Preparing for Annual SOX Compliance Amid COVID-19

Outsourced Processes and Use of Third-Party Providers Remain Relevant to ICFR

by Shari Katz and Gina Chaoanw
July 28, 2020
in Featured, Internal Audit

Protiviti’s Shari Katz and Gina Chaoanw outline steps organizations can take in pursuit of annual SOX compliance and as they use third parties to navigate the challenges arising from COVID-19.

More and more companies are outsourcing key business processes to third-party providers to attain cost savings and to focus on core business activities. As a result, when management needs to assess its internal controls over financial reporting (ICFR), many of these outsourced activities fall into scope for Sarbanes-Oxley (SOX) compliance. Be prepared to tackle this dynamic area before year-end in order to streamline the overall SOX compliance process and avert any problems that may arise due to control environment changes resulting from the COVID-19 pandemic.

As organizations prepare for their annual SOX compliance efforts, we see the following guidelines serve as an effective means to oversee and manage third-party providers impacting financial reporting:

1. Inventory Your Providers

It sounds straightforward, but we’ve seen organizations trip up on this first critical step. By getting a handle on all the different vendors used to perform critical business functions related to financial reporting, the SOX compliance team can map them to their internal controls that are in scope for SOX. This should include the identification of sub-servicers (if any) used by the third-party provider, as recently required by SSAE 18 (formerly SSAE 16).

2. Obtain SOC Reports

The AICPA issued SSAE 18 to allow auditors to issue System and Organization Control (SOC) audit reports to provide assurance over the internal controls at these service providers. There are two types of SOC reports that are most commonly encountered: SOC 1 and SOC 2. “SOC 1® – SOC for Service Organizations: ICFR – Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting” is the most commonly seen report used for SOX support. “SOC 2® – SOC for Service Organizations: Trust Services Criteria – Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy” is sometimes used to support outsourced IT application controls for SOX.

Using the universe of providers deemed in scope for SOX, the SOX compliance team can next collaborate with management to obtain the most recent SOC report. When obtaining SOC reports, it is important to identify whether the third-party provider will be issuing a Type 1 or Type 2 report. A Type 2 report covers both design and operating effectiveness of controls specified in the report for a specific period, while a Type 1 only evaluates the design of the controls. The SOC 1 Type 2 report is the gold standard report and is most preferred by external auditors. If a Type 1 report is issued, it will be important for the SOX compliance team to assess whether additional procedures may be needed to get comfortable with operating effectiveness of the third-party provider’s internal controls. Allow additional time to obtain subservice provider SOC reports, as they are typically provided to the third-party provider rather than directly to organizations using the third-party provider.

The business should work with service providers early in the contracting and outsourcing process to emphasize the importance of having a SOC report. This will prevent confusion and allow the organization to advocate upfront its SOX requirements.

3. Map Controls from the SOC Report to Management’s Processes

Using the SOC 1 report, identify the controls within it that mitigate the risks identified in the in-scope SOX processes. In our annual Protiviti 2020 Sarbanes-Oxley Compliance Survey, we asked 700 respondents whether their companies are performing this exercise and found that 63 percent are doing this critical control mapping activity.

The control mapping exercise should consider the user control considerations (UCCs), also known as complementary user entity controls (CUECs), identified in the report. These are controls the vendor recommends be in place on the user entity side (the organization that has outsourced the process) to successfully achieve the control objectives and effective risk mitigation.

If this is a first-time vendor evaluation, the SOX team should obtain the SOC report as early as possible to assess whether its organization has the appropriate controls to address the UCCs or CUECs outlined by the vendor. Often, this exercise may identify a need to implement additional controls at the organization in order to fully address the CUEC requirements. If a report is not available yet, SOX teams should ask vendors for their most recent SOC 1 report, as this will provide some insights on the UCCs and CUECs required. Common areas covered in UCCs and CUECs include policies and procedures, periodic user access reports, access provisioning and termination and authorization approvals.

4. Evaluate Control Deficiencies Identified in the SOC Report and Assess Potential Impact to Your Organization

As part of the SOC 1 evaluation, it is important to evaluate deficiencies identified and disclosed by the third-party provider and assess if there is a direct and material impact to your organization. This analysis should be documented in the SOX team’s evaluation and should highlight key compensating controls at its organization that would prevent and/or detect a material error or misstatement based on these control issues at the third-party provider. If there is a direct and material impact identified, we recommend quantifying the balance, area(s) impacted and mitigating controls (i.e., monitoring controls) within your organization that would minimize the risk.

5. Obtain Bridge Letters

The scope period of a SOC 1 report typically covers 12 months but, more often than not, does not align with the organization’s year-end, even for calendar year-end companies. As a result, bridge letters are required to address the gap between the SOC 1 report scope period and the outsourcing organization’s year-end date and to ascertain whether there have been any material changes to the third-party provider’s control environment during that time span. It is common for organizations to obtain bridge letters for periods of up to three months. If the organization has a year-end date that does not align with the calendar year, the SOX team may be relying upon bridge letters for a longer period of time. We recommend discussing these instances with the external auditors to determine whether additional procedures may be required to address the increased reliance on bridge letters covering more than three months of the fiscal year.

6. Determine Impacts from the Pandemic

Given these unprecedented times, we anticipate there will be challenges with SOC 1 reports and/or bridge letters. Some of these SOC 1 reports may either be delayed in their issuance as external auditors navigate the new remote working environment or contain adverse opinions due to changes in controls at the service providers as a result of the COVID-19 pandemic. Organizations should proactively reach out to all of their third-party providers to check the timeline and availability of SOC 1 reports and bridge letters.

7. Take Appropriate Actions

In cases where a SOC report is not available, determine appropriate actions. In our Protiviti 2020 Sarbanes-Oxley Compliance Survey, we asked respondents how often they had to go on site to audit their third-party providers due to the lack of a SOC report: 37 percent of respondents indicated they do this type of verification activity. In many cases, survey respondents indicated that management was able to rely on internal management review controls in lieu of going on site to test the controls at the service provider. Regardless of which situation the organization finds itself in, don’t procrastinate until year-end to start assessing controls for processes outsourced to third parties.

In closing, our motto is “be prepared.” Year-end is a busy time, and if the SOX team can start this process and get external auditors involved earlier, it will be one less item to worry about during one of the organization’s busiest and most stressful times of the year. Remember, management is ultimately responsible for the internal controls of all processes – even those that it outsources. Taking a proactive stance to assess outsourced internal controls early in the fiscal year will set the organization up for success.


Tags: COVID-19, Financial Reporting, Internal Controls, SOX Compliance

Shari Katz and Gina Chaoanw

Shari Katz leads Protiviti’s SOX Champions Network and supports Protiviti’s Internal Audit professionals through knowledge management, methodology development, technical expertise and training. With over 25 years of experience, she builds knowledge capital around internal audit hot topics, creates technical training for Protiviti Internal Audit professionals and serves her colleagues as a knowledge resource on a variety of internal audit topics.
Gina Chaoanw is a Senior Manager with Protiviti’s Internal Audit and Financial Advisory practice in the San Francisco Bay Area. Over the last eight years, her primary focus has been performing a combination of internal audit services across multiple industries, including financial services, homebuilding, hospitality and services, real estate and investment trust (REIT) and consumer products. Her experiences within these industries include planning, managing and executing various SOX compliance audits, internal audits, fraud risk assessment reviews, operational audits and public company transformation/readiness assessments.