(Source: BDO USA)
Earlier this year, the American Institute of Certified Public Accountants’ (AICPA’s) Auditing Standards Board approved an updated release to the AICPA SOC 1 Guide, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (SOC 1®). The guide has been developed by the AICPA Service Organizations Guide Task Force to assist practitioners engaged to examine and report on controls at a service organization that are likely to be relevant to user entities’ internal control over financial reporting. The latest updates provide enhanced implementation guidance for auditors and users to bring clarity around several recent and emerging industry topics to promote reporting quality and consistency, incorporating new attestation standards (e.g., SSAE 20 and SSAE 21). The SOC 1 Guide was updated to conform with SSAE as follows:
– SSAE No. 20, Amendments to the Description of the Concept of Materiality
– SSAE No. 21, Direct Examination Engagements
If you currently have or will be working toward a SOC 1 report, it is essential to understand the impact to the SOC 1 reporting process. Early preparation will help your organization stay ahead of the curve when it comes to preparation and achieving compliance.
The updated SOC 1 guidance is significant in the following ways:
– Clarifications and templates should enhance consistency in reporting;
– Additional information regarding key reports will help user entities and their auditors with their ICFR auditing;
– Service auditors and user entities may need to consider impact to scope and efforts if key report approach needs enhancement;
– Enhanced guidance regarding treatment of subservice organization (SSOs), their complementary user entity controls (CUECs) and complementary subservice organization controls (CSOCs) will benefit user entities and service auditors;
– The many enhancements to illustrative scenarios and examples will benefit service auditors by promoting clearer alignment with the standards.
Clarification that management’s description of the service organization’s system generally should include key outputs, such as reports or files provided or made available to user entities if they are relevant to user entities’ internal control over financial reporting (ICFR)
3.30: Additionally, in meeting the description criteria in paragraphs .15a(i)-(ii) of AT-C section 320, the description of the service organization’s system generally would include key outputs, such as reports or files provided, or made available, to user entities if they are relevant to the user entities’ internal control over financial reporting. The list of reports may be included in the description itself or presented in an appendix to the description and incorporated by reference into the description of the service organization’s system.
3.105: To expand on the auditor procedures previously provided in 3.101, additional guidance provided to obtain system description details for key outputs or reports provided, or made available, to user entities when those reports are relevant to a user entity’s ICFR.
4.70: The service organization may provide information to user entities that is relevant to the user entities’ internal control over financial reporting (a) in the form of reports, or (b) by allowing user entities to access their information and to customize the information to meet their needs. In such instances, the service organization may include an appropriate control objective related to such information. The following are illustrative control objectives that may be used, depending on the manner in which the information is provided to user entities:
- Reports Provided to User Entities
• Controls provide reasonable assurance that [identify reports] provided to user entities are complete, accurate, and timely.
- Information Provided to User Entities That May Be Customized to Meet Their Needs
• Controls provide reasonable assurance that information provided to user entities is complete, accurate, and timely.
Clarification that management of the service organization is responsible for its description of the service organization’s system, by revising the title of the description in the following way:
– Management Description of XYZ Service Organization’s Description of Its [Name of System]
– Removes the term vendor from the discussion of whether a service provider is a subservice organization. A service provider either is or is not a subservice organization and there is no need to use another term for a service provider that is not a subservice organization.
Expanded Guidance Regarding Internal Audit Procedures
Expansion to guidance regarding procedures related to an Internal Audit function:
3.106: Paragraph .21 of AT-C section 320 states that, if the service organization has an internal audit function, part of the service auditor’s understanding of the service organization’s system should include the following (also see paragraphs 3.101—.132):
a. The nature of the internal audit function’s responsibilities and how the internal audit function fits in the service organization’s organizational structure
b. The activities performed, or to be performed, by the internal audit function as it relates to the service organization
In addition, as part of the service auditor’s process to obtain an understanding of the service organization’s system, paragraph .16a of AT-C section 205 requires the service auditor to make further inquiries to obtain an understanding of the main findings of the internal audit function with respect to the subject matter.
Evaluating Controls on a Sample of Transactions
.98: Provides guidance for evaluation of management controls that rely on sampling of transactions.
• Reasonableness of management’s accuracy rate expectation;
• Characteristics relevant to the control objective sufficiently addressed;
• Sufficient number of transactions to reasonably assess the accuracy rate within the population;
• Transactions tested are representative of the full population;
• Sufficient process in place for management to review testing results and take timely corrective actions to address errors.
Description includes the controls at the service organization that monitor the effectiveness of controls at the subservice organization.
3.63: …monitoring is a component of a service organization’s internal control …and …may be necessary for the achievement of …control objectives…regardless of whether the carve-out or inclusive method is selected, the description … and the scope of the service auditor’s examination include the controls at the service organization that monitor the effectiveness of controls at the subservice organization. Such monitoring controls may include some combination of the following:
– Ongoing monitoring to determine that potential issues are identified timely
– Separate evaluations to determine that internal controls are effective over time
– Examples may include vendor security reviews, review of SOC reports, and/or questionnaires
Service auditor is only required to determine whether monitoring controls are fairly presented and not whether they are suitability designed and operating effectively.
3.67: Although monitoring controls are included in the description, the service auditor is only required to determine whether they are fairly presented and not whether they are suitability designed and operating effectively because the service auditor is required by paragraph .27 of AT-C section 320 to assess the suitability of the design and by paragraph .28 to test the operating effectiveness of controls that management has identified in its description as the controls that achieve the control objectives, and the description ordinarily does not include a control objective regarding monitoring of the subservice organization’s activities. Even if the description did include a control objective that addressed monitoring activities, testing the suitability of the design and operating effectiveness of monitoring controls might be of limited value because in a carve-out engagement, by its nature, the service organization’s monitoring controls are limited to those controls that the service organization has the ability to implement and cannot encompass controls over all the negative events that could occur at the subservice organization that could harm user entities.
The service auditor does not have a responsibility to communicate to user entities deficiencies identified at a carved-out subservice organization.
3.68: Management’s monitoring activities may identify deficiencies in relevant controls or other problems at the subservice organization … or the service auditor may become aware of such information through other means. If such information is inconsistent with the evidence on which the practitioner originally based the assessment of the risks of material misstatement, the service auditor should revise the assessment…and modify the planned procedures accordingly. However, the service auditor does not have a responsibility to communicate to user entities deficiencies identified at a carved-out subservice organization. Such concerns may include some combination of the following:
– Qualified SOC reports
– Issues noted in vendor assessment
– Public news articles
Controls Identified by a Subservice Organization as Controls That Should Be Implemented by User Entities (Service Organization Is a User Entity of the Subservice Organization).
3.41: In addition to controls that a service organization expects user entities to implement, there may be activities that a subservice organization expects the service organization…to implement. If the subservice organization has a SOC 1® report, such activities may be identified …within the complementary user entity controls… If the service organization needs to have controls in place to address the complementary user entity controls … such controls should be identified in the service organization’s description. Including complementary subservice organization controls (CSOCs) in system description.
3.46: The method of presenting the description of complementary subservice organization controls is not prescribed …however …the description should include the specified control objectives and controls designed to achieve those objectives, including, as applicable, complementary user entity controls and complementary subservice organization controls assumed in the design of the service organization’s controls.
– Physical security
– Incident notification
– IT General Controls
– And more
Summary of Changes
- Illustrative reports and management assertions
- Revised the illustrative and management assertions to emphasize that management of the service organization is responsible for its description of the service organization’s system and for its assertion
- Subservice monitoring audit procedure examples
3.66: Examples of procedures that the service auditor may perform to determine whether subservice organization monitoring activities are presented fairly
Additional examples of CUECs which may be necessary to achieve service org’s control objectives (3.37)
As explained in the SOC 1 Guide (3.36) Paragraph .15a(vii) of AT-C section 320 indicates that the description should include, among other things, the specified control objectives and the controls designed to achieve those control objectives including, as applicable, complementary user entity controls. Paragraph 3.37 of the guide provides examples of situations in which complementary user entity controls may be necessary to achieve the service organization’s related control objectives.
Appendix I: additional language on QM. “On June 2, 2022, the ASB issued Statement on Quality Management Standards (SQMS) No. 1, A Firm’s System of Quality Management, codified as QM section 10. Systems of quality management in compliance with SQMS No. 1 are required to be designed and implemented by December 15, 2025, and the evaluation of the system of quality management required by SQMS No. 1 is required to be performed within one year following December 15, 2025.”
To enure compliance with the new SOC 1 guidance updates, connect with an Elevate service specialist to request an assessment!
Also be sure to check out BDO USA webcasts every week at https://www.bdo.com/events.