Service Organization Control (SOC) Reports: What they are and what to do with them MARCH 21, 2017
Presenter Colin Wallace, CPA/CFF, CFE, CIA, CISA, Partner. Colin has provided management consulting and internal audit services to public, private, government, and not-for-profit organizations since 2002. He has organized and performed financial, operational, and compliance audits throughout the United States and abroad, and has worked on all aspects of the internal audit process including planning, analysis, reporting, and project management. Colin has led numerous fraud investigations involving misappropriation and misuse of company assets, the Foreign Corrupt Practices Act, and management override of internal controls. In addition, he has managed significant SOC examination and SOX 404 assessment projects from initial implementation to final reporting. Colin is an active member of the firm's Technology, Communications and Media Group and is a leader of the firm's forensic and investigative services team. He currently serves as the quality control practice leader for the Business Risk Group.
Presenter Kim Koch, CPA, Partner. Kim has practiced public accounting since 2001 and has over 15 years of experience in conducting SOC audits, financial statement and compliance audits, attestation examinations, and internal control assessments. Kim serves clients in a variety of industries including technology companies, publicly traded entities, private businesses, third party administrators, and government agencies. She regularly presents continuing professional education sessions internally and externally, including topics related to SOC 1, SOC 2, and SOC 3 reporting. Kim is on the team that develops the firm's tools for SOC audits and also regularly reviews the AICPA's proposed changes to SOC requirements.
OBJECTIVES
Understand the importance of a SOC report
Recognize the differences between SOC 1, 2, and 3 reports
List items that are and aren't covered in SOC reports
Analyze the scope of your provider's report
Assess the impact of complementary user entity controls and internal control exceptions
Work with an auditor or management to evaluate and complement their service providers' controls
SOC REPORTS & MITIGATING RISK
The rise in outsourcing tasks and functions to service providers increases exposure to risk.
Simple questionnaires and contractual clauses are inadequate.
There is a need for vendor management and vendor due diligence.
OVERVIEW
Historical: SAS 70 reporting
New with SSAE 16: SOC 1 (internal controls over financial reporting)
New with AT 101: SOC 2 (Trust Services Principles, detailed reporting) and SOC 3 (Trust Services Principles, summary reporting)
DEFINITIONS
SOC 1 Report
o A report on controls at a service organization which are relevant to the user entities' internal control over financial reporting.
SOC 2 Report
o A report on controls at a service organization related to compliance or operations, based on the Trust Services Principles and Criteria. Principles covered include Security, Availability, Processing Integrity, Confidentiality and/or Privacy.
SOC 3 Report
o A general-use report that provides only the auditor's report on whether the system achieved the Trust Services Criteria, without including a description of tests and results or an opinion on the description of the system.
SOC COMPARISON: REPORTING OPTIONS
Summary
o SOC 1: Detailed report for users, auditors and specified parties
o SOC 2: Detailed report for users and auditors
o SOC 3: Summary report that can be more generally distributed
Applicability
o SOC 1: Focused on financial reporting risks and controls specified by the service provider. Most applicable when the service provider performs financial transaction processing or supports transaction processing systems.
o SOC 2 / SOC 3: Focused on the Trust Services Principles (Security, Availability, Confidentiality, Processing Integrity, Privacy). Applicable to a broad variety of systems.
SOC COMPARISON: SCOPE
Required focus
o SOC 1: Internal control over financial reporting
o SOC 2 / SOC 3: Compliance or operational controls
Defined scope and systems
o SOC 1: Classes of transactions; procedures for processing and reporting transactions; accounting records of the systems; handling of significant events and conditions other than transactions; report preparation for users; other aspects relevant to processing and reporting user transactions
o SOC 2 / SOC 3: Infrastructure, software, procedures, people, data
Control domains covered
o SOC 1: Transaction processing controls; supporting information technology general controls
o SOC 2 / SOC 3: Security, Availability, Confidentiality, Processing Integrity, Privacy
Level of standardization
o SOC 1: Control objectives are defined by the service provider and may vary depending on the type of service provided.
o SOC 2 / SOC 3: Principles are selected by the service provider; specific predefined criteria are used rather than control objectives.
SOC COMPARISON: REPORT STRUCTURE
SOC 1: Auditor's opinion; Management assertion; System description (including controls); Control objectives; Control activities; Tests of operating effectiveness*; Results of tests*; Other information (if applicable)
SOC 2: Auditor's opinion; Management assertion; System description (including controls); Criteria; Control activities; Tests of operating effectiveness*; Results of tests*; Other information (if applicable)
SOC 3: Auditor's opinion; Management assertion; System description (including controls); Criteria (referenced)
*Note: Only applicable for Type II reports.
SOC COMPARISON: REPORT TYPES
Type I (SOC 1 and SOC 2)
o Coverage: Point in time
o Assessment: Design
Type II (SOC 1 and SOC 2)
o Coverage: Period of time
o Assessment: Design; Operating effectiveness; Results of tests
INTERNATIONAL REPORTING
ISAE 3402 (international) and its national equivalents:
o SSAE 16 (SOC 1): United States
o CICA 5970: Canada
o AAF 01/06: United Kingdom
o HKCPA 860.2: HK/China
o AUS 810: Australia
o Others
WHY ARE SOC REPORTS IMPORTANT?
Services outsourced to service organizations are relevant to the audit when these services and related controls are part of the entity's information system which is relevant to financial reporting.
When reliance is placed on controls at service organizations and their sub-service providers, it is important to obtain and review SOC reports covering a sufficient portion of the audit period.
WHY DO WE REVIEW SOC REPORTS?
[Diagram: outsourced payroll example. Inputs to the service organization (new hire information, employee terminations, other employee master file changes) feed the payroll register and payroll journal entries, which flow into the financial statements.]
PCAOB OBSERVATIONS
Reliance on service organizations was not identified or not properly documented.
Sub-service organizations that were scoped out of the report were not addressed.
Complementary user entity controls were not sufficiently tested or not properly linked to the test of controls.
Update procedures were not properly performed or documented when the auditor's report did not sufficiently cover the entire audit period.
Control exceptions identified by the service provider were not evaluated to determine the sufficiency of audit procedures.
HOW ARE SOC REPORTS EVALUATED?
Inventory
o Inventory existing outsourced vendor relationships to determine whether third-party assurance may be required
Assess
o Assess the key financial reporting risks associated with significant outsourced vendors
Identify
o Identify in-scope service organizations
o Identify relevant reports that have been obtained and determine appropriateness
o Identify any additional reports or documents needed to complete the assessment (e.g., bridge letter, Management's discussion with the service provider, etc.)
Test and Conclude
o Assess the adequacy of the SOC report scope
o Perform review procedures to evaluate the operating effectiveness of controls relied upon at the service organization
STRUCTURE AND CONTENTS OF SOC 1/SOC 2 REPORTS
The structure and contents of SOC 1 and SOC 2 reports generally follow the list below:
o Independent service auditor's report (opinion)
o Management's written assertion
o Service organization's description of the system
o Complementary user entity controls
o Control objectives (SOC 1)/Criteria (SOC 2), control activities and control tests performed (Type II reports)
o Supplemental information from the service organization
When performing an evaluation of a SOC report, management should identify and evaluate each section of the report.
INDEPENDENT SERVICE AUDITOR'S REPORT
This section describes the scope of the examination and provides the service auditor's opinion on:
o Management's presentation of its system of internal control.
o The suitability of the design of the system.
o The operating effectiveness of the controls (Type II reports only).
It generally includes the following sections:
o Scope
o Service Organization's Responsibilities
o Service Auditor's Responsibilities
o Inherent Limitations
o Opinion
o Description of Tests of Controls
o Restricted Use
REVIEWING INDEPENDENT SERVICE AUDITOR'S REPORT
Verify that the report coverage is adequate. If the coverage is insufficient and/or the report date does not coincide with the client's year-end, verify how Management was able to gain acceptance of the coverage exceptions.
Verify the type of report issued and determine whether it is appropriate for use (e.g., SOC 1 vs. SOC 2, and Type I vs. Type II).
Verify whether service providers are being used by the service organization and determine whether the service auditor's evaluation included sub-service providers.
Determine the type of opinion issued (i.e., modified vs. unmodified).
MANAGEMENT'S WRITTEN ASSERTION
Management's assertions may be in a separate section of the report or included in the section containing the description of the system.
Management's written assertions cover the following:
o The fair presentation of the description of the system
o The suitability of the design of controls and verification that they were implemented as of a specific date (Type I) or throughout the period (Type II)
o The operating effectiveness of the controls throughout the period (Type II)
o The relevant changes to the system throughout the period (Type II)
REVIEWING MANAGEMENT'S WRITTEN ASSERTION
Verify that Management's written assertions in this section mirror the service auditor's opinion.
Verify that there are no qualifications in the assertions or modifications in the language (i.e., use of "except for" or other exclusionary language).
Verify that there are no omissions in the description criteria outlined by the AICPA relative to the services provided.
SERVICE ORGANIZATION'S DESCRIPTION OF THE SYSTEM
This section includes the service organization's explanation of the system and generally includes a description of the following:
o Services provided
o Entity-level controls relating to the control environment, risk assessment processes, monitoring activities and information and communication processes
o Procedures by which services are provided and transactions are accounted for, and related accounting records
o Significant events other than transactions
o Report preparation processes
o Control objectives and related control activities
o Complementary user entity controls
o Sub-service provider controls
REVIEWING SERVICE ORGANIZATION'S DESCRIPTION OF THE SYSTEM
Verify that the services provided are consistent with the services received.
Understand whether there are any significant events that impact the services relied upon.
COMPLEMENTARY USER ENTITY CONTROLS
Complementary user entity controls (CUECs) are controls which the service organization assumes will be in place at user entities.
They identify the roles, responsibilities and obligations of the user entity to ensure achievement of the control objectives identified in the report.
Also known as user organization controls, complementary customer controls, or other similar names or phrases.
REVIEWING COMPLEMENTARY USER ENTITY CONTROLS
Identify and evaluate all CUECs that are relevant (i.e., those which directly impact financial reporting risk[s]).
For IT-related CUECs, communicate with the IT team and consider the Company's responsibilities in areas of change management, security and operations.
For all in-scope CUECs, ensure that the CUEC is appropriately mapped to key controls and that the design and operating effectiveness of those controls have been tested.
CONTROL OBJECTIVES, CONTROL ACTIVITIES AND TESTS PERFORMED
Presents the control objectives and related control activities performed by the service organization
Presents the test procedures performed and the results of control testing performed by the service auditors
Shows the exceptions or deviations noted by the service auditors
Shows Management's response to the exceptions noted
REVIEWING CONTROL OBJECTIVES, CONTROL ACTIVITIES AND TESTS PERFORMED
Consider performing a self-assessment of the adequacy of the test procedures performed by the service auditors.
Review the responses provided by the service organization and determine whether the responses are satisfactory. Management may also consider discussing the nature of the exceptions with the service auditors.
Evaluate all relevant exceptions, which include:
o Exceptions relevant to control objectives that mitigate the financial reporting risks.
o Exceptions related to Information Technology General Controls (ITGCs) supporting relevant applications that mitigate the financial reporting risks.
SUB-SERVICE ORGANIZATIONS
A third-party provider used by the primary service provider to outsource processes and controls.
They can be part of transaction processing (e.g., claims processing) or the IT environment (e.g., data center hosting).
They are identified by the service organization in its assertion and by the service auditor in the opinion.
REVIEWING SUB-SERVICE ORGANIZATIONS
Evaluation of internal controls should include the impact of all identified sub-service providers.
Assess the impact of sub-service providers on the Company's internal control over financial reporting.
Identify and evaluate all sub-service providers used by in-scope service organizations as part of the SOC review procedures.
For in-scope sub-service providers, formally document the review of the sub-service providers' SOC report, if applicable.
ASSESSING SOC COVERAGE
To rely on SOC reports for SOX 404, the report must generally cover at least the first nine months of the audit period.
Obtain a bridge letter if there is a gap between the SOC report date and the Company's year-end date.
Review the bridge letters and evaluate the impact of changes in the service organization's controls, if any.
If the report coverage is less than nine months and/or there is a gap larger than three months, Management must document how it became comfortable with the short coverage period and/or the gap in the reporting period.
SSAE 16 TO SSAE 18
Naming convention
Vendor management
Complementary subservice organization controls
Service auditor risk assessment
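The coverage rule on this slide (at least nine months of the audit period covered, a bridge letter for any gap to year-end, and extra documentation when coverage is under nine months or the gap exceeds three months) is easy to get wrong by hand when a vendor's report period does not line up with the fiscal year. The following is an added example, not material from the presentation, that encodes the rule as a date check over a Type II report period. The thresholds `MIN_COVERAGE_MONTHS` and `MAX_GAP_MONTHS` are taken from the slide; the `Period` and `CoverageAssessment` types and the sample dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds stated on the slide: nine months of coverage, three-month gap.
MIN_COVERAGE_MONTHS = 9
MAX_GAP_MONTHS = 3


@dataclass(frozen=True)
class Period:
    """Inclusive date range, e.g. an audit period or a Type II report period."""
    start: date
    end: date

    def __post_init__(self) -> None:
        if self.end < self.start:
            raise ValueError("period end precedes period start")


@dataclass(frozen=True)
class CoverageAssessment:
    months_covered: int            # whole months of the audit period the report covers
    gap_months: int                # whole months from report end to audit period end
    bridge_letter_needed: bool     # any gap at all between report end and year-end
    documentation_needed: bool     # coverage < 9 months and/or gap > 3 months


def whole_months(start: date, end_inclusive: date) -> int:
    """Whole calendar months from start through end_inclusive (0 if end precedes start).

    Uses an exclusive end (end + 1 day) so that Jan 1..Sep 30 counts as 9 months
    and Jan 1..Dec 31 as 12.
    """
    if end_inclusive < start:
        return 0
    end_ex = end_inclusive + timedelta(days=1)
    months = (end_ex.year - start.year) * 12 + (end_ex.month - start.month)
    if end_ex.day < start.day:          # partial trailing month does not count
        months -= 1
    return months


def assess_coverage(audit: Period, report: Period) -> CoverageAssessment:
    """Apply the slide's coverage rule to one SOC Type II report against one audit period."""
    overlap_start = max(audit.start, report.start)
    overlap_end = min(audit.end, report.end)
    covered = whole_months(overlap_start, overlap_end)

    if report.end < audit.end:
        gap = whole_months(report.end + timedelta(days=1), audit.end)
        bridge = True                   # even a gap shorter than a month needs a bridge letter
    else:
        gap, bridge = 0, False

    documentation = covered < MIN_COVERAGE_MONTHS or gap > MAX_GAP_MONTHS
    return CoverageAssessment(covered, gap, bridge, documentation)


if __name__ == "__main__":
    # Constructed sample: calendar-year audit period, vendor reports on a Sep 30 cycle.
    audit = Period(date(2016, 1, 1), date(2016, 12, 31))
    report = Period(date(2015, 10, 1), date(2016, 9, 30))
    print(assess_coverage(audit, report))
```

Run against the constructed dates above, a report period ending 30 September yields nine months of coverage and a three-month gap: a bridge letter is required, but no additional management documentation. Move the report end back to 30 June and coverage drops to six months with a six-month gap, which trips both conditions. A report that runs past year-end produces no gap at all.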
Questions? Colin Wallace colin.wallace@mossadams.com (503) 478-2185 Kim Koch kim.koch@mossadams.com (206) 302-6425 The material appearing in this presentation is for informational purposes only and is not legal or accounting advice. Communication of this information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although these materials may have been prepared by professionals, they should not be used as a substitute for professional services. If legal, accounting, or other professional advice is required, the services of a professional should be sought.