCo de t a ty a d/o acy

AICPA SOC 3: Trust Services Report

| 40

SOC 2 (Applying TS P&C In A SSAE 16 Framework)

Examination report performed in accordance with AT Sect. 101 Examination report performed in accordance with AT Sect. 101 attest engagements

Structure and content consistent with SSAE 16/SOC 1 Scope: System and controls associated with one or more Scope: System and controls associated with one or more

trust services principles No co-mingling/bundled reports

for both ICFR and non-ICFRfor both ICFR and non-ICFR scenarios (ICFR is exclusive to SSAE 16)

Management assertion Management assertion Service auditor’s report

| 41

SOC 2 Management Assertion

Description of system (using criteria similar to SSAE 16) Control objectives (specified in forthcoming guide based on Control objectives (specified in forthcoming guide, based on

trust services criteria) Control activities

Leverage trust services criteria as foundation Leverage trust services criteria as foundation Test of controls

Risk assessment as basis for asserting controls internal controls were applied

| 42

SOC 2 Differences With SOC 1 (SSAE 16)

Subject matter Trust services principles (security, availability, processing integrity,

confidentiality, privacy) Boundaries of the system

Defined by service provided Broader than SSAE 16 (e.g., privacy includes information life

cycle, processing integrity includes the purpose of the service other than financial transaction processing)May relate to operations May relate to operations

Control objectives proscribed Reasonable in the circumstances

P id bilit th h bj t tt i hi hl fl ibl Provides comparability, even though subject matter is highly flexible Not intended to provide assurance on controls, as they relate to user entity

ICFR

| 43

SOC 3: TS P&C Engagements

Performed in accordance with AT Sect. 101 attest engagementsg g

Examination report that includes opinion as to whether controls over a defined system were operating effectively to meet the criteria fora defined system were operating effectively to meet the criteria for security, confidentiality, processing integrity, availability or privacy

Practitioner may report on either: Practitioner may report on either: Management’s assertion, or The subject matter of the engagement.

| 44

SOC 3: Management Assertion

1. Management asserts that, during the period covered by the report g , g p y pand based on the AICPA trust services criteria, it maintained effective controls over the system under examination to satisfy the stated trust services principle(s) and criteria.

2. Addresses the principles covered by the engagement

3. For engagements covering an entity’s compliance with its commitments, those commitments covered by the report should be indentified in management’s assertionindentified in management s assertion.

| 45

SOC 1 And SOC 2 Opinion Structure

Scope Of Report/Opinion Type 1 Type 2Fairness of the presentation of management’s p gdescription of the service organization’s system As of a

specified date

Through-out a

specified period Suitability of the design of the controls to achieve the p

related control objectives included in the description

Operating effectiveness of the controls to achieve the related control objectives included in the description

n/athe related control objectives included in the description

SOC 1 reports are restricted-use reports intended for the service organization, user entities of the service organization, and auditors of the user entities.

SOC 2 reports may also be restricted-use reports in that the criteria used to evaluate or measure the subject matter are available only to specified parties, who have an adequate understanding of the criteriaunderstanding of the criteria.

| 46

SOC 3: Opinion Based On Assertion

| 47

SOC 3 Opinion Based On Subject Matter

| 48

Service Organization Controls: Decision Approach

Services

S iService Organization Inherent Risks

G & A R ti N d

User Entity

Service Organization User Entity (And Prospects)

Governance & Assurance Reporting Needs

Effective controls to ensure integrity of services

Fulfill control needs and requirements of users

Can the service organization be trusted? Do we understand how the service is

delivered? Do we understand inherent risks?

Provide reporting to user entities and prospective user entities that conveys assurance

Are risks effectively mitigated? Is reporting available that would, if

needed, provide a basis for reliance? Is provider complying with specified

agreed-upon procedures?

49

Service Organization Controls: Decision Approach

Service Organization

User Entity

Inherent Risks From services Pertain To: Governance & Assurance Reporting AlternativesTYPE I

Organization Entity

ICFR Operational/compliance: (Service

organization designed controls) Security

AICPA SOC 1 TYPE IITYPE I

TYPE I Security

Confidentiality

Availability

Processing integrity

P i

AICPA SOC 3

AICPA SOC 2 TYPE IITYPE I

Privacy

Compliance with user specified agreed-upon procedures

AICPA AT 201 agreed-upon procedure (AUP) engagements

50

Converting To SSAE 16

SSAE 16 reinforces significance of “fair presentation” and “suitability of design,” which too often were overlooked in SAS 70. SSAE 16 emphasizes:

Management’s description of system (complete and accurate for all services provided)

Appropriateness of control objectives in circumstances Risk basis for design of controlsg

| 51

Job #1: Establish Solid Foundation For Fair Presentation Opinion

Thorough understanding/documentation of system to which report (would) apply Sub-service organizations identified? Inclusive or carve-Out?

Is the system description complete/accurate?y p p Are control objectives appropriate in circumstances? Do one or more control objectives pertain to financial statement

assertions?assertions? If not, SSAE 16 may not be appropriate report Just because something was reported under SAS 70 is not a

basis for reporting under SSAE 16basis for reporting under SSAE 16. Are defined controls placed in operation?

| 52

#2: Establish Strong Basis For Suitability of Design Opinion

Conduct/confirm risk assessment that identifies inherent risks that would impede fulfillment of control objectives

Has the company established control activities that would prevent Has the company established control activities that would prevent, detect and correct inherent risks associated with control objectives? Are user entity controls identified?

| 53

Preparation: Step 1

Review existing monitoring and/or testing processes Sufficient to support the written management assertion

required by SSAE 16 Suitable criteria as basis of assertion?

| 54

Preparation: Step 2

Select and document criteria to support assertion Review system description, control objectives and control

descriptions User organizations encouraged to be involved in the

process

| 55

Preparation: Step 3

Identify risks to control objective achievement May need to revisit scope of controls to be covered by

report Evaluate risk management Document consideration of risks Determine if controls address risks

| 56

Preparation: Step 4

Determine if sub-service organization assertions are required Determine if sub-service organization assertions are required Inclusive vs. carve-out method Discuss requirements and timing with sub-service

organization(s)organization(s)

| 57

Preparation: Step 5

Review existing SAS 70 control descriptions and make adjustments if needed

D i ti f th i id d Description of the services provided Description of the procedures by which services are

provided Description of the process used to prepare reports

provided to customers Other aspects of COSO Any changes that occur during the audit period

| 58

Preparation: Step 6

Develop a communication plan For customers Internallyy

| 59

Preparation: Step 7

Review existing contracts and templates Revise to account for transition to new standards

| 60