Internal Control & Outsourcing

CPAs Calculating the Latest in Audit + Accounting News

What is the first thing that comes to mind when you think of internal controls? Making sure work is double checked? Making sure that the employee in charge of reconciling the bank account does not also receive the mail, sign checks, and reconcile receivable and payable accounts? Segregation of duties is typically one of the first things that come to mind when I think of internal controls. As a CPA, I think about the COSO framework. You may now be thinking, COSO? Pardon me?

Allow me to explain without getting too deep into it. COSO stands for Committee of Sponsoring Organizations of the Treadway Commission – which basically is an organization that provides leadership, thought and guidance on internal controls, enterprise risk management and fraud prevention. This organization originally released the internal control framework in 1992 and recently it has been updated in 2013.

At a high level, the 2013 and 1992 version of the COSO framework is very similar because they both contain the five main components of internal control as well as the same definition of internal control. The 1992 framework implicitly stated core principles of internal control which was changed in the 2013 update by explicitly stating 17 principles of internal control that represent fundamental concepts associated with the 5 components. Each of the 17 principles is now supported by focus points. These focus points are designed to help provide guidance to assist management in designing, implementing, conducting, and assessing whether the 17 principles are not only present, but are also operating together within the organization. For those of you interested in understanding each of the 5 components and 17 principles of internal controls, here is a good place to start:

Now that a brief background of the internal control framework has been established, I will move on to outsourcing and the main point of this blog. It is common these days for companies to outsource operations/business tasks that typically were performed in house. Some examples would be IT services, data entry, customer support, payroll processing, etc. When a company considers outsourcing, they should do research on the provider and learn about the provider’s internal control structure. One of the easiest ways to do that is by asking the outsourcing provider if they have a service auditor’s report such as a SOC 1 (SSAE16) report (common reports). There are two types of service auditor reports, Type I & Type II. Without getting too specific, a Type II service auditor report is more reliable than a Type I report.

In summary, when a company outsources a business operation, they essentially remove their internal control on that operation and rely on another organization’s internal control. Wouldn’t you want to be sure that outsourcing company has good internal controls in place so you can feel confident about the services you are receiving?

By Josh Mitchell, CPA