Tag: soc 1

User Access Reviews

User access reviews are a critical control in almost any IT control framework because they help ensure that users have the appropriate level of access to sensitive data and systems. Without integrity of system access, how can you know the data is trustworthy? In many industries, regulatory bodies have strict requirements for how organizations must manage access to sensitive information. SOC 1 and SOC 2 expect user access to be appropriate for all in-scope systems; one such control is the review of privileged access, whether that be administrative permissions, confidential data, or even the system or network itself. A user access review is considered a detective control because it is performed after the fact (access was already provided) to detect potential issues overlooked due to inadequate preventative controls (on-boarding/off-boarding). Performing a user access review that is sufficient to meet your SOC 1 or SOC 2 controls is straightforward, but like anything it takes planning and time to execute properly.

1. Define the Access Review Requirements: Establish the systems, boundaries, criteria, and objectives for the access review in order to ensure compliance with regulations, company policies, and industry best practices.
2. Identify the System Owners: Identify system and business owners of in-scope systems who need to be included in the review.
3. Collect User Access Information: Collect user access information, such as user name, roles, groups, applications, and any other relevant data from in-scope systems.
4. Analyze Access Information: Compare user access information to the previously


SSAE 16, The New Standard

So you have been performing a SAS 70 for the last couple of years, or are preparing to embark on your first SAS 70, and all of a sudden you hear that a brand new standard has been issued! Don’t worry about it! SSAE 16 is an improvement to the current standard for Reporting on Controls at a Service Organization, the SAS 70, with some changes that will help bring your company and the rest of the companies in the US up to date with the new international service organization reporting standard, ISAE 3402. This will allow you and your counterparts in the US to compete on an international level, allowing companies around the world to use YOU as their service organization with complete comfort. One very important issue you should be aware of is that SSAE 16 will formally be issued in June 2010 with an effective date of June 15, 2011, meaning that if you are not on top of this new standard soon, you need to be. Many organizations have a 12-month testing period that begins in July, and if this sounds like your company, you will be required to be compliant with the new standards as of July 1, 2010.

Major differences between SAS 70 and the New Standard, SSAE 16 and ISAE 3402:

1) Management of the Service Organization will be required to provide the service auditor with a written assertion about the following, when performing


SOC 1 Report

A SOC 1 Report (System and Organization Controls Report) is a report on Controls at a Service Organization which are relevant to user entities’ internal control over financial reporting. The SOC 1 Report is what you would have previously considered to be the standard SAS 70, complete with Type I and Type II reports, but it falls under the SSAE 16 guidance (and soon SSAE 18). Please see the following articles discussing the SSAE 16 guidance and additional information related to the SOC 1 (Type I and Type II) Reports:

SSAE 16 Type I Report Background Information
SSAE 16, The New Standard
SSAE 16 Preparation Tips

In addition to the SOC 1 report, which is restricted to controls relevant to an audit of a user entity’s financial statements, the SOC 2 and SOC 3 reports have been created to address controls relevant to operations and compliance; these will be discussed in further detail in the future. Please see the SOC 1 Reporting Guide page for additional information.


SSAE 16 Terminology – Criteria

Criteria, as defined by the SSAE 18 (formerly SSAE 16) guidance, are: the standards or benchmarks used to measure and present the subject matter and against which the service auditor evaluates the subject matter. Criteria are the overarching goals that the control objectives and activities in place are designed to meet and that the final report gives assurance on, for example, “The system is protected against unauthorized access (both physical and logical).” To meet this criterion, a company may decide to include controls such as “Firewalls are installed at all external entry points” or “A User Access Review of Access Badges is performed on a Monthly Basis”. Criteria are used as a benchmark to assess the design and operating effectiveness of internal controls at an organization; however, Management is responsible for making sure that the controls in place support the defined criteria sufficiently. There are best practice criteria available for most industries that reflect prevailing internal controls best practices and requirements from around the world; some of these can be found on the AICPA website if you would like additional examples. This definition and information is consistent in SSAE 18.


The SSAE16 Auditing Standard

SSAE 16 is an enhancement to the current standard for Reporting on Controls at a Service Organization, the SAS 70. The changes made to the standard will bring your company, and the rest of the companies in the US, up to date with the new international service organization reporting standard, ISAE 3402. The adjustments made from SAS 70 to SSAE 16 will help you and your counterparts in the US compete on an international level, allowing companies around the world to give you their business with complete confidence. SSAE 16 is now effective as of June 15, 2011, and if you have not made the necessary adjustments, now is the time to find a quality provider to discuss the proper steps. All organizations are now required to issue their Service Auditor Reports under the SSAE 16 standards in a SOC 1 Report. The soon-to-be-effective SSAE 18 is expected to follow a similar reporting structure to SSAE 16 within a SOC 1 report.

Who Needs an SSAE 16 (SOC 1) Audit? If your Company (the ‘Service Organization’) performs outsourced services that affect the financial statements of another Company (the ‘User Organization’), you will more than likely be asked to provide an SSAE 16 Type II Report, especially if the User Organization is publicly traded. Some example industries include:

Payroll Processing
Loan Servicing
Data Center/Co-Location/Network Monitoring Services
Software as a Service (SaaS)
Medical Claims Processors

What you Need to Know: Before starting the SSAE 16 process, there are a number of considerations one must
