Home > Risk > SOC Compliance and Service Providers

SOC Compliance and Service Providers

I always read advice and guidance from Protiviti, especially when Jim DeLoach is involved in it. The firm is a prolific source and they often have good advice – but not always.

A couple of weeks ago, they published Preparing for Annual SOX Compliance Amid COVID-19:  Outsourced Processes and Use of Third-Party Providers Remain Relevant to ICFR.

First, let me reset your expectations. Their article and this post have next to nothing to do with COVID-19. They are using that as a hook; the only point they make relative to COVID is that the SOC-1 reports might be delayed.

Protiviti has been pushing this article on social media, so I am going to share my thoughts before people start down the wrong path.

They outline and discuss these steps:

  1. Inventory your providers
  2. Obtain SOC reports
  3. Map controls from the SOC report to management’s processes
  4. Evaluate deficiencies identified in the SOC report and assess potential impact to your business
  5. Obtain bridge letters
  6. Determine impacts from the pandemic
  7. Take appropriate actions

Now why is this the wrong path?

It is not top-down and risk-based. It is fundamentally bottom-up.

Here’s a better series of steps:

  1. When you perform your SOX scoping, identify where you are relying on key controls performed by a service provider to provide reasonable assurance on an ICFR risk identified in your scoping. Just because you are using a service provider doesn’t mean you don’t have adequate key controls to rely on that are performed by your company’s staff. You may or may not be relying on key controls performed by the service provider. (Adequate means that you can rely on the controls to prevent or detect a material error or omission in the filed financial statements.)
  2. Identify the specific controls performed by each service provider on which you need assurance and include them in scope as key controls.
  3. Make sure – in advance – that these controls will be included in the scope of the SOC-1 audit of the service provider. Where you can, use prior reports but supplement them with inquiries of the service provider to make sure the controls at the service provider that will be audited match your needs. Be prepared for step 5.
  4. Obtain the SOC-1 reports.
  5. Review the description of the controls they tested and make sure that the design of the controls meets your needs.
  6. Confirm that the SOC-1 report indicates that the controls were operating effectively. Pay attention to the timing of the report and the testing.
  7. Review the list of controls that the SOC-1 auditor has indicated they expect the company to perform. Confirm that either they are among your key controls, are unnecessary, or take action to include additional controls.
  8. Evaluate any deficiencies in the same way you evaluate deficiencies in controls performed in-house.
  9. Discuss with the service provider the actions they are taking to address any deficiencies and when those will be completed and rested.
  10. Determine what additional actions should be taken given the deficiencies and the remediation planned by the service provider. This may involve identifying and testing additional compensating or mitigating controls.
  11. If necessary, obtain bridge letters or otherwise roll forward the assessment.
  12. Discuss with management the performance of the service provider and determine if any actions should be taken.

All of this should be carefully documented and discussed with the external auditor through the process, especially where issues are identified or anticipated.

I welcome your thoughts.

I will be leading (virtual) training on SOX in October. See here for details.

  1. John Parsons
    August 12, 2020 at 11:03 AM

    Absolutely correct and I’m glad you wrote this. I have too many times seen colleagues uncritically refer to the SOC1 report as the needed controls because the CPA firm that prepared it must know all about controls and they picked the right ones. Your reversal of the typical order should help people understand the need to evaluate their own needs prior to reading the offered report.

    • Norman Marks
      August 12, 2020 at 11:06 AM


  1. August 16, 2020 at 6:30 AM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: