Service Organization Controls and User Controls
Whitney Irish
Post By Sarah Phillips
Outsourcing services has become a popular way for Organizations to cut costs and to focus on their core strengths. However, a lack of control and knowledge over the behind-the-scenes processes is seen as a major con of outsourcing. How can an Organization be sure the service provider has good practices in place? Just because services are being outsourced doesn’t mean information can’t be obtained about how the service organization operates and how it keeps an Organization’s assets safe.
Reports are available for service organizations that directly impact user entities’ (i.e., the customers of a bank) financial statements. These reports, known as SOC 1 reports, are produced to enable the user entities of service organizations to gain an understanding of the internal controls in place at the service provider and to enable the user to obtain audits in a cost-effective manner. If the internal controls of investment custodians, third-party administrators, payroll processors, 401k providers, and life insurance entities had to be independently evaluated by you and your auditor, it would be very time consuming and very expensive.
Gaining an understanding of management’s description of the service organization’s system (Type 1 and Type 2 SOC 1 report), the design of controls (Type 1 and Type 2 SOC 1 report) and the operating effectiveness of controls (Type 2 SOC 1 report only) at the service organizations used by your Organization is an important step. It not only ensures your Organization’s financials are fairly presented and its assets are in good hands, but also ensures your own internal controls are properly established.
Poor internal controls, whether in design or implementation at your Organization or at the service organization, can create the opportunity for fraud or result in numerical errors that will ultimately flow into your Organization’s financials. This means that obtaining a Type 2 SOC 1 report indicating the controls at a service organization are operating effectively is not enough. These reports will likely indicate that some of the service organization’s control objectives cannot be achieved unless the complementary user entity controls are also in place. Complementary user entity controls are designed during the development of the service organization’s internal controls and are processes that need to be in place on the user’s end in order to ensure that the control objective can be achieved throughout the entire process. Fortunately, these controls are listed in the SOC 1 report or can be provided by the service organization. These controls should be reviewed, implemented as applicable, and monitored by an Organization’s management to ensure they are operating as intended.
The controls in place at service organizations should be viewed as an extension of an Organization’s own processes. If the controls at the service organization and the user entity controls are in place, well designed and operating effectively, little more needs to be done in terms of financial reporting than if the Organization were performing the function itself.