
Your Audit Committee and the New SOC Standards

Jeffrey Stefan, CPA Partner Douglas Boedeker, CPA, CMA Partner

September 8, 2011

Goals for Today

I. Obtain a basic understanding of the new SOC reports.

II. Understand the differences between the three types of SOC reports.

III. Understand other reporting options that may be of interest to Boards and Audit Committees.


Copyright 2011 Tate & Tryon CPAs and Consultants

Course Outline

Why the new reporting options?

What is SAS 70?

What are the new options:

SOC 1 - the new SAS 70
SOC 2 - a SAS 70 report that's interesting!
SOC 3 - a SAS 70 report for public consumption


The Trust Services Principles:


Security
Availability
Processing integrity
Confidentiality
Privacy

What else is out there?

Integrated Examination of Internal Control
Agreed-Upon Procedures



Why the new reporting options?


SAS 70 became a catch-all for everything!

AICPA was not pleased with terms like "We're SAS 70 Certified" and "We're SAS 70 Compliant".

The movement to outsourced IT services made the problem more pronounced.



What was SAS 70?

Statement on Auditing Standards No. 70, Service Organizations.
Designed to address a service organization's controls affecting user entities' financial statements: controls over financial reporting.
Either a Type 1 or a Type 2 report.

Primarily an auditor-to-auditor communication.



The New Reporting Options


SOC 1 - the new SAS 70

Report content:

Controls at a service organization relevant to user entities' internal control over financial reporting. SOC 1 reports are issued under SSAE 16, which replaced SAS 70 for report periods ending on or after June 15, 2011.

Intended audience is:


Management of service & user organizations
Auditors of the user organizations

Nature of reports:

Type 1 - description of controls and suitability of their design, as of a specified date
Type 2 - description, design, and operating effectiveness, tested over a period of time



SOC 2 - a more interesting SAS 70

Report Content:

Service organization's controls relevant to:

Security
Availability
Processing integrity
Confidentiality
Privacy

Management has flexibility in choosing which of the five principles (and therefore which controls) are included in the report.



Intended audience is:


Management of service organizations
Management of user organizations

Nature of reports:

Type 1 - description of controls and suitability of their design, as of a specified date
Type 2 - description, design, and operating effectiveness, tested over a period of time

Note: A SOC 2 report cannot be combined with a SOC 1 report; they must be issued separately.

SOC 3 - a SAS 70 for public consumption

Report Content:

Service organization's controls relevant to:

Security
Availability
Processing integrity
Confidentiality
Privacy

Management has flexibility in choosing which of the five principles (and therefore which controls) are included in the report.



Intended audience is:

Any user with a need for confidence in the service organization's controls.

Nature of reports:

Very short, similar to an auditor's opinion on financial statements.
No detail of the organization's controls is included.



Limitations of SOC 3 Reports

An unqualified opinion cannot be issued if:

Controls at subservice organizations have been carved out.
Complementary user-entity controls are significant.


The Trust Services Principles (The foundation for SOC 2 & 3)


The Security Principle

Refers to the protection of the system from unauthorized access, both logical and physical.

Criteria to be tested:

Policies - were security policies defined and documented?
Communications - were the policies communicated to the appropriate parties?
Procedures - are procedures in operation to achieve the goals of the security policies?
Monitoring - is compliance with the policies monitored?


The Availability Principle

Refers to the accessibility of the system, products, or services as advertised or committed by contract, service-level, or other agreements.

Criteria to be tested:

Policies - were availability policies defined and documented?
Communications - were the policies communicated to the appropriate parties?
Procedures - are procedures in operation to achieve the goals of the availability policies?
Monitoring - is compliance with the policies monitored?

The Processing Integrity Principle

Refers to the completeness, accuracy, validity, timeliness, and authorization of system processing.

Criteria to be tested:

Policies - were processing integrity policies defined and documented?
Communications - were the policies communicated to the appropriate parties?
Procedures - are procedures in operation to achieve the goals of the processing integrity policies?
Monitoring - is compliance with the policies monitored?

The Confidentiality Principle

Refers to the system's ability to protect information designated as confidential, as committed or agreed.

Criteria to be tested:

Policies - were confidential information policies defined and documented?
Communications - were the policies communicated to the appropriate parties?
Procedures - are procedures in operation to achieve the goals of the confidentiality policies?
Monitoring - is compliance with the policies monitored?

The Privacy Principle

Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity's privacy notice and with the criteria set forth in Generally Accepted Privacy Principles (GAPP), issued by the AICPA and CICA.


The Privacy Principle - Criteria

Policies - The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.

Notice - The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained and disclosed.


Choice and Consent - The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.

Collection - The entity collects personal information only for the purposes identified in the notice.


Use, Retention, & Disposal - The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.


Access - The entity provides individuals with access to their personal information for review and update.

Disclosure to Third Parties - The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.

Security - The entity protects personal information against unauthorized access.

Quality - The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.

Monitoring & Enforcement - The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related inquiries, complaints, and disputes.


What else is out there?


Integrated Examination of Internal Control


Essentially a SOX 404 report.
Performed in conjunction with a financial statement audit.
Provides an opinion on the organization's controls over financial reporting.
Control criteria must be selected; COSO is the most commonly used framework.

Not a restricted use report.



Agreed-Upon Procedures

Our favorite option!
Gives maximum flexibility regarding pricing and the work to be performed.
However, no professional opinion is actually rendered.
Restricted-use report.


Additional resources

For additional information on the new SOC reporting framework, here's a handy website:

http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/SORHome.aspx

Contact us with questions!


Jeff Stefan, 202-419-5104, Jstefan@tatetryon.com
Doug Boedeker, 202-419-5106, Dboedeker@tatetryon.com


Speaker Biography
Douglas Boedeker is a partner within Tate & Tryon's Audit and Assurance Services unit and is also actively involved in the Firm's exempt organization tax services group. He has more than 19 years of experience providing an array of audit, tax, and consulting services to a variety of nonprofit organizations and employee benefit plans. He takes particular pride that his family has contained at least one CPA every year since 1923. Doug graduated summa cum laude from Susquehanna University in Selinsgrove, Pennsylvania with a Bachelor of Science degree in accounting while simultaneously completing the coursework for a second major in arts administration. He was also named as the University's recipient of The Wall Street Journal Outstanding Business Student Award. Doug is a frequent speaker on a variety of exempt organization tax issues and the Form 990. He recently presented a session on easing the 990 preparation process for CFOs and auditors at the 2011 AICPA Not-for-Profit Industry Conference. Doug is a coauthor of Guide to the Newest IRS Form 990: Interpreting and Complying with the New Tax Reporting Requirements for Transparency and Accountability (published by ASAE).

Speaker Biography
Jeff Stefan is the partner in charge of Tate & Tryon's auditing practice and has more than 25 years of experience serving the nonprofit sector. In addition to his extensive audit and tax experience, he has provided consulting services to organizations such as The World Bank, the Public Company Accounting Oversight Board, and ASAE & The Center for Association Leadership in a variety of areas, including grant compliance, merger due diligence, and internal controls. He has also been called upon to consult on a variety of complex issues such as: fair value accounting (FAS 157), accounting for alternative investments (FAS 133), split interest agreements, endowment accounting (UPMIFA / FSP 117-1), and uncertain tax positions (FIN 48). Mr. Stefan has presented and authored articles on many recent accounting and auditing issues including: FASB Staff Position (FSP) FAS 117-1, Endowments of Not-for-Profit Organizations: Net Asset Classification of Funds Subject to an Enacted Version of the Uniform Prudent Management of Institutional Funds Act, and Enhanced Disclosures for All Endowment Funds; Educating Your Board About Audits; and A Summary of the New Audit Risk Standards.