Reporting On Controls At A Service Organization

Wednesday, March 21, 2012 - 10:37

In today’s economically challenging business environment, instead of building costly infrastructures to perform and support all tasks and functions internally, entities often undertake a strategy of outsourcing specific tasks, or entire functions, to independent third-party “service organizations” that have the resources (i.e., personnel, expertise and/or the technology) to accomplish such tasks or functions. When this occurs, business partners, suppliers and customers of service organizations, audit and other committees charged with governance, regulators and others want assurances regarding controls over information processed by service organizations.  

Over the past 20 years such users of information processed by service organizations have been requesting SAS 70 reports issued by service auditors to obtain those assurances. SAS 70 reports, however, were not intended to provide assurances regarding all information processed by service organizations, particularly in the areas of confidentiality and privacy.

The Misunderstanding Of SAS 70

The original objective of a SAS 70 report was the issuance of an opinion by a service auditor on the controls of a service organization that processes certain transactions for its clients, specifically, where such controls are relevant to its clients’ (“user entities’”) internal control over financial reporting (“ICFR”). Accordingly, it was inappropriate to issue a SAS 70 report addressing the controls surrounding any and all data processed by a service organization that was not going to be used by a user entity in its financial statements. Moreover, it was inappropriate for a service organization to claim that it was SAS 70 certified or SAS 70 compliant as there was never such a designation.

The Appropriate Use Of A SAS 70 Report – An Example

A common example of an appropriately used SAS 70 report was when a client (the “user”) contracted with a third-party service organization to process its payroll (e.g., ADP). In such situations, because the results of the payroll processed by the service organization affected amounts reported in users’ financial statements, the user – and its independent auditor – needed to understand how the service organization’s controls over its payroll processing were designed, whether they were placed in operation, and, if deemed necessary, how effectively such controls are operating. Since it would place an undue burden on the service organization to have each auditor for its payroll service clients perform the necessary procedures to obtain that level of processing control assurance over payroll transactions, the service organization typically contracts with a service auditor to perform the necessary procedures to be able to issue a report on controls – a SAS 70 report over payroll transactions in this example – that can be used by every one of its clients.

New Reporting Standards – SAS 70 Replaced By SOC 1, 2 And 3

Accordingly, the AICPA has replaced SAS 70 with a new reporting model called service organization controls (“SOC”) reports. These reports will separately address controls at a service organization likely to be relevant to user entities’ ICFR (SOC 1 reports) and controls relevant to subject matter other than user entities’ ICFR (SOC 2 and 3 reports). This new reporting approach should also alleviate the perceived misunderstandings surrounding SAS 70, which was not intended to be all things to all users. 

What Users Are Looking For From A Service Organization And Its Controls

To be a successful independent processor of transactions, data and other information, service organizations must have sufficiently robust controls that will meet the varied needs and demands of its user customers/clients and others, such as regulators. Such controls should encompass activities designed to address overall system processing integrity – only authorized transactions and data are processed securely, completely, accurately and timely, and all such information and data is kept private and confidential – resulting in the production of reliable financial and non-financial reports that comply with applicable laws and regulations as the situation warrants.

Note: This discussion recognizes the definition and description of internal control contained in Internal Control – Integrated Framework, published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), and the criteria developed by the AICPA and the Canadian Institute of Chartered Accountants (CICA) that are based on Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality and Privacy. Please note that as of the date of this article, revisions to the COSO Framework are under consideration.

In SOC 1 engagements, where the objective is limited to providing user entities and their auditors with sufficient information to evaluate the effect of controls at the service organization on the user entities’ financial statements, not all controls in place at a service organization will be relevant to user entities’ ICFR. Accordingly, the focus is on the control activities in place to achieve specific control objectives over the applicable transactions being processed (for example, payroll), resulting in complete and accurate amounts that can be reported in users’ financial statements.

The users of SOC 2 and 3 reports are a broader audience and, accordingly, control objectives cannot be as limited as in a SOC 1 engagement, and the breadth of the COSO Framework is not a sufficient criterion to report on because it does not specifically address the confidentiality and privacy of data.  As a result, the control criteria for SOC 2 and 3 engagements are the predefined Trust Services Principles (“TSP”) Criteria and Illustrations developed by the AICPA and the CICA.

SOC 1 Report - Report On Controls At A Service Organization Relevant To User Entities’ Internal Control Over Financial Reporting

A SOC 1 report is similar to the replaced SAS 70 report and is to be prepared in accordance with a new standard, the Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. Use of these reports is restricted to the management of the service organization, user entities and auditors of user entities’ financial statements in evaluating the effect of controls at the service organization on the user entities’ financial statements.

In summary, the new SOC 1 report includes management’s description of the service organization’s system and the relevant function performed by the system for its users. Depending on the needs of the users, the resulting report can be either of two types:

Type 1

Report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.

Type 2

Report on the fairness of the presentation of management’s description of the service organization’s systems and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period. 

Type 2 reports are generally preferred by users and their independent auditors.

Situation Examples for a SOC 1 Report: Employee benefit plan administrators, trustees, custodians or other record keepers and their auditors; payroll service organization users and their auditors.

SOC 2 And 3 Reports – Related But Different

To address controls relevant to subject matter other than user entities’ ICFR, the AICPA created SOC 2 and SOC 3 reports.  Both of these reports address similar subject matter and use the same TSP control criteria. Management of the service organization selects which TSP criteria will be covered: security, availability, processing integrity, confidentiality and/or privacy.

SOC 2 reports are generally restricted to users who have an understanding of the service organization and its controls, such as management or those charged with governance of the user entities and service organizations, its customers, business partners, suppliers and legal counsel, as well as courts and regulators. SOC 2 reports include a detailed description of the service organization’s system; the controls designed to meet TSP criteria; a written assertion by management of the service organization regarding the description and the design and operation of the controls; and the service auditor’s opinion on whether the system description is fairly presented and the controls are suitability designed (Type 1), and if requested, whether such controls are operating effectively (Type 2, which would include the service auditor’s description of the procedures it performed to test the operating effectiveness of the controls and the result of those tests for the period covered).

SOC 3 reports are designed to meet the needs of a wider range of users who need assurance about controls at a service organization but do not have the need for or knowledge necessary to effectively use a SOC 2 report. The SOC 3 report should include a description of the system and its boundaries, but such description generally is brief and does not include the detail provided in a SOC 2 system description.

SOC 3 reports will also have a written assertion by the management of the service organization regarding the suitability of the design and operation of the controls implemented, and a CPA “practitioner’s” report on the suitability of the design and operating effectiveness of the controls. SOC 3 reports, however, do not express an opinion on the fairness of the service organization's system description and do not describe either the tests performed by the CPA practitioner or the results of those tests.

Because they are general use reports, SOC 3 reports can be posted on a website or distributed to current and prospective customers, or otherwise used as a marketing tool to demonstrate that the service organization has the appropriate controls in place to mitigate risks related to processing integrity, security, privacy, etc. If the report is unqualified, the service organization is eligible to display on its website the SysTrust for Service Organizations seal, which is valid for 12 months from the date of the report.

Situation Examples for a SOC 2 Report: From outsourcing the entire IT function of an organization to specific services such as financial services customer accounting, where banks and investment companies that outsource the accounting back office to a service organization want processing control assurances for their customers; settlement fund claims administrators who want to assure courts, regulators and legal counsel that controls are effectively designed and in place to address court-approved plans of allocation and protect claimant confidentiality and privacy; and software-as-a-service (or “SaaS”) organizations or cloud computing services.

Situation Example for a SOC 3 Report: An online Internet retailer who wants to provide assurance to its business partners that controls over the privacy of customers’ information meet generally accepted control criteria.

Guidance

The SOC reporting model is new for 2011 reporting periods and, as with most new standards, will take some getting used to. The public response, however, has been favorable, especially for SOC 2 and SOC 3 reports that address non-financial statement transaction data. Additionally, the AICPA has issued two SOC guides and several Q&As. To view some of the more frequently asked questions, please visit the full text of this article at http://www.eisneramper.com/Trends_and_Developments/sas70-SOC-reports-0212.aspx.

David Cace is a Partner in the Litigation Services Group and is a firm advisor on audit and statistical sampling matters. Prior to devoting his full time to litigation consulting and forensic accounting matters, Mr. Cace was a member of the firm's Professional Practice Group. He has over 30 years of accounting, auditing, financial reporting, forensic, and internal control design and implementation experience.

Please email the author at david.cace@eisneramper.com with questions about this article.