
Evolution of SOC Reporting and SSAE 18
Denver IIA Chapter Meeting
July 18, 2017

kpmg.com
Agenda

With you today:
Nina Currigan, Managing Director, Advisory, IT Audit and Assurance

— Evolution of SOC Reporting
— Transition from SSAE 16 to SSAE 18
— A “How To” Guide on using a SOC Report

© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International
Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS 551743
1
Evolution of SOC Reporting

Organizations are increasingly outsourcing systems, business processes, and data processing to service providers in an effort to focus on core competencies, reduce costs, and more quickly deploy new application functionality.

Many organizations have historically relied upon Statement on Auditing Standards (SAS) 70 reports to gain broad comfort over outsourced activities. SAS 70 was intended to focus specifically on risks related to internal control over financial reporting (ICOFR), and not broader objectives such as system availability and security.

SOC History

With the retirement of the SAS 70 report in 2011, Service Organization Control (SOC) reports have been defined by the American Institute of Certified Public Accountants (AICPA) to replace SAS 70 reports and more clearly address the assurance needs of the users of outsourced services.

Three types of SOC reports — SOC 1®, SOC 2®, and SOC 3® — have been defined to address a broader set of specific user needs.

Where we are Today

A broader suite of “System and Organization Control” reports is now offered, including mapping to other frameworks and opinions issued on additional SOC 2®+ criteria and other standards.

System &amp; Organization Controls (SOC)

SOC 1® - SOC for Service Organizations: ICFR
• Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (ICFR)

SOC 2® - SOC for Service Organizations: Trust Services Criteria
• Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
• SOC for Service Organizations: SOC 2® HITRUST (SOC 2+)
• SOC for Service Organizations: SOC 2® CSA STAR Attestation (SOC 2+)
• Enhanced SOC 2 Reporting

SOC 3® - SOC for Service Organizations: Trust Services Criteria for General Use Report
• These reports are designed to meet the needs of users who need assurance about the controls at a service organization.

New: SOC for Cyber Security
• A reporting framework for communicating information about the effectiveness of a cybersecurity risk management program to a broad range of stakeholders

Under Development: SOC for Vendor Supply Chains
• An internal controls report on a vendor’s manufacturing processes for customers of manufacturers and distributors to better understand the cybersecurity risk in their supply chains.

Overview of SOC 1®, SOC 2®, and SOC 3® reports

Summary
— SOC 1®: Internal control over financial reporting. Detailed report for users and their auditors.
— SOC 2®: Operational controls. Detailed report for users, their auditors, and specified parties.
— SOC 3®: Operational controls. Short report that can be more generally distributed.

Defined scope of system
— SOC 1®: Classes of transactions; procedures for processing and reporting transactions; accounting records of the system; handling of significant events and conditions other than transactions; report preparation for users; other aspects relevant to processing and reporting user transactions.
— SOC 2® and SOC 3®: Infrastructure; software; procedures; people; data.

Control domain options
— SOC 1®: Transaction processing controls; supporting information technology general controls.
— SOC 2® and SOC 3®: Security; availability; confidentiality; processing integrity; privacy; SOC 2®+ additional criteria.

Level of standardization
— SOC 1®: Control objectives are defined by the service provider, and may vary depending on the type of service provided.
— SOC 2® and SOC 3®: Principles are selected by the service provider. Specific predefined criteria are evaluated against, rather than control objectives.

SOC reports for different scenarios

SOC 1® Financial Reporting Controls
— Financial services
— Asset management and custody services
— Healthcare claims processing
— Payroll processing
— Payment processing

SOC 2® and SOC 3®
— Cloud ERP service
— Data center colocation
— IT systems management
— E-mail, collaboration, and communications
— Cloud-based services (SaaS, PaaS, IaaS)
— HR services
— Security services
— Any service where customers’ primary concern is security, availability, or privacy

Figure: SOC 1® addresses Financial/Business Process and Supporting System Controls; SOC 2® and SOC 3® address Security, Availability, Confidentiality, Processing Integrity, and Privacy.

Overview of SOC 2® and SOC 3® trust services principles

Domain / Principle

Security — The system is protected against unauthorized access, use, or modification.

Availability — The system is available for operation and use as committed or agreed.

Confidentiality — Information designated as confidential is protected as committed or agreed.

Processing Integrity — System processing is complete, valid, accurate, timely, and authorized.

Privacy — Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and CPA Canada.

How companies are considering SOC 2® and SOC 3® reports

— Client Due Diligence Purposes (Availability, Security)
— Data Management and Analysis Services (Security, Availability, Confidentiality, Processing Integrity)
— HIPAA Business Associates (Security, Confidentiality, SOC 2+ HITRUST)
— Regulatory and Electronic Banking (Security, Confidentiality)
— Asset Management (Security, Confidentiality)
— Billing and Claim Payment Services (Security, Processing Integrity)
— Cyber Security (Security)
— Corporate Services, Fiduciary Asset Management, and Client Accounting Services (Security and Processing Integrity)
— Third-party Relationships
— Business Processing Outsourcing (all)
— SOC2 Over Services (Security, Processing Integrity)
— Processing Centers (Security, Processing Integrity)
— Data Center Hosting (Security and Availability)
— Infrastructure (Availability, Security)

Enhanced Reporting / SOC 2® +

Option 1
— Add mapping documents to other reporting frameworks in the unaudited section of the report.

Option 2
— Issue an opinion not only on the SOC 2® criteria but also on additional criteria (SOC 2® +).

Frameworks cited as examples for either option: ISO 27001, NIST 800-53 R4, HITRUST, COBIT 5, CCM 3.0.1 (CSA), COSO 2013.

Example SOC 2® + CSA CCM

SOC 2® Common Criteria (Security)
SOC 2® Availability Criteria
SOC 2® Confidentiality Criteria

Additional Criteria based on CSA Cloud Controls Matrix
— Application and Interface Security
— Audit Assurance and Compliance
— Business Continuity Management and Operational Resilience
— Change Control and Configuration Management
— Data Security and Information Life Cycle Management
— Datacenter Security
— Encryption and Key Management
— Governance and Risk Management
— Human Resources
— Identity and Access Management
— Infrastructure and Virtualization Security
— Interoperability and Portability
— Mobile Security
— Security Incident Management, E-Discovery and Cloud Forensics
— Supply Chain Management, Transparency and Accountability
— Threat and Vulnerability Management

Example SOC 2 + NIST 800-53 framework

SOC 2® Common Criteria (Security)
SOC 2® Availability Criteria
SOC 2® Confidentiality Criteria

Additional Criteria based on NIST 800-53 Framework

IDENTIFY
— Asset Management
— Business Environment
— Governance
— Risk Assessment
— Risk Assessment Strategy

PROTECT
— Access Control
— Awareness and Training
— Data Security
— Information Protection Processes and Procedures
— Maintenance
— Protective Technology

DETECT
— Anomalies and Events
— Security Continuous Monitoring
— Detection Processes

RESPOND
— Response Planning
— Communications
— Analysis
— Mitigation
— Improvements

RECOVER
— Recovery Planning
— Improvements
— Communications

HITRUST

— Framework driven from healthcare and protection of Personal Health Information (PHI)
— Impacts industries that are Business Associates (BAs) to covered entities
— Can be done as a SOC 2® + HITRUST Report or a HITRUST CSF Certification

Figure: the HITRUST CSF shown with the frameworks and requirements it draws on: ISO 27001/2, COBIT, PCI, HITECH Act, HIPAA Security, CMS MU, NIST SP 800-53, and States.

Example SOC 2® + HITRUST common security framework

SOC 2® Common Criteria (Security)
SOC 2® Availability Criteria
SOC 2® Confidentiality Criteria

Additional Criteria based on HITRUST Common Security Framework (CSF) Version 7
— Clear Desk and Clear Screen Policy
— Contact with Authorities
— Contact with Special Interest Groups
— Addressing Security When Dealing with Customers
— Addressing Security in Third-party Agreements
— Teleworking
— Remote Diagnostic and Config Port Protection
— Network Connection Control
— Mobile Computing and Communications
— Identification of Applicable Legislation
— Intellectual Property Rights
— Regulation of Cryptographic Controls
— Inventory of Assets
— Ownership of Assets
— Acceptable Use of Assets
— Cabling Security
— Outsourced Software Development
— Control of Technical Vulnerabilities
— Including InfoSec in the BC Management Process

The additional controls listed above are not intended to be all-encompassing, and additional controls may be necessary based on each organization’s environment.

Cybersecurity Attestation

The AICPA released guidance for attestation services related to cybersecurity in April 2017.

Subject matter of the cybersecurity examination will include:
— A description of the entity’s cybersecurity risk management program in accordance with the description criteria
— An assessment of the design and/or effectiveness of the controls within that program to achieve the entity’s cybersecurity objectives based on the control criteria

SOC for Cybersecurity

— Based on two sets of criteria:
- Description Criteria
- Control Criteria
— The control criteria can be the SOC 2 criteria related to Security (Common Criteria), Availability, and Confidentiality, or
— Other established control criteria such as:
- NIST Critical Infrastructure Cybersecurity Framework or
- ISO 27001/27002

Transition from SSAE 16 to SSAE 18

Change from SSAE 16 to SSAE 18

The Auditing Standards Board (ASB) has a multiyear project to redraft all of the standards that it issues into a new “clarity format.” The intent of this format is to address concerns over the clarity, length, and complexity of its standards.

— Statement on Standards for Attestation Engagements No. 18 (SSAE 18):
- In April 2016, the ASB issued SSAE 18 – Attestation Standards: Clarification and Recodification
- SSAE 18 redrafts all previous SSAEs except for:
— AT 701 Chapter 7, “Management’s Discussion and Analysis” of SSAE 10, Attestation Standards: Revision and Recodification, which will now be codified as AT-C 395
— SSAE 15, An Examination of an Entity’s Internal Control Over Financial Reporting That is Integrated with an Audit of Its Financial Statements (AT Section 501). This standard is being moved to the Auditing Standards AU-C 940.

Full Text of SSAE 18
http://www.aicpa.org/Research/Standards/AuditAttest/DownloadableDocuments/SSAE_No_18.pdf

SSAE 18 – Scope and Effective Date
Scope of SSAE 18
• Impacts all attestation engagements except as noted in the previous
slide
• Will impact all System and Organization Control (SOC) reports (i.e.,
SOC 1®, SOC 2®, and SOC 3®)

Effective Date
• Service Auditor’s reports dated on or after May 1, 2017
• Early adoption permitted
• Since the required implementation is based on the date of the Service
Auditor’s Report, the new standards have the potential to impact a
wide range of reporting periods.

SSAE 18 – Impact on SOC Reporting

The summary below includes the more significant revisions to the attestation standards that directly affect SOC 1® reporting. These revisions include the following topics:

Summary of revisions
— Complementary subservice organization controls (CSOC)
— Completeness and accuracy of information produced by the service organization
— Complementary user entity controls (CUECs)
— Review of internal audit reports and regulatory examinations
— Risk assessment
— Materiality language in management’s assertion
— Management’s assertion versus management’s description
— Obtaining evidence regarding the design of controls

A “How To” Guide on using a SOC Report

Leading practices for user organization adoption of SOC reports

Key Activities and Descriptions

Inventory vendor relationships
— Inventory existing outsourced vendor relationships to determine where the organization has obtained, and requires, third-party assurance going forward.

Assess vendor risks
— Assess the key risks associated with significant outsourced vendors (e.g., Security, Availability, other risks).

Identify relevant reports
— Determine whether a SOC 1® report is required for financial reporting purposes.
— Determine whether detailed SOC 2® reports or summary level SOC 3® reports are required for key service providers. Also determine which principles should be covered within the SOC 2®/SOC 3® reports (i.e., Security, Availability, Confidentiality, Processing Integrity, and/or Privacy).

Contractual provisions
— Assess what, if any, specific audit reports are required by contract, and whether contracts have right-to-audit clauses.
— Determine how any historical SAS 70 (now SSAE 16) references should be updated to the relevant types of SOC report.
— Determine whether SOC 2®/SOC 3® reports should be required by contract.

Vendor monitoring
— Determine the frequency with which key outsourced vendors will be assessed.
— Build the process of obtaining and reviewing SOC reports, and following up on any areas of concern, into the vendor monitoring process.

Leading practices for user organization adoption of SOC reports (continued)

Key Activities and Descriptions

Vendor due diligence
— Consider requesting relevant SOC reports as part of the due diligence process for assessing and on-boarding new outsourced service providers.

Communication plan
— Where assurance reports are desirable, key points should be communicated and confirmed with the service providers:
- Scope of the system covered
- Specific report to be provided (SOC 1®, SOC 2®, SOC 3®)
- Type of report to be provided, and period covered (i.e., Type 2 for a specified period, or in certain cases, Type 1 as of a specified point in time)
- Control domains covered (included control objectives for SOC 1®, included principles for SOC 2®/SOC 3®)
- Existence of any key supporting subservice providers (e.g., data center providers, IaaS providers), and whether they are included in scope
- Expected report delivery date.

Leading practices for user organization evaluation of SOC reports

Key Areas and Considerations to Evaluate

Opinion
— What is the scope of the report?
— What is the period covered; is the gap period greater than 3 – 4 months?
— Is a subservice organization disclosed, and was the “Inclusive” or “Carve-out” method used?
— If the “Carve-out” method was used, based on the significance and relevance of the service being provided by the subservice organization, you may need to obtain and evaluate an assurance report from that subservice organization.
— Was the opinion unqualified or qualified?

Description of System and Controls
— Understanding the system and its related processes and determining the relevancy and significance to your control environment
— Do the control objectives and controls (SOC 1®), principles, and criteria (SOC 2®/3®) address the risks relevant to your processing environment?

Complementary User Entity/Subservice Organization Controls
— To achieve the stated control objectives, or principles and criteria, does the report highlight specific control activities for which the user entity or subservice organization is responsible?
— Were these complementary user entity controls present and operating effectively during the period, or
— Is there a SOC report for the carved-out subservice organization that addressed the CSOCs?

Control Objectives (SOC 1®)
— Does the report cover all of the relevant control objectives for the user organization’s purposes?
— Do the controls and testing adequately support the objectives?

Principle/Criteria (SOC 2® and SOC 3®)
— Does the report cover the relevant principle(s) and criteria?
— Is the report properly scoped to cover all of the relevant areas for the user organization’s purposes?
— Do the controls and testing adequately support the criteria? (SOC 2®)

Results of Tests (N/A for SOC 3®)
— Does the report need to include the service auditor’s test procedures and associated results?
— Were there exceptions noted by the service auditor; how might the exception(s) impact your risk assessments?

Changes noted during the period
— Have any significant changes in systems, subservice providers, or controls occurred during the examination period and, if so, do they have any impact on the user?
SOC 2 and SOC 3 adoption – Frequently asked questions

What is the process to initiate a SOC 2®/3®?
— Identification and scoping of report subject matter and selection of criteria
— Define the scope of the system including infrastructure, software, people, procedures and data
— Perform SOC 2®/3® Diagnostic/Readiness Assessment
— Remediate items identified during the Diagnostic Assessment
— Execute the SOC 2®/3® report engagement

How much do they cost?
— Cost depends on the scope of the report (selected principles, number of controls, locations, etc.)
— Similar pricing structure to SOC 1® reports
— Ability to leverage dual purpose testing between reports

How long does it take to perform a SOC 2®/3®?
— Duration of a SOC 2®/3® engagement also depends on the scope of the report, but is similar to a SOC 1®

Who typically owns the administration of SOC reports from the service provider?
— Firms issuing multiple SOC reports often select a central contact to administer their SOC reporting program
— Responsibilities may include inventorying reports, tracking distribution, approving requests for new reports, and monitoring customer inquiries.

Conclusion

— SOC Reporting has evolved
- SOC 1® focuses on matters relevant to user entities’ internal control over financial reporting.
- SOC 2® and SOC 3® reports apply more broadly to operational controls covering security, availability, confidentiality, processing integrity, and/or privacy across a variety of systems.
- SOC 2® and 3® can supplement a SOC 1 report by taking a “deeper dive” into key areas.
- Emerging SOC options exist: SOC 2+, SOC 2 Enhanced, SOC for Cybersecurity, etc.
— In April 2016, the ASB issued SSAE 18, which replaces SSAE 16
- Has an impact on all SOC reports
- Impacts reports dated on or after May 1, 2017
- Several revisions to SOC reports will need to be made as a result of this change
— Using a SOC report should include consideration of:
- Report type (SOC 1, SOC 2, SOC 3, Type 1, Type 2, etc.)
- Report scope
- Report period
- Opinion (Unqualified, Qualified, Adverse)
- Testing Exceptions

Questions and Answers

kpmg.com/socialmedia

Some or all of the services described herein may not be permissible for KPMG Audit clients and their affiliates.
The information contained herein is of a general nature and is not intended to address the circumstances of any particular
individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such
information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on
such information without appropriate professional advice after a thorough examination of the particular situation.


The KPMG name and logo are registered trademarks or trademarks of KPMG International.
