{"id":159,"date":"2017-04-02T02:09:40","date_gmt":"2017-04-02T02:09:40","guid":{"rendered":"https:\/\/www.jasonsblog.place\/?p=159"},"modified":"2017-04-02T02:09:40","modified_gmt":"2017-04-02T02:09:40","slug":"newer-ways-of-audit-reporting-on-third-party-companies","status":"publish","type":"post","link":"https:\/\/www.jasonsblog.place\/index.php\/2017\/04\/02\/newer-ways-of-audit-reporting-on-third-party-companies\/","title":{"rendered":"Newer Ways of Audit Reporting on Third Party Companies"},"content":{"rendered":"<p>I went to a recent meeting of the <a href=\"http:\/\/www.isaca-northtexas.org\/\">North Texas chapter of ISACA<\/a>, and there was a presentation on SSAE 18.\u00a0 For those of you who don&#8217;t know, <a href=\"https:\/\/www.ssae-16.com\/ssae-18-an-update-to-ssae-16-coming-2017\/\">SSAE 18<\/a> supersedes <a href=\"http:\/\/www.aicpa.org\/InterestAreas\/FRC\/AssuranceAdvisoryServices\/Pages\/SORHome.aspx\">SSAE 16<\/a>, and consolidates Service Organization Controls reporting into something more manageable.\u00a0 Here, I&#8217;ll talk about what I&#8217;ve learned about SSAE 18, SOC 1, and SOC 2.<\/p>\n<p>In SSAE 18, more emphasis has been put on testing the design of controls for subservice organizations (e.g. third parties to which the organization has contracted out some process) and whether they are doing what they are supposed to be doing.\u00a0 The auditor, through Service Organization Control (SOC), has to report on the effective use of these controls.\u00a0 In the case of a SOC 1 report, they would assist in testing the controls as they pertain to the financial statements.\u00a0 With SOC 2, the auditor reports on the controls with regard to security, availability, integrity, and confidentiality.<\/p>\n<p>Now the auditor has to look for things such as complementary user entity controls, which are the controls that are assumed to be in place for users. 
\u00a0The auditor will have to look at reports from the subservice company to the main organization. \u00a0They will have to see whether the organization is actually <em>verifying<\/em> the information in the report. \u00a0For instance, the auditor will have to see whether system-generated reports are being validated by the users of these reports. \u00a0The processing integrity principle will be used heavily in this situation.<\/p>\n<p>This audit will look at how management has chosen the suitable criteria for the control, and how well they&#8217;ve measured the subject matter (note that &#8220;subject matter&#8221; means the risk relevant to entities using the subservice company).\u00a0 So an auditor will look at whether the risk is something related to the entity&#8217;s business with the subservice company, then check the metrics of the current control, and see whether they are actually related to the control.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I went to a recent meeting of the North Texas chapter of ISACA, and there was a presentation on SSAE 18.\u00a0 For those of you who don&#8217;t know, SSAE 18 supersedes SSAE 16, and consolidates Service Organization Controls reporting into something more manageable.\u00a0 Here, I&#8217;ll talk about what I&#8217;ve learned about SSAE 18, SOC 1, 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[71,2,7],"tags":[35,60,34,73,74,75,72],"class_list":["post-159","post","type-post","status-publish","format-standard","hentry","category-audit-and-reporting","category-finance","category-information-technology","tag-audit","tag-it-audit","tag-management","tag-soc-1","tag-soc-2","tag-ssae-16","tag-ssae-18"],"_links":{"self":[{"href":"https:\/\/www.jasonsblog.place\/index.php\/wp-json\/wp\/v2\/posts\/159","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jasonsblog.place\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jasonsblog.place\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jasonsblog.place\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jasonsblog.place\/index.php\/wp-json\/wp\/v2\/comments?post=159"}],"version-history":[{"count":12,"href":"https:\/\/www.jasonsblog.place\/index.php\/wp-json\/wp\/v2\/posts\/159\/revisions"}],"predecessor-version":[{"id":171,"href":"https:\/\/www.jasonsblog.place\/index.php\/wp-json\/wp\/v2\/posts\/159\/revisions\/171"}],"wp:attachment":[{"href":"https:\/\/www.jasonsblog.place\/index.php\/wp-json\/wp\/v2\/media?parent=159"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jasonsblog.place\/index.php\/wp-json\/wp\/v2\/categories?post=159"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jasonsblog.place\/index.php\/wp-json\/wp\/v2\/tags?post=159"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}