SOC Compliance and Service Providers

I always read advice and guidance from Protiviti, especially when Jim DeLoach is involved in it. The firm is a prolific source and they often have good advice – but not always.

A couple of weeks ago, they published Preparing for Annual SOX Compliance Amid COVID-19:  Outsourced Processes and Use of Third-Party Providers Remain Relevant to ICFR.

First, let me reset your expectations. Their article and this post have next to nothing to do with COVID-19. They are using that as a hook; the only point they make relative to COVID is that the SOC-1 reports might be delayed.

Protiviti has been pushing this article on social media, so I am going to share my thoughts before people start down the wrong path.

They outline and discuss these steps:

1. Inventory your providers
2. Obtain SOC reports
3. Map controls from the SOC report to management’s processes
4. Evaluate deficiencies identified in the SOC report and assess potential impact to your business
5. Obtain bridge letters
6. Determine impacts from the pandemic
7. Take appropriate actions

Now why is this the wrong path?

It is not top-down and risk-based. It is fundamentally bottom-up.

Here’s a better series of steps:

1. When you perform your SOX scoping, identify where you are relying on key controls performed by a service provider to provide reasonable assurance on an ICFR risk identified in your scoping. Just because you are using a service provider doesn’t mean you don’t have adequate key controls to rely on that are performed by your company’s staff. You may or may not be relying on key controls performed by the service provider. (Adequate means that you can rely on the controls to prevent or detect a material error or omission in the filed financial statements.)
2. Identify the specific controls performed by each service provider on which you need assurance and include them in scope as key controls.
3. Make sure – in advance – that these controls will be included in the scope of the SOC-1 audit of the service provider. Where you can, use prior reports but supplement them with inquiries of the service provider to make sure the controls at the service provider that will be audited match your needs. Be prepared for step 5.
4. Obtain the SOC-1 reports.
5. Review the description of the controls they tested and make sure that the design of the controls meets your needs.
6. Confirm that the SOC-1 report indicates that the controls were operating effectively. Pay attention to the timing of the report and the testing.
7. Review the list of controls that the SOC-1 auditor has indicated they expect the company to perform. Confirm that either they are among your key controls, are unnecessary, or take action to include additional controls.
8. Evaluate any deficiencies in the same way you evaluate deficiencies in controls performed in-house.
9. Discuss with the service provider the actions they are taking to address any deficiencies and when those will be completed and rested.
10. Determine what additional actions should be taken given the deficiencies and the remediation planned by the service provider. This may involve identifying and testing additional compensating or mitigating controls.
11. If necessary, obtain bridge letters or otherwise roll forward the assessment.
12. Discuss with management the performance of the service provider and determine if any actions should be taken.

All of this should be carefully documented and discussed with the external auditor through the process, especially where issues are identified or anticipated.

I welcome your thoughts.

I will be leading (virtual) training on SOX in October. See here for details.

Advertisement