Service organization control (SOC) reports are often necessary to understand outsourced accounting services. The reports discussed here are the SOC 1 variety, which cover a service organization's controls relevant to its users' internal control over financial reporting; a SOC 2 report, which addresses security, availability and related criteria, is not designed to support a financial statement audit. So, what are SOC reports and when are they needed?
When an entity provides services to other entities (e.g., ADP payroll services), the service organization wants to give its clients comfort. Why? Because the service organization wants to provide assurance that its services are safe and effective, and trust is foundational to the business relationship. So the service organization hires an outside, independent auditor to examine its system and controls. The result of that examination is a service organization control report.
If ADP wants to give its clients comfort regarding the design and operation of its accounting system, it will hire an outside audit firm to review and render an opinion on its internal controls. SOC reports provide comfort to the service organization's clients, but they are also used in another manner.
Suppose ADP provides payroll services to Jet Sports, Inc. The auditors of Jet Sports will review ADP's SOC report to see if ADP's system and controls are appropriately designed and operating. After all, ADP, in this example, is an extension of Jet Sports, Inc.'s accounting system. Jet's auditors view ADP's services as a part of Jet's accounting system: Jet has simply outsourced its payroll processing to ADP. That is why ADP's SOC report is relevant to Jet Sports, Inc.'s audit.
So when are SOC reports needed? Many organizations outsource portions of their accounting to service organizations, such as ADP's payroll services. External auditors need to understand a service organization's system and related controls, particularly if that work could allow material misstatements in the user entity's financial statements. This understanding is provided by SOC reports.
All financial statement audits focus on whether material misstatements are occurring, and the auditor's opinion is supported by sufficient appropriate audit evidence that the financial statements are fairly stated. Does some of this audit evidence come from SOC reports? Sometimes, yes.
A financial statement auditor is concerned with material misstatements, regardless of how or where they occur and regardless of who allows them. Therefore, auditors look for internal control weaknesses both in the entity being audited and in its service organizations.
As we will see, the external auditor may not need all SOC reports. On the other hand, some SOC reports may be needed but don’t exist.
Before delving into the details of service organization controls, let’s define a few key words.
Complementary user entity controls. These are the controls performed by users of a service organization's services. These user entity controls complement the service organization's controls: both are necessary for the process to be safe and effective. For example, your client might perform the complementary control of reviewing reported payroll hours before sending them to an outside payroll service organization.
Service auditor. The auditor that reports on controls at a service organization.
Service organization. An organization that provides services to user entities that impact the user entity’s financial reporting.
AU-C 402, Audit Considerations Relating to an Entity Using a Service Organization, states the following:
Services provided by a service organization are relevant to the audit of a user entity’s financial statements when those services and the controls over them affect the user entity’s information system, including related business processes, relevant to financial reporting.
So if a service organization’s activities affect an entity’s information system, business processes, or financial reporting, then that activity is relevant.
The user entity–an entity that uses a service organization and whose financial statements are being audited–may have controls sufficient to eliminate the need for SOC reports or other information from the service organization. Sometimes the user entity has controls that mitigate the risk of material misstatements caused by service organization deficiencies. Such controls are referred to as complementary user entity controls. If the complementary controls operate effectively, the user auditor–the auditor who audits and reports on the financial statements of a user entity–may not need SOC reports or other service organization information.
Alternatively, if the service organization initiates, executes, and does the processing and recording of the user entity’s transactions and the complementary controls would not detect material misstatements, then the user auditor may need SOC reports or other service organization information.
When complementary controls are present, the user auditor should review them in the walkthrough of controls. For example, if your client reviews recorded payroll time prior to submission to an outside payroll service provider, then determine whether this control is designed appropriately and implemented (as you do for all key controls). SOC reports usually include a list of complementary user entity controls that the service organization assumes its users perform, so look there for potential client controls. Then see if they are actually in use.
Placing a SOC report in an audit file without reading and understanding it provides little-to-no audit evidence.
A SOC report provides information about how the service organization’s controls lessen the possibility of material misstatement. So, the user auditor needs to read and document how the service organization’s controls lessen the risk of material misstatement. This understanding of controls is necessary if the service organization’s work affects a significant transaction cycle such as payroll.
Think of SOC reports in this manner: Pretend there is no service organization and the company being audited performs the same processes and controls. If the audited entity performs these controls–and no service organization exists–the auditor gains an understanding of the controls using risk assessment procedures such as inquiry, observations, and inspections of documents. Potential control weaknesses are exposed by the risk assessment process. Thereafter, the identified risks are used to develop the audit program and substantive procedures. The same audit process is true when there is a service organization. But when a service organization is used, the user auditor is using the SOC report to gain the understanding of the service organization’s part of the entity’s accounting system.
If control weaknesses are noted in the SOC report, the user auditor may respond by performing additional substantive procedures. By doing so the auditor lowers the overall audit risk (the risk that the auditor expresses an inappropriate opinion when the financial statements are materially misstated).
Service organization auditors can issue type 1 or type 2 reports.
A type 1 SOC report contains the service auditor's opinion on the fairness of the presentation of management's description of the service organization's system and on the suitability of the design of the controls, as of a specified date.
A type 2 SOC report contains the service auditor's opinion on the fairness of the presentation of management's description of the service organization's system and on the suitability of the design and the operating effectiveness of the controls, throughout a specified period. It also includes the service auditor's tests of controls and the results of those tests.
The difference that matters to the user auditor is operating effectiveness. Either report can be used to gain an understanding of the service organization's system and controls. Only a type 2 report, however, provides evidence that the controls operated effectively, so if you intend to rely on the service organization's controls to reduce substantive testing, you need a type 2 report, and its period should cover (or substantially overlap) the period under audit. Also check the report date: a stale report says little about controls in the current year.
You may see carve-outs in some of these SOC reports.
Many SOC reports carve out services that are provided to the service organization by another service provider (a service provider to a service provider, if you will). Under the carve-out method, the subservice organization's controls are excluded from the report; under the inclusive method, they are covered. When a service relevant to your client is carved out, consider whether you need to obtain and review the subservice organization's own SOC report. (Subservice organizations are named in the SOC report along with what they do.)
So, should you (the user auditor) ever visit a service organization's office?
Usually the user auditor does not need to visit the service organization, but sometimes it is necessary. If the service organization provides no SOC report and the complementary user entity controls are not sufficient, the auditor may have no choice but to obtain the understanding another way: by contacting the service organization (through the user entity) for information, by visiting the service organization and performing procedures, or by using another auditor to perform procedures there. Only go to this length if the service organization handles significant parts of the accounting system.
In summary, if you audit an entity that uses a service organization, consider whether you need a SOC report. If the service organization provides services that impact a significant transaction cycle or account balance, then you probably need to review the related SOC report. Why? To see if there are any service organization internal control weaknesses that impact your client’s audit.
Charles Hall is a practicing CPA and Certified Fraud Examiner. For the last thirty years, he has primarily audited governments, nonprofits, and small businesses. He is the author of The Little Book of Local Government Fraud Prevention and Preparation of Financial Statements & Compilation Engagements. He frequently speaks at continuing education events. Charles is the quality control partner for McNair, McLemore, Middlebrooks & Co. where he provides daily audit and accounting assistance to over 65 CPAs. In addition, he consults with other CPA firms, assisting them with auditing and accounting issues.