Over the past twenty years, businesses of all sizes have outsourced non-core processes to a service organization in order to focus management’s energy on revenue-generating activities. Outsourcing can involve almost any business function, but the most common outsourced business processes include payroll processing, back-office accounting, and information technology, among others.
Since the outsourced process is likely to have a material impact on the financial statements of the business, management must consider the service organization’s internal controls. Rather than send its auditors to each service organization, most user organizations obtain a report on the service organization’s internal controls. This is accomplished by having a CPA firm prepare a report that describes the internal control structure and an opinion on whether it is operating effectively.
Service Organization Internal Controls
Whether your business is a user organization or a service organization, a report over internal controls should be considered. User organizations can obtain the necessary assurance about the processes and service organizations can deal with only one set of auditors, which in turn will differentiate its services from other outsourcing organizations.
Until now, the Statement on Auditing Standards (SAS) No. 70 was the governing standard for performing independent audits of service organization internal controls. Effective June 15, 2011, SAS 70 will be replaced by Standards for Attestation Engagements (SSAE) No. 18. Issuance of SSAE 18 was required in order to update the U.S. service organization reporting standard so that it complies with the new international service organization reporting standard ISAE 3402. SSAE 18 provides three different reporting options (SOC-1, SOC-2, and SOC-3) each with their own requirements.
The old SAS 70 served primarily as a report to the user organization’s auditors (enabling them to rely on the service organization’s controls when auditing the user organization’s financial statements). The new SSAE 18 goes beyond the auditor-to-auditor communication. SOC-1 replaces the old SAS 70. SOC-2 deals with reporting on technology-related areas that go beyond financial controls – like privacy, availability, confidentiality, processing integrity and security. Finally, SOC-3 deals with the same non-financial control areas as SOC-2, but reports on them in accordance with AICPA/CICA Trust Services Principles and Criteria, which allows the service organization to distribute the report more broadly.
Please contact Trey Kennedy or Kevin Rockecharlie to discuss these new reporting requirements.
BKM Sowan Horan, LLP is a licensed CPA firm, registered with the AICPA and the PCAOB. Our CPAs who focus on examinations of service organization controls (SOC) are experienced IT auditors. We have developed an efficient and effective control assessment and testing methodology that enables us to deliver SOC reports timely and with less disruption to the service organization’s business. All of our engagements are staffed with seasoned professionals who are able to help our clients define their control objectives and document their control activities in order to streamline the examination process.