Evaluating Service Organization Control Reports
- 1. Page 1 of 5 Crossland Advisors, Inc. http://crosslandadvisors.com/ 610-365-4852 Copyright © 2016 Evaluating Service Organization Control Reports (SOC1, SOC2, SOC3) Even though Service Organization Control (SOC) reports have been available since 1992, their actual usage and importance has increased significantly with the Sarbanes- Oxley (SOX) Act in 2002. Prior to SOX, contractual obligations for service organizations to provide a SOC report were generally not specific or not included (it is noted that prior to 2002, contractual requirements for SOC reports were typically found in the government sector, but not for commercial companies). Also, the client organization (aka the user entity) requesting and receiving the report seldom evaluated the report; often, it was a “check-the-box” compliance exercise only to make sure a report was received. With the advent of SOX, financial auditors realized that controls at service organizations needed to be thoroughly evaluated to make sure they were comprehensive, appropriate and operating effectively. The increased focus by financial auditors forced user entity management to also evaluate the controls at their service organization(s) since these services are an extension of the user entity’s processes and internal controls and could have a direct impact on other user entity controls and financial statements. The user entity should expect their service organization(s) to have at least the same level of controls as if those services were provided in-house. Unfortunately, most user entities do not have a thorough understanding of SOC reports and thus do not know how to effectively evaluate the report(s) they receive from their service organization(s). A comprehensive evaluation of a SOC report will ascertain whether: • The report as of a date or period is appropriate for user entity purposes • The standard under which the SOC report was issued is appropriate • The report identifies the use of subservice organizations • The intended users of the report are appropriate • The report addresses the “System”, which includes the IT applications, policies and procedures and service organization locations, used by the entity. “System” refers to the policies and procedures designed, implemented and documented by management of the service organization, including IT components, to provide user entities with the services covered by the service auditor's report. The term “System” does not refer to just the IT applications. • The evidence provided by the report is sufficient and appropriate for understanding the service organization's relevant processes and risks • The report identifies issues with the processes or controls at the service organization
- 2. Page 2 of 5 Crossland Advisors, Inc. http://crosslandadvisors.com/ 610-365-4852 Copyright © 2016 The first step in evaluating a SOC report is to understand the sections of the report: SOC1 o Report cover o Auditor’s opinion o Management assertion o Description of the system o Control objectives, controls, tests and results SOC2 o Report cover o Auditor’s opinion o Management assertion o Description of the system o Criteria, controls, tests and results SOC3 o Report cover o Auditor’s opinion o Management assertion o Short description of the system Auditor’s opinion The Auditor’s opinion summaries the scope and conclusion of the report. The opinion includes: The system(s) included in scope and the period being audited An identification of subservice organizations included or carved-out Whether or not the system description fairly presents what was designed and implemented, the controls related to the control objectives were suitably designed to reasonably achieve the control objectives and the controls tested were operating effectively throughout the period The intended users of the report Management assertion The service organization makes an assertion regarding its description of the system and the operation of the system. Management asserts that: The description presents how the service organization’s system was designed and implemented
- 3. Page 3 of 5 Crossland Advisors, Inc. http://crosslandadvisors.com/ 610-365-4852 Copyright © 2016 The description of the service organization’s system includes relevant details of changes to the service organization’s system during the period covered by the description The description of the service organization’s system does not omit or distort information relevant to the service organization’s system, while acknowledging that management’s description of the service organization’s system is prepared to meet the common needs of a broad range of user entities and their user auditors, and may not, therefore, include every aspect of the service organization’s system that each individual user entity and its user auditor may consider important in its own particular environment The risks that threaten the achievement of the control objectives/criteria stated in management’s description of the service organization’s system have been identified by management The controls identified in management’s description of the service organization’s system would, if operating as described, provide reasonable assurance that those risks would not prevent the control objectives/criteria stated in the description from being achieved The controls were consistently applied as designed, throughout the specified period, including whether manual controls were applied by individuals who have the appropriate competence and authority An assertion should be included for any service organization whose control objectives and controls have been included in the Auditor’s opinion, system description and control objectives/ criteria, controls, tests and results. The assertion may include the name of the authorizing official at the service organization, but such naming is not required. Description of the system The system description identifies the services that are likely to affect a user entity’s internal controls, including applications, technology and supporting IT processes. The description will identify and document: The control environment, risk assessment and monitoring performed as part of internal control Each business process/principle being included as part of the service overview along with the processes owner(s), process description and related controls The control objectives/criteria associated with each business process/principle and document the risks that threaten the achievement of the control objectives/criteria, the controls that address the risks, and the service organization’s basis for its assertion that each control was implemented throughout the report period. While IT controls do not directly affect the financial statement assertions of user entities, they are almost always
- 4. Page 4 of 5 Crossland Advisors, Inc. http://crosslandadvisors.com/ 610-365-4852 Copyright © 2016 necessary for the proper functioning of the business process controls that do directly affect these assertions. The physical location(s) where processing occurs Subservice organizations and the services they provide Complementary user entity controls (CUECs). CUECs are controls assumed to be in place at the user entity in order for the specified control objectives and related controls to be achieved Control objectives/criteria, controls, tests and results The control objectives/criteria in scope are detailed in a matrix that includes a description of the tests performed to determine the operating effectiveness of the controls along with any control deviations noted during testing. The description of the tests performed should include the nature, timing and extent of the testing performed. Areas for follow-up when reviewing a report: The report date or period is not appropriate for the intended use The report type is not appropriate for the intended use The reporting standard is not appropriate for the intended use Subservice organizations are noted in the Auditor’s opinion and system description The auditor is not independent and competent The Auditor’s opinion is qualified The report has restricted usage There is not a Management Assertion for each subservice organization whose control objectives and controls have been included in the Auditor’s opinion, system description and control objectives/ criteria, controls, tests and results The Description of the system does not address, in detail, the processes and controls expected The processing location(s) listed are not the same as those contracted for with the service organization Complementary user entity controls (CUECs) will need to be assessed for applicability and testing The tests performed do not address all aspects of the control objectives/ criteria Testing deviations are noted
- 5. Page 5 of 5 Crossland Advisors, Inc. http://crosslandadvisors.com/ 610-365-4852 Copyright © 2016 Crossland Advisors provides IT risk and control services to a number of industries, including: Manufacturing Pharmaceuticals Healthcare Financial Services Insurance Government Retail Utilities Our extensive experience allows us to develop real world solutions to complex challenges. We use a process-focused risk-based approach and are able to relate leading practices and improvements to understand, anticipate and address a wide variety of information system risk and process issues. Crossland Advisors is ready to work with you to satisfy your IT risk and control needs.