By Charles Hall | Auditing
Service organization control (SOC) reports are often necessary to understand outsourced accounting services. So, when are SOC reports needed?
When are SOC Reports Needed?
SOC reports are needed when:
- The user entity’s complementary controls are not sufficient to lessen the possibility of material misstatements
- The SOC report provides information concerning a significant transactions cycle
Many organizations outsource portions of their accounting to service organizations. Think ADP–a service organization that provides payroll services. External auditors need to understand a service organization’s system and related controls–particularly if that work could allow material misstatements in the user’s financial statements. This understanding is provided in SOC reports.
All financial statement audits focus upon whether material misstatements are occurring. Moreover, the auditor’s opinion is supported by audit evidence proving the financial statements are fairly stated. But does (some of this) audit evidence come from SOC reports? Sometimes, yes.
A financial statement auditor is concerned with material misstatements, regardless of how or where they occur–and regardless of who allows the misstatement. Therefore, auditors look for internal control weaknesses in both the entity being audited and outsourced service organizations.
As we will see, the external auditor may not need all SOC reports. On the other hand, some SOC reports may be needed but don’t exist.
Definitions Related to Service Organizations
Before delving into the details of service organization controls, let’s define a few key words. These definitions come from AU-C 402.
Complementary user entity controls. Controls that management of the service organization assumes, in the design of its service, will be implemented by user entities and are necessary to achieve the control objectives stated in management’s description of the service organization’s system, and are identified as such in that description.
Service auditor. A practitioner who reports on controls at a service organization.
Service organization. An organization or segment of an organization that provides services to user entities that are relevant to those user entities’ internal control over financial reporting.
Audit Standard for Service Organizations
AU-C 402, Audit Considerations Relating to an Entity Using a Service Organization, states the following:
Services provided by a service organization are relevant to the audit of a user entity’s financial statements when those services and the controls over them affect the user entity’s information system, including related business processes, relevant to financial reporting. Although most controls at the service organization are likely to relate to financial reporting, other controls also may be relevant to the audit, such as controls over the safeguarding of assets. A service organization’s services are part of a user entity’s information system, including related business processes, relevant to financial reporting if these services affect any of the following:
a. The classes of transactions in the user entity’s operations that are significant to the user entity’s financial statements;
b. The procedures within both IT and manual systems by which the user entity’s transactions are initiated, authorized, recorded, processed, corrected as necessary, transferred to the general ledger, and reported in the financial statements;
c. The related accounting records, supporting information, and specific accounts in the user entity’s financial statements that are used to initiate, authorize, record, process, and report the user entity’s transactions. This includes the correction of incorrect information and how information is transferred to the general ledger; the records may be in either manual or electronic form;
d. How the user entity’s information system captures events and conditions, other than transactions, that are significant to the financial statements;
e. The financial reporting process used to prepare the user entity’s financial statements, including significant accounting estimates and disclosures; and
f. Controls surrounding journal entries, including nonstandard journal entries used to record nonrecurring, unusual transactions, or adjustments.
If a service organization’s work affects any of the items listed in a. through f., those services are a part of the audited entity’s information system.
When does the external auditor not need SOC reports or other information related to a service organization? Paragraph .05 of AU-C 402 answers that question as follows:
This section does not apply to services that are limited to processing an entity’s transactions that are specifically authorized by the entity, such as the processing of checking account transactions by a bank or the processing of securities transactions by a broker (that is, when the user entity retains responsibility for authorizing the transactions and maintaining the related accountability).
Additionally, complementary user entity controls may be strong enough to eliminate the need for information about the service organization’s controls.
Complementary User Entity Controls
The user entity–an entity that uses a service organization and whose financial statements are being audited–may have controls sufficient to eliminate the need for SOC reports or other information from the service organization. Sometimes the user entity has controls that mitigate the risk of material misstatements caused by service organization deficiencies. Such controls are referred to as “complementary user entity controls.” If the complementary controls operate effectively, the user auditor–an auditor who audits and reports on the financial statements of a user entity–may not need SOC reports or other service organization information.
Alternatively, if the service organization initiates, executes, processes, and records the user entity’s transactions, then the user auditor may need SOC reports or other service organization information.
Is the Placement of a SOC Report in the Audit File Sufficient?
Placing a SOC report in an audit file without reading and understanding it provides little-to-no audit evidence.
A SOC report provides information about how the service organization’s controls lessen the possibility of material misstatement. So, the user auditor needs to read and document how the service organization’s controls lessen the risk of material misstatement. This understanding of controls is necessary if the service organization’s work affects a significant transaction cycle such as payroll.
Think of SOC reports in this manner: Pretend there is no service organization and the company being audited performs the same processes and controls. If the audited entity performs these controls–and no service organization exists–the auditor gains an understanding of the controls using risk assessment procedures such as inquiry, observation, and inspection of documents. Potential control weaknesses are exposed by the risk assessment process. Thereafter, the identified risks are used to develop the audit program and substantive procedures. The same audit process applies when there is a service organization. But when a service organization is used, the user auditor uses the SOC report to gain an understanding of the service organization’s part of the entity’s accounting system.
If control weaknesses are noted in the SOC report, the user auditor may–as a response–perform substantive procedures. By doing so the auditor lowers the overall audit risk (which is the risk that the auditor will issue an unmodified opinion when one is not merited).
Type 1 or Type 2 SOC Reports?
Service organization auditors can issue type 1 or type 2 reports.
A type 1 SOC report provides a description of a service organization’s system and the suitability of the design of controls.
A type 2 SOC report includes a service organization auditor’s opinion on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls.
The type 1 report provides information about the service organization’s system and related controls. The type 2 report provides an opinion on the system description and the design and effectiveness of the controls. A type 1 or a type 2 report can be used to gain an understanding of the controls.
Should the Auditor Visit the Service Organization?
Usually, the auditor does not need to visit the service organization, but sometimes it is necessary to do so. If the service organization provides no SOC report and the complementary user entity controls are not sufficient, then the auditor may have no choice but to review the service organization’s system and controls. Only do so if the service organization handles significant parts of the accounting system.