SOC and SOX Controls Synergies
How can you leverage a Service Organization Controls (SOC) report to support management's assessment of internal controls under Sarbanes-Oxley (SOX)? A common approach is to use the SOC 1 or SOC 2 Type 2 reports issued by the organizations that provide services to you. These reports provide assurance over the controls in place at the service organization. You rely upon either 1) a SOC 1 Type 2 report, which covers Internal Control over Financial Reporting (ICFR) for the services provided to your organization, or 2) a SOC 2 Type 2 report, which provides assurance over an entity's controls related to the security of information processed by its systems. A SOC 2 report may also include assurance related to the availability, confidentiality, processing integrity, and privacy of the information processed by those systems. This is only the beginning of the benefits for service organizations.
Are you a service organization that is required to provide your users with SOC 1 or SOC 2 Type 2 reports, and that also needs to comply with SOX? If so, have you leveraged your SOC controls to provide information to internal and external auditors for SOX compliance? Remember that the use of SOC reports is limited to management of the service organization, user entities, and user auditors; the report cannot be relied upon by the service organization's own auditors. You can still leverage the synergies between the internal control frameworks and controls that support SOC and SOX reporting by mapping your controls.
Mapping controls allows you to implement a control once and leverage it for multiple compliance requirements and across multiple frameworks. When planning a SOC 1 report, management collaborates with the auditors to design the control objectives to include in the report. The control objectives relate to evaluating the effect of the service organization's controls on the user entities' financial statements. Depending on the type and scope of services provided to user entities, there are opportunities to include some or all of the controls that are assessed for SOX.
SOC 2 reports use common criteria that support the AICPA Trust Services Principles of Security, Availability, Processing Integrity, Confidentiality, and Privacy. There are nine common criteria. The first five are Control Environment, Communication and Information, Risk Assessment, Monitoring Activities, and Control Activities; each of these corresponds to one of the five components of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 Internal Control Framework (ICF). Each common criterion has a set of control objectives based on COSO's 17 principles and the associated points of focus. The common criteria and their control objectives also map to Control Objectives for Information and Related Technology (COBIT). Both COSO and COBIT are frameworks commonly used for SOX. The remaining four common criteria map to COBIT and provide control objectives for logical and physical access, system operations, change management, and risk mitigation. These control objectives cover the Information Technology General Controls (ITGC) that support control activities for COSO Principle 11: the organization selects and develops general control activities over technology to support the achievement of objectives. You can leverage the controls defined for SOC 2 by expanding the population for testing from only the in-scope IT systems or services to the entire entity. Although this does not cover all of the SOX requirements, it does cover the entity-level and ITGC controls. What remains are the financial statement control objectives related to in-scope non-IT operations.
There are also benefits for service organizations that are already SOX compliant and are seeking a SOC 1 or SOC 2 report. Leveraging the existing SOX controls for a SOC 1 or SOC 2 report reduces the effort required to identify and document controls. In addition, the SOX controls that are mapped to SOC controls have already been assessed, so there is reasonable assurance of the design and operating effectiveness of those controls.
The control mapping strategy benefits service organizations by reducing the number of controls required to support their compliance efforts. In addition, auditors can reuse test samples across SOX and SOC testing, which reduces the workload on control owners. You may receive further benefits if the external auditors agree to rely upon Internal Audit's control testing.
Our team can assist your organization with initial or ongoing assessment of SOX internal controls over financial reporting. Please reach out to Elaine Nissley, leader of the firm’s Internal Audit practice. For information on SOC reports, reach out to Dave Hammarberg, Partner and leader of the firm’s SOC practice.