Your Audit Committee and the New SOC Standards

Jeffrey Stefan, CPA, Partner
Douglas Boedeker, CPA, CMA, Partner




September 8, 2011

Goals for Today


I.   Obtain a basic understanding of the new SOC reports.
II.  Understand the differences between the three types of SOC reports.
III. Understand other reporting options that may be of interest to Boards and Audit Committees.

September 8, 2011               Copyright © 2011 Tate & Tryon CPAs and Consultants
Course Outline


   Why the new reporting options?
          What is SAS 70?

   What are the new options:
          SOC 1 – the new “SAS 70”
          SOC 2 – a “SAS 70” report that’s interesting!
          SOC 3 – a “SAS 70” report for public consumption

   The Trust Services Principles:
                Security
                Availability
                Processing integrity
                Confidentiality
                Privacy

   What else is out there?
          Integrated Examination of Internal Control
          Agreed-Upon Procedures

Why the new reporting options?


SAS 70 became a catch-all for everything!


AICPA was not pleased with terms like:
    “We’re SAS 70 Certified”
    “We’re SAS 70 Compliant”


The movement to outsourced IT services made the problem more pronounced.
What was SAS 70?


   Statement on Auditing Standards Number 70, Service Organizations.
   Designed to address a service organization’s controls affecting user entities’ financial statements.
   Controls over financial reporting.
   Either a “Type 1” or a “Type 2” report.


Primarily an auditor-to-auditor communication.
The New Reporting Options




SOC 1 – the new “SAS 70”


   Report content:
         Controls at a service organization relevant to user entities’ internal control over financial reporting.
   Intended audience is:
         Management of service & user organizations
         Auditors of the user organizations
   Nature of reports:
         Type 1 – Control description
         Type 2 – Control description & operating effectiveness
SOC 2 – a more interesting “SAS 70”


   Report Content:
         Service organization’s controls relevant to:

                Security
                Availability
                Processing integrity
                Confidentiality
                Privacy


   There is flexibility in choosing which controls to be included in the report.

   Intended audience is:
         Management of service organizations
         Management of user organizations


   Nature of reports:
         Type 1 – Control description
         Type 2 – Control description & operating effectiveness

   Note: A SOC 2 report cannot be combined with a SOC 1 report. They must be separate.
SOC 3 – A “SAS 70” for public consumption

   Report Content:
         Service organization’s controls relevant to:

                Security
                Availability
                Processing integrity
                Confidentiality
                Privacy


   There is flexibility in choosing which controls to be included in the report.

   Intended audience is:
         Any user with a need for confidence in the service organization’s controls.

   Nature of reports:
         Very short – similar to an auditor’s opinion on financial statements.
         No detail of the organization’s controls





Limitations of SOC 3 Reports
   An unqualified opinion cannot be issued if:
         Controls at subservice organizations have been “carved out.”
         Complementary user-entity controls are significant.




The Trust Services Principles (The foundation for SOC 2 & 3)




The Security Principle


   Refers to the protection of the system from unauthorized access, both logical and physical.
   “Criteria” to be Tested
         Policies – were security policies defined and documented?
         Communications – were the policies communicated to the appropriate parties?
         Procedures – are procedures in operation to achieve the goals of the security policies?
         Monitoring – Is compliance with the policies monitored?



The Availability Principle


   Refers to the accessibility of the system, products, or services as advertised or committed by contract, service-level, or other agreements.
   “Criteria” to be Tested
         Policies – were availability policies defined and documented?
         Communications – were the policies communicated to the appropriate parties?
         Procedures – are procedures in operation to achieve the goals of the availability policies?
         Monitoring – Is compliance with the policies monitored?

The Processing Integrity Principle


   Refers to the completeness, accuracy, validity, timeliness, and authorization of system processing.
   “Criteria” to be Tested
         Policies – were processing integrity policies defined and documented?
         Communications – were the policies communicated to the appropriate parties?
         Procedures – are procedures in operation to achieve the goals of the processing integrity policies?
         Monitoring – Is compliance with the policies monitored?


The Confidentiality Principle


   Refers to the system’s ability to protect the information designated as confidential, as committed or agreed.
   “Criteria” to be Tested
         Policies – were confidentiality policies defined and documented?
         Communications – were the policies communicated to the appropriate parties?
         Procedures – are procedures in operation to achieve the goals of the confidentiality policies?
         Monitoring – Is compliance with the policies monitored?


The Privacy Principle


   Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and CICA.




The Privacy Principle - Criteria


   Policies – The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.

   Notice – The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained and disclosed.



The Privacy Principle - Criteria


   Choice and Consent – The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.

   Collection – The entity collects personal information only for the purposes identified in the notice.

The Privacy Principle - Criteria


   Use, Retention, & Disposal – The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.



The Privacy Principle - Criteria


   Access – The entity provides individuals with access to their personal information for review and update.
   Disclosure to Third Parties – The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
   Security – The entity protects personal information against unauthorized access.
The Privacy Principle - Criteria


   Quality – The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
   Monitoring & Enforcement – The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related inquiries, complaints, and disputes.



What else is out there




Integrated Examination of Internal Control


   Essentially a “SOX 404” report.
   Performed in conjunction with a financial
    statement audit.
   Provides an opinion on the organization’s
    controls over financial reporting.
   A control “criteria” must be set.
         COSO is the most common criteria used.


   Not a restricted use report.
Agreed-Upon Procedures


   Our favorite option!
   Gives maximum flexibility regarding pricing and work to be performed.
   However, no professional opinion is actually rendered.
   Restricted-use report.




Additional resources.....


   For additional information on the new SOC reporting framework, here’s a handy website:
         http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/SORHome.aspx


   Contact us with questions!
         Jeff Stefan, 202-419-5104, Jstefan@tatetryon.com
         Doug Boedeker, 202-419-5106, Dboedeker@tatetryon.com


Speaker Biography

Douglas Boedeker is a partner within Tate & Tryon’s Audit and Assurance Services unit and is also actively involved in the Firm's exempt organization tax services group. He has more than 19 years of experience providing an array of audit, tax, and consulting services to a variety of nonprofit organizations and employee benefit plans. He takes particular pride that his family has contained at least one CPA every year since 1923. Doug graduated summa cum laude from Susquehanna University in Selinsgrove, Pennsylvania with a Bachelor of Science degree in accounting while simultaneously completing the coursework for a second major in arts administration. He was also named as the University’s recipient of The Wall Street Journal Outstanding Business Student Award.

Doug is a frequent speaker on a variety of exempt organization tax issues and the Form 990. He recently presented a session on easing the 990 preparation process for CFOs and auditors at the 2011 AICPA Not for Profit Industry Conference. Doug is a coauthor of Guide to the Newest IRS Form 990: Interpreting and Complying with the New Tax Reporting Requirements for Transparency and Accountability (published by ASAE).
Speaker Biography


Jeff Stefan is the partner in charge of Tate & Tryon’s auditing practice and has more than 25 years of experience serving the nonprofit sector. In addition to his extensive audit and tax experience, he has provided consulting services to organizations such as The World Bank, Public Company Accounting Oversight Board, and ASAE & The Center for Association Leadership in a variety of areas, including grant compliance, merger due diligence, and internal controls. He has also been called upon to consult on a variety of complex issues such as: Fair value accounting (FAS 157), Accounting for alternative investments (FAS 133), Split interest agreements, Endowment accounting (UPMIFA / FSP 117-1), and Uncertain tax positions (FIN 48).

Mr. Stefan has presented and authored articles on many recent accounting and auditing issues including: FASB Staff Position (FSP) FAS 117-1, “Endowments of Not-for-Profit Organizations: Net Asset Classification of Funds Subject to an Enacted Version of the Uniform Prudent Management of Institutional Funds Act, and Enhanced Disclosures for All Endowment Funds”, Educating Your Board About Audits, and A Summary of the New Audit Risk Standards.
