SOC Audits

Service Organization Reporting

MOSS ADAMS LLP | 1
INTRODUCTION
Chris Kradjan, CPA, CITP, CRISC
Chris Kradjan is the National SSAE 16 Leader for Moss
Adams. He has been with Moss Adams since 1994, and has
been auditing and consulting since 1992. He works
routinely with a wide range of complex service
organizations to meet their needs. His practice areas
include SSAE 16 SOC 1/2/3 auditing, PCI-DSS compliance
services, internal controls reviews, Sarbanes-Oxley
compliance services, SysTrust/WebTrust audits, and
independent technology assessments. Furthermore, Chris
is regularly involved with technology and financial
controls assessments based on the COSO, COBIT, PCI-DSS,
NIST, FISMA, and ISO 27002 frameworks. He serves on the
AICPA SOC 2 Task Force and was recently appointed to the
AICPA Assurance Services Executive Committee.
SLIDE 2

OBJECTIVES
• Overview of SOC reporting
• Scope and coverage of SOC audits for AIS
• Background about Moss Adams as your auditors
• Key terminology
• Customers’ responsibilities
• AIS internal contact

SLIDE 3

MARKET / REGULATORY PRESSURES
• Increased competition
• Sarbanes-Oxley – SEC/publicly traded companies
• HIPAA Security and Privacy Rules – Healthcare
• GLBA – Financial services
• FERPA – Education
• PCI-DSS – Payment card data
• State and local security and privacy laws
• NIST 800-53 – Federal compliance
• ISO 27001 – Security
• Safe Harbor – International
SLIDE 4

SOC AUDITS
• Represents that AIS has been through an in-depth audit
of its system/controls
• For business unit(s) or entire organization
• Discloses controls relevant to customers
• Demonstrates design and operating effectiveness of
controls in place
• Follows AICPA standards - can only be issued by CPAs
• Even more important given Sarbanes-Oxley, heightened
regulatory conditions, and increasing competition

SLIDE 5

VALUE OF SOC AUDITS
• Provide customers independent assurance about AIS’
controls
• Satisfy multiple customers through a single audit
• Help AIS differentiate itself from its competition
• Provide independent feedback to management to
define and monitor adherence to established
operational metrics
• Identify potential opportunities to strengthen the
business practices and operating environment at AIS

SLIDE 6

RELEVANT PARTIES
[Diagram: American Internet Services (AIS) and Moss Adams at the centre, surrounded by User Entities and their User Auditors]

SLIDE 7

RELEVANT PARTIES - DEFINED
• Audit of “system”/controls (vs. financial audit)

• AIS performs services (as “service organization”) for its
own customers
• In turn, its customers (“user entities”) and their auditors
(“user auditors”) want assurance over the AIS
systems/controls
• AIS then hired Moss Adams (“service auditor”) to opine on
AIS’ systems/controls

SLIDE 8

MOSS ADAMS
• 11th largest accounting and consulting firm
• Reputable and nationally recognized, celebrating 100 years
• Over 1,800 professionals and 240 partners in 22 offices
• Strong acceptance to relevant customers and industries/markets
• Well established in the tech and data center space
• Professionals serving in important leadership roles through the AICPA, COSO, and other national committees
• Proven technical expertise and industry credentials
• Established SOC auditing and testing processes
• Practical, solution-oriented approach

SLIDE 9

AUDIT TEAM
Leads
• Chris Kradjan, Partner
• Francis Tam, Partner
• JP Langlois, Supervisor
Highlights
• Led by SSAE 16 National Practice Leader
• Comprised of seasoned SOC team
• Security, operations and controls advisors
• SOC, Sarbanes-Oxley, HIPAA, PCI, and internal controls specialists
• CPA, CISA, CISM, CITP, CRISC, PCI QSA
SLIDE 10

SCOPE
Reports
• SOC 1 Type 2 Audit (SSAE 16 and ISAE 3402)
• SOC 2 Type 2 Audit
• SOC 3 Type 2 Audit

Audit Period Ending: April 30, 2012, April 30, 2013, etc.
Sites
• Lightwave Data Center (LWDC)
• San Diego Tech Center (SDTC)
• Fiber Alley Data Centers #1/#2/#3 (FADC)
• One Wilshire Point of Presence (OWPOP)
• Van Buren Data Center (VBDC)
SLIDE 11

CONTROL AREAS
SOC 1/ISAE 3402
Control Areas:
• Service Delivery
• Solutions Design
• Computer Operations
• Logical and Physical Security
• Change Management
• Incident Management
• Disaster Recovery Planning
• Business Continuity Planning

SOC 2 and SOC 3
Principles:
• Security
• Availability
Control Areas:
• Policies
• Communication
• Procedures
• Monitoring
SLIDE 12

ALPHABET SOUP
Historical with SAS 70
• SAS 70 Reporting (AU 324)

New with SSAE 16
• SOC 1 – Internal Controls Over Financial Reporting (AT 801)
• SOC 2 – AT 101 and Trust Services Principles (Detailed Reporting) (AT 101)
• SOC 3 – Trust Services Principles (SysTrust/WebTrust) (AT 101)

Type 1 and 2 reporting both still applicable

SLIDE 13

SOC 2 AND 3 REPORTING
• AICPA SOC 2 Report
AT 101 Attest Engagements
Report on Controls at a Service Organization Relevant to Security,
Availability, Processing Integrity, Confidentiality and/or Privacy
(Type 1 and 2 Reports)

• AICPA SOC 3 Report
Trust Services Report
Trust Services Principles, Criteria and Illustrations
(Including WebTrust® and SysTrust®)

SLIDE 14

TRUST SERVICES
• Follows Trust Services Principles, Criteria and Illustrations (Including WebTrust® and SysTrust®)
• The engagement is used to emphasize system reliability
• Based on a prescribed set of control objectives and criteria

Principles
o Security
o Availability
o Processing Integrity
o Confidentiality
o Privacy

Control Areas
o Policies
o Communication
o Procedures
o Monitoring

• Intended audience is system stakeholders
• No restrictions on report distribution
SLIDE 15

ISAE 3402
[Diagram: ISAE 3402 and the corresponding national service-organization reporting standards]
• SSAE 16 – United States
• HKCPA 860.2 – HK/China
• CICA 5970 – Canada
• AUS 810 – Australia
• AAF 01/06 – United Kingdom
• Others

SLIDE 16

REPORT COMPARISON
SOC 2
1. Auditors report
2. Detail system description
3. Management assertion
4. Management controls
5. Auditor tests of controls and results of those tests – criteria

SOC 1/ISAE 3402
1. Auditors report
2. Detail system description
3. Management assertion
4. Management controls
5. Auditor tests of controls and results of those tests – control objectives

SOC 3
1. Auditors report
2. Detail system description
3. Management assertion
4. Management controls
5. Auditor tests of controls and results of those tests

Source: AICPA © 2011
SLIDE 17

CUSTOMERS’ FIDUCIARY RESPONSIBILITY
• Periodically monitor AIS in a formal manner
• Obtain and maintain an understanding of AIS operations
• Assess policies, procedures and controls in place
• Identify recent changes and reportable issues
• Use the latest SOC Type 2 reports to reduce their own compliance efforts
• Obtain a gap letter/negative assurance letter between reports

SLIDE 18

CUSTOMERS’ BENEFITS OF SOC REPORTS
• Streamlined way to obtain detailed and regular input on the
performance of the service organization
• Provides a clear description of the controls in place
• Independently affirms the controls were (1) designed
appropriately, and (2) operating effectively.
• Simplifies ability to fulfill fiduciary responsibilities
• Helps focus on exceptions and issues
• May provide them cost savings through reduced audit fees

SLIDE 19

REVIEWING AN SSAE 16 REPORT
• Audit period covered and whether it is a SOC Type 2 report
• Firm engaged to perform the SOC audits
• Nature of the opinion and if there are any modifications
• Any subservice organizations included or carved out
• Scope of controls and level of detail within control description
• Coverage and sufficiency of the specified control activities
• Extent of changes since prior report
• Nature, timing and extent of testing performed by service auditor
• Nature and extent of exceptions, and their significance
• Review and consideration of the user control considerations

SLIDE 20

AIS INTERNAL CONTACT
Frank Gaff
VP Service Assurance & Chief Compliance Officer
(858) 576-4272 x128
fgaff@americanis.net

“In successfully completing its current suite of
SOC 1, SOC 2 and SOC 3 Type 2 audit reports, AIS
has reinforced its strong commitment to the
security and availability of its data center
facilities and operations.”
Chris Kradjan, Partner, National IT/SOC Practice Leader, Moss Adams
SLIDE 21

Chris Kradjan, CPA, CITP, CRISC
Partner, SSAE 16 National Practice Leader
(206) 302-6511
chris.kradjan@mossadams.com

The material appearing in this presentation is for informational purposes only and is not
legal or accounting advice. Communication of this information is not intended to create, and
receipt does not constitute, a legal relationship, including, but not limited to, an
accountant-client relationship. Although these materials may have been prepared by
professionals, they should not be used as a substitute for professional services. If legal,
accounting, or other professional advice is required, the services of a professional should be sought.

FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 

Moss Adams SSAE 16 SOC Audits

6. VALUE OF SOC AUDITS
• Provide customers independent assurance about AIS’ controls
• Satisfy multiple customers through a single audit
• Help AIS differentiate itself from its competition
• Provide independent feedback to management to define and monitor adherence to established operational metrics
• Identify potential opportunities to strengthen the business practices and operating environment at AIS

8. RELEVANT PARTIES - DEFINED
• Audit of “system”/controls (vs. financial audit)
• AIS performs services (as “service organization”) for its own customers
• In turn, its customers (“user entities”) and their auditors (“user auditors”) want assurance over the AIS systems/controls
• AIS then hired Moss Adams (“service auditor”) to opine on AIS’ systems/controls

9. MOSS ADAMS
• 11th largest accounting and consulting firm
• Reputable and nationally recognized, celebrating 100 years
• Over 1,800 professionals and 240 partners in 22 offices
• Strong acceptance among relevant customers and industries/markets
• Well established in the tech and data center space
• Professionals serving in important leadership roles through the AICPA, COSO, and other national committees
• Proven technical expertise and industry credentials
• Established SOC auditing and testing processes
• Practical, solution-oriented approach

10. AUDIT TEAM
Leads
• Chris Kradjan, Partner
• Francis Tam, Partner
• JP Langlois, Supervisor
Highlights
• Led by the SSAE 16 National Practice Leader
• Comprised of a seasoned SOC team
• Security, operations and controls advisors
• SOC, Sarbanes-Oxley, HIPAA, PCI and internal controls specialists
• CPA, CISA, CISM, CITP, CRISC, PCI QSA

11. SCOPE
Reports
• SOC 1 Type 2 Audit (SSAE 16 and ISAE 3402)
• SOC 2 Type 2 Audit
• SOC 3 Type 2 Audit
Audit Period Ending: April 30, 2012, April 30, 2013, etc.
Sites
• Lightwave Data Center (LWDC)
• San Diego Tech Center (SDTC)
• Fiber Alley Data Centers #1/#2/#3 (FADC)
• One Wilshire Point of Presence (OWPOP)
• Van Buren Data Center (VBDC)

12. CONTROL AREAS
SOC 1/ISAE 3402 Control Areas:
• Service Delivery
• Solutions Design
• Computer Operations
• Logical and Physical Security
• Change Management
• Incident Management
• Disaster Recovery Planning
• Business Continuity Planning
SOC 2 and SOC 3 Principles:
• Security
• Availability
SOC 2 and SOC 3 Control Areas:
• Policies
• Communication
• Procedures
• Monitoring

13. ALPHABET SOUP
Historical with SAS 70:
• SAS 70 Reporting – AU 324
New with SSAE 16:
• SOC 1 – Internal Controls Over Financial Reporting – AT 801
• SOC 2 – Trust Services Principles (detailed reporting) – AT 101
• SOC 3 – Trust Services Principles (SysTrust/WebTrust) – AT 101
Type 1 and Type 2 reporting are both still applicable

14. SOC 2 AND 3 REPORTING
• AICPA SOC 2 Report – AT 101 Attest Engagements: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy (Type 1 and Type 2 Reports)
• AICPA SOC 3 Report – Trust Services Report: Trust Services Principles, Criteria and Illustrations (Including WebTrust® and SysTrust®)

15. TRUST SERVICES
• Follows Trust Services Principles, Criteria and Illustrations (Including WebTrust® and SysTrust®)
• The engagement is used to emphasize system reliability
• Based on a prescribed set of control objectives and criteria
Principles:
o Security
o Availability
o Processing Integrity
o Confidentiality
o Privacy
Control Areas:
o Policies
o Communication
o Procedures
o Monitoring
• Intended audience is system stakeholders
• No restrictions on report distribution

16. ISAE 3402 AND NATIONAL EQUIVALENTS
• ISAE 3402 – International
• SSAE 16 – United States
• HKCPA 860.2 – HK/China
• CICA 5970 – Canada
• AUS 810 – Australia
• AAF 01/06 – United Kingdom
• Others

17. REPORT COMPARISON
SOC 2
1. Auditor’s report
2. Detailed system description
3. Management assertion
4. Management controls
5. Auditor tests of controls and results of those tests – criteria
SOC 1/ISAE 3402
1. Auditor’s report
2. Detailed system description
3. Management assertion
4. Management controls
5. Auditor tests of controls and results of those tests – control objectives
SOC 3
1. Auditor’s report
2. Detailed system description
3. Management assertion
4. Management controls
5. Auditor tests of controls and results of those tests
Source: AICPA © 2011

18. CUSTOMERS’ FIDUCIARY RESPONSIBILITY
• Periodically monitor AIS in a formal manner
• Obtain and maintain an understanding of AIS operations
• Assess policies, procedures and controls in place
• Identify recent changes and reportable issues
• Use the latest SOC Type 2 reports to reduce their own compliance efforts
• Obtain a gap letter/negative assurance letter between reports

19. CUSTOMERS’ BENEFITS OF SOC REPORTS
• Streamlined way to obtain detailed and regular input on the performance of the service organization
• Provides a clear description of the controls in place
• Independently affirms the controls were (1) designed appropriately, and (2) operating effectively
• Simplifies the ability to fulfill fiduciary responsibilities
• Helps focus on exceptions and issues
• May provide cost savings through reduced audit fees

20. REVIEWING AN SSAE 16 REPORT
• Audit period covered and whether it is a SOC Type 2 report
• Firm engaged to perform the SOC audits
• Nature of the opinion and whether there are any modifications
• Any subservice organizations included or carved out
• Scope of controls and level of detail within the control description
• Coverage and sufficiency of the specified control activities
• Extent of changes since the prior report
• Nature, timing and extent of testing performed by the service auditor
• Nature and extent of exceptions, and their significance
• Review and consideration of the user control considerations

21. AIS INTERNAL CONTACT
Frank Gaff
VP Service Assurance & Chief Compliance Officer
(858) 576-4272 x128
fgaff@americanis.net
“In successfully completing its current suite of SOC 1, SOC 2 and SOC 3 Type 2 audit reports, AIS has reinforced its strong commitment to the security and availability of its data center facilities and operations.”
Chris Kradjan, Partner, National IT/SOC Practice Leader, Moss Adams

22. CONTACT
Chris Kradjan, CPA, CITP, CRISC
Partner, SSAE 16 National Practice Leader
(206) 302-6511
chris.kradjan@mossadams.com
The material appearing in this presentation is for informational purposes only and is not legal or accounting advice. Communication of this information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although these materials may have been prepared by professionals, they should not be used as a substitute for professional services. If legal, accounting, or other professional advice is required, the services of a professional should be sought.

Editor’s Notes

1. Trust Services principles and control areas:
• Security. The system is protected against unauthorized access (both physical and logical).
• Availability. The system is available for operation and use as committed or agreed.
• Processing Integrity. System processing is complete, accurate, timely, and authorized.
• Confidentiality. Information designated as confidential is protected as committed or agreed.
• Privacy. Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and CICA.
• Policies. The entity has defined and documented its policies relevant to the particular principle. (The term policies as used here refers to written statements that communicate management's intent, objectives, requirements, responsibilities, and standards for a particular subject.)
• Communications. The entity has communicated its defined policies to responsible parties and authorized users of the system.
• Procedures. The entity has placed in operation procedures to achieve its objectives in accordance with its defined policies.
• Monitoring. The entity monitors the system and takes action to maintain compliance with its defined policies.