KPMG ADVISORY
IT ADVISORY

How to effectively use Service Organization Control (SOC 2 and SOC 3) Reports for increased Assurance over Outsourced Controls regarding Security, Availability, Processing Integrity, Confidentiality and Privacy

THE CHALLENGE

You are a service organization managing critical systems, storing and processing private and/or confidential client information, and/or processing transactions for multiple clients.

• New IT technologies (virtualization, cloud computing, mobile computing) are increasingly becoming part of your service offering and/or supporting your operational processes
• Your clients are becoming increasingly demanding about the measures taken to protect their private and/or confidential information and to ensure the availability of their systems
• Deficiencies in the security offered by you may result in the release of client information and lead to reputational damage both to you and your clients
• Real or perceived security breaches may cause your clients to believe that your organization is unable to conduct business securely and responsibly
• Your clients’ assurance needs are not fully satisfied by currently employed certifications (e.g., ISO 27001).
• Clients are demanding additional insight into the system and related controls, design and control implementation, as well as assurance regarding the operating effectiveness of these controls
• You are confronted with multiple visits from your clients’ auditors and requests to complete detailed security questionnaires or checklists about your controls environment
• You must demonstrate your ability to meet your clients’ compliance needs and strengthen their confidence in your ability in an increasingly competitive environment.
KPMG APPROACH

Diagnostic Review

For service organizations that are new to the SOC 2 examination process, we recommend that a “SOC 2 Diagnostic Review” be performed. The purposes of the review are to focus on key areas that will be covered in the upcoming SOC 2 examination and to identify the control weaknesses that may need to be corrected before the attestation engagement period begins.

In addition, during the Diagnostic Review, we will assist you in identifying and documenting your controls. This is ordinarily a significant component of management’s effort during the preparation of the first such report.

Type I report

A Type I report contains a description of the service organization’s system at a specific point in time. In a Type I report, the service auditor will express an opinion on (1) whether management’s description of its system fairly presents the system that was designed and implemented as of a specific date and (2) whether the controls stated in management’s description of its system were suitably designed to meet the applicable trust services criteria as of a specified date. An initial Type I report normally serves as the starting point for subsequent Type II examinations.

Type II report

A Type II report contains a description of the service organization’s controls for a defined period of time. In a Type II report, the service auditor will express an opinion on the two items included in a Type I report. He/she will also conclude whether the controls were operating with sufficient effectiveness to provide reasonable assurance that the applicable trust services criteria were met during the examined period. A Type II report also includes detailed results of testing of the service organization’s controls over the specified period of time.

CREDENTIALS

KPMG is a global leader in delivering Service Organization Control (SOC) reporting services. KPMG’s IT Attestation practice consists of a globally accredited network of partners and professional staff who provide a range of IT attestation services to help organizations satisfy their third-party assurance requirements. We have established a global accreditation process to help ensure consistency and quality in the delivery of attestation and assurance services, including SOC 1, SOC 2 and SOC 3 examinations and Agreed Upon Procedures. We have over 1,000 professionals fully trained in the SOC examination process through our global IT Attestation Instructor network.
YOUR BENEFITS

• A traditional SOC 1 report (ISAE 3402 report, formerly known as SAS 70 report) is designed to meet your clients’ related needs for financial statement audits, but does not necessarily meet needs related to operations and compliance. A SOC 2 report that focuses on one or more of the trust services principles – security, availability, processing integrity, confidentiality and privacy – does.
• A SOC 2 report has the same look and feel as a SOC 1 report and provides your clients with sufficient information (independent service auditor’s opinion, management assertion, system description, tests performed by the service auditor and test results) to satisfy their assurance needs
• Under certain conditions, a short form report (a SOC 3 report) may be generally distributed, with the option of displaying a website seal

• Competitive Advantage/Necessity
• Reduced Effort Supporting Client-Specific Security Questionnaires/Audits
• Increased Internal Assurance Regarding Security and Related Controls
• Proactive Response to Customer Oversight of Security, Privacy, and Data Risks
© 2012 KPMG Advisory, a Belgian civil CVBA/SCRL and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Printed in Belgium.
CONTACT

Stephan Claes
Partner
KPMG IT Advisory
T: +32 2 708 48 50
E: [email protected]

Dirk Timmerman
Executive Director
KPMG IT Advisory
T: +32 2 708 43 59
E: [email protected]