February 01, 2012
REPORTING ON CONTROLS AT A SERVICE ORGANIZATION
Every so often a brand becomes so well known that it becomes the product or the service. Remember when a kitchen refrigerator was known as a Frigidaire; or when a request to copy a document was phrased “please Xerox this for me.” If Casey Stengel were alive today, instead of telling people “you could look it up” he would probably say “you could Google it.”
CPAs have had a similar situation evolve with “SAS 70.” Over the past 20 years users of information processed by independent third parties (“Service Organizations”) have been requesting SAS 70 Reports issued by Service Auditors to obtain assurances regarding controls over information processed by Service Organizations. While it may have been flattering to CPAs to see SAS 70 become the brand itself like Frigidaire, Xerox, and Google, the intent of SAS 70 has often been misunderstood and the resulting reports have often been misused and misapplied.
Note: “SAS” is short for Statement on Auditing Standards, which are issued by the American Institute of Certified Public Accountants (“AICPA”). The number “70” was the sequential issuance number of the SAS that was originally entitled Reports on the Processing of Transactions by Service Organizations.
The original objective of a SAS 70 Report was the issuance of an opinion by a Service Auditor on the controls of a Service Organization that processes certain transactions for its clients, specifically, where such controls are relevant to its clients’ (“user entities’”) internal control over financial reporting (“ICFR”). Accordingly, it was inappropriate to issue a SAS 70 Report addressing the controls surrounding any and all data processed by a Service Organization that was not going to be used by a user entity in its financial statements. Moreover, it was inappropriate for a Service Organization to claim that it was SAS 70 certified or SAS 70 compliant as there was never such a designation.
A common example of an appropriately used SAS 70 Report was when a client (the “user”) contracted with a third-party Service Organization to process its payroll (e.g., ADP). In such situations, because the results of the payroll processed by the Service Organization affected amounts reported in users’ financial statements, the user, and its independent auditor, needed to understand how the Service Organization’s controls over its payroll processing were designed, whether they were placed in operation, and, if deemed necessary, how effectively such controls were operating. Since it would place an undue burden on the Service Organization to have each auditor for its payroll services clients perform the necessary procedures to obtain that level of processing control assurance over payroll transactions, the Service Organization typically contracts with a Service Auditor to perform the necessary procedures to be able to issue a Report on controls (a SAS 70 Report over payroll transactions in this example) that can be used by every one of its clients.
In today’s economically challenging business environment, instead of building costly infrastructures to perform and support all tasks and functions internally, entities continue to undertake a strategy of outsourcing specific tasks, or entire functions, to Service Organizations that have the resources (i.e., personnel, expertise and/or the technology) to accomplish such tasks or functions. To address this ever-growing practice, users of Service Organizations, their managements, audit and other committees charged with governance, business partners, suppliers, customers, regulators, and others want assurances regarding those outsourced services, with a heightened focus on the confidentiality and privacy of information processed. Accordingly, the AICPA has replaced SAS 70 with a new reporting model called “SOC” Reports – short for reports on Service Organization Controls. These reports will separately address controls at a Service Organization likely to be relevant to user entities’ ICFR (SOC 1 Reports), and controls relevant to subject matter other than user entities’ ICFR (SOC 2 and 3 Reports). This new reporting approach should also alleviate the perceived misunderstandings surrounding SAS 70, which was not intended to be all things to all users.
To be a successful independent processor of transactions, data and other information, a Service Organization must have sufficiently robust controls that will meet the varied needs and demands of its user customers/clients and others such as regulators. Such controls should encompass activities designed to address overall system processing integrity (only authorized transactions and data are processed securely, completely, accurately and in a timely manner, and all such information and data is kept private and confidential), resulting in the production of reliable financial and non-financial reports that comply with applicable laws and regulations as the situation warrants.
Note: This discussion recognizes the definition and description of internal control contained in Internal Control – Integrated Framework, published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), and the criteria developed by the AICPA and the Canadian Institute of Chartered Accountants (CICA) that are based on Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy. Please note that as of the date of this article, revisions to the COSO Framework are under consideration.
In SOC 1 engagements, where the objective is limited to providing user entities and their auditors with sufficient information to evaluate the effect of controls at the Service Organization on the user entities’ financial statements, not all controls in place at a Service Organization will be relevant to user entities’ ICFR. Accordingly, the focus is on the control activities in place to achieve specific control objectives over the applicable transactions being processed (for example, payroll) resulting in complete and accurate amounts that can be reported in users’ financial statements.
The users of SOC 2 and 3 Reports are a broader audience and, accordingly, control objectives cannot be as limited as in a SOC 1 engagement, and the breadth of the COSO Framework is not a sufficient criterion to report on because it does not specifically address the confidentiality and privacy of data. As a result, the control criteria for SOC 2 and 3 engagements are the predefined Trust Services Principles (“TSP”) Criteria and Illustrations developed by the AICPA and the CICA.
A SOC 1 Report is similar to the replaced SAS 70 Report, and is to be prepared in accordance with a new standard, Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. Use of these reports is restricted to the management of the Service Organization, user entities, and auditors of user entities’ financial statements in evaluating the effect of controls at the Service Organization on the user entities’ financial statements.
In summary, the new SOC 1 Report includes management’s description of the Service Organization’s system and the relevant function performed by the system for its users. Depending on the needs of the users, the resulting report can be either of two types:
Type 1: Report on the fairness of the presentation of management’s description of the Service Organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
Type 2: Report on the fairness of the presentation of management’s description of the Service Organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
Type 2 reports are generally preferred by users and their independent auditors.
Situation Examples: Employee Benefit Plan administrators, trustees, custodians or other record keepers and their auditors; Payroll Service Organizations users and their auditors
Note: While SAS 70 – codified under Section 324 of the auditing standards – no longer addresses reporting standards, it still provides guidance to independent auditors in planning and performing audits of user entities’ financial statements when an entity uses a Service Organization to process its transactions.
To address controls relevant to subject matter other than user entities’ ICFR, the AICPA created SOC 2 and SOC 3 Reports. Both of these reports address similar subject matter and use the same TSP control criteria.
SOC 2 Reports are generally restricted to users who have an understanding of the Service Organization and its controls, such as management or those charged with governance of the user entities and Service Organizations, its customers, business partners, suppliers, and legal counsel, as well as courts and regulators. In a SOC 2 engagement, management of the Service Organization selects which TSP criteria will be covered by the SOC 2 Report – security, availability, processing integrity, confidentiality, and/or privacy.
SOC 2 Reports include a detailed description of the Service Organization’s system; the controls designed to meet TSP criteria; a written assertion by management of the Service Organization regarding the description and the design and operation of the controls; and the Service Auditor’s opinion on whether the system description is fairly presented and the controls are suitably designed (Type 1), and, if requested, whether such controls are operating effectively (Type 2, which would include the Service Auditor’s description of the procedures it performed to test the operating effectiveness of the controls and the results of those tests for the period covered).
SOC 3 Reports are designed to meet the needs of a wider range of users who need assurance about controls at a Service Organization but do not have the need for or knowledge necessary to effectively use a SOC 2 Report. The SOC 3 Report should include a description of the system and its boundaries, but such description generally is brief and does not include the detail provided in a SOC 2 system description.
SOC 3 Reports will also have a written assertion by the management of the Service Organization regarding the suitability of the design and operation of the controls implemented, and a CPA “practitioner’s” report on the suitability of the design and operating effectiveness of the controls. SOC 3 Reports, however, do not express an opinion on the fairness of the Service Organization’s system description, and do not describe the tests performed by the CPA practitioner nor the results of those tests.
Because they are general use reports, SOC 3 Reports can be posted on a website or distributed to current and prospective customers, or otherwise used as a marketing tool to demonstrate that the Service Organization has the appropriate controls in place to mitigate risks related to processing integrity, security, privacy, etc. If the report is unqualified, the Service Organization is eligible to display on its website the SysTrust for Service Organizations seal, which is valid for 12 months from the date of the report.
Situation Examples for a SOC 2 Report: From outsourcing the entire IT function of an organization; to specific services such as Financial Services customer accounting, where banks and investment companies that outsource the accounting back office to a Service Organization want processing control assurances for their customers; Settlement Fund Claims Administrators that want to assure courts, regulators, and legal counsel that controls are effectively designed and in place to address court-approved plans of allocation and protect claimant confidentiality and privacy; and Software-as-a-Service (or “SaaS”) Organizations or Cloud Computing Service providers.
Situation Example for a SOC 3 Report: An online retailer that wants to provide assurance to its business partners that controls over the privacy of customers’ information meet generally accepted control criteria.
The SOC reporting model is new for 2011 reporting periods and, as with most new standards, will take some getting used to. The public response, however, has been favorable, especially for SOC 2 and SOC 3 Reports that address non-financial statement transaction data. Additionally, the AICPA has issued two SOC Guides and several Q&As. Following are some of the more frequently asked questions.
Q: Can a Service Organization engage a CPA to perform and report on a SOC 2 and SOC 3 engagement?
A: Yes. The work performed in a SOC 2 Type 2 engagement may enable a Service Auditor to report on a SOC 3 engagement. However, because a SOC 3 engagement requires that all TSP criteria be met in order for the CPA to issue an unqualified opinion, certain conditions must be met regarding subservice organizations and complementary user-entity controls. These conditions are described in paragraph 1.19 of the AICPA SOC 2 Guide.
Q: A Service Organization may have controls that are relevant to a user entity’s ICFR and also to the TSPs. For example, a medical claims processing Service Organization is subject to strict privacy regulations and the results from its system processing may be used to record employee benefit expense in a user’s financial statements. Can a SOC 2 Report be issued that combines reporting on a Service Organization’s controls relevant to user entities’ ICFR with reporting on controls relevant to the TSPs, particularly the privacy principle?
A: No, but a Service Organization may engage a Service Auditor to separately perform and report on a SOC 1 and a SOC 2 engagement. In such situations, the Service Auditor may use relevant testing performed in either engagement to provide evidence for the other engagement (Paragraph 1.23 of the AICPA SOC 2 Guide) to keep down costs.
Note that if a Service Organization which has had a SAS 70 Report in prior years is to undergo a SOC 2, or SOC 3, engagement for the first time, the Service Organization will need to determine whether its existing control objectives align with the applicable TSP criteria and whether such control objectives address all of the applicable TSP criteria. If not, the Service Organization will need to implement or revise certain controls to meet all of the applicable TSP criteria.
Q: Is there a minimum period for a Type 2 report on control effectiveness?
A: Performing a Type 2 engagement that covers a period of less than six months is generally discouraged; however, there are certain limited circumstances where a Type 2 report covering less than six months may be considered. See Paragraph A42 of SSAE No. 16.
Out with the Old – SAS 70 Reports, In with the New – SOC 1, 2, & 3 Reports