Can SOX Rely on SOC?
The Sarbanes-Oxley Act of 2002 (SOX) continues to be the main regulation providing assurance over the accuracy of financial reporting by publicly traded companies. Most organizations rely on outsourced systems and vendors for key controls over processes that affect the financial statements. The most efficient way to gain assurance over those applications and vendors is to obtain a System and Organization Controls (SOC, formerly Service Organization Control) report from the service organization. This article discusses the parameters an organization should use to make sure it has the correct SOC report and that the report provides reasonable assurance that the controls can be relied upon for SOX purposes.
Type 1 versus Type 2 SOC Report
SOC reports are prepared at two levels. A Type 1 report provides assurance only over the design of the controls, and only as of a point in time (a specified date). A Type 2 report provides assurance over both the design and the operating effectiveness of the controls over a period of time, typically six to twelve months. A Type 2 report is required to provide the assurance needed for SOX testing.
SOC 1, SOC 2 or SOC 3
SOC 1 reports focus on financial reporting controls. They are typically provided by third-party service providers such as insurance companies, payroll and benefit processors, loan servicers, and trust companies. A SOC 1 report covers the service organization's controls that are relevant to the user entity's internal control over financial reporting. This is the most common type of report used to support SOX.
SOC 2 and SOC 3 reports focus on non-financial controls. A SOC 3 report covers the same subject matter as a SOC 2 report but in a summary format without the detailed description of controls and test results, and it is typically used only for marketing purposes. These reports are typically provided by data center colocation providers, Software as a Service (SaaS) providers, cloud service providers, and managed IT service providers. They provide assurance over the security, availability, and processing integrity of the systems at the service organization, and over the confidentiality and privacy of the information those systems process (the five Trust Services Criteria).
How to Evaluate a SOC Report
Simply obtaining a SOC Type 2 report does not mean the organization can rely on the controls at the service organization. Key components of the report must be evaluated and assessed before the controls can be relied upon. This evaluation is generally itself a key SOX control, stating that the organization obtains and reviews the SOC report. The documented review of the report must include the following.
- The scope of the report (services, systems, and locations) covers the services actually provided to the entity.
- The report period covers the SOX financial reporting period. If the report period ends before the entity's fiscal year-end, a bridge (gap) letter from the service organization should be obtained covering the remaining months, since a gap of more than a few months is difficult to support.
- The report is a Type 2 report, has been assessed, and the entity has verified that the type of testing performed is sufficient to meet the SOX control testing requirements. Any control deficiencies or testing exceptions noted are assessed to determine whether they have a material impact on the entity's reliance on the controls.
- The entity assesses the service organization's reliance on subservice organizations and obtains the subservice organization's SOC report where relevant. Note whether the report uses the carve-out method (the subservice organization's controls are excluded from the report and must be covered separately) or the inclusive method (they are included). An in-scope subservice organization's SOC report must also be assessed.
- Every SOC report defines the controls that must be in place at the user organization before it can rely on the report. These are generally called complementary user entity controls (CUECs). Each CUEC must be mapped to the entity's own controls that satisfy it. Any control gaps must be noted and remediated before placing reliance on the report.
- If the report contains a disclaimer of opinion, an adverse opinion, or a qualified opinion, evaluate how this affects the entity's reliance on the report and on the services provided by the service organization.
- The report must contain a written assertion by the service organization's management that the description of the system is fairly presented and that the controls were suitably designed and operating effectively. If management's assertion is missing, or it differs from the service auditor's opinion, a conversation with the service organization may be warranted to assess how this affects reliance on the report.
Obtaining a SOC report from a service organization is not enough on its own. You must fully evaluate the SOC report to verify that you can place reliance on the controls at the service organization.
M&A can assist your organization with initial or ongoing assessment of SOX internal controls over financial reporting. Please reach out to Elaine Nissley, leader of the firm’s Internal Audit practice.