Belt and Suspenders, and From SOX to SOC’s: Changes in Service Audit Standards on the Service Organization’s Risk Management, Security and Process Controls
October 29, 2010 by Bierce & Kenerson, P.C.
It’s Halloween 2010. We’re spooked by “security controls from the dead” (or the moribund).
How do you know your service provider is providing a secure environment for processing your transactions? Do you trust your service provider? Can you certify your outsourcing relationship can withstand a shareholder lawsuit claiming you lack the necessary audit and control functions? Do you want a report on the description, design and operational effectiveness of controls at a service organization, and what do you get under current and future auditing, attestation and accounting “standards.”
SAS 70 Type II audits have become the de facto standard for publicly traded companies to meet their SOX 404(b) “audit and control” disclosure requirements. SAS 70 audits are big business for audit firms. Now, as the U.S. “generally accepted accounting principles” face convergence into new international accounting standards (IAS), enterprise customers risk losing familiar comfort letters. The emerging accounting standards suggest it’s time to think about “belt and suspenders” for security and process controls. This article considers the new approach to mitigating and managing risks through “control objectives” as “attested” in “service organization control” (SOC) reports for service organizations and subservice organizations in the services supply chain. This new approach comes into effect for fiscal years ending after June 2011. Important procedural details for the U.S. will be promulgated soon.
These changes in how “security” and “process control” are measured are certain to give a boost to consultants, auditors and lawyers. It will give shot in the arm to
o business analysts, BPM analytics software designers and sourcing consultants, who make a living on assessing and mitigating risk;
o sourcing lawyers, who make a living integrating, sharing and shifting risks in the global service supply chain; and
o service auditors, who will pursue a different profile (perhaps more complex) for service audits and will also enjoy reduced risk of professional liability.
The New Standards.
International Standards. In December 2009, the International Auditing and Assurance Standards Board of the International Federation of Accountants adopted International Standard on Assurance Engagements No. 3402 (ISAE 3402) as an “attest” procedure for assessing service organizations’ compliance with IT and process controls. Unlike an “audit,” an “attestation” (or “attest”) involves an audit professional’s attestation to subject matter (or an assertion about something) other than the fairness of the presentation of financial statements. An attestation is less rigorous than an audit.
U.S. Standards. In April 2010 the AICPA’s Auditing Standards Board (ASB) issued Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. Unlike an audit (such as under Statement of Auditing Standards 70), SSAE 16 is an “attest” report.
New SOC’s for Old SOX. In anticipation of implementing SSAE 16, the AICPA has adopted three new SOC’s to expand the scope of issues examined by CPA’s as service auditors. This helps companies gain more trust in service delivery processes. Under the SOC label, there are three separate categories of such service audits, designed to allow service organizations to meet specific needs. They are also intended to allow service auditors to refocus on niche risks.
SOC 1 Report – Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting.
SOC 2 Report— Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy.
SOC 3 Report— Trust Services Report for Service Organizations.
Value of Control Reports. The value of service audit reports depends on your role in the service supply chain.
Value to Service Organizations. Third-party reports on internal controls in service organizations describe the control processes in services provided by a service organization. Such reports give users information for purposes of assessing and address the risks associated with an outsourced service. If a service organization is compliant with SAS 70 Type II (or the new standards), the service organization has greater credibility that is essential to be able to meet the accounting and regulatory compliance needs of customers. Audits of service providers are necessary to a customer enterprise’s ability to certify that it has appropriate audit and control procedures to manage its business under Section 404(b) of the Sarbanes-Oxley Act of 2002.
Value to Users (Enterprise Customers). Users have been relying on SAS 70 Type II reports for comfort that their outsourcing contracts meet SOX 404(b) standards. However, the new “attest” reports will remove a layer of comfort for users, since the service auditors will not be exercising as much in the way of “critical judgment” and “we could have done better” analysis as under SAS 70 Type II. In short, the user will now have to exercise its own judgment of the acceptability of the “attest” reports and maybe ask for special “attest” report on user-defined “control objectives.” Users will now have to rely more on the service organizations to do the risk analysis, and the users will need to spot gaps in the service organization’s risk analysis.
Control Objectives. Audit and control procedures identify “control objectives,” that target identified risks and seek to mitigate or control such risks. The outsourcing customer needs to understand the scope of the control objectives, since these are generally defined by the service provider. Traditional “control objectives” include security, change management, data integrity, completeness and timeliness. If the customer has any special needs, it needs to get a special “control report.”
Service Organization’s Definition of Control Objectives. Under the new regime, it is the service organization’s responsibility to identify “the risks that threaten achievement of the control objectives stated in the description of its system, and designing and implementing controls to provide reasonable assurance that those risks will not prevent achievement of the control objectives stated in the description of its system, and therefore that the stated control objectives will be achieved.” SOURCE: ISAE 3402, Para. 13(b)(4). In other words, the service provider needs to define the risks it faces and how it plans to mitigate those risks.
From the enterprise customer’s perspective, such analysis should confirm existing documentation and procedures in existing business continuity plans (“BCP”) or disaster recovery plans (“DRP”).
User–Defined Control Objectives. This is a tremendously valuable sales tool for service providers. However, enterprise customers need to know whether their own legal environment needs any different control objectives. This means that outsourcing customers need to identify “every aspect of the service organization’s system that each individual user entity and its auditor may consider important in its particular environment.” SOURCE: ISAE 3402, Para. 17(c).
Downgrade: From “Audit” to “Attest.” The change in 2011 from SAS 70 audits to SSAE 16 “attest” procedures will reduce the professional liability of auditors from high-value, high-risk audit services by converting their role to that of an “attest” function. In an “attest” function, the “auditor” (inspector) does not “audit” all material processes and functions, but merely relies upon the service provider’s assertion that its control system works in the manner described by the service company’s management.
Thus, under SSAE 16 and ISAE 3402, the auditing profession only checks on management’s description. The higher level of “audit” is reduced to merely to “attest” to what management describes. The new objectives of the “attest” inspection are limited to “attest” whether:
o The service organization’s description of its system fairly presents the system as designed and implemented throughout the specified period (or in the case of a type 1 report, as at a specified date).
o The controls related to the control objectives stated in the service organization’s description of its system were suitably designed throughout the specified period (or in the case of a type 1 report, as at a specified date).
o Where included in the scope of the engagement, the controls operated effectively to provide reasonable assurance that the control objectives stated in the service organization’s description of its system were achieved throughout the specified period. SOURCE: ISAE 3402, Para. 8(a).
For Type 2 assessments, the report will provide assessments of whether:
a. The service organization management’s description fairly presents the service organization’s system as designed and implemented throughout the specified period;
b. The controls related to the control objectives stated in the service organization’s description of its system were suitably designed throughout the specified period; and
c. The controls related to the control objectives are operating effectively as stated in the service organization’s description of its system. SOURCE: ISAE 3402, Para. 9(k).
The key element is the “assertion-based engagement,” requiring the service organization’s management to describe their control objectives and procedures.
Audit Period vs. Audit Point. The new SSAE 16 rules will make some changes in the period covered by the assessment. In a Type 2 assessment under SAS 70, the description of the service organization’s control system was determined as of a specified date, rather than for a period. In a Type 2 assessment under SSAE 16, the description of the service organization’s system and the service auditor’s opinion on the description will cover a period (the same period as the period covered by the service auditor’s tests of the operating effectiveness of controls). SOURCE: AICPA.
Carve-Outs v. All-Inclusive Process Audits: Downgrade the User’s Rights in “Subservice Providers.” In the service supply chain, an outsourcing provider might subcontract some services to a “subservice provider.” In the new “attest”-based “assertion-reliant” assessment of controls, the outsourcing service provider can choose between an all-inclusive assessment (that includes subservice provider controls) or a “carve-out” assessment (that expresses no opinion on the suitability of design of controls or the operational effectiveness of subservice provider controls. Buyers of outsourcing services should know the difference and get assessments to cover the entire outsourced function. This issue arises at all sub-levels in the service supply chain.
Service Auditor’s Reliance on Service Provider’s Description and Representation Letter. The new accounting standards allow the “auditor” (“attest”-based inspector) to rely upon the service organization for a description of the control objectives and particular mandates. The service organization thus must specify the source of each control objective, such as by a particular law or regulation, or by another party (for example, a user group or a professional body). In essence, this shifts to the service provider a duty to define its regulatory environment by name and thus allows the assessment report to say there is “reasonable assurance” that the service provider complies with that legal environment.
In addition, the service organization must provide, in effect, description of the types of services it performs (such as SOW’s), the transaction processing and procedures manual (including procedures by which transactions are initiated, recorded, processed, corrected as necessary, and transferred to the reports and other information prepared for user entities), transaction reporting manuals). This approach reflects a maturity in the outsourcing industry, since every high-value service provider adopts such protocols as a core marketing strategy.
The service organization will now have to give a “representation” letter to the service auditor. This letter will disclose information that the auditor would normally have sought to identify using audit techniques. Such disclosures must include all information “of which it is aware” about:
(i) Non-compliance with laws and regulations, fraud, or uncorrected deviations attributable to the service organization that may affect one or more user entities;
(ii) Design deficiencies in controls;
(iii) Instances where controls have not operated as described; and
(iv) Any events subsequent to the period covered by the service organization’s description of its system up to the date of the service auditor’s assurance report that could have a material impact upon the report SOURCE: ISAE 3402, Para. 38.
Effectively, as a matter of fraud prevention, the new accounting standards (“attest” standards) will shift liability from the service auditor (for negligent discovery of lapses in the control environment) to the service provider. This puts the liability where the cash flow is deep, not where it is shallow.
Service Auditor’s Reliance on Internal Auditor’s Function. The new “attest” standards will allow the service auditor to rely not only on management’s description of the processes, but also on the service provider’s internal auditors. In a Type 1 assessment, the service auditor does not need to mention whether it relies on the work of internal auditors. In the Type 2 assessment:
if the work of the internal audit function has been used in performing tests of controls, that part of the service auditor’s assurance report that describes the service auditor’s tests of controls and the results thereof shall include a description of the internal auditor’s work and of the service auditor’s procedures with respect to that work. SOURCE: ISEA 3402, Para. 37.
In short, the “independent” service auditor can rely, if tested for reliability, on internal audits for Type 1 assessments without disclosing such reliance. Only in Type 2 assessments must such reliance be disclosed. Even then, however, it is not an “audit” but merely a compilation of information received from the service organization and the application of some “attest” procedures to review that work.
Suddenly, outsourcing customers will now need to know more about how internal auditors work and whether there are any special requirements for the customer to investigate. It’s a new world, with customers needing to fend more for themselves in audit and control processes.
Investors will need to make further assessments of their own, based on the changes in the intensity and level of “assurance” that outsourcing will not encounter excessive risks to the portfolio enterprise as an outsourcing customer.
Belt and Suspenders: New Challenges for Enterprise Customers. SAS 70 audits might still survive by special request from enterprise customers. The new SSAE 16 / ISAE 3402 “attest” model will challenge enterprise customers to become more familiar with security, BCP, DRP and other core control issues directly. Enterprise customers can thus begin to prepare a checklist for deal documentation, including both “attest” assessment reports and function-specific documentation that the enterprise customer must evaluate. Attest will be the belt, and direct documentation review will be the suspenders.
“Attest” Reports in the Cloud: A Good Time to Stop the Music. This shift in service auditor roles comes at a time when global enterprises are increasingly exploring data virtualization, software virtualization, platform-as-a-service (PaaS) and software-as-a-service (SaaS). Cloud computing creates a “perfect storm” showing the weaknesses of an “attest-based” “audit and control” function under SOX 404(b).
The new “attest” rules will encourage service providers to use “carve-out” principles to exclude subservice organizations from the scope of such security audits. Certainly in Web-based public cloud services a “carve-out” approach is the only feasible one, since, in Internet-based services, an “all-inclusive” service audit model fails. It is inherently impossible to do a service audit of all possible servers on the Internet.
Steps to Take Now. Whether you are a service organization or an enterprise customer, it’s time for a review of your “audit and control” rights and obligations relating to outsourcing.
o Impact Analysis and Assessment. Analyze and understand the impact of the shift from SAS 70 to SSAE or ISAE 3402 upon your company’s process audits, as well as all service delivery and transaction reporting processes.
o The impact affects your entire service supply chain, including you, your service customers, your service providers and all subservice providers who support you directly or who support your outsourcing service providers.
o Discuss with your auditors the anticipated impact of SSAE 16 and ISAE 3402 on their own audit report, particularly whether they will want to make any exceptions to their fairness opinion.
o Requirements for Type of Report. Decide whether you want an “inclusive” or “carve-out” approach to reporting on process controls.
o Accounting and Compliance Criteria. Identify the criteria for your organization’s evaluation of the sufficiency of your service provider’s description of its processes and its internal audit functions.
o Identify issues affecting design of the control objectives.
o Identify evaluation criteria.
o Identify gaps between:
o control objectives and the evaluation criteria.
o control objectives and the most recent risk assessments.
o Scheduling and Planning. Time your rollout according to when the new SSAE 16 standard will apply. Fiscal years beginning on or after July 1, 2010 are affected. Consider the benefits and costs of adoption of SSAE 16 on your costs, marketing, customer service delivery mechanisms, process and procedure manuals, recruitment and training procedures and on audit and financial reporting.
o Subservice Organizations: Identify Impact, Define Requirements. Evaluate subservice organizations under the new SSAE 16 (or ISAE 3402).
o Explore their own compliance intentions.
o Determine whether they will issue SOC’s, and which type.
o Discuss what type of “description” they will issue to a service auditor.
o Identify whether they will use a “carve-out” or an “inclusive” scope for service audit, and consider the impact on your organization and how to mitigate the negative impact of a “carve-out” or an “inclusive” report for Tier 1 suppliers but a “carve-out” report for Tier 2 (and N+2) suppliers in your service supply chain.
o Consider how that will assist or impair your own marketing and compliance efforts.
o Conduct a customer survey to determine your customers’ needs.
o Legal Review. Review your existing outsourcing contracts.
o Identify your audit rights.
o Amend your contracts to ensure you can obtain the type of audit rights and reports that you may need under the new “attest” models.
o Change Management. Engage in change management for audit as part of the global sourcing process.
o Communicate with all key stakeholders internally and externally.
o Changes in requirements.
o Change in risk assessment process to take into account the new gaps and structures of SSAE 16 and ISAE 3402.
o Changes in procedures.
o Redefine internal and external roles and responsibilities.
o Training of affected personnel.
o Changes in manuals.
o Changes in contract management procedures.
o Develop a procedure for being “audited” and for requiring “audits” under the new “attest” standards.
Time to get started. Even before Halloween!