As guidance changes and regulators continue to hammer on internal controls, auditors are starting to dig deeper into reports provided by outsourced service providers.
To the extent companies outsource processes that are important to the completeness and accuracy of their financial reports—like payroll, for example—auditors often depend on separate audit reports provided by those service organizations to show their own controls are sound. Those audits are governed by standards set by the American Institute of Certified Public Accountants and documented in System and Organization Controls reports, or SOC reports.
“Today, I don’t know that all auditors necessarily look at controls included in an SOC report with the same view they look at controls that are resident at the company,” says Todd Bialick, a partner at PwC. “But more and more, auditors are realizing that they have to.”
The ongoing scrutiny from the Public Company Accounting Oversight Board is one factor, says Bialick. The PCAOB does not inspect SOC reports directly, but during its regulatory inspections it asks auditors how they know they can rely on those SOC reports, he says.
“The PCAOB is starting to look more at those and say: How do you know this report covers everything it should cover? That the tests that are being done are the right tests? That the auditor who did this did all the right things they should do?” says Bialick. “That’s a big change. It’s happening over time, and it’s really starting to make a difference.”
As a result of rising PCAOB scrutiny, auditors are looking at SOC reports more carefully, says Bialick. “It leads to differences in requests—requesting what’s not in the report,” he says.
At the same time, the guidance service auditors follow in preparing SOC reports is shifting. The AICPA rolled out new guidance in 2017 for SOC 1 reports, which service organizations provide to their clients specifically regarding internal controls that are relevant to the clients' financial reporting. Those are the reports external auditors rely on when issuing audit opinions under Sarbanes-Oxley Section 404.
The new guidance for SOC 1 reports makes two primary changes, says Jeff Krull, a partner at audit firm Baker Tilly Virchow Krause. First, it pulls more information into SOC 1 reports when a service organization itself outsources to yet another sub-service provider. “Before, everybody was supposed to reach through the outsource levels to get SOC reports from each level,” he says. “Now you have to map to what are the complementary service organization controls to each sub-servicer. You have to make sure you’re doing the right due diligence down the chain.”
Second, the SOC 1 reports now also address demands arising from PCAOB inspections for a better understanding of information provided by the entity, or IPE, in particular the attest procedures performed around the reliability of that evidence, says Krull. “Right now, we’re hitting that adoption cycle where we’re seeing more SOC reports including this,” he says.
Guidance is also shifting with respect to SOC 2 reports, which address a service organization’s controls over the security, availability, processing integrity, confidentiality, and privacy of the information housed in its systems. Those reports are not as tightly connected to internal control over financial reporting, but auditors can’t ignore them to the extent they produce information important to the internal control audit.
The AICPA recently rewrote the trust services criteria for SOC 2 reports, tying them more closely to the COSO Internal Control — Integrated Framework, which companies rely on for Sarbanes-Oxley compliance. Generally, SOC 2 reports will provide more transparency, says Krull, especially with respect to breaches of systems that compromise privacy or security.
Going further, the AICPA has established a voluntary attestation companies can pursue with respect to their reporting of cyber-security risks. That, among other factors, prompted the Center for Audit Quality to prod directors and auditors to look more closely at cyber-security risks and consider how they might affect the financial statement and internal control audits, says Binita Pradhan, a partner at audit firm BDO USA.
While the attestation is not required, “auditors at firms are starting to ask what your cyber-security program is and what is the company doing,” says Pradhan. “Have there been any breaches? How has it impacted financial statements?”
The various moving parts are prompting auditors to ask more questions, says Kirt Seale, attest services national managing principal at Grant Thornton. “This may result in additional audit procedures,” he says. Even with an SOC report in hand, auditors may still want to visit service organizations to take a closer look for themselves.
Added transparency in new SOC reports should give auditors more information that will make audits more complete and more efficient, says Pradhan. “If (SOC) auditors are following the new standards, it should provide SOX auditors more clear information about what audit work has been done for any outsourced processes,” she says.
On the other hand, added transparency might also have the effect of giving auditors new information that might prompt more questions, says Krull. “With a little more transparency, you’re going to see people being aware of things they probably weren’t aware of before as it relates to sub-service providers,” he says. “As reports pull in more clarity around that, I suspect we’ll be seeing SOX auditors asking a few more questions, maybe realizing there are risks there they didn’t realize were there before.”
Krull suggests companies reach out to service providers sooner rather than later to get a sense of how their SOC reports may change and to what extent auditors might still have questions. “There shouldn’t be massive, sweeping changes, but make sure you understand what’s coming before it comes through in a report,” he says.