Achieving Vendor Assurance through SOC-1 Reports

Duration: 90 Minutes
IT outsourcing continues to grow with no signs of slowing. As organizations continue to use service providers to perform various IT tasks, it becomes more important to set up a compliance program that assesses the performance of those service providers. One well-known way is with the SOC-1 Type II report, also known as an SSAE-16 report. This fast-moving 90-minute webinar will highlight many aspects, issues and suggestions that an auditor can use in assessing controls at a service provider. The webinar is presented from the perspective of a person who is using the report.
SOC-1 Reports
Instructor: Jerry D. Norton
Product ID: 501887
Objectives of the Presentation
  • Brief background on the standards: What are SOC-1, SOC-2 and SOC-3 reports? What is the difference between a Type I and a Type II report? SOC-1 versus ISAE 3402: what are the differences?
  • Structure of a SOC-1 Type II report
  • How to assess the reputation of the audit firm that generated the report
  • The number one rule for determining which controls at your vendor are key
  • Cost to obtain the report
  • How to write a test script / lead sheet for a vendor's SOC-1 report, and how to conduct the test using the report
  • Methods of misleading users of SOC-1 reports
  • The problem with User Control Considerations
  • What to do if the report shows exceptions, assessing materiality
Why Should you Attend
SOC-1 Type II reports are more common than ever, and companies that outsource IT functions often rely on them to gain reasonable assurance of the effectiveness of the controls those vendors perform. IT auditors must know how to use these reports. Unexpected situations, issues, and many unanswered questions pop up when assessing controls at a vendor.

This webinar is aimed at people who have run into these issues. How do you address them? How do you obtain assurance when there are gaps in the content of SOC-1 reports? How do you compensate for exceptions that are identified in SOC-1 reports? How do you address gaps where the SOC-1 report does not cover everything you believe is important?

Areas Covered
  • The types of reports and their structure. What a SOC-1 report can and can't do
  • How to obtain SOC-1 reports
  • Restrictions on the use of SOC-1 reports, both legal restrictions and those imposed by the standards
  • The several basic test steps that are required whenever you receive a SOC-1 report. Here's how to do those tests
  • The purpose of receiving a SOC-1 report is so you can assess both the design effectiveness and the operating effectiveness of controls being performed on your behalf at an outsourced service organization. This course addresses how to set up tests, assess design and operating effectiveness, and conclude on these controls at your vendor
  • You can mostly, but not totally, trust the contents of a SOC-1 report. This course addresses specific situations where the SOC-1 may be inadequate or misleading and where additional work might be needed
  • Ways vendors shift accountability back to your company / organization
  • Nobody is perfect. Occasionally your service organization will have an audit exception. What do these exceptions mean for your organization? This webinar advises on how to evaluate and conclude on these findings
  • Special situations: several special situations are discussed. Topics include how to address PCI-DSS penetration test requirements when such tests are typically prohibited against your vendor, timing issues between the end of a SOC-1 report's coverage period and the date it is issued, and nested layers of outsourcing
Who will Benefit
  • This webinar is directed at IT auditors who receive SOC-1 reports from service organizations and must use them in assessing the design and operating effectiveness of controls performed by the vendor
  • Public accounting firms and their IT auditors will benefit from this information. Internal auditors and controls assessors at every organization that has outsourced IT functions (virtually 100% of companies / organizations in the USA) must also understand these issues to properly assess the controls they have outsourced to vendors
Topic Background
SOC-1/SSAE-16 reports and their predecessor, the SAS-70 Type II report, are well known in IT compliance circles. Instructional webinars, seminars and videos typically address the obvious, but not the less obvious lessons learned from real-life application of SOC-1 reports to your situation. This webinar addresses the unusual issues you are likely to encounter. You still need to sign your name to IT tests even when unusual items have been detected. This webinar seeks to be an authoritative source of solid and reputable information that can help you, as an IT audit and compliance professional, address those unusual items.
Instructor Profile:
Jerry D. Norton, CISA, PMP, CGEIT, ITILv3, is Director of Smashing Wave Advisors LLC, an IT consulting firm that specializes in corporate governance and project management. He is a visionary, accomplished, and award-winning compliance project manager and auditor with years of extensive experience in governance and auditing within medical, pharmaceutical, educational, financial, insurance, accounting, retail, IT, non-profit, and government projects. He has a proven record in implementing SOX and other regulations, liaising with external auditors, managing outsourced IT teams, developing and training staff, and overseeing capital and operating budgets. Mr. Norton has been on both sides of SOC-1 reports: creating them as part of a public-accounting team and utilizing them while conducting audits on behalf of clients.

His governance experience includes SEC reporting requirements, SOX, COSO, HIPAA, FDA CFR Part 21, FCPA, the European Union Safe Harbor provision, SOC I and SOC II audits, management of outsourced IT teams, auditing of IT systems and related security, IT risk assessments and forensic investigation. Prior to joining Candela Solutions, Mr. Norton consulted with companies throughout the nation, including over five years with Keane, Inc. He has over 15 years' experience in IT auditing and compliance. Consulting projects have included the design and implementation of compliance programs for SOX, PCI-DSS, HIPAA, BASEL II, and European privacy regulations at new and emerging companies.

Currently Mr. Norton is at Walt Disney's Compliance Department and has been designated by PricewaterhouseCoopers, LLP as an auditor on whose work they are willing to rely. Recent clients include Ford Motor Company, Exact Sciences, BAE Systems and SAB Miller. He earned a Bachelor of Arts degree in Business from Eckerd College, speaks frequently on IT governance issues, serves on a Board of Directors and is a published author.
