Protiviti’s Shari Katz and Gina Chaoanw outline steps organizations can take in pursuit of annual SOX compliance and as they use third parties to navigate the challenges arising from COVID-19.
More and more companies are outsourcing key business processes to third-party providers to attain cost savings and to focus on core business activities. As a result, when management assesses its internal control over financial reporting (ICFR), many of these outsourced activities fall into scope for Sarbanes-Oxley (SOX) compliance. Tackling this area well before year-end streamlines the overall SOX compliance process and heads off problems arising from control environment changes brought on by the COVID-19 pandemic.
As organizations prepare for their annual SOX compliance efforts, we see the following guidelines serve as an effective means to oversee and manage third-party providers impacting financial reporting:
1. Inventory Your Providers
It sounds straightforward, but we’ve seen organizations trip up on this first critical step. By getting a handle on all the vendors that perform business functions related to financial reporting, the SOX compliance team can map each of them to the internal controls that are in scope for SOX. The inventory should also capture any subservice organizations the third-party provider relies on: SSAE 18 (which superseded SSAE 16) requires service organizations to identify their subservice organizations and the controls at those subservice organizations that the report depends on, so this information should appear in the provider’s SOC report.
2. Obtain SOC Reports
The AICPA’s SSAE 18 is the attestation standard under which service auditors issue System and Organization Controls (SOC) reports, which provide assurance over the internal controls at these service providers. Two types of SOC reports are most commonly encountered: SOC 1 and SOC 2. “SOC 1® – SOC for Service Organizations: ICFR – Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting” is the report most commonly used for SOX support. “SOC 2® – SOC for Service Organizations: Trust Services Criteria – Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy” is sometimes used to support outsourced IT general and application controls for SOX. Note that a SOC 2 report is scoped to the Trust Services Criteria rather than to ICFR, so external auditors generally treat it as supplementary evidence and may still require additional procedures.
Using the universe of providers deemed in scope for SOX, the SOX compliance team can next collaborate with management to obtain the most recent SOC report from each. When obtaining SOC reports, it is important to identify whether the third-party provider will be issuing a Type 1 or a Type 2 report. A Type 2 report covers both the design and the operating effectiveness of the controls specified in the report over a stated period (typically six to twelve months), while a Type 1 report evaluates only the design of the controls as of a single date. The SOC 1 Type 2 report is the gold standard and the one most preferred by external auditors. If only a Type 1 report is issued, the SOX compliance team will need to assess what additional procedures are required to gain comfort over the operating effectiveness of the third-party provider’s controls. Allow additional time to obtain subservice organization SOC reports, as they are typically provided to the third-party provider rather than directly to the organizations using that provider.
The business should engage service providers early in the contracting and outsourcing process to emphasize the importance of a SOC report, ideally writing the requirement (report type, coverage period and delivery date) into the contract. This prevents confusion later and allows the organization to state its SOX requirements up front.
3. Map Controls from the SOC Report to Management’s Processes
Using the SOC 1 report, identify the controls within it that mitigate the risks identified in the in-scope SOX processes. In our Protiviti 2020 Sarbanes-Oxley Compliance Survey, we asked 700 respondents whether their companies perform this exercise and found that 63 percent carry out this critical control mapping activity.
The control mapping exercise should also consider the complementary user entity controls (CUECs), known under SSAE 16 as user control considerations (UCCs), identified in the report. These are controls the vendor expects to be in place at the user entity (the organization that has outsourced the process) for the report’s control objectives to be achieved; if the user entity does not operate them, the assurance the SOC report provides over the related control objectives is incomplete.
If this is a first-time vendor evaluation, the SOX team should obtain the SOC report as early as possible to assess whether the organization has appropriate controls to address the CUECs outlined by the vendor. This exercise often identifies a need to implement additional controls at the organization to fully address the CUEC requirements. If the report for the current period has not been issued yet, ask the vendor for its most recent prior SOC 1 report, as the CUECs rarely change much from year to year and it will indicate what is expected. Common areas covered by CUECs include policies and procedures, periodic user access reviews, access provisioning and termination, and authorization approvals.
4. Evaluate Control Deficiencies Identified in the SOC Report and Assess Potential Impact to Your Organization
As part of the SOC 1 evaluation, it is important to review the deficiencies (testing exceptions and any qualifications in the auditor’s opinion) disclosed in the report and assess whether they have a direct and material impact on your organization. This analysis should be documented in the SOX team’s evaluation and should identify the compensating controls at the organization that would prevent and/or detect a material error or misstatement arising from those control issues at the third-party provider. If a direct and material impact is identified, we recommend quantifying the balances and areas affected and documenting the mitigating controls (e.g., management monitoring or reconciliation controls) within your organization that reduce the risk.
5. Obtain Bridge Letters
SOC 1 reports typically cover a 12-month period, but that period often does not align with the user organization’s year-end, even for calendar year-end companies. Bridge letters (also called gap letters) are therefore needed to cover the gap between the end of the SOC 1 report period and the organization’s year-end date, and to confirm whether there have been any material changes to the third-party provider’s control environment during that span. Keep in mind that a bridge letter is a representation from the service provider’s management, not an auditor’s opinion, so it does not carry the same level of assurance as the report itself. It is common for organizations to obtain bridge letters for periods of up to three months. If the organization’s year-end does not align with the calendar year, the SOX team may be relying on bridge letters for a longer period. We recommend discussing such cases with the external auditors to determine whether additional procedures are required when reliance on bridge letters exceeds three months of the fiscal year.
6. Determine Impacts from the Pandemic
Given these unprecedented times, we anticipate challenges with SOC 1 reports and/or bridge letters. Some SOC 1 reports may be delayed as service auditors adapt to remote work, or may contain qualified opinions or noted exceptions due to changes in controls at the service providers as a result of the COVID-19 pandemic (for example, controls that depended on physical presence or in-person approvals). Organizations should proactively reach out to all of their third-party providers to confirm the timeline and availability of SOC 1 reports and bridge letters.
7. Take Appropriate Actions
Where a SOC report is not available, determine the appropriate alternative. In our Protiviti 2020 Sarbanes-Oxley Compliance Survey, we asked respondents how often they had to go on site to audit their third-party providers because no SOC report was available: 37 percent indicated they perform this type of verification. In many cases, respondents indicated that management was instead able to rely on its own management review controls (for example, reviewing and reconciling the provider’s output) rather than testing controls at the service provider on site. Whichever situation the organization finds itself in, don’t wait until year-end to start assessing controls over processes outsourced to third parties.
In closing, our motto is “be prepared.” Year-end is a busy time, and if the SOX team starts this process and involves the external auditors early, it will be one less item to worry about during one of the organization’s busiest and most stressful periods of the year. Remember, management remains responsible for the internal controls over all of its processes, including those it outsources. Taking a proactive stance to assess outsourced internal controls early in the fiscal year will set the organization up for success.