Service organizations are trusted with some of their customers’ most sensitive information. In order to thrive, these organizations need their stakeholders’ full faith that their internal controls safeguard both financial and nonfinancial information, and are designed and operating effectively. How can service organizations demonstrate that their control systems are protecting their customers? According to the American Institute of Certified Public Accountants (AICPA), Service Organization Control (SOC) reports are the answer.
Smart Business spoke with Jeff Stark, audit partner at Sensiba San Filippo LLP, about SOC reporting and how it helps service organizations provide the broad spectrum of assurance their stakeholders require.
What are SOC reports?
SOC reports are standards created by the AICPA to allow for reporting on controls at service organizations. There are three types of SOC reports: SOC 1, SOC 2 and SOC 3. Together, they both replace and expand on Statements on Auditing Standards (SAS) 70 reports, giving service organizations the tools they need to provide the assurance their stakeholders require.
Though not widely known, SOC reports are becoming essential to the ongoing growth of the technology service sector as more businesses are outsourcing tasks and functions to outside service providers. Since the risk of the service provider becomes the risk of their stakeholders and customers, SOC reports provide much needed assurance, empowering service organizations to gain trust, while helping to protect their stakeholders from outside risk.
Why was SAS 70 replaced?
Since 1992, SAS 70 has provided service organizations with a vehicle to disclose control objectives and activities related to financial reporting. As the market changed, service organizations had a growing need to report on many nonfinancial control objectives. SAS 70, with its limited intended focus, was too often being used for purposes outside of financial controls.
In order to solve this problem, the AICPA issued Statements on Standards for Attestation Engagements (SSAE) 16, which replaced audit standards with attestation standards for internal controls over financial reporting. SSAE 16 standards became the basis for SOC 1 reporting, replacing SAS 70.
Additionally, the AICPA issued guidance related to attestation on controls relevant to the Trust Services Principles and Criteria, including security, availability, processing integrity, confidentiality and privacy. This guidance became the basis for SOC 2 reporting, bridging the gap between the market need for broad assurance reporting and the previously narrow financial focus of SAS 70.
How can an organization know whether a SOC 1 or SOC 2 report is right for them?
Whether an organization should obtain a SOC 1 or SOC 2 report depends entirely on the controls in question. Controls relating to information that could affect financial statements are covered by SOC 1 reports. SOC 2 covers controls related to nonfinancial information.
Payroll processors, employee benefit plan managers and banks commonly use SOC 1 reports. Data centers, Software as a Service providers and companies subject to industry-specific regulatory standards frequently benefit from SOC 2 reports.
Why should companies consider SOC reporting?
Service organizations that want to remain competitive need internal control attestation in a variety of areas. Many companies will not even consider working with an organization without assurance that relevant controls are well designed and operating effectively. In a highly risk-averse business climate, organizations can demonstrate effective controls with the appropriate SOC report.
Jeff Stark is an audit partner at Sensiba San Filippo LLP. Reach him at (480) 286-7780 or email@example.com.
Insights Accounting is brought to you by Sensiba San Filippo LLP
The recent financial downturn and continuing economic global crises have caused some users of financial statements — investors, lenders or financial analysts — to question if auditors’ reports could tell more of the story and alert users earlier to looming problems.
“Everybody wants to minimize investment risk. They figure the more that they know, the better equipped they are going to be to make decisions,” says Carolyn H. McNerney, CPA, director of Assurance Services at SS&G.
Now, standard setting agencies are considering what disclosures need to be added to auditors’ reports.
Smart Business spoke with McNerney about expectations for revised auditor reporting.
What are the responsibilities of management versus the auditor for financial statements?
Management is responsible for preparing the financial statements, including required footnote disclosures, in conformity with generally accepted accounting principles (GAAP) or another reporting framework. The auditors’ responsibility is to express an opinion on the financial statements based on their audit, which involves performing tests and procedures to obtain evidence about the amounts and disclosures in the statements.
Many, if not most, auditors would argue that disclosure should come from management and an auditor’s responsibility is to ensure the ‘numbers’ are fairly stated. Most also acknowledge that the complexity of required disclosures combined with the multitude of new financial instruments, including derivatives, has increasingly complicated reporting. This complexity is a primary driver in the call for more information in auditors’ reports.
What new disclosures are being discussed?
New disclosures are currently being addressed by the International Auditing and Assurance Standards Board (IAASB) as well as by the Public Company Accounting Oversight Board (PCAOB), which sets the U.S. professional reporting standards for auditors of public companies.
Proposed additions include discussion of matters of audit significance that would be in a separate auditors’ commentary or discussion and analysis section of the auditors’ report. The focus would be on key audit areas, which typically require the use of significant management judgment in determining the amounts reported and auditor judgment for the audit approach.
Will the benefits of expanded disclosure be offset by a lack of comparability?
Standard setters are still deciding what should be disclosed and in how much detail. There is a concern that many financial statement users will be confused by detailed disclosures of audit risk and auditors’ responses thereto. A ‘clean’ auditor’s opinion often takes only one page. Some proposed new example reports go on for many pages.
The question is: Will users be able to interpret and compare auditors’ reports that contain a varying amount of disclosures and are significantly different in length? Sophisticated financial analysts may find this additional information useful; others may find it confusing or misinterpret what the disclosure is intended to convey.
Does the additional cost of potential new disclosures outweigh the benefit?
Additional disclosures in the auditors’ reports will require more time of both auditors and management, resulting in additional costs. In the U.S., expanded disclosures are currently being proposed only for public companies.
In the private company world, financial statement users have access to management and, perhaps, even the auditor, should they have questions. For this reason, additional disclosures for private companies are not currently being proposed.
What should owners look for in the future?
It seems very likely that there will be some kind of revised, expanded auditor reporting standards for public companies over the next several years. The IAASB has publicly discussed a desired timetable for the issuance of new reporting standards while the PCAOB has not. Certainly, both of these organizations are keeping a watchful eye on each other’s activities and proposals with respect to auditor reporting. However, even private business owners invest in the public company marketplace and receive annual reports of investments.
Carolyn H. McNerney, CPA, is director, Assurance Services, at SS&G. Reach her at (330) 668-9696 or CMcNerney@SSandG.com.
Insights Accounting & Consulting is brought to you by SS&G