Академический Документы
Профессиональный Документы
Культура Документы
September 8, 2011
I.
II.
III.
Understand other reporting options that may be of interest to Boards and Audit Committees.
September 8. 2011
Course Outline
SOC 1 the new SAS 70 SOC 2 a SAS 70 report thats interesting! SOC 3 a SAS 70 report for public consumption
September 8. 2011
Course Outline
September 8. 2011
AICPA was not pleased with terms like: Were SAS 70 Certified Were SAS 70 Compliant
Statement on Auditing Standards Number 70, Service Organizations. Designed to address a service organizations controls affecting user entities financial statements. Controls over financial reporting. Either a Type 1 or a Type 2 report.
September 8. 2011
Report content:
Controls at a service organization relevant to a user entities internal control over financial reporting.
Nature of reports:
September 8. 2011
Report Content:
September 8. 2011
Nature of reports:
Note: A SOC 2 report cannot be combined with a SOC 1 report. They must be separate.
September 8. 2011 Copyright 2011 Tate & Tryon CPAs and Consultants
Report Content:
September 8. 2011
Any user with a need for confidence in the service organizations controls.
Nature of reports:
Very short similar to an auditors opinion on financial statements. No detail of the organizations controls
September 8. 2011
Controls at subservice organizations have been carved out. Complementary user-entity controls are significant.
September 8. 2011
September 8. 2011
Refers to the protection of the system from unauthorized access, both logical and physical. Criteria to be Tested
Policies were security policies defined and documented? Communications were the policies communicated to the appropriate parties? Procedures are procedures in operation to achieve the goals of the security policies? Monitoring Is compliance with the policies monitored?
September 8. 2011
Refers to the accessibility to the system, products, or services as advertised or committed by contract, service-level, or other agreements. Criteria to be Tested
Policies were availability policies defined and documented? Communications were the policies communicated to the appropriate parties? Procedures are procedures in operation to achieve the goals of the availability policies? Monitoring Is compliance with the policies monitored?
Copyright 2011 Tate & Tryon CPAs and Consultants
September 8. 2011
Refers to the completeness, accuracy, validity, timeliness, and authorization of system processing. Criteria to be Tested
Policies were processing integrity policies defined and documented? Communications were the policies communicated to the appropriate parties? Procedures are procedures in operation to achieve the goals of the processing integrity policies? Monitoring Is compliance with the policies monitored?
September 8. 2011
Refers to the systems ability to protect the information designated as confidential, as committed or agreed. Criteria to be Tested
Policies were confidential information policies defined and documented? Communications were the policies communicated to the appropriate parties? Procedures are procedures in operation to achieve the goals of the processing integrity policies? Monitoring Is compliance with the policies monitored?
September 8. 2011
Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entitys privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and CICA.
September 8. 2011
Policies - The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
Notice - The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained and disclosed.
September 8. 2011
Choice and Consent The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
Collection The entity collects personal information only for the purposes identified in the notice.
September 8. 2011
Use, Retention, & Disposal - The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.
September 8. 2011
Access - The entity provides individuals with access to their personal information for review and update. Disclosure to Third Parties The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual. Security The entity protects personal information against unauthorized access.
Copyright 2011 Tate & Tryon CPAs and Consultants
September 8. 2011
Quality The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice. Monitoring & Enforcement The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy related inquiries, complaints, and disputes.
September 8. 2011
September 8. 2011
Essentially a SOX 404 report. Performed in conjunction with a financial statement audit. Provides an opinion on the organizations controls over financial reporting. A control criteria must be set.
September 8. 2011
Agreed-Upon Procedures
Our favorite option! Gives maximum flexibility regarding pricing and work to be performed. However, no professional opinion is actually rendered. Restricted-use report.
September 8. 2011
Additional resources.....
For additional information on the new SOC reporting framework, heres a handy website:
http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServi ces/Pages/SORHome.aspx
September 8. 2011
Speaker Biography
Douglas Boedeker , is a partner within Tate & Tryons Audit and Assurance Services unit and is also actively involved in the Firm's exempt organization tax services group. He has more than 19 years of experience providing an array of audit, tax, and consulting services to a variety of nonprofit organizations and employee benefit plans. He takes particular pride that his family has contained at least one CPA every year since 1923. Doug graduated summa cum laude from Susquehanna University in Selinsgrove, Pennsylvania with a Bachelor of Science degree in accounting while simultaneously completing the coursework for a second major in arts administration. He was also named as the Universitys recipient of The Wall Street Journal Outstanding Business Student Award. Doug is a frequent speaker on a variety of exempt organization tax issues and the Form 990. He recently presented a session on easing the 990 preparation process for CFOs and auditors at the 2011 AICPA Not for Profit Industry Conference. Doug is a coauthor to Guide to the Newest IRS Form 990: Interpreting and Complying with the New Tax Reporting Requirements for Transparency and Accountability, (published by ASAE).
September 8. 2011 Copyright 2011 Tate & Tryon CPAs and Consultants
Speaker Biography
Jeff Stefan, is the partner in charge of Tate & Tryons auditing practice and has more than 25 years of experience serving the nonprofit sector. In addition to his extensive audit and tax experience, he has provided consulting services to organizations such as The World Bank, Public Company Accounting Oversight Board, and ASAE & The Center for Association Leadership in a variety of areas, including grant compliance, merger due diligence, and internal controls. He has also been called upon to consult on a variety of complex issues such as: Fair value accounting (FAS 157), Accounting for alternative investments (FAS 133), Split interest agreements, Endowment accounting (UPMIFA / FSP 117-1), and Uncertain tax positions (FIN 48). Mr. Stefan has presented and authored articles on many recent accounting and auditing issues including: FASB Staff Position (FSP) FAS 117-1, Endowments of Not-for-Profit Organizations: Net Asset Classification of Funds Subject to an Enacted Version of the Uniform Prudent Management of Institutional Funds Act, and Enhanced Disclosures for All Endowment Funds, Educating Your Board About Audits, , and A Summary of the New Audit Risk Standards.
September 8. 2011 Copyright 2011 Tate & Tryon CPAs and Consultants