SOC
Sub-service organizations
--A third party provider used by the primary providers to outsource processes and controls --They can be part of transaction processing or the IT environment --They are identified by the service organization in their assertion and by the service auditor in their opinion REVIEWING --Evaluation of internal controls should include the impact of all identified sub-service providers --Assess the impact of sub service providers to the company's internal control over financial reporting --Identify and evaluate all sub-service providers used by in scope service organizations as part of the SSAE 16 review procedures --For in-scope sub-service providers, formally document the review of the sub-service providers' SOC report, if applicable
SOC 1 scope, systems and control domains covered
--Classes of transactions --Procedures for processing and reporting transactions --Accounting records of the system --Handling of significant events and conditions other than transactions --Report preparation for users --Other aspects relevant to processing and reporting user transactions --Transaction processing controls --Supporting information technology general controls
SOC 2 scope, systems and control domains covered
--Infrastructure --Software --Procedures --People --Data --Security --Availability --Confidentiality --Processing integrity --Privacy
Control Objectives, Control Activities and Tests Performed
--Presents the control objectives and related control activities performed by the service organization --Presents the test procedures performed and the results of control testing performed by the service auditors --Shows the exceptions or deviations noted by the service auditors --Shows management's response to the exceptions noted EVALUATING CONTROL EXCEPTIONS --Consider performing a self-assessment of the service auditor's test adequacy of the test procedures performed --Review the responses provided by the service organization and determining whether the responses are satisfactory. Management may also consider discussing the nature of the exceptions with the service auditors. --Evaluate all relevant exceptions, which include: -Exceptions relevant to control objectives that mitigate the financial reporting risks. -Exceptions related to information technology general controls (ITGC) supporting relevant applications that mitigate the financial reporting risks.
Reviewing coverage of the SOC report
--To rely on SOC reports for SOX 404, the report must generally cover at least the first nine months of the audit period --Obtain a bridge letter if there is a gap between the SOC report date and the Company's year-end date --Review the bridge letters and the evaluate the impact of changes in the service organization's controls if any --If the report coverage is less than nine months and/or there is a gap larger than three months, Management must document how it became comfortable with the small coverage period and/or gap in the reporting period
Qualified opinion
A report issued when the auditor believes that the overall financial statements are fairly stated but that either the scope of the audit was limited or the financial data indicated a failure to follow GAAP
SOC 1 Report
A report on controls at a service organization which are relevant to user entities' internal control over financial reporting. An example of a service organization that may need a SOC 1 report is a company that provides payroll processing services to user entities. User entities that use the payroll processing company realize the material impact of payroll on their financial statements and request some independent assurance that their payroll is being handled in accordance with their expectations. A SOC 1 report provides user entities of the payroll processing company reasonable assurance that the internal controls of the payroll processing company are suitably designed (Type I report) or suitably designed and operating effectively (Type II report) to provide the payroll services. Because SOC 1 reports may contain sensitive information about service organizations, they are considered restricted use reports and should only be shared with management of the service organization (the company who has the SOC 1 performed), user entities of the service organization (the service organization's clients) and the user entities' financial auditors (user auditors). The report can assist the user entities' financial auditors with laws and regulations like the Sarbanes-Oxley Act. There are numerous service organizations that may receive SOC 1 reports. The common theme between the service organizations should be the potential impact on user entities' internal controls over financial reporting (ICFR). Some examples of organizations who may receive SOC 1 reports include: Payroll processors Medical claims processors Loan servicing companies Data center companies Software-as-a-Service (SaaS)
Sub service organizations
A subservice organization is an entity that is used by the service organization to perform some of the services provided to customers (user entities). An example of a common service provided by a subservice organization would be a company that offers their data center to a cloud provider (the service organization). The service organization relies on processes and controls implemented at the subservice organization to meet the Control Objectives or Trust Services Principles of the SOC report. When a subservice organization is utilized by the service organization, there are two methods for reporting on the processes and controls at the subservice organization. --First, the processes and controls can be included as a part of the report. --This is the Inclusive method. --Second, the processes and controls can be excluded from the report. --This is the Carve Out method. Each method requires that the service organization take steps to determine whether controls are in place and operating effectively to meet the needs of the end user (customer).
Complementary user entity controls (CUECs)
AKA User Control Considerations (UCCs) Controls that the vendor has included within its system and rely on the user entity (you) to implement in order to achieve the vendor's control objectives. In most cases, the control objectives stated in the description can be achieved only if these complementary user entity controls are suitably designed and operating effectively (by you), combined with the controls at the service organization (the vendor). **Common Placement of Complementary User Entity Controls in a SOC Report** --Specific subsection of the description - You can often find the CUECs listed out in the service description section with details on how exactly they relate to the control objectives laid out in the report. --As part of the tested controls section - You can also find the CUECs right in the testing section. They're usually documented along with the control objectives they align with. **Common Examples of CUECs in a SOC Report** --Logical Access: Account provisioning General IT controls and policies Account management --Separation Procedures: Timely account removal Regular assessment of accounts --Authorization Policies and Procedures: Policies and procedures that ensure transactions are appropriately authorized and transactions are secure, timely and complete --Data Transmission Policies and Procedures: When sending data, it must be protected by appropriate methods such as encryption Knowing about CUECs still isn't enough. As part of your vendor risk management process, you have to map them back to your own policies and procedures to ensure that you have controls in place that properly align with your vendor's expectations. Part of comprehending a vendor's value in providing a product or service is making sure you can effectively execute your responsibilities.
Bridge letter
AKA a gap letter --Obtain a bridge letter if there is a gap between the SOC report date and the Company's year-end date --Review the bridge letters and the evaluate the impact of changes in the service organization's controls if any
SOC 1, Type 1
AKA point in time report Type 1 reports test the design of a service organization's controls, but not the operating effectiveness. As of a particular date, includes a description of a service organization's system as well as tests to help determine whether a service organization's controls are designed appropriately.
Independent service auditor's report
Describes the scope, service organization's responsibilities, service auditor's responsibilities, inherent limitations, opinion, description of test of controls, restricted use. It also describes the service auditor's opinion of management's presentation of its system of internal control, the suitability of the design of the system, the opinion on the operating effectiveness of the controls (Type II reports only). REVIEWING THIS SECTION --Verify the report coverage is adequate, if it is insufficient or the date does not coincide with the client's year end, verify how management was able to gain acceptance of the coverage exceptions. --Verify the type of report issued and whether it is appropriate for use --Verify whether service providers are being used by the service organization and determine whether the service auditor's evaluation included sub-service providers --Determine the type of opinion issued
SOC 3 Report
Established as a general use report alternative to the SOC 2 report, a summary that can be provided to the public. An examination on controls relevant to the applicable Trust Services Principles The report includes only the auditor's opinion and limited description of controls (narrative)
Service organization's description of the system
Includes the service organization's explanation of the system and descriptions of: --Services provided --Entity-level controls relating to the control environment, risk assessment processes, monitoring activities and information and communication processes --Procedures by which services are provided and transactions are accounted for, and related accounting records --Significant events other than transactions --Report preparation processes --Control objectives and related control activities --Complementary user entities controls --Description of sub-service provider controls REVIEWING --Verify the services provided are consistent with the services received --Understand if there are any significant events that impact the services relied upon
ICFR
Internal Control over Financial Reporting
How are SOC reports evaluated?
Inventory -- Inventory existing outsourced vendor relationships to determine whether third-party assurance may be required Assess -- Assess the key financial reporting risks associated with significant outsourced vendors & identify in-scope service organizations Identify -- Identify relevant reports that have been obtained and determine appropriateness. Identify any additional reports or documents needed to complete the assessment (e.g., bridge letter, management's discussion with the service provider, etc.) Test and conclude -- Assess the adequacy of the SSAE 16 report scope and perform review procedures to evaluate the operational effectiveness of controls relied upon at the service organization
Management's written assertion
Management's assertion may be in a separate section of the report or included in the section containing the description of the system. Management's written assertion covers: --The fair presentation of the description of the system --The suitability of the design of controls and verification that they were implemented as of a specific date (type 1) or throughout the period (type 2) --The operating effectiveness of the controls throughout the period (Type II) --The relevant changes to the system throughout the period (Type 2) REVIEWING --Verify management's written assertion in this section mirrors the service auditor's opinion --Verify that there are no qualification in the assertions/modification in the language (i.e., use of "except for" or other exclusionary language --Verify that there are no omissions in description criteria outlined by the aicpa relative to the services provided
Unqualified opinion
Opinion issued by a certified public accountant that means the company's financial statements are, in all material respects, in compliance with GAAP; the auditor has no reservations. Contrast with qualified opinion.
AICPA Trust Services Principles
Security Availability Processing integrity Privacy Confidentiality
SOC Report
Service Organization Control Report
SOC Report scope
Services included
SOC 2 Report
Sometimes referred to as AT101/performed under standard AT101. Report on Controls at a Service Organization related to compliance or operations and based on Trust Services Principles and Criteria. SOC2 service organization controls must meet the specified Trust Services Principles defined by the AICPA (you can choose one or many), which include: Security Availability Processing Integrity Confidentiality Privacy Reports more on the underlying IT environment
SOC 1 Report key ideas
Sometimes referred to as SSAE16 A report on controls at a service organization which are relevant to user entities' internal control over financial reporting (ICFR) Most applicable when the service provider performs financial transactions processing or supports transaction processing systems Independent assurance that their ____ is being handled in accordance with their expectations. Service organizations determine control objectives and controls to meet the appropriate objectives. Control objectives are defined by the service provider and vary based on the service provided. They are considered restricted use reports and should only be shared with management of the service organization (the company who has the SOC 1 performed), user entities of the service organization (the service organization's clients) and the user entities' financial auditors (user auditors).
Complementary sub service organization controls (CSOCs)
The CSOCs need to be specific to the services provided by the service organization's system. The description of the service organization's system needs to describe the subservice organization's responsibility for implementing CSOCs and indicate that the service organization can only achieve the specific control objectives or applicable trust services criteria if the CSOCs are suitably designed and, in a type 2 examination, operating effectively throughout the period.
SOC 1 Report Structure
The Opinion Letter (SOC 1 Qualified Opinion vs. Unqualified) --The first section contains the opinion letter (aka Independent Auditor's Report). The opinion letter outlines the scope of the report (services included), test period (Type 2), or report as-of-date (Type 1) and type of opinion being issued. Management's Assertion --The second section contains an assertion written by management of the service organization that makes a number of management statements including the following: 1) An assertion that the description of the system fairly presents the system 2) The control objectives were suitably designed (Type 1) or suitably designed and operating effectively (Type 2) 3) Discussion of the criteria used to make the assertion. Description of the System --The description of a service organization's system is a description of the services provided that are relevant to user entities ICFR (Internal Control Over Financial Reporting). --The description includes the supporting processes, policies, procedures, personnel, and operational activities that constitute the service organization's services that are relevant to user entities. Description of Tests of Controls and Results of Testing --This is the section that a SOC auditor uses to describe the controls that were tested as part of the examination, the test procedures used for testing the controls and the results of testing. --When reviewing a SOC 1 report, the opinion and the results of testing sections contain the key information necessary to determine whether a service organization's system of internal controls is suitably designed and operating effectively to provide the services. Other Information --Some SOC 1 reports include a section used by service organizations to provide additional information about relevant processes that were not tested within the report such as disaster recovery and business continuity information. The SOC auditor will not express an opinion on the statements made by management within this section.
Soc 1, Type 2
Type 2 reports cover a period of time (usually 12 months), include a description of the service organization's system, and test the design and operating effectiveness of key internal controls over a period of time.
Carve out method
Used for sub-service organizations, the process and controls are excluded from the report. The following considerations must be evaluated: --What services are performed by the subservice organization that are relevant to the services offered to the customer? Normally, these services are explained briefly as part of the carve out language within the SOC report. --Does the subservice organization issue a SOC report on the services not included as part of the service organization report? --Does the service organization report or the subservice organization reports contain any exceptions in it? If so, what compensating or mitigating controls are in place to eliminate or reduce the risk associated with the exception? --Have you reviewed the service organization CUEC's to determine whether there are controls within the subservice organization report that address the CUEC's? If not, what additional controls are in place at the user entity (customer) that would mitigate the absence of controls for all of the CUEC's?
Inclusive method
Used for sub-service organizations, the processes and controls are included as part of the report The following considerations must be evaluated: --Is the subservice organization assertion letter included along with the service organization assertion letter? --Are there any exceptions noted within the report? If so, what compensating or mitigating controls are in place to eliminate or reduce the risk associated with the exception?