
Maintaining high standards for SOC engagements

Dec 06, 2023 · 3 min watch · AICPA & CIMA Insights Blog

Talking with experts and getting your questions answered are incomparable benefits of attending a conference.

At the 2023 AICPA® & CIMA® SOC & Third-Party Risk Management Conference held earlier this year, attendees posed their questions about real and hypothetical scenarios to a panel. Experts provided insights into challenges of SOC engagements, including when there are inadequate vendor management controls. Highlights from the one-hour Q&A session follow.

SOC reporting despite inadequate vendor management controls

The SOC 1® engagement involves reporting on the service organization’s description of its system and the design (and, in a type 2 report, the operating effectiveness) of the service organization’s controls within the system. So, what do you do when there aren’t vendor management controls?

In a SOC 2® engagement, common criterion (CC) 9.2 of the trust services criteria gives you an opportunity to report if vendor management processing is not functioning adequately. SOC 1 engagements differ from SOC 2 engagements, however, which presents challenges when you need to articulate errors or inadequate controls related specifically to vendor management in a SOC 1 engagement.

When reviewing the classes of transactions in a SOC 1 engagement, there will be key elements of the systems that are used to process transactions. Steven Ursillo, CPA, CISA, CISSP, CCSFP, partner and national leader for information assurance and cybersecurity at Cherry Bekaert LLP, elaborated, “If those transactions and the controls around those transactions are contingent upon certain elements of vendors’ responsibilities, then obviously there's an expectation that there's some element of coverage that the service organization is providing in order to make sure that they are comfortable with the actions that are being performed to report properly.”

Ursillo offered this advice: “It comes down to auditor judgment. … Vendor management can be a critical component of that and needs to be actioned accordingly with the right controls in order to substantiate the achievement of the control objective.”

SOC reporting and ICFR dependencies

Factors to consider when conducting a SOC 1 or SOC 2 engagement extend beyond vendor management control objectives to include dependencies on internal control over financial reporting (ICFR).

Chris K. Halterman, CPA, SOC reporting leader at EY LLP, stated, “An SOC 2 report provides useful evidence, but not to the extent that an SOC 1 report would.” When doing a SOC 1 audit, you’ll need to concentrate “on the needs of the user auditors and user entities.

“The big area of focus is that when we're doing an SOC 1 audit, we put on our hat that focuses on the needs of users, particularly user auditors and user entities, with regard to the ICFR. Whereas when we're putting on our SOC 2 hat, it's a much broader perspective of how it relates to security, availability, processing integrity, confidentiality, privacy, commitments of the entity, or system requirements.

“So, the two reports have different intended uses and different auditors, and that's why when you try to make use of one or the other, you can find that you're not getting sufficient information,” said Halterman.

A nuanced understanding is vital for extracting sufficient information from the reports. And SOC practitioners need to advise clients to ensure they understand, as a service organization, their responsibilities in a SOC 1 or SOC 2 engagement.

But can you justify performing a SOC 1 examination when the subject matter isn't clearly ICFR?

Halterman offers this tip: “Remember that the subject matter has to be appropriate. And a system just may not be an appropriate subject matter for [a] SOC 1 report … SOC 1 has its own criteria. … If they're not appropriate, you shouldn't accept that engagement. You may need to work with your client to help them and their user entities understand exactly why and help better define what their needs are and make sure they're getting the right report and helping the client resolve that issue.”

Timeframe for collecting evidence

Conference attendees were curious to know about an efficient timeframe to collect evidence, and Sean Linton, CPA/CITP, partner at EisnerAmper LLP, posed a hypothetical scenario to the panel regarding a type 1 report with an as-of date.

According to Halterman, it comes down to professional judgment. “That professional judgment is going to be reflected based on … what other controls are in place ... and how [do] they interrelate? How close have you collected evidence to the end of the period on those other controls?”

Neha Patel, CPA, CISA, CDPSE, and partner in charge of IT Advisory Services at Weaver and Tidwell LLP, added, “For a type 1, the service auditor is evaluating controls as of a specific date. If an auditor is using evidential support after the as-of date, the key question is what additional steps did the auditor take to validate a control that was in place in the past? Professional judgment and application are instrumental in regard to determining how far in advance or beyond the date you can go to maximize the level of assurance the report provides.”

Additional SOC resources

Auditing system-level controls of a service organization or entity-level controls of other organizations is a noteworthy service offering that gives you a competitive edge.

The SOC for Service Organizations Toolkit guides you through key considerations, such as determining scoping and pricing. The System and Organization Controls: SOC Suite of Services webpage provides resources for SOC 1, SOC 2, SOC 3, SOC for Cybersecurity, and SOC for Supply Chain examinations.

To learn more and get your questions answered, join us online or in Las Vegas for AICPA & CIMA ENGAGE 2024. Register by Dec. 19 and save $350.
