Many organizations, perhaps including yours, outsource aspects of their business activities to service providers. Your company may be outsourcing the performance of essential tasks or could potentially be using a provider to act as a business unit on your behalf. These services can be related to payroll, customer support, IT cloud hosting, accounting and finance, record storage and other functions.
Using service providers can offer cost savings and efficiencies, but it also introduces risks to your organization. It’s important to remember that while aspects of your business can be outsourced, the ownership of the risk related to those services cannot. How can your organization gain comfort that service providers are protecting your intellectual property, processing your transactions completely and accurately, and addressing the risks associated with your organization, its services and functions, and the system used to provide them?
Methods for obtaining comfort can include:
1) Periodic meetings to evaluate the service provider’s performance against your contract or service-level agreement.
2) Requesting completion of questionnaires related to your organization’s key risk areas.
3) Reviewing the service provider’s most recently issued System and Organization Controls (SOC) 1 or 2 report.
Our experience has shown that the most effective means for gaining comfort over a service organization’s environment is by reviewing their SOC report. SOC reports are designed to help service organizations build trust and confidence in the services performed and controls related to those services through a report issued by an independent Certified Public Accountant (CPA).
Once your organization has obtained the SOC report, what should be considered? Below are some key points of focus for review.
It is important to note that the American Institute of Certified Public Accountants (AICPA) requires SOC reports be issued only by CPA firms.
As a part of your organization’s evaluation, you will want to confirm that the CPA firm has appropriate and updated licensing. This confirmation lets you know that the CPA firm undergoes peer review every three years to validate they remain in good standing in their accounting and auditing practices.
Each SOC report contains an independent service auditor’s (i.e., the CPA firm’s) opinion regarding the description of the service organization’s system: whether the system was presented fairly and whether the service organization’s controls are suitably designed and operating effectively.
The service auditor’s opinion can be presented in four possible ways:
- Unqualified: The service auditor’s opinion fully supports the results of their audit procedures, with no modifications. However, an unqualified opinion does not mean there were no issues/exceptions identified by the service auditor.
- Qualified: The service auditor identifies misstatements in the system description or exceptions in the suitability of design or operating effectiveness of controls. The identification is limited to one or more, but not all, aspects of the description of the system or control objectives/criteria and does not affect the service auditor’s opinion on other aspects of the system or other control objectives/criteria.
- Adverse: The service auditor believes that misstatements in the system description or exceptions in the suitability of design or operating effectiveness of controls are material and pervasive throughout the system description or across all or most of the control objectives.
- Disclaimer: The service auditor is unable to express an opinion due to insufficient evidence, and the possible effects could be both material and pervasive.
In the case of either a disclaimer or an adverse opinion, your organization will want to communicate with your service provider to understand the circumstances surrounding that opinion.
The SOC report will also include a description of the service organization’s system, sometimes referred to as the narrative. The system description will include background information and a description of the software, people, procedures, processes and data that are covered.
Your organization will need to review the system description to determine whether information relevant to the services provided to your organization was included. In the case of a SOC 2 report, your review will also need to evaluate whether the Trust Services Criteria included in the scope of the report are relevant to your agreed-upon service commitments and system requirements with the service provider.
The SOC report will disclose any exceptions identified during the performance of audit procedures. As your organization reviews these exceptions, you will need to determine whether the exceptions identified are critical to your organization. If they are critical, you will need to determine the impact these will have on your organization’s processes and controls.
In addition to monitoring your service organization, your company should review the Complementary User Entity Controls (CUECs), which can be included in a SOC report and define the areas of responsibility for your organization in relation to the services provided. Your organization should perform the following:
- Determine which CUECs are relevant to your organization, as all may not apply
- Determine how your organization addresses CUECs. These can typically be addressed through:
  - Programs and policies
  - Formal controls
  - Informal/unwritten controls (if so, those should be documented)
- Record how your organization addresses each CUEC
- Reassess CUECs with each new SOC report issued
By addressing the relevant CUECs in the SOC report, your organization will ensure that you can effectively rely on the system of controls being performed by the service organization.
Have Additional Questions?
SOC reports remain a complex topic for many organizations. We understand you might still have some questions; if that’s the case, please feel free to contact us. We also encourage you to read our related SOC blog posts for further information:
- Understanding SOC Reporting: 4 Frequently Asked Questions
- Exploring SOC for Supply Chain: What Your Business Needs to Know
Journet Greene is a Director in Moore Colson’s Risk Advisory and Compliance Services Practice. She leads Sarbanes-Oxley initiatives, internal audits, SOC audits and other compliance engagements for the firm’s many large IT and consulting engagements.