Service organizations exist to perform tasks that a company of any size either cannot perform itself or would rather outsource to a third party. Examples of service organizations include:
- Payroll providers
- 401(k) record-keepers
- IT backup and cloud services
- And more
But do companies understand and review the controls within those service organizations, both to confirm that the company is using the services correctly and to confirm that the service organization is operating as described?
Most service organizations can provide a SOC 1 report to their customers on request. This SOC (System and Organization Controls, formerly Service Organization Control) report describes the service organization's internal controls over financial reporting that are relevant to its user entities. In addition to the description of the controls in place, a SOC 1 report includes the service auditor's report, which contains an opinion on whether those controls were suitably designed to provide reasonable assurance that the stated control objectives would be achieved if the controls operated effectively. A Type 1 report gives that opinion as of a point in time; a Type 2 report additionally covers whether the controls operated effectively throughout a specified period.
Below are some key items that a company should look at within the report.
Audit opinion
As noted above, these reports include an audit opinion over the described controls. A company should read the opinion and determine whether it is qualified; if it is, the company should identify the cause of the qualification and decide whether it raises concerns about the company's continued use of the service organization.
Complementary user entity controls
Within these reports is typically a section titled Complementary User Entity Controls ("CUEC"). This section lists the controls that the service organization assumes its customers have in place, and that are needed for the service organization's own controls to achieve their objectives. One example of a CUEC from a payroll provider is "ensuring that custom settings used in the processing of payroll are configured based on the client's environment." A company should review these CUECs and confirm that each necessary control is actually set up and operating within its own organization; a control objective in the report may not be met if the corresponding CUEC is missing.
Exceptions/deviations
Ideally a service organization will have no exceptions or deviations identified, but where there are some, a company should review each exception or deviation in the report and determine whether it affects the company's use of the service organization, and whether the company has mitigating controls of its own that address it. Exceptions and deviations should be considered both individually and in the aggregate to determine their effect, if any, on the company's use of the service organization.
These are just a few of the items that a company should look at within a report. For further information on SOC 1 reports and their use, visit the AICPA's website.
Kevin C. Bach, CPA, CVA