Many business enterprises today outsource some portion of their business operations or functions to a third-party organization. Common examples include the outsourcing of technology systems, such as IT hosting, and payroll for company employees. In these examples, the business acquiring the services of a third party is called a user entity and the third party is referred to as a service organization.
The use of outsourcing generally allows the user entity to leverage outside expertise while focusing on its own core business goals. Outsourcing has expanded significantly in recent years. These outsourced activities often relate to the management of business transactions and to the related financial and accounting reporting and internal controls.
When a user entity outsources functions that affect its internal control over financial reporting (ICFR), management of the user entity needs to gain an understanding of the design and operating effectiveness of certain controls that are performed by the service organization. Also, a financial auditor performing an audit of a user entity’s financial statements (a user auditor) is required under international professional auditing standards to perform risk assessment procedures to obtain an understanding of how the user entity uses the services of a service organization.
Usually this is accomplished through a SOC 1 engagement, which is an engagement performed by a CPA (a service auditor) to report on the service organization’s description of its system, the suitability of the design of the service organization’s controls included in the description, and, in most cases, the operating effectiveness of those controls. The design is assessed as a point in time, while the operating effectiveness is assessed over a period of time, and normally covers at least six months.
Some service organizations provide services that are relevant to subject matter other than user entities’ internal control over financial reporting, for example, controls relevant to the security of a system or to the privacy of information processed by a system for user entities. Such controls may be reported on with a SOC 2 engagement on the security, availability, or processing integrity of a system or the confidentiality or privacy of the information processed by the system. A “system” consists of five key components: infrastructure, software, people, procedures, and data.
Service organizations may receive inquiries from existing or potential customers and their auditors about the internal controls for the outsourcing services. As noted above, professional auditing standards adopted globally require the user auditor to understand such controls. Two similar reporting models, developed by the AICPA and the IAASB, are accepted to describe and document such controls that relate to financial reporting. Other reporting models and international frameworks for controls may exist but these generally do not include sufficient and transparent detail or are not focused on financial reporting and therefore are not usually accepted by user auditors.
If a service organization has not been through a SOC report previously, it may be beneficial to invest in preparing for such a report by obtaining the services of a qualified CPA to assess the service organization’s readiness. This is done by conducting control reviews to identify and document the relevant controls, initially for management’s use only. Once controls are sufficiently documented and are functioning adequately, a SOC 1 or SOC 2 report may be the next step.
By: James Merrill
James is a technology risk management professional with extensive experience in assisting clients in solving third-party reporting and internal control reporting matters. Jim has many years of leadership experience in risk assurance reporting for numerous global financial services organizations as well as for several US federal government agencies. He has been a member of the AICPA’s Service Organization Reports task force since 2007 and is one of the authors of the relevant auditing standards (SSAE 16, SSAE 18) and related guidance on the topic. Jim has presented to various auditing-related audiences in several countries.