Many enterprises outsource a portion of their operations, including information systems, to service enterprises.

The IFAC International Standard on Assurance Engagements (ISAE) 3402, Reporting on Controls at a Service Organization, and the corresponding American standard SSAE 16 define a service organization as “a third-party organization (or segment of a third-party organization) that provides services to user entities that are likely to be relevant to user entities’ internal control as it relates to financial reporting.” There is an increased emphasis on outsourcing as enterprises take advantage of the increased capability and reduced cost of services that include cloud computing (software as a service [SaaS]), data centers, help desks, business process outsourcing and co-located computing facilities. Increasingly, outsourced services are central to service provision by IT functions within enterprises.

ISAE 3402 and SOX 404

In the context of SOX 404 compliance, the services provided by service organizations are an integral element of organizational information systems. Depending on their nature and extent, the outsourced services from service organizations may come within the scope of ICFR. Management should consider the services provided by service organizations in making its assessment of ICFR, in the context of SOX 404 compliance. There is a range of issues that management must consider when making this assessment. Similarly, internal and external auditors of those organizations must take into account the extent and materiality of the services provided by service organizations when designing audit procedures on the functioning of IT controls.

Assurance on the Operation of Services Organizations

The increasing importance of service organizations to ICFR gives rise to a range of assurance services on the services provided by these organizations to other organizations and the public. Generally, three classes of assurance services on service organizations, covering different levels of assurance and intended for different users, are defined (based on US AICPA regulation):

• SOC 1—Report on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting in accordance with the IFAC Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, IFAC Professional Standards, AT Section 801. SOC 1 reports go to the auditors of user entities of the service organization. SOC 1 reports under ISAE 3402, promulgated in 2011, replace the IFAC Statement on Auditing Standards (SAS) No. 70, Service Organizations reports. There are two classes of SOC 1 reports. Type 1 reports give an opinion for a specific point of time. Conversely, Type 2 reports encompass a period. Both reports give an opinion on management’s description of the system and on the appropriateness of the design of controls within the system. Importantly, Type 2 reports also give an opinion on the operating effectiveness of those controls.

SOC 1 reports support the work of auditors in their conduct of the financial statement audit on clients who use outsourced service providers. SOC 1 reports provide evidence for the auditor on the nature and quality of internal controls at these service providers. The scope of SOC 1 engagements is, as a result, clearly limited to the controls that are relevant to ICFR.

• SOC 2—Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy in accordance with IFAC AT Section 101 and Trust Services Principles Criteria and Illustrations, TPA Section 100. SOC 2 reports go to the management and users of the service organization.

The scope of SOC 2 reports can be considerably broader than for SOC 1 reports. SOC 2 engagements draw on the IFAC and CPA Canada’s Trust Services Principles Criteria and illustrations. SOC 2 reports may cover aspects of security, privacy, electronic commerce and other operational issues that go beyond the processes and controls that impact financial reporting.

• SOC 3—Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy in accordance with IFAC AT Section 101 and Trust Services Principles Criteria and Illustrations, TPA Section 100.

SOC 3 engagements draw on the same Trust Service Principles Criteria and Illustrations as for SOC 2 engagements. The key and important difference between these engagements is that SOC 3 reports are intended for general use and can be freely distributed and publicly promoted.

AS 5 requires auditors to conduct appropriate procedures to evaluate the operating effectiveness of controls at the service organization. One of the possible procedures that AS 5 points to is for the organization’s auditor to obtain a service auditor’s report on the nature of controls at the service organization and the operating effectiveness of those controls (SOC 1, Type 2 report) to support the assessment and opinion, if the SOC 1 report is sufficient. Other procedures that AS 5 identifies include performing tests at the client organization and potentially at the service organization.

MEA02 Monitor, evaluate and assess the system of internal control in COBIT 5 provides good practice on the monitoring and evaluation of internal control. SOC 1 and SOC 2 reports are potentially important elements in the system of internal control for user enterprises. Service auditor SOC 1 and SOC 2 reports can provide input to several of the management practices within MEA02. For example, management practice MEA02.02 suggests “Review business process controls effectiveness,” and management practice MEA02.04 suggests “Identify and report control deficiencies.” SOC 1 and SOC 2 assurance reports are valuable inputs to these management practices, where outsourcing is material. The RACI chart for the MEA02 process provides valuable help on how responsibility for monitoring and assessment of internal control can be devised.32

Reporting of Controls of Service Organizations

An auditor of a user enterprise should review the SOC 1 report for appropriateness of timing, scope, control mapping and conclusions reached. Service providers themselves often will be consumers of outsourced services. The auditor will, as a result, consider the applicability of any service sub-provider reports while also auditing those reports. An important consideration for the auditor of the user enterprise is to deliberate on any deviations noted within the report and the impact of those deviations on whether the auditor can rely on the SOC 1 report.

An important element of SOC 1 engagements is complementary user entity controls (CUECs). The auditor of the service provider that completes the SOC 1 report is communicating with the auditors of the clients (user enterprises) of the service provider. There may well be hundreds or thousands of these user enterprises. The user enterprises will often have a responsibility for instituting controls as part of the overall outsourcing relationship. These are CUECs. The auditor of the user enterprise will need to test the CUECs and, after consideration of those CUECs, make a determination whether they can rely on the SOC 1 report coupled with management’s CUECs.

After consideration of timing, scope and control mapping in the SOC 1 report, the auditor of a user enterprise may consider that the coverage of the SOC 1 report is insufficient to support the auditor’s assessment of ICFR. The remainder of this chapter identifies issues that may exist or surface when evaluating the sufficiency of a SOC 1 report.

Scope

Several issues may result in the scope of the SOC 1 report not being sufficient to provide the evidence that the service organization’s controls are operating effectively. These issues include the following:

• The description of controls is not relevant or is relevant to only a portion of the outsourced services that are part of the information system.

• The description of controls does not sufficiently cover the service organization locations that provide services to the user enterprise.

• The service organization relies on another organization, the service sub-provider has been “carved out” of the scope of the ISAE 3402 report, and no ISAE 3402 report is available from the service sub-provider.

In these instances, management and the auditor(s) should consider the following:

• Obtaining an understanding of the controls that are placed in operation at the service organization that are not covered by an ISAE 3402 report and are relevant to the user enterprise’s financial statement assertions

• Obtaining evidence that the controls are operating effectively through direct testing or other means

In performing these procedures, management and the auditor(s) should recognize that the procedures to be performed will vary, depending on the importance of the controls at the service organization to management’s assessment and on the level of interaction between the company’s controls and the controls at the service organization.

Description of controls

PCAOB AS 5, paragraph B19 (Appendix B) states that the description of controls provided by the service organization is designed to permit user enterprises and their auditors to obtain:

“an understanding of the controls at the service organization that are relevant to the entity’s internal control and the controls at the user organization over the activities of the service organization.33”

While the service organization is responsible for fair presentation of the description of controls and the service auditor gives an opinion on the fairness of the description, unique aspects of the user enterprise’s process and financial statement assertions may result in the description of controls not meeting the needs of the user enterprise and its auditors.

Issue: The description of controls is not presented at a level of detail that is sufficient to permit management or the auditor to:

• Identify types of user enterprise financial statement assertions that are likely to be affected by the controls and sources of potential misstatements

• Consider factors that affect the risk of material misstatement

• Support management’s assessment with regard to internal control

• Support the auditor’s opinion on internal controls

Issue: The control objectives that are specified by the management of the service organization do not address all of the financial statement risk factors that are identified by user management or do not provide sufficient evidence of the coverage of appropriate risk.

Issue: The controls that are specified by management of the service organization are not, in the judgment of user management or the auditor(s), sufficient to achieve the specified control objectives as they relate to the user enterprise’s financial statement assertions.

Issue: The description of controls does not present sufficient information about the relevant entity-level IT controls to permit user enterprise management or the user auditor(s) to assess their operating effectiveness in establishing, enhancing or mitigating the effectiveness of the activity-level IT controls.

Management of the user enterprise can address these issues by augmenting the description of controls that are presented in the ISAE 3402 report with information available from other sources. These sources may include user manuals, system overviews, technical manuals, the contract between the user enterprise and the service organization, and reports by internal auditors and regulatory authorities of the service organization. This information may need to be supplemented with information obtained directly from the service organization through verbal or written inquiry.

Issues in using ISAE 3402 SOC 1 examination reports

Issue: The description of controls at the service organization does not contain a description of controls that should be in place at the user enterprise. The design of controls at service organizations usually requires user enterprises to implement certain controls.

If the description of controls does not identify such user enterprise controls, the user enterprises and their auditors consider whether any controls should have been identified. In making this evaluation, user enterprises may wish to compare the sources of potential misstatements that they have identified to the controls from the ISAE 3402 report.

Timing

An inherent trade-off exists between the need for management and auditors to have the most current evaluation of service organization controls possible and the receipt of the ISAE 3402 report with sufficient timeliness that any control exceptions or control objective qualifications can be assessed and the risk mitigated. This trade-off often results in the ISAE 3402 report date preceding the balance sheet date of the user enterprise. This results in two issues that may need to be addressed.

First, significant changes have occurred to the controls over the services provided during the period of time that has elapsed between the time covered by the tests of operating effectiveness and the date of management’s assessment. Normally, an auditor of the user enterprise seeks a comfort letter from the auditor of the service organization. If significant changes have occurred in the controls at the service organization, management and the auditor(s) should consider the following:

• Obtaining an understanding of the controls that have changed and that are relevant to the user enterprise’s financial statement assertions

• Obtaining evidence that the controls that have changed are operating effectively. Change notifications, technical manual updates, training materials and other communications from the service organization are often sufficient to permit management and the auditor(s) to understand the effect of the change on the user enterprise’s financial statement assertions. However, additional inquiry of service organization personnel, supplemented with the receipt of additional documentation, may be necessary.

Evidence that the controls that have changed are operating effectively may be more difficult to obtain. If the service organization maintains effective IT general controls, management and the auditor(s) may be able to evidence the functioning of application control changes at the user enterprise site through direct tests of the application controls or participation in user acceptance testing and inspection of the results of the testing. In other instances, the controls that have changed may be redundant with controls in place and functioning at the user enterprise. In these instances, management and the auditors may choose to test these redundant controls. Finally, management or the auditors may determine that the control can be tested only at the service organization location. In these instances, management or the auditor may need to travel to the service organization location or make arrangements to have the service auditor test the controls that have changed and issue an agreed-on procedures or attestation report.

The nature and extent of management and the auditor’s procedures will vary, depending on the importance of the controls to management’s assessment and on the level of interaction between the enterprise’s controls and the controls at the service organization.

The second timing issue is that a significant period has elapsed between the time covered by the tests of operating effectiveness and the date of management’s assertions. In such a case, there is a risk that the controls at the service organization have changed or have ceased to operate effectively. Management should perform procedures to identify whether any such changes have occurred.

Nature and Extent of Testing

When the nature or extent of testing that is performed by the service auditor is not sufficient to support management’s assessment of controls as they relate to the financial statement assertions, user enterprise management or the auditor need to perform additional procedures.

Issue: The tests of operating effectiveness of controls that are specified by the service organization do not provide sufficient evidence to support a conclusion about control risk for the financial statement assertions of the user enterprise. A similar problem exists if there is insufficient testing of controls to address the financial statement risk factors that are identified by management.

Issue: The description of the tests of controls is insufficient in detail regarding the nature, timing and extent of testing to permit user enterprise management or the auditor to assess the control risk for the financial statement assertions of the user enterprise.

In this instance, management and the auditor may be able to arrange a discussion with the service organization and its auditor to obtain additional information regarding the description of the tests. Such inquiries and the responses should be documented in accordance with standards, together with an evaluation of the sufficiency of the responses received.

If such a discussion cannot be arranged, the specific testing should be treated as providing insufficient evidential matter to support a conclusion.

Issue: The description of tests that are performed on the relevant aspects of the control environment, information and communication, risk assessment, and monitoring that are related to the services provided is not sufficient to permit user enterprise management or the auditor to assess their operating effectiveness in establishing, enhancing or mitigating the effectiveness of the specified controls. Management and the auditor should consider performing limited procedures to test these controls through inquiry and inspection of regulatory filings and other documents.

Issue: In describing the results of tests of operating effectiveness performed, the description of deviations is not sufficient (e.g., sample size, number of deviations noted, the nature of the deviations, causative factors, corrective actions or other relevant qualitative information) to permit user enterprise management or the auditor to assess their impact on the control risk for the financial statement assertions of the user enterprise. In this instance, user enterprise management or the auditor may be able to arrange a discussion with the service organization and its auditor to obtain additional information regarding the description of the exception(s). Such inquiries and the responses should be documented in accordance with standards, and the control should be evaluated based on the response received. If such a discussion cannot be arranged, management and the auditor should consider the control as not operating effectively and should evaluate its impact on the user enterprise’s financial statement assertions.

Qualifications and Deviations

Issue: The opinion of the service auditor results in the evaluation of those aspects of internal control that are provided by the service organization as ineffective. When the service auditor’s opinion contains a qualification in the opinion or an exception is noted in the description of the results of testing, management should identify the qualification or exception as a control deficiency and identify any controls implemented by the user enterprise that compensate for the control deficiency noted, or otherwise mitigate the risk associated with the deficiency. The deficiency should then be evaluated in accordance with the user enterprise’s methodology for evaluating deficiencies.

Issue: There is insufficient detail on the qualifications contained within the service auditor’s opinion to permit user enterprise management or the auditor to assess the impact on the control risk for the financial statement assertions of the user enterprise. In this instance, management and the auditor may be able to arrange a discussion with the service organization and its auditor to obtain additional information regarding the description of the qualification. Such inquiries and the responses should be documented in accordance with standards, and the control objective and related controls should be evaluated based on the response received. If such a discussion cannot be arranged, user enterprise management and the auditor should consider the control objectives as not having been achieved and should evaluate the impact on the user enterprise’s financial statement assertions.

Service Auditor

Issue: The reputation, competence, independence and professional standing of the service auditor are not sufficient to support management’s assessment and the auditor’s opinion. Where the reputation, competence, independence or professional standing of the service auditor is not sufficient, management and the auditor should deem the nature and extent of the procedures that were performed to be insufficient and should perform such procedures as noted previously.