Belt and Suspenders, and From SOX to SOC’s: Changes in Service Audit Standards on the Service Organization’s Risk Management, Security and Process Controls
October 29, 2010 by Bierce & Kenerson, P.C.
It’s Halloween 2010. We’re spooked by “security controls from the dead” (or the moribund).
How do you know your service provider is providing a secure environment for processing your transactions? Do you trust your service provider? Can you certify your outsourcing relationship can withstand a shareholder lawsuit claiming you lack the necessary audit and control functions? Do you want a report on the description, design and operational effectiveness of controls at a service organization, and what do you get under current and future auditing, attestation and accounting “standards.”
SAS 70 Type II audits have become the de facto standard for publicly traded companies to meet their SOX 404(b) “audit and control” disclosure requirements. SAS 70 audits are big business for audit firms. Now, as the U.S. “generally accepted accounting principles” face convergence into new international accounting standards (IAS), enterprise customers risk losing familiar comfort letters. The emerging accounting standards suggest it’s time to think about “belt and suspenders” for security and process controls. This article considers the new approach to mitigating and managing risks through “control objectives” as “attested” in “service organization control” (SOC) reports for service organizations and subservice organizations in the services supply chain. This new approach comes into effect for fiscal years ending after June 2011. Important procedural details for the U.S. will be promulgated soon.
These changes in how “security” and “process control” are measured are certain to give a boost to consultants, auditors and lawyers. It will give shot in the arm to
o business analysts, BPM analytics software designers and sourcing consultants, who make a living on assessing and mitigating risk;
o sourcing lawyers, who make a living integrating, sharing and shifting risks in the global service supply chain; and
o service auditors, who will pursue a different profile (perhaps more complex) for service audits and will also enjoy reduced risk of professional liability.
The New Standards.
International Standards. In December 2009, the International Auditing and Assurance Standards Board of the International Federation of Accountants adopted International Standard on Assurance Engagements No. 3402 (ISAE 3402) as an “attest” procedure for assessing service organizations’ compliance with IT and process controls. Unlike an “audit,” an “attestation” (or “attest”) involves an audit professional’s attestation to subject matter (or an assertion about something) other than the fairness of the presentation of financial statements. An attestation is less rigorous than an audit.
U.S. Standards. In April 2010 the AICPA’s Auditing Standards Board (ASB) issued Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. Unlike an audit (such as under Statement of Auditing Standards 70), SSAE 16 is an “attest” report.
New SOC’s for Old SOX. In anticipation of implementing SSAE 16, the AICPA has adopted three new SOC’s to expand the scope of issues examined by CPA’s as service auditors. This helps companies gain more trust in service delivery processes. Under the SOC label, there are three separate categories of such service audits, designed to allow service organizations to meet specific needs. They are also intended to allow service auditors to refocus on niche risks.
SOC 1 Report – Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting.
SOC 2 Report— Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy.
SOC 3 Report— Trust Services Report for Service Organizations.
Value of Control Reports. The value of service audit reports depends on your role in the service supply chain.
Value to Service Organizations. Third-party reports on internal controls in service organizations describe the control processes in services provided by a service organization. Such reports give users information for purposes of assessing and address the risks associated with an outsourced service. If a service organization is compliant with SAS 70 Type II (or the new standards), the service organization has greater credibility that is essential to be able to meet the accounting and regulatory compliance needs of customers. Audits of service providers are necessary to a customer enterprise’s ability to certify that it has appropriate audit and control procedures to manage its business under Section 404(b) of the Sarbanes-Oxley Act of 2002.
Value to Users (Enterprise Customers). Users have been relying on SAS 70 Type II reports for comfort that their outsourcing contracts meet SOX 404(b) standards. However, the new “attest” reports will remove a layer of comfort for users, since the service auditors will not be exercising as much in the way of “critical judgment” and “we could have done better” analysis as under SAS 70 Type II. In short, the user will now have to exercise its own judgment of the acceptability of the “attest” reports and maybe ask for special “attest” report on user-defined “control objectives.” Users will now have to rely more on the service organizations to do the risk analysis, and the users will need to spot gaps in the service organization’s risk analysis.
Control Objectives. Audit and control procedures identify “control objectives,” that target identified risks and seek to mitigate or control such risks. The outsourcing customer needs to understand the scope of the control objectives, since these are generally defined by the service provider. Traditional “control objectives” include security, change management, data integrity, completeness and timeliness. If the customer has any special needs, it needs to get a special “control report.”
Service Organization’s Definition of Control Objectives. Under the new regime, it is the service organization’s responsibility to identify “the risks that threaten achievement of the control objectives stated in the description of its system, and designing and implementing controls to provide reasonable assurance that those risks will not prevent achievement of the control objectives stated in the description of its system, and therefore that the stated control objectives will be achieved.” SOURCE: ISAE 3402, Para. 13(b)(4). In other words, the service provider needs to define the risks it faces and how it plans to mitigate those risks.
From the enterprise customer’s perspective, such analysis should confirm existing documentation and procedures in existing business continuity plans (“BCP”) or disaster recovery plans (“DRP”).
User–Defined Control Objectives. This is a tremendously valuable sales tool for service providers. However, enterprise customers need to know whether their own legal environment needs any different control objectives. This means that outsourcing customers need to identify “every aspect of the service organization’s system that each individual user entity and its auditor may consider important in its particular environment.” SOURCE: ISAE 3402, Para. 17(c).
Downgrade: From “Audit” to “Attest.” The change in 2011 from SAS 70 audits to SSAE 16 “attest” procedures will reduce the professional liability of auditors from high-value, high-risk audit services by converting their role to that of an “attest” function. In an “attest” function, the “auditor” (inspector) does not “audit” all material processes and functions, but merely relies upon the service provider’s assertion that its control system works in the manner described by the service company’s management.
Thus, under SSAE 16 and ISAE 3402, the auditing profession only checks on management’s description. The higher level of “audit” is reduced to merely to “attest” to what management describes. The new objectives of the “attest” inspection are limited to “attest” whether:
o The service organization’s description of its system fairly presents the system as designed and implemented throughout the specified period (or in the case of a type 1 report, as at a specified date).
o The controls related to the control objectives stated in the service organization’s description of its system were suitably designed throughout the specified period (or in the case of a type 1 report, as at a specified date).
o Where included in the scope of the engagement, the controls operated effectively to provide reasonable assurance that the control objectives stated in the service organization’s description of its system were achieved throughout the specified period. SOURCE: ISAE 3402, Para. 8(a).
For Type 2 assessments, the report will provide assessments of whether:
a. The service organization management’s description fairly presents the service organization’s system as designed and implemented throughout the specified period;
b. The controls related to the control objectives stated in the service organization’s description of its system were suitably designed throughout the specified period; and
c. The controls related to the control objectives are operating effectively as stated in the service organization’s description of its system. SOURCE: ISAE 3402, Para. 9(k).
The key element is the “assertion-based engagement,” requiring the service organization’s management to describe their control objectives and procedures.
Audit Period vs. Audit Point. The new SSAE 16 rules will make some changes in the period covered by the assessment. In a Type 2 assessment under SAS 70, the description of the service organization’s control system was determined as of a specified date, rather than for a period. In a Type 2 assessment under SSAE 16, the description of the service organization’s system and the service auditor’s opinion on the description will cover a period (the same period as the period covered by the service auditor’s tests of the operating effectiveness of controls). SOURCE: AICPA.
Carve-Outs v. All-Inclusive Process Audits: Downgrade the User’s Rights in “Subservice Providers.” In the service supply chain, an outsourcing provider might subcontract some services to a “subservice provider.” In the new “attest”-based “assertion-reliant” assessment of controls, the outsourcing service provider can choose between an all-inclusive assessment (that includes subservice provider controls) or a “carve-out” assessment (that expresses no opinion on the suitability of design of controls or the operational effectiveness of subservice provider controls. Buyers of outsourcing services should know the difference and get assessments to cover the entire outsourced function. This issue arises at all sub-levels in the service supply chain.
Service Auditor’s Reliance on Service Provider’s Description and Representation Letter. The new accounting standards allow the “auditor” (“attest”-based inspector) to rely upon the service organization for a description of the control objectives and particular mandates. The service organization thus must specify the source of each control objective, such as by a particular law or regulation, or by another party (for example, a user group or a professional body). In essence, this shifts to the service provider a duty to define its regulatory environment by name and thus allows the assessment report to say there is “reasonable assurance” that the service provider complies with that legal environment.
In addition, the service organization must provide, in effect, description of the types of services it performs (such as SOW’s), the transaction processing and procedures manual (including procedures by which transactions are initiated, recorded, processed, corrected as necessary, and transferred to the reports and other information prepared for user entities), transaction reporting manuals). This approach reflects a maturity in the outsourcing industry, since every high-value service provider adopts such protocols as a core marketing strategy.
The service organization will now have to give a “representation” letter to the service auditor. This letter will disclose information that the auditor would normally have sought to identify using audit techniques. Such disclosures must include all information “of which it is aware” about:
(i) Non-compliance with laws and regulations, fraud, or uncorrected deviations attributable to the service organization that may affect one or more user entities;
(ii) Design deficiencies in controls;
(iii) Instances where controls have not operated as described; and
(iv) Any events subsequent to the period covered by the service organization’s description of its system up to the date of the service auditor’s assurance report that could have a material impact upon the report SOURCE: ISAE 3402, Para. 38.
Effectively, as a matter of fraud prevention, the new accounting standards (“attest” standards) will shift liability from the service auditor (for negligent discovery of lapses in the control environment) to the service provider. This puts the liability where the cash flow is deep, not where it is shallow.
Service Auditor’s Reliance on Internal Auditor’s Function. The new “attest” standards will allow the service auditor to rely not only on management’s description of the processes, but also on the service provider’s internal auditors. In a Type 1 assessment, the service auditor does not need to mention whether it relies on the work of internal auditors. In the Type 2 assessment:
if the work of the internal audit function has been used in performing tests of controls, that part of the service auditor’s assurance report that describes the service auditor’s tests of controls and the results thereof shall include a description of the internal auditor’s work and of the service auditor’s procedures with respect to that work. SOURCE: ISEA 3402, Para. 37.
In short, the “independent” service auditor can rely, if tested for reliability, on internal audits for Type 1 assessments without disclosing such reliance. Only in Type 2 assessments must such reliance be disclosed. Even then, however, it is not an “audit” but merely a compilation of information received from the service organization and the application of some “attest” procedures to review that work.
Suddenly, outsourcing customers will now need to know more about how internal auditors work and whether there are any special requirements for the customer to investigate. It’s a new world, with customers needing to fend more for themselves in audit and control processes.
Investors will need to make further assessments of their own, based on the changes in the intensity and level of “assurance” that outsourcing will not encounter excessive risks to the portfolio enterprise as an outsourcing customer.
Belt and Suspenders: New Challenges for Enterprise Customers. SAS 70 audits might still survive by special request from enterprise customers. The new SSAE 16 / ISAE 3402 “attest” model will challenge enterprise customers to become more familiar with security, BCP, DRP and other core control issues directly. Enterprise customers can thus begin to prepare a checklist for deal documentation, including both “attest” assessment reports and function-specific documentation that the enterprise customer must evaluate. Attest will be the belt, and direct documentation review will be the suspenders.
“Attest” Reports in the Cloud: A Good Time to Stop the Music. This shift in service auditor roles comes at a time when global enterprises are increasingly exploring data virtualization, software virtualization, platform-as-a-service (PaaS) and software-as-a-service (SaaS). Cloud computing creates a “perfect storm” showing the weaknesses of an “attest-based” “audit and control” function under SOX 404(b).
The new “attest” rules will encourage service providers to use “carve-out” principles to exclude subservice organizations from the scope of such security audits. Certainly in Web-based public cloud services a “carve-out” approach is the only feasible one, since, in Internet-based services, an “all-inclusive” service audit model fails. It is inherently impossible to do a service audit of all possible servers on the Internet.
Steps to Take Now. Whether you are a service organization or an enterprise customer, it’s time for a review of your “audit and control” rights and obligations relating to outsourcing.
o Impact Analysis and Assessment. Analyze and understand the impact of the shift from SAS 70 to SSAE or ISAE 3402 upon your company’s process audits, as well as all service delivery and transaction reporting processes.
o The impact affects your entire service supply chain, including you, your service customers, your service providers and all subservice providers who support you directly or who support your outsourcing service providers.
o Discuss with your auditors the anticipated impact of SSAE 16 and ISAE 3402 on their own audit report, particularly whether they will want to make any exceptions to their fairness opinion.
o Requirements for Type of Report. Decide whether you want an “inclusive” or “carve-out” approach to reporting on process controls.
o Accounting and Compliance Criteria. Identify the criteria for your organization’s evaluation of the sufficiency of your service provider’s description of its processes and its internal audit functions.
o Identify issues affecting design of the control objectives.
o Identify evaluation criteria.
o Identify gaps between:
o control objectives and the evaluation criteria.
o control objectives and the most recent risk assessments.
o Scheduling and Planning. Time your rollout according to when the new SSAE 16 standard will apply. Fiscal years beginning on or after July 1, 2010 are affected. Consider the benefits and costs of adoption of SSAE 16 on your costs, marketing, customer service delivery mechanisms, process and procedure manuals, recruitment and training procedures and on audit and financial reporting.
o Subservice Organizations: Identify Impact, Define Requirements. Evaluate subservice organizations under the new SSAE 16 (or ISAE 3402).
o Explore their own compliance intentions.
o Determine whether they will issue SOC’s, and which type.
o Discuss what type of “description” they will issue to a service auditor.
o Identify whether they will use a “carve-out” or an “inclusive” scope for service audit, and consider the impact on your organization and how to mitigate the negative impact of a “carve-out” or an “inclusive” report for Tier 1 suppliers but a “carve-out” report for Tier 2 (and N+2) suppliers in your service supply chain.
o Consider how that will assist or impair your own marketing and compliance efforts.
o Conduct a customer survey to determine your customers’ needs.
o Legal Review. Review your existing outsourcing contracts.
o Identify your audit rights.
o Amend your contracts to ensure you can obtain the type of audit rights and reports that you may need under the new “attest” models.
o Change Management. Engage in change management for audit as part of the global sourcing process.
o Communicate with all key stakeholders internally and externally.
o Changes in requirements.
o Change in risk assessment process to take into account the new gaps and structures of SSAE 16 and ISAE 3402.
o Changes in procedures.
o Redefine internal and external roles and responsibilities.
o Training of affected personnel.
o Changes in manuals.
o Changes in contract management procedures.
o Develop a procedure for being “audited” and for requiring “audits” under the new “attest” standards.
Time to get started. Even before Halloween!
Outsourcing Law & Business Journal™: October 2010
October 29, 2010 by Bierce & Kenerson, P.C.
OUTSOURCING LAW & BUSINESS JOURNAL (™) : Strategies and rules for adding value and improving legal and regulation compliance through business process management techniques in strategic alliances, joint ventures, shared services and cost-effective, durable and flexible sourcing of services. www.outsourcing-law.com. Visit our blog at http://blog.outsourcing-law.com.
Insights by Bierce & Kenerson, P.C., Editors. www.biercekenerson.com
Vol. 10, No. 10 (October 2010)
_______________________________
Editor’s Note: Happy Halloween, Happy Election Day (USA)! This month’s article spooks us by helping us wonder whether we are getting all the data protection and integrity we thought we were entitled to. This should make us feel somewhat better about life, since the “robo-signers” and “robo-justice” mills for real estate foreclosures make ITO and BPO look like the solution to the evils brought about by sloppy (if not fraudulent) business practices. We are also pleased to announce a special webinar (full disclosure, the speaker is the Editor of this newsletter).
_______________________________
Webinar Announcement
“LLC Toolkit for Designing Collaborative Business Models: Sweat-Equity, JVs and Global Services Businesses”
December 9, 2010, 11am – 12:20pm, EST US
Speaker: William B. Bierce, Esq., – Bierce & Kenerson, P.C.
This is an advanced seminar for experienced corporate and commercial lawyers as well as entrepreneurs, CEOs and COOs, investors, bankers, and venture capitalists looking for a different perspective on how LLC’s can be structured and governed. This webinar will address the fundamentals of structuring LLCs for use in special purpose environments, such as service-oriented and Web-based businesses in the US and globally. It will help lawyers understand key legal and tax issues in such environments for tax-efficient operations. This webinar is free and application for Accredited Provider status for CLE credit in New York is currently pending. To obtain more information, please contact Laura Sanfiorenzo and to register, click here.
_______________________________
1. Belt and Suspenders, and From SOX to SOC’s: Changes in Service Audit Standards on the Service Organization’s Risk Management, Security and Process Controls.
2. Humor.
3. Conferences.
__________________________
1. Belt and Suspenders, and From SOX to SOC’s: Changes in Service Audit Standards on the Service Organization’s Risk Management, Security and Process Controls. How do you know your service provider is providing a secure environment for processing your transactions? Do you trust your service provider? Can you certify your outsourcing relationship can withstand a shareholder lawsuit claiming you lack the necessary audit and control functions? Do you want a report on the description, design and operational effectiveness of controls at a service organization, and what do you get under current and future auditing, attestation and accounting “standards.”
SAS 70 Type II audits have become the de facto standard for publicly traded companies to meet their SOX 404(b) “audit and control” disclosure requirements. SAS 70 audits are big business for audit firms. Now, as the U.S. “generally accepted accounting principles” face convergence into new international accounting standards (IAS), enterprise customers risk losing familiar comfort letters. The emerging accounting standards suggest it’s time to think about “belt and suspenders” for security and process controls. This article considers the new approach to mitigating and managing risks through “control objectives” as “attested” in “service organization control” (SOC) reports for service organizations and subservice organizations in the services supply chain. This new approach comes into effect for fiscal years ending after June 2011. Important procedural details for the U.S. will be promulgated soon.
For the complete article, click here.
Robo-Justice, n. (1) fast-track system in Florida courts for adjudication of foreclosures at the rate of 20 per hour, 7 hours a day, 5 days a week, per judge, unless service levels degrade for non-essential activities such as extra time for hearing evidence; (2) the swift and decisive hand of justice, meted out to fight the swift and decisive hand of the Robo-Signer.
Robo-Signer, n. (1) a person appointed by a bank or mortgage origination service company to sign thousands of loan documents per week; (2) phantom performing fiduciary duty in a totally automated, human-free mechanism, with computer-generated rubber-stamped documents and corresponding human signatures; (3) human automaton approving computer outputs. See “Robo-Justice.
3. Conferences.
December 7-8, 2010, IQPC presents 10th E-Discovery Conference, New York, New York. The 10th eDiscovery Summit is the key meeting of the year for eDiscovery experts. The universe of ESI is continually expanding as the costs associated with eDiscovery are on the rise. This unique eDiscovery event brings together in-house counsel, IT experts, document management, outside counsel, solution providers, Judges and regulatory experts. You will learn how to improve your eDiscovery processes and save time and money despite the onslaught of litigation. Some highlighted topics include:
- Incorporating advanced search technology and protocol into your eDiscovery processes
- Tackling the complexity of legal holds in light of the Pension Committee case
- Gaining insight from our Judges panel analyzing important 2010 eDiscovery case law
- Effectively managing the ever-increasing universe of social media content
- Implementing a proactive approach where litigation preparedness enables you to significantly cut costs and time in eDiscovery
Outsourcing Law contacts can receive 20% off the standard all access price when they register with the code OSL20. Register by calling 1-800-882-8684. View the program brochure for more details.
February 14-26, 2011, IQPC follows up with the 4th E-Discovery Finance Conference, New York, New York, focusing exclusively on the financial services industry. The Dodd-Frank bill is the most comprehensive legislative overhaul of the financial services industry since the Great Depression, and financial corporations must respond and adapt immediately. Changing technology creates quickly moving targets for corporations to reach. The burden falls on legal, information security, record retention, and IT departments to ensure the best review, retention, and destruction policies and procedures. A successful e-discovery team can mitigate the costs of e-discovery, reduce the volume of extraneous data, and avoid sanctions and other judicially imposed penalties. Highlights include strategies to:
- Keep costs down while maximizing efficiency.
- Comply with stricter, more expansive regulations.
- Implement and adapt to new technologies in order to “future-proof.”
- Stay out of the headlines for non-compliance or sanctions.
To obtain more information, click here.
February 14-26, 2011, Legal Process Outsourcing Conference, New York, New York. With advanced technology and tight budgets in a downturn economy, companies are exploring more cost-efficient alternatives for high quality legal work. CEOs and CFOs are putting tremendous pressure on their employees to cut spending and given the exorbitant cost of legal spend, in-house counsel are feeling the pressure more than most. Although legal outsourcing is not a fit for every law firm and in-house legal department, the legal community simply cannot ignore the expansion of the LPO market. This event will take an honest look at all sides of LPO and address the challenges, ethics, implications, and strategies of legal outsourcing. Attending this Summit will help decide where your company fits into this new outsourcing dynamic. For more information visit their website.
******************************************
FEEDBACK: This newsletter addresses legal issues in sourcing of IT, HR, finance and accounting, procurement, logistics, manufacturing, customer relationship management including outsourcing, shared services, BOT and strategic acquisitions for sourcing. Send us your suggestions for article topics, or report a broken link at: wbierce@biercekenerson.com. The information provided herein does not necessarily constitute the opinion of Bierce & Kenerson, P.C. or any author or its clients. This newsletter is not legal advice and does not create an attorney-client relationship. Reproductions must include our copyright notice. For reprint permission, please contact: wbierce@biercekenerson.com . Edited by Bierce & Kenerson, P.C. Copyright (c) 2010, Outsourcing Law Global LLC. All rights reserved. Editor in Chief: William Bierce of Bierce & Kenerson, P.C. located at 420 Lexington Avenue, Suite 2920, New York, NY 10170, 212-840-0080.