Outsourced Service Providers Benefit from Service Organization Controls Reports by Steve Nouss, CPA
Posted on July 22, 2016
No longer is the outsourcing of business functions, such as IT, customer service, payroll, billing and collections, restricted to large corporations with big budgets. Today, businesses of all sizes recognize and embrace the multitude of benefits derived from outsourcing entire business functions to outside service organizations that have the personnel, expertise, equipment and technology to accomplish these tasks faster and more economically. Despite these benefits, outsourcing processes to independent service organizations requires businesses to give up some level of control over these tasks and put their trust in the service providers’ abilities to effectively manage critical processes, protect sensitive data, comply with industry regulations and limit risks from internal and external threats. For example, hospitals or physicians’ offices will want to ensure that their billing and collections providers have controls in place to monitor for the prevention of processing errors and to secure patient data in compliance with Health Insurance Portability and Accountability Act (HIPAA) standards. Similarly, financial service institutions will want to ensure that their service providers implement appropriate security and monitoring measures to protect customers’ personal information from improper disposal or unauthorized access or information sharing under Gramm-Leach-Bliley Act (GLBA) regulations.
To help service organizations reassure their customers that they have the internal systems in place to meet users’ needs and maintain appropriate controls, the American Institute of Certified Public Accountants (AICPA) developed the Service Organization Control (SOC) reporting framework. More specifically, SOC reports are intended to address the following AICPA Trust Service Principles that are most at risk in today’s business environment:
- Security. Providers protect their services/systems against unauthorized access.
- Availability. Providers ensure their services/systems are available for operation and use as defined and committed to.
- Processing integrity. Providers ensure systems processing is complete, valid, accurate, timely and authorized.
- Confidentiality. Providers protect information designated as confidential.
- Privacy. Providers collect, use, retain, disclose and destroy personal information in compliance with customers’ privacy standards and those of the AICPA.
The Makings of an SOC Report
SOC reports are valuable tools to help organizations build customer trust and confidence in their services. They communicate “the suitability of design and operating effectiveness of their controls through a widely accepted reporting format.” They must be prepared by independent accounting firms whose auditors conduct comprehensive evaluations of a provider’s systems. The reports help to validate that an organization offers the scope of services it claims and operates within strict parameters with appropriate levels of control to meet user needs and industry standards during a specific testing period. They typically include management’s description of the organization’s services and systems, followed by the auditor’s opinion of the fairness of the description and the results of control testing of the service provider’s delivery systems. The type of report prepared will depend on the type of service or system provided by the outsourced organization.
Types of Reports
SOC 1. Statement on Standards for Attestation Engagements Report. These reports focus solely on the internal controls a service organization relies on to process customers’ financial transactions. This can include organizations that provide payroll and check processing, billing and collection, or financial statement reporting services. An independent auditor will assess and test the service organization’s control environment to substantiate the provider’s claims and validate that systems work as intended.
SOC 2. Reports on Controls at a Service Organization over Security, Availability, Processing Integrity, Confidentiality and/or Privacy. These reports involve the independent audit of a service provider’s operational procedures outside of financial reporting processes. They include reviews of the suitability of design and operating effectiveness of interrelated internal controls involving risk management; information collection, processing, storage and distribution; and data backup and disaster recovery. Ideally suited for software, cloud computing and managed IT services providers, SOC 2 reports come in one of two types. A Type 1 report is an opinion on whether the provider’s system description is fair and whether or not controls were in place at a single point in time to achieve specific control objectives. A Type 2 report, by contrast, covers a longer period of time, typically six to 12 months, and includes an independent auditor’s test results and opinion as to whether the provider’s internal controls operate effectively.
SOC 3. This type of report addresses the same five Trust Principles of security, availability, processing integrity, confidentiality and/or privacy that are addressed in a SOC 2 report, without including specific details about the provider’s system processes and controls. It provides a general, high-level summary of the provider’s services and controls, which is ideal for marketing purposes. Service providers can reassure prospective customers that they meet specific requirements, without having to divulge the finer details of their product design and business operations.
In today’s rapidly evolving and highly competitive corporate environment, providers that offer outsourced services to other businesses must demonstrate their ability to protect and effectively manage customer data and processes in compliance with a myriad of regulations. This requires a more formal approach to confirming corporate assertions: engaging an independent third party to test and document audit evidence.
Berkowitz Pollack Brant’s Business Consulting Group is registered with the AICPA to provide service businesses with SOC reports, which provide a unique opportunity for those businesses to assess their operations and enhance their processes by identifying and incorporating best practices into their business controls.
About the Author: Steve Nouss, CPA, is chief consulting officer with Berkowitz Pollack Brant, where he provides profit-enhancing CFO services, operational reviews, enterprise risk management, internal audit and anti-fraud services for businesses of all sizes and across international borders. He can be reached in the CPA firm’s Ft. Lauderdale, Fla., office at (954) 712-7000 or via email at firstname.lastname@example.org.