Using DoD SSAE 16/18 Service Organization Control (SOC) Reports - PDI 2017


Office of the Under Secretary of Defense (Comptroller)
Office of the Deputy Chief Financial Officer

Using DoD SSAE 16/18 Service Organization Control (SOC) Reports
(to Support Your Audit and A-123 Compliance)

American Society of Military Comptrollers (ASMC) – PDI
June 2, 2017

James Davila, Accountant, FIAR Directorate, Office of the Deputy Chief Financial Officer, OUSD(C)
Bradley Keith, Director, PwC Public Sector, LLP

Using DoD SSAE 16/18 Service Organization Control (SOC) Reports

Discussion Topics

1) Service Organization Relationships
   - Key Concepts
   - End-to-End Process Relationships
   - Service Organization Identification
2) Addressing Service Organization Controls
   - Available Options
   - Available SOC 1 Reports
   - Relevant SOC 1 Reports
3) Using the Service Organization Controls Report
   - Desired Outcomes
   - SOC 1 Report Sections
   - Areas for Consideration
   - CUECs and CSOCs
   - Reliability of Data (and Reports)
   - Common Evaluation Pitfalls
   - Reporting / User Entity Responsibilities
4) OUSD(C) FIAR Support and Available Resources

Service Organization Relationships Key Concepts

End to End Business Process

Parts of the audit-relevant Reporting Entity business process are performed by one or more Third Parties.

[Diagram: the Reporting Entity (Initiate / Execute) and a Third Party (Initiate / Execute) both feed the Financial Statements.]

The Reporting Entity is responsible for internal controls over financial reporting.

End to End Business Process

It is critical to determine which Third Parties meet the definition of a “Service Organization” for A-123 and audit purposes (and which do not). Such parties may be labelled “Service Providers”, “Vendors”, “Third Parties” or “Working Partners”.

What is the specific nature of the relationship (i.e., who does what)?

End to End Business Process

AU-C 402: Audit Considerations Relating to an Entity Using a Service Organization.

A7 The significance of the controls at the service organization to the user entity's internal control also depends on the degree of interaction between the service organization's activities and those of the user entity. The degree of interaction refers to the extent to which a user entity is able to and elects to implement effective controls over the processing performed by the service organization.

For example, a high degree of interaction exists between the activities of the user entity and those at the service organization when the user entity authorizes transactions and the service organization processes and accounts for those transactions. In these circumstances, it may be practicable for the user entity to implement effective controls over those transactions.

On the other hand, when the service organization initiates or initially records, processes, and accounts for the user entity's transactions, a lower degree of interaction exists between the two organizations. In these circumstances, the user entity may be unable to, or may elect not to, implement effective controls over these transactions at the user entity and may rely on controls at the service organization.

Who Does What? For each step, which party Initiates? Executes / Internally Records? performs the Accounting Processing?

The Financial Statement Auditor will follow the Auditing Standards.

End to End Business Process

Why is this so important? If a Service Organization relationship / dependency exists (whatever the party is called: “Service Provider”, “Vendor”, “Third Party” or “Working Partner”):

- The Reporting Entity must address Service Organization (and Sub-service Organization) controls for OMB Circular A-123 (Appendix A) / ICOFR.
- The Reporting Entity financial statement auditor will also need to address the Service Organization (and Sub-service Organization) controls in financial statement audits and examinations.

Service Organization Controls? You and / or your auditor can’t ignore / assume what happens inside the “Black Box”.

End to End Business Process

[Diagram: the Reporting Entity and its Service Organizations as interlocking pieces.]

If a Service Organization relationship exists, all of the pieces need to fit. Roles and responsibilities must be aligned.

Addressing Service Organization Controls

Addressing Service Organization Controls

How do I do this? There are a few options.

Compliance with OMB Circular A-123 (Appendix A) / ICOFR:
- Reporting Entity team documents and tests Service Organization controls.
- Reporting Entity obtains controls documentation and testing performed by Service Organization management and reviews for adequacy. Reporting Entity team or Service Organization management addresses gaps.
- Reporting Entity obtains / reviews Service Organization Controls (SOC 1) Reports on the design and operating effectiveness of internal controls over financial reporting at Service Organizations (and Sub-service Organizations).

Financial Statement Audit (must comply with audit independence requirements):
- Reporting Entity financial statement auditors (User Auditor) document and test Service Organization controls.
- Reporting Entity financial statement auditors (User Auditor) obtain / review Service Organization Controls (SOC 1) Reports on the design and operating effectiveness of internal controls over financial reporting at Service Organizations (and Sub-service Organizations).

It is very inefficient for each / every Reporting Entity and their auditor to redundantly test Service Organization controls versus relying on the SOC 1 Reports.

Addressing Service Organization Controls

How do I do this? What SOC 1 reports are available?

[Timeline chart, FY 2005 through FY 2018, placing each DoD SOC 1 report by fiscal year and opinion. Reports shown: U.S. Army GFEBS; DFAS FBWT Treasury Reconciliation; U.S. Army Conventional Munitions; DFAS Vendor Pay; Compensation Benefit & Payment (OWCP) Bill Processing; Total Systems Services; DFAS Contract Pay; DFAS Standard Disbursing; Treasury Investments & Borrowings; Treasury Funds Management; DFAS FBWT Treasury Distribution; DLA SOIDC; DMDC DTS; DFAS Financial Reporting; DMDC DCPDS; DCMA Contract Pay; Treasury Admin Resource Center; Retail Payment Processing; DISA (ATAAPS); Citigroup Technology Infrastructure (CTI); Elavon, Inc.; US Bank AXOL; US Bank SYNCADA; DLA iRAPT; DFAS Military Pay; DLA DAI; DLA DAAS; AT&L / DLA DPAS; DISA (EIS); DFAS Civilian Pay. Legend: Unqualified / Unmodified Opinion; Qualified / Modified Opinion; TBD.]

Significant progress has been achieved but much remains to be done.

Addressing Service Organization Controls

How do I do this? What SOC 1 reports are available?

DoD SSAE 16/18s as of May 2017 (SSAE 16/18 Service Provider: DFAS)

Columns: Assessable Unit | System(s) Included | FY 2014: IPA Firm / Opinion / Reporting Period | FY 2015: IPA Firm / Opinion / Reporting Period | FY 2016: SSAE 16 for FY 16? / IPA Firm / Opinion / Reporting Period / Report Issuance Date | FY 2017: SSAE 16 for FY 17? / IPA Firm / Projected Opinion / Expected Reporting Period / Expected Report Issuance Date

Civilian Pay | DCPS | KPMG / Unmodified / Oct 2013 - Jun 2014 | KPMG / Unmodified / Oct 2014 - Jun 2015 | Yes / KPMG / Unmodified / Oct 2015 - Jun 2016 / Aug 12, 2016 | Yes / KPMG / TBD / Oct 2016 - Jun 2017 / Aug 15, 2017

Military Pay | DJMS-AC, DJMS-RC, DMO (Web) | KPMG / Unmodified / Oct 2013 - Jun 2014 | KPMG / Modified / Oct 2014 - Jun 2015 | Yes / KPMG / Modified / Oct 2015 - Jun 2016 / Aug 17, 2016 | Yes / KPMG / TBD / Oct 2016 - Jun 2017 / Aug 17, 2017

Standard Disbursing Service | ADS, ADS IPAC MegaWizard, 22 MicroApps: DD 2657 Statement of Accountability, State Tax Access Database, State Tax Microsoft Excel workbook, Post Certification Validation Tracking Workbook, GTN Month YR Excel Workbook, DJMSwkstmmyy excel workbook, Defense Civilian Payroll System (DCPS) Tracking Spreadsheet, 8522 IPAC Tracking Workbook (Excel), SSN 8522 ACH Spreadsheet, MMYYYY Batch Tracker, 6102 Voucher Workbook (Excel), Cleveland Consolidated Workbook (Excel), 2657 Workbook (Excel), E&C Reconciliation Workbook (Excel), DIT Tracker Workbook (Excel), IPAC Tracking Workbook (Excel), Kansas City Central Site IPAC Wizard (Access) | KPMG / Unmodified / Oct 2013 - Jun 2014 | KPMG / Unmodified / Oct 2014 - Jun 2015 | Yes / KPMG / Unmodified / Oct 2015 - Jun 2016 / Aug 15, 2016 | Yes / KPMG / TBD / Oct 2016 - Jun 2017 / Aug 15, 2017

Contract Pay | MOCAS, EAS, EUD (APVM / PPVM), SCRT, BAM ERMP | GT / Unmodified / Nov 2013 - Apr 2014 | GT / Unmodified / Oct 2014 - Jun 2015 | Yes / GT / Unmodified / Oct 2015 - Jun 2016 / Aug 15, 2016 | Yes / GT / TBD / Oct 2016 - Jun 2017 / Aug 15, 2017

Vendor Pay | OnePay, CAPS-W, CAPS-W Data Center, ODS, DCD/DCW, STARS, BAM, APVM | NA | NA | No / NA | Yes / GT / TBD / Feb 2017 - Jul 2017 / Sep 15, 2017

FBWT - Transaction Distribution | DCAS, SAMS | NA | NA | Yes / KPMG / Modified / Mar 2016 - Sep 2016 / Nov 14, 2016 | Yes / KPMG / TBD / Oct 2016 - Jun 2017 / Aug 15, 2017

FBWT - Treasury Reconciliation | DRRT | Mar 2014 - Nov 2014 (IPA Firm and Opinion not legible in the transcription) | Kearney / Modified / Dec 2014 - Jul 2015 | Yes / Kearney / Modified / Oct 2015 - Jul 2016 / Sept 15, 2016 | Yes / Kearney / TBD / Oct 2016 - Jul 2017 / Sept 15, 2017

Financial Reporting | DDRS (AFS, B, DCM), 8 MicroApps: NWCF Trading Partner DB, Eliminator, MOCAS Data Call, Data Call Validation Tool, OMB Max Recon, Inventory Control, Employee Benefits, Buyer & Seller Side Eliminations | (FY 2014 - FY 2017 entries not legible in the transcription)

IPA Firm abbreviations: GT – Grant Thornton; PwC – PricewaterhouseCoopers; Kearney – Kearney & Company; WACO – Williams Adley & Co.; E&Y – Ernst & Young; CBH – Cherry, Bekaert & Holland; RMA – RMA Associates; RESJ – Robins, Eskew, Smith & Jordan.

Multiple SOC 1s are underway or planned.

Addressing Service Organization Controls

How do I do this? What SOC 1 reports are available?

DoD SSAE 16/18s as of May 2017 (SSAE 16/18 Service Providers: DMDC, DCMA, DLA, AT&L, DISA, U.S. Army, U.S. Bancorp)

Columns: Service Provider | Assessable Unit | System(s) Included | FY 2014: IPA Firm / Opinion / Reporting Period | FY 2015: IPA Firm / Opinion / Reporting Period | FY 2016: SSAE 16 for FY 16? / IPA Firm / Opinion / Reporting Period / Report Issuance Date | FY 2017: SSAE 16 for FY 17? / IPA Firm / Projected Opinion / Expected Reporting Period / Expected Report Issuance Date

DMDC | Defense Civilian Personnel Data System (DCPDS) | DCPDS | PwC / Modified / Oct 2013 - Jun 2014 | KPMG / Unmodified / Oct 2014 - Jun 2015 | Yes / KPMG / Unmodified / Oct 2015 - Jun 2016 / Aug 15, 2016 | Yes / KPMG / TBD / Oct 2016 - Jun 2017 / Aug 15, 2017

DMDC | Defense Travel System (DTS) | DTS | N/A | WACO / Modified / Oct 2014 - Jun 2015 | Yes / WACO / Modified / Oct 2015 - Jun 2016 / Sep 08, 2016 | Yes / KPMG / TBD / Oct 2016 - Jun 2017 / Aug 15, 2017

DCMA | Contract Pay | MOCAS, eTools | GT / Modified / Feb 2014 - Oct 2014 | GT / Modified / Feb 2015 - Sept 2015 | Yes / GT / Modified / Jan 2016 - June 2016 / Aug 15, 2016 | Yes / GT / TBD / Oct 2016 - Jun 2017 / Aug 15, 2017

DLA | Wide Area Work Flow - Invoices Receipt Acceptance and Property Transfer (WAWF - iRAPT) | iRAPT | RMA / Modified / Mar 2014 - Aug 2014 | WACO / Modified / Oct 2014 - Jun 2015 | Yes / GT / Modified / Oct 2015 - Jun 2016 / Aug 15, 2016 | Yes / RMA / TBD / Oct 2016 - Jun 2017 / Aug 15, 2017

DLA | Defense Agency Initiative (DAI) | DAI | WACO / Modified / Jan 2014 - Jun 2014 | WACO / Unmodified / Oct 2014 - Jun 2015 | Yes / GT / Modified / Oct 2015 - Jun 2016 / Aug 15, 2016 | Yes / RMA / TBD / Oct 2016 - Jun 2017 / Aug 15, 2017

DLA | Defense Automatic Addressing System (DAAS) | DAAS | E&Y / Modified / Sep 2013 - Feb 2014 | WACO / Modified / Oct 2014 - Jun 2015 | Yes / GT / Modified / Oct 2015 - Jun 2016 / Aug 15, 2016 | Yes / RMA / TBD / Oct 2016 - Jun 2017 / Aug 15, 2017

DLA | Service Owned Items in DLA Custody (SOIDC) | DSS | NA | NA | Yes / Kearney / Modified / Jan 2016 - Sept 2016 / Apr 28, 2017 | No / NA

AT&L | Defense Property Accountability System (DPAS) | DPAS | CBH / Unmodified / Oct 2013 - Jun 2014 | CBH / Unmodified / Jul 2014 - Jun 2015 | Yes / CBH / Unmodified / Oct 2015 - Jun 2016 / Aug 26, 2016 | Yes / CBH / TBD / Oct 2016 - Jun 2017 / Aug 15, 2017

DISA | Operations Center (FY 15-16 Scope) | Mechanicsburg, Ogden, Oklahoma City, Montgomery | KPMG / Unmodified / Oct 2013 - Jun 2014 | E&Y / Unmodified / Oct 2014 - Jun 2015 | Yes / E&Y / Unmodified / Oct 2015 - Jun 2016 / 15-Aug-16 | Yes / E&Y / TBD / Oct 2016 - Jun 2017 / Aug 15, 2017

DISA | Automated Time Attendance and Production System (ATAAPS) | ATAAPS | N/A | E&Y / Modified / Oct 2014 - Jun 2015 | Yes / E&Y / Modified / Oct 2015 - Jun 2016 / 15-Aug-16 | Yes / E&Y / TBD / Oct 2016 - Jun 2017 / Aug 15, 2017

U.S. Army | Conventional Ammunition | LMP, WARS-NT, SAAS-MOD | – | – | – | Yes / KPMG / TBD / Oct 2016 - Mar 2017 / TBD

U.S. Army | General Fund Enterprise Business System (GFEBS) | GFEBS | – | – | – | No / NA

U.S. Bancorp | Corporate Payment Systems (CPS): U.S. Bank Freight Payment Transaction Processing System | Syncada | E&Y / Unmodified / Oct 2013 - Sept 2014 | E&Y / Unmodified / Oct 2014 - Sept 2015 | Yes / E&Y / Unmodified / Oct 2015 - Jul 2016 / Sept 19, 2016 | Yes / E&Y / TBD / Aug 2016 - Jul 2017 / Sept 15, 2017

U.S. Bancorp | Total Systems Services (TSYS), Subservice Org to CPS, for credit management processing | TS1 & TS2 | – | – | Yes / KPMG / Unmodified / Jan 2016 - Sep 2016 / Oct 31, 2016 | Yes / KPMG / TBD / Jan 2017 - Sep 2017 / Oct 2017

U.S. Bancorp | Elavon, Inc., Subservice Org to CPS, for daily processing services related to carrier billing | Merchant Processing System (MPS) | – | – | Yes / E&Y / Unmodified / Nov 2015 - Oct 2016 / Dec 19, 2016 | Yes / E&Y / TBD / Nov 2016 - Oct 2017 / Dec 2016

U.S. Bancorp | Retail Payment Processing (RPS), Subservice Org to CPS, for processing check, electronic payments & research payment discrepancies | Integrated Card System, Triad, ACAPS, Falcon, SeQual, CASPER, CME, SAR, CA Web Viewer, IVR, ARMS | – | – | Yes / E&Y / Unmodified / Nov 2015 - Oct 2016 / Dec 19, 2016 | Yes / E&Y / TBD / Nov 2016 - Oct 2017 / Dec 2016

U.S. Bancorp | Commercial Card Transaction Processing System (ELAN) | Access Online, SeQual, Corporate Payments Mgt Information System (CPMIS), Automated Credit Application Processing System (ACAPS) | N/A | E&Y / Unmodified / Nov 2014 - Oct 2015 | Yes / E&Y / Unmodified / Nov 2015 - Oct 2016 / Dec 15, 2016 | Yes / E&Y / TBD / Nov 2016 - Oct 2017 / Dec 15, 2017

(The three E&Y rows for MPS, RPS and ELAN are assigned in the order in which they appear in the extracted table.)

Addressing Service Organization Controls

How do I do this? What SOC 1 reports are available?

DoD SSAE 16/18s as of May 2017 (SSAE 16/18 Service Providers: U.S. Department of Labor, Citi, U.S. Treasury). FY 2014 and FY 2015 columns are blank for these providers.

Columns: Service Provider | Assessable Unit | System(s) Included | FY 2016: SSAE 16 for FY 16? / IPA Firm / Opinion / Reporting Period / Report Issuance Date | FY 2017: SSAE 16 for FY 17? / IPA Firm / Projected Opinion / Expected Reporting Period / Expected Report Issuance Date

U.S. Department of Labor | Compensation Benefit & Payment for Medical Services for Federal Civilian Employees | Integrated Federal Employees' Compensation System (iFECS); Office of the Assistant Secretary for Administration and Management (OASAM) General Support System (GSS) | Yes / KPMG / Unmodified / Oct 2015 - Jun 2016 / Rec'd Oct 13 2016 | Yes / KPMG / TBD / (period shown as Oct 2015 - Jun 2016) / Early Sept

U.S. Department of Labor | Office of Workers' Compensation Program (OWCP) Bill Processing / Central Bill Processing System | Central Bill Processing System | Yes / RESJ / Unmodified / Oct 2015 - Mar 2016 | Yes / RESJ / TBD / (period shown as Oct 2015 - Mar 2016) / Early Sept

Citi | Travel Card | Citigroup Technology Infrastructure (CTI), Global Information Security (GIS), Global Identity Admin (GIDA). Mainframe Systems include: IBM z/OS, Unisys ClearPath. Midrange include: Stratus, Nonstop Tandem, & IBM series and various types of physical & virtual UNIX, Linux and Windows operating systems | Yes / KPMG / (opinion not legible) / Jan 2016 - Sep 2016 / Rec'd Jan 26, 2017 | Yes / KPMG / TBD / Jan 2017 - Sep 2017 / Dec 2017

U.S. Treasury Admin Resource Center | Accounting, Budgeting, Reporting, Travel, Procurement, Systems Support & Platform Services | Oracle Federal Financials (Oracle) & Discoverer. Feeder Systems: PRISM, IPP, CGE, moveLINQ & E-Payroll to Oracle Reporting (EOR). ARC provides application admin of feeder systems. | Yes / KPMG / Unmodified / Jul 2015 - Jun 2016 / Sep 1, 2016 | Yes / KPMG / TBD / Jul 2016 - Jun 2017 / Sep 2017

U.S. Treasury Federal Investments & Borrowings | Investment Transactions for Government Securities | InvestOne Accounting System & FedInvest Subsystem | Yes / KPMG / Unmodified / Aug 2015 - Jul 2016 / Sep 23, 2016 | Yes / KPMG / TBD / Aug 2016 - Jul 2017 / Sep 2017

U.S. Treasury Funds Management | Management & Accounting Services for Select Gov't Trust Funds, Treasury managed accounts, accounts of Treasury's Office of the Asst Sec for Int'l Affairs | InvestOne Accounting System & FedInvest Subsystem | Yes / KPMG / Unmodified / Aug 2015 - Jul 2016 / Sep 23, 2016 | Yes / KPMG / TBD / Aug 2016 - Jul 2017 / Sep 2017

Addressing Service Organization Controls

How do I do this? Which SOC 1s do I need?

Projected FY 2017 SSAE 18 Distribution List to DoD Components (Based on Components' Responses), as of Jan 27, 2017

SOC 1 reports (columns of the distribution matrix):
- DFAS - Service Provider: Standard Disbursing Services (ADS); Military Pay (DJMS & DMO); Financial Reporting (DDRS); Civilian Pay (DCPS); Contract Pay (MOCAS, EAS, EUD (APVM/PPVM), SCRT, BAM ERMP); Vendor Pay (CAPSW, OnePay, ODS, DCD/DCW, STARS, CAPSW Data Center, BAM-ERMP, APVM); Fund Balance with Treasury Transaction Distribution, Defense Cash Accountability System (DCAS)
- DLA - Service Provider: Defense Automatic Addressing System (DAAS); Wide Area Work Flow - Invoices Receipt Acceptance and Property Transfer (WAWF - iRAPT); Defense Agency Initiative (DAI); Service Owned Items in DLA Custody - SOIDC, Distribution Standard System (DSS)
- AT&L - Service Provider: Defense Property Accountability System (DPAS)
- DoDHRA DMDC - Service Provider: Defense Civilian Personnel Data System (DCPDS); Defense Travel System (DTS)
- DCMA - Service Provider: Contract Pay (MOCAS)
- DISA - Service Provider: Automated Time Attendance and Production System (ATAAPS); Enterprise Computing Service
- U.S. Bank: Corporate Payment Systems - Freight Payments System (Syncada); Commercial Credit Card Processing System (Access Online)

DoD Components (No., Component, Tier); the marks showing which reports each Component receives are not legible in this transcription, and several cells read “USTRANSCOM reviewing”:
1 Air Force GF (Tier 1)
2 Air Force WCF (Tier 1)
3 Army GF (Tier 1)
4 Army WCF (Tier 1)
5 Navy GF & WCF (Tier 1)
6 USACE (Tier 1)
7 USMC GF & WCF (Tier 1)
8 DIA (Defense Intelligence Agency) (Tier 2)
9 NGA (National Geospatial-Intelligence Agency) (Tier 2)
10 NRO (National Reconnaissance Office) (Tier 2)
11 NSA (National Security Agency) (Tier 2)
12 DCAA (Tier 2)
13 DeCA (GF & WCF) (Tier 2)
14 DFAS (as reporting entity) (Tier 2)
15 DHA-CRM (Tier 2)
16 DHA (FOD, NCR, Comptroller) (Tier 2)
17 SMA-Army (Tier 2)
18 SMA-Navy (Tier 2)
19 SMA-USAF (Tier 2)
20 DISA (GF & WCF) (Tier 2)
21 DLA (GF, WCF & Strategic Materials) (Tier 2)
22 USSOCOM (Tier 2)
23 USTRANSCOM (Tier 2)
24 USUHS (Tier 2)
25 CBDP (Tier 3)
26 DARPA (Tier 3)
27 DCMA (Tier 3)
28 DoDEA (Tier 3; “See Note Below”)
29 DSCA (Tier 3)
30 DTRA (Tier 3)
31 MDA (Tier 3)
32 Office of Chairman of JCS (Tier 3)
33 WHS (Tier 3)
34 DAU (Tier 4)
35 DHRA (Tier 4)
36 DLSA (Tier 4)
37 DMA (Defense Media Activity) (Tier 4)
38 DMEA (Defense Micro-Electronics Activity) (Tier 4)
39 DoDIG (Tier 4)
40 DPMO / DPAA (Def POW/MIA Accounting Agency) (Tier 4)
41 DSS (Tier 4)
42 DTIC (Tier 4)
43 DTSA (Tier 4)
44 NDU (Tier 4)
45 OEA (Tier 4)
46 AT&L DPAS (as a service provider) (Tier N/A)
47 DCMA Contract Pay (as a service provider) (Tier N/A)
48 DFAS (Std Disb, Mil Pay, Fin Rpting, Civ Pay, Contract Pay, FBWT-DCAS) (as a service provider) (Tier N/A)
49 DLA (iRAPT, DAI & DAAS) (as a service provider) (Tier N/A)
50 DISA ATAAPS (as a service provider) (Tier N/A)
51 DMDC DTS (as a service provider) (Tier N/A)

User Entities are responsible for report distribution within their organizations.

Addressing Service Organization Controls

How do I do this? Which SOC 1s do I need?

Subservice Organizations (matrix of Service Organization SOC 1s against their Subservice Organizations; the X marks of the original matrix are not legible in this transcription)

Service Organization SOC 1s (expected FY 17): DFAS - Contract Pay; DFAS - Vendor Pay*; DFAS FBWT - Transaction Distribution; DFAS - Standard Disbursing; DFAS - Military Pay; DFAS - Civilian Pay; DFAS FBWT - Treasury Reconciliation*; DFAS - Financial Reporting; DMDC - Defense Civilian Personnel Data System (DCPDS); DMDC - Defense Travel System (DTS); DCMA - Contract Pay; DLA - Invoice Receipt Acceptance and Property Transfer (iRAPT); DLA - Defense Agency Initiative (DAI); DLA - Defense Automatic Addressing System (DAAS); DLA - Service Owned Items in DLA Custody (SOIDC); DLA - Defense Property Accountability System (DPAS); DISA - Enterprise Services (Hosting); DISA - Automated Time & Attendance Production System (ATAAPS); U.S. Bancorp - Freight Payment Transaction Processing; U.S. Bancorp - Commercial Card Transaction Processing System; U.S. Department of Labor Integrated Federal Employees' Compensation System (Relates to Federal Employees' Compensation Act (FECA)).

Subservice Organizations, Other (DoD): Defense Finance and Accounting Service (DFAS); DFAS (DCPS); DFAS (ATAAPS); DFAS Accounting Operations Directorate; Defense Contract Management Agency (DCMA); Defense Logistics Agency (DLA); Defense Manpower Data Center (DMDC); DISA Enterprise Services (ES); DISA Joint Interoperability Test Command (JITC).

Subservice Organizations, Other (Non-DoD): U.S. Bank National Retail Lockbox; U.S. Bank Retail Payment Solutions (RPS); Convergys Corporation; Carpathia (Hosting Facility Contractor); Elavon, Inc.; Total System Services, Inc. (TSYS); Federal Retirement Thrift Investment Board (FRTIB); Edgeweb; Sprint and SunGard; First Federal; Verizon; Xerox.

* Expected FY 17. Subservice Organization updates / changes are probable.

Addressing Service Organization Controls

How do I do this? Which SOC 1s do I need?

Civilian Pay FY 16 SOC 1 “Family”: the DFAS Civilian Pay (DCPS) SOC 1 and the related SOC 1s for DISA Enterprise Services, the Defense Civilian Personnel Data System (DCPDS), DAI / ATAAPS Time & Attendance, DFAS Standard Disbursing (ADS) and DFAS FBWT Transaction Distribution (DCAS).

DISA Enterprise Services (Civilian Pay SOC 1 – Page 41): DISA ES provides the physical hosting and administration of DCPS. Specific functions / responsibilities include:
- Maintenance of the hardware and system software supporting DCPS.
- Protection of computer platforms and resident software and data from unauthorized physical access and environmental hazards.
- Administration of logical access to ACF 2.
- Performance of certain computer operations activities for the mainframe platforms supporting DCPS, including monitoring of processing, and resolution of any deviations from the pre-defined processing schedule.
- Administration of data transmission utilities and monitoring of data transmissions to and from the mainframe platforms supporting DCPS.
- Performance of uptime monitoring and assistance with the resolution of availability issues related to DCPS.
- System software, application, and data backup and recovery.

Defense Civilian Personnel Data System (Civilian Pay SOC 1 – Page 41): DCPDS is an HR information support system for maintaining civilian personnel data in the DoD. DCPDS is used to provide HR / personnel support such as applicant ratings, employee appointments, reassignments, and promotions.

DAI / ATAAPS Time & Attendance (Civilian Pay SOC 1 – Page 29): Some user entities send their T&A data into DCPS using batch files generated from separate, user entity operated T&A systems.

DFAS Standard Disbursing (ADS) and DFAS FBWT Transaction Distribution (DCAS) (Civilian Pay SOC 1 – Page 33):
- The DD 592 file is sent to ADS for processing by Disbursing Operations and to the Defense Cash Accountability System (DCAS) for use in downstream reconciliations and financial reporting.
- Check and EFT Payment Files: On a bi-weekly basis, DCPS produces check and EFT payment files interfaced to ADS for disbursement to user entity civilian employees.

Note: The DLA DAAS SOC 1 may also be applicable for those entities routing interface files through this system.

SOC 1 reports may point you / your auditor where to go. Follow the End-to-End Process.

Using the Service Organization Controls Report

How do I use the SOC 1 report? Desired Outcomes

What are we trying to achieve?
- Unqualified / Unmodified SOC 1 Opinions (performed under the examination standards SSAE 18, AT-C 105, AT-C 205, AT-C 320).
- Controls Reliance: Reporting / User Entities place reliance on the SOC 1 Reports (following A-123 Appendix A / ICOFR requirements).
- User Auditors place reliance on the SOC 1 Reports (as allowed by the auditing standards, e.g., AU-C 402).

An Unqualified SOC 1 does not automatically result in User Auditor reliance.

How do I use the SOC 1 report? Desired Outcomes

The User Auditor’s ability to rely on internal controls directly affects audit and audit support costs.

Level of Controls Reliance | Auditor Sample Sizes
High Internal Controls Reliance | Minimum Sample Sizes (optimum for a large financial statement audit)
Some Internal Controls Reliance | Reduced Sample Sizes (sufficient for a financial statement audit)
No Internal Controls Reliance | Maximum Sample Sizes (10s to 100s of thousands of sample items across DoD; inefficient and unsustainable)

How do I use the SOC 1 report? SOC 1 Report Structure

A SOC 1 Report typically includes the following sections:

Section 1: Independent Service Auditor’s Report
Section 2: Assertion Provided by Management of the Service Organization
Section 3: Description of the Service Organization, including an overview of relevant operations and applications
  - Complementary User Entity Controls (CUECs)
  - Subservice Organizations and Complementary Subservice Organization Controls (CSOCs)
Section 4: Service Organization’s Control Objectives and Related Controls (Control Objectives, Controls, and Tests of Operating Effectiveness)
Section 5: Other Information Provided by Service Organization Management (UNAUDITED)

Read the report and assess the impact on your risk of financial misstatement.

How do I use the SOC 1 report? Areas for Consideration

1. Service auditor competency
2. Scope exclusions
3. Carve-outs
4. CUECs
5. CSOCs
6. Evaluation of relevant controls
7. Reliability of data
8. Results of tests
9. Opinion
10. Gap Periods

Your auditor will consider these. So should you.

How do I use the SOC 1 report? What are CUECs and CSOCs?

Example DFAS Control Objective: Controls provide reasonable assurance that logical access to DCPS programs and data is restricted to authorized users.

CSOCs (SSAE 18): DFAS controls were designed assuming certain controls were in place at the Subservice Organization (DISA). These assumptions will now be included in Management’s Description for each Subservice Organization. Some basis is needed for the assumptions, and DFAS is responsible for monitoring Sub-service providers.

CUECs (SAS 70, SSAE 16, and SSAE 18): DFAS controls were designed assuming certain controls were in place at the customer (Reporting Entity). These assumptions have been and will continue to be included in Management’s Description. Some basis is needed for the assumptions, but DFAS is not responsible for monitoring customers.

[Diagram: DISA Controls, DFAS Controls (Designed & Operating Effectively) and User Entity Controls together achieve the Control Objective.]

Appropriate controls need to be in place at the Reporting Entity, Service Organization(s), and Sub-service Organization(s) to achieve the Control Objective.

How do I use the SOC 1 report? What are CUECs and CSOCs?

[Diagram: Reporting / User Entities and Reporting Entity / User Auditors; the DFAS Civilian Pay Service SOC 1 (Controls, CUECs, CSOCs); the DISA Hosting Services SOC 1 (Controls, CUECs).]

- CUECs (SSAE 16 & 18): DFAS controls were designed assuming certain controls were in place at the customer (Reporting Entity).
- CSOCs (SSAE 18): DFAS controls were designed assuming certain controls were in place at the Subservice Organization (DISA).
- CUECs (SSAE 16 & 18): DISA controls were designed assuming certain controls were in place at the customer (DFAS).

Appropriate controls need to be in place at the Reporting Entity, Service Organization(s), and Sub-service Organization(s) to achieve the Control Objective.

How do I use the SOC 1 report? Reliability of Data (and Reports)

Background: The clarified standards require the service auditor to evaluate whether system generated information is sufficiently reliable for the service auditor’s purposes “by obtaining evidence about its accuracy and completeness and evaluating whether the information is sufficiently precise and detailed.” They also require the service auditors and the service organization to validate system generated information and reports by detailing how they are generated, who prepares such reports and ensuring the requisite level of detail in such reports.

Effectiveness of controls depends in part on the controls over the accuracy and completeness of the system-generated data or reports.

Classes of system generated information: the following are the types of data that should be evaluated as part of the SOC 1 attestation:
- Information used in the execution of controls within the SOC 1 report.
- Information provided by the service organization to the service auditor to perform testing of controls.
- Information provided to the user entity.

User Entities should understand what reports are being generated by the Service Organization and then confirm whether those reports are included in the SOC 1.

How do I use the SOC 1 report? Reliability of Data (and Reports)

Translation:
1. Reports / data that are relied upon by the Service Organization to perform controls in their SOC 1 (e.g., user access list, reconciliation reports, spreadsheets, etc.).
2. Reports / data that are used by the Service Auditor to perform SOC 1 testing (e.g., user access listings, transaction populations).
3. Reports / data that are provided to the User Entity and are relied upon in your financial reporting (e.g., reporting package, external outputs).

How do I use the SOC 1 report? Common Evaluation Pitfalls

- Certain applications or interface programs used by some user entities might not be included in the scope of the report, and / or important IT controls may be scoped out.
- The report may be directed at only a limited number of user entities, or the coverage is only for certain locations.
- Relevant reports from the Service Organization may not be included within the scope of the procedures performed by the Service Auditor.
- All exceptions (not just those within qualified objectives) are not considered for relevance and impact to the User Organizations.
- Subservice Organization SOC 1 reports are not obtained and reviewed.

Reporting Entity Responsibilities for Service Organization Controls

Establish MOUs that clearly identify who is responsible for what.

1. Identify all Service Organizations (Service Providers) that impact the Reporting Entity’s internal controls over financial reporting.
2. Document an understanding of the Service Providers' impact on the Reporting Entity’s Financial Reporting and Associated Risks.
3. Document the Reporting Entity’s Understanding of Service Provider Controls in Place to Mitigate Financial Reporting Risks.
4. Evaluate the Design and Operating Effectiveness of Service Provider Controls in Place to Mitigate Financial Reporting Risks.
5. Address Complementary User Entity Controls (CUECs) Identified by the Service Provider (i.e., implement effective controls within the Reporting Entity).
6. Establish Regular Communications with Service Providers to Monitor Performa

