Everything You Need To Know About IFRS

1. Introduction

The International Financial Reporting Standards (IFRS) are a set of global accounting standards that have been developed and coordinated by the International Accounting Standards Board (IASB). The IASB is an independent, not-for-profit organization which was established in 2001, comprising of representatives from around the world. The primary objective of the IASB is to develop a single set of high-quality global accounting standards that will enable companies to comparably present financial statements across international borders.

2. Background on IFRS

The International Financial Reporting Standards (IFRS) are a bunch of worldwide bookkeeping norms that have been created by the International Accounting Standards Board (IASB).

IFRS are used by more than 160 countries, and have been adopted by some of the world’s largest economies, including the United States, Canada, and Japan. They are also increasingly being used in emerging markets.

3. What are the benefits of IFRS?

International Financial Reporting Standards (IFRS) provide a common global framework for financial reporting. IFRS is given by the International Accounting Standards Board (IASB).

The benefits of using IFRS include:

– improved comparability of financial statements across companies and industries
reduced costs of preparing and reading financial statements
– improved access to capital and investment
– reduced distortion of competition
– better assessment of a company’s financial position and performance.

Build trust on you services. Get you SOC2 Report now

4. The main changes under IFRS

The most significant changes brought about by IFRS 15, Revenue from Contracts with Customers, are:
– The recognition of revenue is based on the principle of allocation to the performance obligations in a contract.
– Income is perceived when a client acquires control of a good or service.
– A contract’s price is allocated to the performance obligations in the contract based on their relative stand-alone selling prices.
– The amount of revenue recognized reflects the amount that is expected to be realized as consideration for transferring goods or providing services to customers.
– The gauge of variable thought is refreshed at each reporting period.

5. Converting to IFRS

The International Financial Reporting Standards (IFRS) is a set of global accounting standards that are designed to bring transparency and comparability to financial statements around the world. adoption of International Financial Reporting Standards

has been accelerating in recent years, with over 100 countries now using them as their official accounting standards.

There are a number of reasons why companies might choose to convert to IFRS. Some of the benefits of using IFRS include increased clarity and comparability of financial statements, a reduction in financial reporting complexity, and improved access to financing.

6. How will IFRS affect you?

The International Financial Reporting Standards (IFRS) will affect companies in a number of ways. One of the most important changes is that companies will need to present their financial statements in a more uniform way. This will make it easier for investors to compare companies and make informed investment decisions.

SOC 2 Audit for Amazon AWS Environments

SOC 2 Audit for Amazon AWS Environments

With the migration to the cloud happening at record pace, thousands of companies are currently
being needed to become SOC 2 compliant every year. In this blog, we will be touching upon the key
areas and their importance from a SOC2 perspective related to Amazon Web Services (AWS) being
used as a cloud platform.
SOC 2 Scoping & Readiness Assessment: Understanding scope and also the what business
processes are to be enclosed inside your SOC 2 audit is important, and conjointly for mitigating any
kind of scope related problems. Since you’re hosting your services (i.e., your production
environment) in AWS, it would have its own variety of advantages along with your SOC 2 audit.
oFirst, a wide range of the physical security controls are lined by AWS themselves as their
personal information centers store your virtual server instances.
oSecond, AWS incorporates a decent number of audit & compliance, and management tools &
solutions that are straightforward to “spin up” in any surroundings, additional serving to
compliance needs
Leverage AWS’ SOC Reports for Scope Reduction: For the CPA firm you engaged with to
perform your SOC 2 audit, they’ll kindle you to get a replica of AWS’ most current SOC 2 report,
and for an obvious reason – scope reduction. A large range of the controls you’ll want for SOC 2
compliance are literally lined by AWS’ report. From physical and environmental controls –AWS’
SOC 2 must be leveraged.

Utilize AWS’s Security and Compliance Tools: CloudWatch logs reports on application logs,
whereas CloudTrail Logs details on specific info on what occurred in your AWS account. These are
simply some samples of the various tools that AWS has accessible for your growing security,
governance, and regulative compliance desires.

Visit https://aws.amazon.com/products/security/ and you’ll notice a list of tools and solutions for
serving to meet growing regulative compliance desires for not solely SOC 2, but HIPAA, HITRUST,
GDPR, PCI DSS, FISMA, and far a lot of. Here may be a sneak peek at the various tools accessible
for from AWS in serving to with growing regulative compliance needs:

o AWS object: The AWS object portal provides on-demand access to AWS’ security and
compliance documents, conjointly referred to as audit artifacts.
o AWS Certificate Manager: AWS Certificate Manager may be a service that permits you
to simply provision, manage, and deploy Secure Sockets Layer/Transport Layer Security
(SSL/TLS) certificates.
o AWS CloudHSM: The AWS CloudHSM service helps you meet
company, written agreement and regulative compliance needs for information security by
mistreatment dedicated Hardware Security Module (HSM) appliances inside the AWS cloud.
o Amazon Cognito: Amazon Cognito permits you to add user sign-up/sign-in and access
management to your net and mobile apps quickly and simply.
o AWS Identity and Access Management (IAM): Use AWS Identity and Access
Management (IAM) to regulate users’ access to AWS services. Produce and manage users and
teams, and grant or deny access.

There are more tools accessible from AWS once it involves security & compliance, therefore use
them as required. They’ll build life within the cloud and they’ll build your SOC 2 audit much easier.
Implement the Tools: Sounds simple, however we’ll got to with courtesy prompt you that simply
knowing that such tools are accessible isn’t enough, you would like to place them to smart use as
auditors can wish to envision proof of such. If you’re not aware of AWS in terms of their toolsets
and offerings for regulative compliance, then it’s necessary to search out for AWS security &
compliance.

Develop AWS info Security Policies and Procedures: One among the foremost aspects of
turning into SOC 2 criticism is developing all the specified info security policies and procedures.
Specifically, SOC 2 is significant on documentation, and you’ll have to be compelled to place in situ
strong, literary InfoSec policies. However a lot of necessary, these policies have to be compelled to
be written specifically for your surroundings inside AWS.
Here’s simply a little sample of policy documents you’ll want for turning into SOC 2 compliant:
o Access management
o Information backup
o Incident response
o Information retention and disposal
o Security and patch management – and many more.
Perform Essential Operational Initiatives: Four key operational initiatives that you simply
should perform for SOC 2 compliance are:
o Perform annual risk assessment
o Check your incident response annually
o Implement security awareness coaching
o Conduct vulnerability scans periodically

The Audit Begins: The auditors are going to be inquiring for a wide range of evidences.
Specifically, they’ll be requesting documentation (i.e., policies and procedures), proof of varied
system settings (this can are available the shape of screenshots), proof of operational measures
undertaken, like security awareness coaching, risk assessments, and more. It’s therefor essential to
produce them with any and every one requests that return your means. In short, be clear along with
your auditors.
We believe this the article would have enhances your understanding of AWS controls from a SOC2
perspective. Please reach out to us if you would like to know more about data security or need any
help to perform a SOC/ GDPR certification for your organization.

Visit our website https://accorppartners.com/soc/index.php to read more articles related to SOC
reporting.

History of SOC reporting

History of SOC reporting

 

This blog helps you understand the history and background of SOC reporting and a brief overview of how it came into
existence and evolved as a way of addressing risks associated with outsourcing services.
Brief History
The increased prominence on governance, risk management, and compliance has steered companies to focus on internal
controls over all aspects of their operations. Service organizations providing outsourced services (IT, business processes,
etc.) often engage a third party audit firm to certify the design and operating effectiveness of these controls. The auditor’s
inspection of an organization’s internal control and the impact that a service organization may have on the entity’s
control environment has long been an area of focus in designing an acceptable audit approach.
The original standard for attesting was known as SAS 70 and was an established way by which service organizations
could illustrate the effectiveness of their internal controls. The SAS 70 audit was performed by a CPA and the result was a
report on the effectiveness of internal control over financial reporting (ICFR). This report was often used by the
organizations to show that a vendor was secure and safe to work with. However, the report was principally was not meant
for that purpose.

Introduction of SSAE 16

The technology evolved and so did the AICPA’s attestation standards. SSAE No. 16 reporting standards was completed by
the AICPA in January 2010. SSAE 16 beneficially replaced SAS 70 as the reliable guidance for reporting on service
organizations. SSAE 16 was officially issued in April 2010 and became effective on 15th June 2011. SSAE 16 was drafted
with the objective and purpose of updating the US service organization reporting standard so that it reflects and adheres
to the new international service organization reporting standard – ISAE 3402.
SSAE 16 also established a new attestation standard called AT 801 which contained guidance for performing the service
auditor’s examination. Many service organizations that had previously performed a SAS 70 examination now switched to
the new standard in 2011 and now had an enhanced SSAE 16 report (also referred to as a Service Organization Controls
(SOC) 1 report).

The upgraded SSAE 18

The SSAE no. 18 (Statement on standards of attestation engagements) used for SOC reporting is the latest periodic
statement issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants
(AICPA) effective from 1st May 2017. Following were the key changes in transforming from SSAE16 to SSAE18:
 SOC as defined under the SSAE-16 Standard stood for ‘Service Organization Control’. Under the new
Standard, SOC now stands for ‘System and Organizational Controls’, and applies to other types of
organizations and both system and/or entity-level controls.
 In the SSAE-16 Standard, complementary user-entity controls (CUEC) were defined as those controls at userentity organizations that were both necessary and unnecessary to achieve control objectives stated in
management’s description. Under the SSAE 18 Standard, CUEC are now defined as those controls that are only
necessary to achieve control objectives stated in management’s description.
 The new SSAE-18 Standard adds requirements related to subservice organizations (SSO) and vendor
management processes. When subservice organization is carved out, the inclusion of SSO controls are now
provided in management’s description similarly to CUECs. Also, vendor management processes to monitor the
effectiveness of controls at SSO have been stressed upon.
 The new SSAE-18 Standard requires that the Management Assertion letter accepting responsibility for the
description be signed. Previously, a Management Assertion letter was required but it did not have to be signed.
 The new SSAE-18 Standard has also included revisions to the language used in the Management Assertion Letter
and Service Auditor’s report to accommodate general changes and those associated with complementary userentity and subservice organization controls.

The following table summarizes some of the Statements relative to internal control, the effect of information technology
on a financial statement audit, and service organizations, that have been made since SAS No.70 standards introduced in
1992.
Statement Name Date Issued Title of Statement
SAS No. 70 April 1992 Service Organizations
SAS No. 78 December 1995
Consideration of Internal Control in a
Financial Statement Audit: An
Amendment to Statement on
Auditing Standards No. 55
SAS No. 88 December 1999 Service Organizations and Reporting
on Consistency
SAS No. 94 May 2001
The Effect of Information Technology
on the Auditor’s Consideration of
Internal Control in a Financial
Statement Audit
PCAOB No. 2 March 2004
An Audit of Internal Control over
Financial Reporting in Conjunction
with an Audit of Financial
Statements. (Note: Appendix B refers
to Service Organizations)
PCAOB No. 5 May 2007
An Audit of Internal Control over
Financial Reporting that is Integrated
with an Audit of Financial
Statements. (Note: Appendix B17-B17
covers Service Organization
considerations.)

ISAE No. 3402 December 2009 Assurance Reports on Controls at a
Service Organization
SSAE No. 16 April 2010 Reporting on Controls at a Service
Organization
SSAE No. 18 May 2017
Concepts common to all Attestation
engagements (with more stress on
system details, CUEC
(complimentary user organization
controls) and SSO (sub-service
organization) controls.)

Hope this blog would have added to your understanding the knowledge related to SOC reporting standards.
Stay connected and feel free to reach out for knowing more about different types SOC reporting.

Understanding a SOC 3 Report

Understanding a SOC 3 Report

 

Overview

Over the last decade, companies have started to see outsourcing as a way of reducing
costs and improving inefficiencies which lead to a rapid growth in outsourcing of
software as service and other cloud-based technologies. The change led to an
increased demand of SOC reports and has also increased the necessity for auditor
reporting at service organizations to make sure that these service providers have
appropriate internal controls in place to manage their information systems. As these
requests from customers for these reports become more frequent, it can often
become confusing on which report you ought to be providing also as which report
are going to be more useful for the Service Organization.

Introduction

AICPA has 5 main Trust Services Criteria namely security, availability, processing
integrity, confidentiality and privacy. A Service Organization Control 3 (SOC 3)
report provides information related to a service organization’s internal controls
around these TSCs.
A SOC 3 is intended for a public audience. These reports are short and include lesser
details as compared to a Soc 2 report, which is distributed to a focused audience of
stakeholders. Due to generic nature, Soc 3 reports can be shared openly and posted
on a company’s website to portray their compliance. However, the report may still
be invaluable for an organization looking for insights on their current security and
control landscape.

Difference Between a SOC 2 and SOC 3 Report

Basically, both SOC 2 and SOC 3 reports revolve around same AICPA standards and
the work performed by the service auditor for the two reports is very similar. Both
reports are based on the AICPA’s TSCs and the controls identified and tested are
usually same for both the reports. Following are some key differences between both
the reports:
• SOC 2 reports can be either Type I or a Type II while a SOC 3 report is always
a Type II report
• SOC 3 report has a less detailed description of controls related to compliance
and operations. Also, it does not include detailed testing procedures or results
of testing.
• SOC 2 reports are meant for restricted use reports of the service organization’s
management, customers, and customers’ auditors. On contrary, SOC 3 reports
are general use reports that can be distributed freely as they contain
significantly less detail.
• SOC 3 report are more used as tool for attracting prospective customers but it
may not satisfy the needs of current customers and their auditors.
• A SOC 2 report is larger in size as it includes an auditor’s opinion,
management’s assertion, a detailed description of the system. It also includes
description of service organization’s internal controls and their test results
performed by the service auditors. However, a SOC 3 report is much smaller in
size and consists of a brief auditor’s opinion, management assertion, and a
brief narrative providing background on the service organization. It contains
very less detail on the specific controls operating within the service
organization

Benefits of a SOC 3 Report

Following are some key benefits of obtaining a SOC 3 report:
• It evidences that your organization invests in security measures and portrays
customers that you’re transparent about your practices
• SOC 3 report can help enhance your company’s credibility and gain the trust of
new clients.
• Provides you an edge over competitors who do not have any third-party
certification
• A positive report demonstrates you have a professional team and your
organization cares about clients to ensure that their data is safe from cyber
threats.

Summary

To conclude, it is relatively easier for an organization to decide if they need a SOC 1
or a SOC 2 because the key difference between being that SOC 1 is more inclined
towards impact of service organization’s controls on the customer’s internal control
over financial reporting. The decision becomes a little more difficult when deciding
between a SOC 2 and SOC 3 report.
Important thing to remember is that a SOC 2 is a restricted use report that contains
detailed information on the system, the controls in place, the service auditor’s test
procedures and the results of their test procedures. SOC 2 reports are useful for
corporate oversight, vendor management programs, internal corporate governance
and risk management processes.

A SOC 3 is a general use report that does not include much detail and is a great
marketing tool. They can be used to attract new client and induce confidence and
trust in both upcoming and existing clients.
We believe this the article would have enhanced your understanding about SOC 3
reports. Please feel free to reach out if you have any queries related to SOC reports
or need to get a SOC/ISO/GDPR certification done for your organization.
You can also visit our website https://accorppartners.com/soc/index.php to read
more articles related to SOC reporting

Learn More to visit on Audit
/Review/Compilation