Past Event
Event language: English
Wednesday, 12:00 a.m.
Join us for our sixth annual virtual Third-Party Assurance Summit as we cover hot topics and trends in third-party assurance. We will explore opportunities to leverage system and organization controls (SOC) reporting and third-party assurance to establish trust and provide transparency to your customers, business partners, regulators, and stakeholders. Participants may join break-out sessions on emerging topics such as Third-Party Assurance Trends, SOC Basics, evaluating and using Service Auditor Reports, Management Assertion Reports and Financial Services Hot Topics.
PLEASE NOTE: Each session must be registered for individually. Please return to the main page to register for the next session.
Welcome & Opening Plenary | 11:00 AM – 12:20 PM EST
Third Party Assurance Trends and Hot Topics
Participants will hear about emerging trends and hot topics in the third-party assurance landscape. They will gain deeper insights into opportunities to leverage the existing system and organization controls guidance updates. They will also learn about emerging issues related to Artificial Intelligence (AI) and its applicability to third-party assurance.
Host: Shannon Kramer, Principal, Deloitte & Touche LLP
Speakers:
1 Overview CPE credit | Auditing
Learning objectives:
Upon completing this course, participants will be able to:
Breakout Session 1: SOC Basics + Evaluation of Service Auditor Reports | 12:30 PM – 1:30 PM EST
This course is designed to introduce individuals to SOC reports and how they are intended to be used by user entities. Participants will learn about the different aspects of SOC reports including the opinion, assertion, description of the system, and testing of controls performed by the service auditor. Participants will also gain insight into how to evaluate the results of the report, complementary user entity controls, and complementary subservice organization controls.
Host: Katherine Kaewert, Managing Director, Deloitte & Touche LLP
Speakers:
1 Overview CPE credit | Auditing
Learning objectives:
Upon completing this course, participants will be able to:
Breakout Session 2: Management Assertion Reports + FSI Hot Topics & Closing | 1:30 PM – 2:35 PM EST
This course is designed to introduce individuals to management assertion reports and how these reports can be utilized by service organizations. In addition, participants will hear about hot topics that are affecting the financial services industry, including ISO 27001.
Host: Allen Bradley, Managing Director, Deloitte & Touche LLP
Management Assertion Reports:
FSI Hot Topics:
Summit recap and closing:
1 Overview CPE credit | Auditing
Learning objectives:
Upon completing this course, participants will be able to:
Shannon Kramer
Principal, Deloitte & Touche LLP
Welcome & Opening Plenary, TPA Trends, Closing remarks
Shannon brings over 25 years of experience leading advisory risk, internal controls and compliance reviews in support of independent financial statement audits, third party examinations, and internal audit engagements. She brings a wealth of knowledge leading a number of SOC reports during her previous roles as well as her current role as US Third Party Assurance Leader.
Carrie Kostelec
Lead Manager - SOC & Related Services, AICPA
Plenary Guidance updates
Carrie Kostelec is Lead Manager for SOC & Related Services for the Association of International Certified Professional Accountants, where she leads efforts related to the development and maintenance of the SOC suite of services, including SOC 2, SOC for Cybersecurity, and SOC for Supply Chain.
Prior to her work at the AICPA, Carrie leveraged her experience at a top-25 CPA firm to write and technically review audit manuals and tools covering a variety of topics, including nonattest services and SOC examinations, for a leading publisher of guidance for small-to-medium sized CPA firms.
Matt Bogusch
Managing Director, Deloitte & Touche LLP
Plenary Guidance updates
Matt has over 24 years of professional experience, including 20 years of managing and performing information systems and business process control reviews spanning multiple platforms and numerous applications for large, complex, multinational clients within the Consumer Products and Financial Services Industries. Matt focuses on Sarbanes-Oxley 404 and SOC 1 reports, and has experience with ERP security and controls, including SAP, Oracle, and JD Edwards.
Matt has a Master of Science in Information Systems and an MBA from Penn State University. He has a B.S. in accounting from the University of Scranton. Matt is a Certified Public Accountant in Pennsylvania (CPA), Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP), Certified Information Technology Professional (CITP), and is certified in the Governance of Enterprise Information Technology (CGEIT).
Kim Dragovic
Senior Manager, Deloitte & Touche LLP
FSI Hot Topics
Kim is a Senior Manager in our Risk and Financial Advisory practice serving clients within the financial services industry. She has over 16 years of experience within the insurance industry serving as an IT Specialist. Her expertise includes conducting both integrated and non-integrated financial statement internal control audits, Sarbanes-Oxley compliance and readiness assessments, internal audits, and third-party assurance attestation engagements (SOC 1, SOC 2, Agreed Upon Procedures). Other services that Kim has provided to her clients include assisting with the remediation of controls to align with SOX, regulatory requirements and leading practices, controls rationalization and redesign, information security assessments, IT Risk Management services, and business process control improvements.
Ivan Mendez Gonzalez
Manager, Deloitte & Touche LLP
SOC Basics + Evaluation of Service Auditor Reports
Ivan Mendez Gonzalez is a Manager in Deloitte Risk & Financial Advisory, specializing in the IT & Specialized Assurance offering. With over 8 years of professional experience, Ivan has a strong background in third-party assurance audits (SOC1 and SOC2), primarily serving clients in the investment management and technology industries.
In his current role, Ivan leads multiple teams in executing year-round audit engagements, gaining a deep understanding of IT processes, identifying areas of IT risk, assessing internal controls, and analyzing data to present findings to management.
Katherine Fortune Kaewert
Managing Director, Deloitte & Touche LLP
Intro SOC Basics + Evaluation of Service Auditor Reports
Katherine has over 19 years of experience evaluating the design and operating effectiveness of business cycle, general computer, internal security, and entity level controls as part of internal and financial statement audits. She specializes in SOC 1 and SOC 2 audits and leads SOC engagements for payroll, technology, SaaS, and workers compensation third party administrator clients, specializing in internal control risk and compliance.
Additionally, Katherine has strong experience in a range of engagements, providing business cycle and IT services, as well as evaluating complex business and technology risks and opportunities for internal control improvement for companies in the technology, media, and manufacturing industries.
Stacie King
Managing Director, Deloitte & Touche LLP
FSI Hot Topics
Stacie has over twenty-five years of experience providing operational and risk management services to Deloitte's clients in the financial services industry. She is also a leader in the firm's efforts to provide Third Party Assurance services to our clients and actively participates in developing the firm’s guidance and ensuring quality around these services at a national level.
Stacie specializes in evaluating risks and controls for our clients. She leads engagement teams in assisting our clients in the review of current business processes and technology operations, documentation of existing processes and procedures, identification of risks and controls, and identification of opportunities for improved processes and controls.
Tushar Sainani
Managing Director, Deloitte & Touche LLP
AI update
Tushar Sainani has 17+ years of Banking and Investment Management industry experience spanning internal audit and Controls Attestation (SOX, SOC1 / SOC2). Tushar currently leads the Nexus Digital Nerve Center innovation offering which delivers automated control testing and execution solutions to clients. He is also a member of the Blockchain / Digital Assets Assurance team that developed Deloitte's Digital Assets Assurance framework. Tushar has extensive knowledge of Business Process and Information Systems, which he has utilized to advise clients on conducting automation, analytics and visualization of controls, SOX, internal audits, process improvement, design and implementation of controls framework, third party vendor risk management and Cyber services. Tushar has facilitated and moderated at multiple industry conferences in the US such as FIRMA, SIFMA, CPE - SEC, etc. on the above noted topics of automation, analytics and vendor risk management. He has also facilitated Deloitte's SOX modernization, and other Greenhouse labs that enable controls transformation—leading change through analytics, automation, collaboration with external audit, and more.
Xing Yan
Senior Manager, Deloitte & Touche LLP
SOC Basics + Evaluation of Service Auditor Reports
Xing is a Risk and Financial Advisory Senior Manager in Deloitte & Touche LLP, within the Assurance market offering. Xing has over 15 years of experience leading multiple teams in a geographically dispersed environment, performing risk assessments, third party assurance audits (SOC 1 and SOC 2), compliance audits (FICCA), SOX IT control audits, business operations, and information technology external and internal audit reviews. Xing has mainly worked on engagements for clients in the Investment Management, Mortgage Servicing, Insurance, and Entertainment industries.
Xing's current responsibilities include leading teams to execute audit engagements for multiple clients, understanding compliance, business operations, and IT processes, defining areas of risk, developing audit plans, assessing internal controls, executing test plans, and analyzing and interpreting data to present to C-suite and stakeholders.
Dan Zychinski
Managing Director, Deloitte & Touche LLP
Management Assertion Reports
Dan is a Managing Director with Deloitte & Touche LLP in Atlanta, Georgia, and specializes in providing internal control assurance and internal controls and risk consulting services to clients in the technology and financial services industries. Dan serves some of our largest technology clients with responsibility for overseeing the management and delivery of our services related to third party assurance reporting, internal controls, controls readiness, and information technology auditing.
In a boundaryless environment like the cloud, it can be all too easy to assume that certain cloud risks are someone else’s obligation. But having a clear understanding of assurance expectations and knowing who is responsible can help user organizations avoid the pitfalls that go with a false sense of security.
Increasingly, companies are turning to third parties to manage core business and IT processes, giving outsource service providers (OSPs) access to sensitive data, with implications on internal control environments. As companies increasingly demand third-party assurance (TPA) reports, how can OSPs develop a streamlined approach?
The release of the Cybersecurity Maturity Model Certification (CMMC) brings changes to the Department of Defense (DoD) Supply Chain for both contractors and subcontractors. As CMMC will be a requirement to do business with DoD, it is critical for DoD contractors to understand what CMMC means for their organizations and begin preparing now.
Doing business as an “extended enterprise” is now the norm. Today, companies of all sizes routinely rely on an ecosystem of service organizations to carry out a wide array of functions, many of them mission-critical. Through these loosely coupled networks of third parties, companies have been able to vastly expand their reach and capabilities, often extending around the world to create new and exciting market opportunities.
Blockchain, in many ways, appears to signify the dawn of a new era as it relates to the way we store and exchange value. In fact, it can be considered one of the biggest technology breakthroughs in recent history, similar to the advent of the Internet in the early 1990s. At that time, the Internet provided a new and more sophisticated way to search and share information, a way that was much more efficient and transparent.
Service organizations often find themselves serving many industries across multiple geographies, which expands the range of compliance and regulatory requirements they must meet. Under increasing compliance pressures, companies are asking their service organizations to demonstrate the efficacy of their controls to higher degrees. In some cases, SOC reports have become a pre-requisite for service organizations to win new business with established companies.