Why On Earth Do Auditors Need SOC Reports?

Reading time: 5 minutes

“Sona, I sent you all the SOC and Bridge letters – I don’t believe there is anything else I can send you. And, since these are huge companies, I don’t know why on earth you need them! I am bleary-eyed tracking down these reports. Please let me know.” It was signed by Sherryl (Controller).

This email landed in our audit senior’s inbox on Friday evening. Sherryl is a very conscientious lady, now spending Friday night chasing down reports for a purpose she did not know.

And she is not the only one. Our experience shows there are three groups of clients when it comes to SOC reports requests:

  1. Provides the SOC reports right away (significant minority)
  2. May get annoyed but still tries to get through this task (majority)
  3. Lives in denial of such a request until the very end of the audit (small minority)

Here at JLK Rosenberger, we hope that by explaining the purpose of the SOC reports for our audit work, we can minimize negative emotions and grab our clients’ hands, to pull them back up on board with us.

Let us introduce the parties first.

Parties to the SOC Report

  User:                  Sherryl’s company
  User auditor:          JLK Rosenberger, LLP
  Service organizations: “These huge companies!”
  Service auditor:       Auditor of a “huge company”

What does SOC stand for?

SOC stands for service organization controls. A service organization is an organization that provides services to Sherryl’s company (the user). It can protect users’ assets (e.g., investment custodians), provide payroll services, process bills, and more.

What is a SOC report?

A SOC report is an outcome of an examination. The “huge companies” have their service auditors examine the controls they have in place. The type of controls the service auditor will examine depends on the type of report the service organization wishes to obtain. Similar to the tale of the fisherman and the fish, there are three possible wishes for a service organization to make: SOC 1, SOC 2, and SOC 3 reports.

Sherryl needs a SOC 1 Type 2 report. A SOC 1 report focuses on the service organization’s controls that are relevant to Sherryl’s company’s internal control over financial reporting. Type 1 means that the service auditor assessed the description of the system and the suitability of the design of the controls. For Type 2, the service auditor needs to roll up their sleeves and test the operating effectiveness of the controls to ensure they are not only looking good on paper.

Can you give me an example of a service organization internal control relevant to Sherryl?

Let’s say Sherryl uses a service organization, a payroll service provider, to keep track of attendance and process payroll. The service organization sets an objective relevant to Sherryl’s needs: it wants to have controls in place that provide reasonable assurance that payroll and attendance data is processed accurately and in accordance with client specifications.

What does a service auditor do in that case?

One of the control activities a service auditor can test is the existence and functionality of error messages and warnings. Is Sherryl trying to process payroll for an employee with missing time? Or duplicate time? There should be a control implemented by the payroll service provider to prevent Sherryl from processing payroll with errors.

What are complementary user entity controls (CUEC)?

Certain control objectives can only be achieved by the service organization with Sherryl’s conscientious collaboration. In our scenario, Sherryl needs to provide the information required to resolve errors and, where necessary, to correct the processing errors identified. The service organization assumes this control is implemented by the user, because it is necessary to achieve the service organization’s own control objectives. We call these controls complementary user entity controls (CUECs).

What is the role of the user auditor?

The user auditor is the auditor that reports on the financial statements of the user organization. In our story, it is JLK Rosenberger auditing the financial statements of Sherryl’s company.

According to the auditing standards, JLK Rosenberger is required to obtain an understanding of the services provided by a service organization to the user: their nature, materiality, the financial reporting processes affected, etc. According to AU-C Section 402, when obtaining such an understanding, the user auditor should also evaluate the CUECs and their implementation by the user.

What does Sherryl need to do to help her auditors satisfy auditing standards?

Sherryl is a very conscientious lady, but she won’t do unnecessary work. She wants to know exactly what is needed and nothing more, so she makes a list of her responsibilities to help her auditors satisfy AU-C Section 402 requirements. That list is found below.

  1. Ask Courtney, my representative at the service organization, for the SOC 1 Type 2 Report.
  2. Make sure the SOC report from Courtney covers the period that JLKR is auditing. If not, ask Courtney for a comfort letter.
  3. Send the report and comfort letter, if any, to JLKR.
  4. Be ready to have a 30-minute walkthrough of CUEC with JLKR.

Will providing the SOC reports hold up the audit?

Short answer: Yes, it can.

Long answer: SOC reports are the means by which user auditors obtain an understanding of internal control in order to assess the risks of material misstatement. They are not the only means, but they are usually significant enough to provide an understanding sufficient to proceed with the audit.

Can a SOC report save time and money?

Yes, it can. Just ask Sherryl. Through this process, she learned that the auditor is attempting to reduce the work that would otherwise be required by placing reliance on the controls of the service organization, and that those controls can only be relied on if the client has implemented a few complementary controls of its own.

SOC reports have had a bad reputation among our audit clients, likely because of the highly technical language embedded within them. Hopefully, the plain English used in this article has removed the veil of secrecy they have been wrapped in for far too long, making them understandable and our audit work relatable.

We’re here to help.

If you have questions about SOC reports, JLK Rosenberger can help. For additional information, call us at 818-334-8646, or click here to contact us. We look forward to speaking with you soon.