By Kelli Falk, CPA, CIA, CISA, CITP
Does your organization perform services for other companies or act as a user organization that outsources some of its processes to another company? In either case, you should be aware of the guidance related to service organizations.
It has now been almost five years since the American Institute of Certified Public Accountants (AICPA) issued its updated guidance related to an entity's use of service organizations: SSAE No. 16, Reporting on Controls at a Service Organization (AICPA, Professional Standards, Vol. 1, AT Section 801), and Attest Engagements (AT Section 101). This change was due to the increase in outsourced processes that do not necessarily fall within the financial reporting category previously addressed by Statement on Auditing Standards (SAS) No. 70, Service Organizations (AU Section 324).
Since that time, there has been a dramatic increase in demand for Service Organization Controls (SOC) engagements. While you might not think of your company as a service or user organization, there are numerous situations, industries, and even types of companies that would benefit from this type of examination:
- Confidentiality over records retention for municipalities, marketing plans, etc.
- Cloud computing/Software as a Service (SaaS)
- Direct mail marketing
- Secure printing
- Data storage/data centers
- Managed services
- Medical claims processing
- Third-party administrator for employee benefit plans
- Welfare case management
- Gambling systems
- Secure payment processing/lockbox services
- Loan processing
- Title companies
- Hospice organizations
- Payroll processing
- Records management
The extent of these engagements can vary greatly; some might only consider the confidentiality of customer data, while others cover all aspects of an application's processing integrity. The scope is entirely up to the service organization and is based on the needs of its users.
The increase in these engagements is due to recent high-profile security breaches and the never-ending push for tighter security. Because of these, user organizations have become much more aware of the risks of outsourcing their processes. They have learned – sometimes the hard way – that just because a process is outsourced, the associated risks are not: the user organization remains responsible for the controls over its data and its processing, wherever they are performed.
This is where the SOC engagements enter the picture. They are designed to cover any controls over which users need assurance. They are also a great benefit to the service organizations themselves: a service organization can be examined once and distribute a single report, instead of continually answering questions from each customer's auditors or spending significant time and resources being audited separately by each customer. We have seen several instances in which a client needed a SOC report immediately because it could not obtain a lucrative contract without one. In other cases, clients use the report as a marketing tool to give prospective customers assurance that their controls are functioning as stated. The uses of the reports are plentiful.
If you feel you or your service organization needs a SOC engagement over its controls, please feel free to contact Kelli Falk at firstname.lastname@example.org or (210) 253-1669 for more information.