On the Audit Front: Is Your Back Door Open?

With the advance of communication and technology platforms, the competitive global environment creates the opportunity, and many times the need, for companies to explore and create other potential revenue generating or administrative support sources. The opportunities often involve developing independent associations with business partners outside the immediate organization (the user entity). In audit and accounting circles, the outside partner is called a service organization. These external organizations commonly provide data that eventually enters your financial systems.

If you are an Accounting Manager, Controller or CFO, one of your defined, first-hand responsibilities is the protection of assets by establishing, monitoring, and enforcing internal controls.  With that long-standing definition, the data coming in from an outside service organization becomes one of your most vulnerable accountabilities. The responsibility includes developing front-line processes to test and validate the incoming data before you give the nod for that data to enter your financial processes, and eventually your published financial statements.  As the accountable, user-entity financial manager, what have you formally structured to obtain certainty that the data entering your financial systems is consistently dependable?  One of the key requirements of the user-entity auditor will include a request for substantive evidence that provides the auditor confidence the service organization data is reliable.

Step one is to require the outside service organization to annually obtain a Type 2 independent analysis based upon Statements on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization (recently recodified as SSAE 18, Attestation Standards: Clarification and Recodification).  An SSAE 18 report objective is to provide assurance regarding the controls at a service organization relevant to the user entities’ internal control over financial reporting.  Likewise, within the parameters of an SSAE 18 report, the user entity also has responsibilities to assure the auditor performing the SSAE 18 audit that the user entity maintains certain controls that are critical to the support of the SSAE audit.  They are called complementary user entity controls.  These are controls the user entity Accounting Manager, Controller or CFO must study, document and make certain are in place within their organization.  Complementary user entity controls are noted within the SSAE 18 report language as a qualification for the validation of the issued SSAE 18 report.

Is your back door open?

As a user-entity, do you have clear-cut data assessment processes in place for consistently testing and validating the report data that comes to you from your outside service organization providers before you allow it to enter your financial reporting process?  SSAE 18 audits have become one monitoring standard in a culture proliferated with electronic delivery systems and cybersecurity concerns.  However, an SSAE 18 audit is not a “certification” that everything is in place.  It is one step in the Accounting Manager, Controller or CFO’s overall program to provide confidence to its audit committee and board of directors that the back door is secure and regularly monitored.  We also recommend every financial officer obtain and become well acquainted with Statement of Auditing Standards AU-C 402 – Audit Considerations Relating to an Entity Using a Service Organization.  This document provides a clear description of what is expected of the user entity and its auditor when service organizations are employed.