History of SOC reporting

This blog covers the history and background of SOC reporting, with a brief overview of how it came into existence and evolved as a way of addressing the risks associated with outsourcing services.

Brief History

The increased emphasis on governance, risk management, and compliance has steered companies to focus on internal controls over all aspects of their operations. Service organizations providing outsourced services (IT, business processes, etc.) often engage a third-party audit firm to certify the design and operating effectiveness of these controls. The auditor's inspection of an organization’s internal control, and the impact that a service organization may have on the entity's control environment, has long been an area of focus in designing an acceptable audit approach. The original standard for attesting was known as SAS 70 and was an established way for service organizations to demonstrate the effectiveness of their internal controls. A SAS 70 audit was performed by a CPA and the result was a report on the effectiveness of internal control over financial reporting (ICFR). This report was often used by organizations to show that a vendor was secure and safe to work with; however, the report was principally not meant for that purpose.

Introduction of SSAE 16

Technology evolved, and so did the AICPA’s attestation standards. The SSAE No. 16 reporting standard was finalized by the AICPA in January 2010, and SSAE 16 replaced SAS 70 as the guidance for reporting on service organizations. SSAE 16 was officially issued in April 2010 and became effective on 15 June 2011. It was drafted with the objective of updating the US service organization reporting standard so that it reflected and adhered to the new international service organization reporting standard, ISAE 3402. SSAE 16 also established a new attestation section, AT 801, which contained guidance for performing the service auditor's examination. Many service organizations that had previously undergone a SAS 70 examination switched to the new standard in 2011 and now had an enhanced SSAE 16 report (also referred to as a Service Organization Controls (SOC) 1 report).

The upgraded SSAE 18

SSAE No. 18 (Statement on Standards for Attestation Engagements), used for SOC reporting, is the latest statement issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA), effective from 1 May 2017. The key changes in the transition from SSAE 16 to SSAE 18 were:

• SOC as defined under the SSAE 16 standard stood for ‘Service Organization Control’. Under the new standard, SOC stands for ‘System and Organizational Controls’, and applies to other types of organizations and to both system-level and entity-level controls.

• Under the SSAE 16 standard, complementary user-entity controls (CUECs) were defined as controls at user-entity organizations that were either necessary or unnecessary to achieve the control objectives stated in management’s description. Under the SSAE 18 standard, CUECs are defined as only those controls that are necessary to achieve the control objectives stated in management’s description.

• The new SSAE 18 standard adds requirements related to subservice organizations (SSOs) and vendor management processes. When a subservice organization is carved out, the SSO’s controls are now included in management’s description in the same way as CUECs. Vendor management processes to monitor the effectiveness of controls at SSOs have also been emphasized.

• The new SSAE 18 standard requires that the management assertion letter accepting responsibility for the description be signed. Previously, a management assertion letter was required but did not have to be signed.

• The new SSAE 18 standard also revises the language used in the management assertion letter and the service auditor’s report to accommodate general changes and those associated with complementary user-entity and subservice organization controls.

The following table summarizes some of the statements relating to internal control, the effect of information technology on a financial statement audit, and service organizations that have been issued since SAS No. 70 was introduced in 1992.

| Statement Name | Date Issued | Title of Statement |
|---|---|---|
| SAS No. 70 | April 1992 | Service Organizations |
| SAS No. 78 | December 1995 | Consideration of Internal Control in a Financial Statement Audit: An Amendment to Statement on Auditing Standards No. 55 |
| SAS No. 88 | December 1999 | Service Organizations and Reporting on Consistency |
| SAS No. 94 | May 2001 | The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit |
| PCAOB No. 2 | March 2004 | An Audit of Internal Control over Financial Reporting in Conjunction with an Audit of Financial Statements (Note: Appendix B refers to service organizations) |
| PCAOB No. 5 | May 2007 | An Audit of Internal Control over Financial Reporting that is Integrated with an Audit of Financial Statements (Note: Appendix B17-B17 covers service organization considerations) |
| ISAE No. 3402 | December 2009 | Assurance Reports on Controls at a Service Organization |
| SSAE No. 16 | April 2010 | Reporting on Controls at a Service Organization |
| SSAE No. 18 | May 2017 | Concepts Common to All Attestation Engagements (with more emphasis on system details, CUECs (complementary user-entity controls) and SSO (subservice organization) controls) |

We hope this blog has added to your understanding of SOC reporting standards. Stay connected, and feel free to reach out to learn more about the different types of SOC reporting.

2020-06-30 23:53:54

SOC 1 Report

A question we hear often is: what is a SOC 1 report? For more than 20 years it has been the trend for organizations to outsource certain activities or business processes to other organizations. In SOC terminology, the organization that performs the outsourced work is known as the ‘service organization’ and the organization that outsources its activities is known as the ‘user entity’. A SOC 1 report (also referred to as an SSAE 18 report) is a Service Organization Control report: a report on the controls (business process and IT controls) at a service organization that are relevant to the user entity’s internal control over financial reporting.

A SOC 1 report is normally required for organizations that provide financial processing services, where those processes may potentially impact the user entity’s internal control over financial reporting. Such service organizations may be payroll processors, data center service providers, loan servicing organizations, medical claims processing companies or cloud service providers, especially those that provide Software-as-a-Service (SaaS) solutions that may impact the financials of the user entity.

For example, a data center service provider may provide a server room or data storage servers that store financial transaction data or the user entity’s financial reports. The user entities that use the data center service therefore rely on the stored data being handled in accordance with their expectations, which can have a material impact on them. A SOC 1 report provides reasonable assurance to the user entity that the service organization’s (i.e. the data center company’s) internal controls are adequately designed and operating effectively to provide the data center service.

SOC 1 reports are of two types, generally known as SOC 1 Type I and SOC 1 Type II reports. The two types are described below:

SOC 1 Type I Report

SOC 1 Type I reports are generally referred to as point-in-time reports (as of a particular date). They normally include a description of the service organization’s system, and the auditor tests the design of the service organization’s controls. The Type I report structure starts with the auditor’s opinion on the service organization’s controls and the scoped business processes. Section 2 of the report presents the service organization’s management assertion, written by management, stating that the description of the business system is fairly presented and that the controls were suitably designed to achieve the control objectives as of the specified date. Section 3 describes the system, followed by Section 4, which describes the tests of controls and the results of testing. The last section provides other information that the service organization usually provides about relevant processes not tested during the audit, such as business continuity planning and disaster recovery.

SOC 1 Type II Report

SOC 1 Type II reports generally cover a period of time, such as 6 or 12 months. A Type II report addresses both the design and the operating effectiveness of internal control over that period. Like a Type I report, the Type II report structure starts with the auditor’s opinion on the scoped service organization controls and business processes. Section 2 presents the service organization’s management assertion, written by management, stating that the description of the business system is fairly presented and that the controls were suitably designed and operated effectively throughout the audit period. Section 3 describes the system, followed by Section 4, which describes the tests of controls and the results of testing. The last section provides other information that the service organization usually provides about relevant processes not tested during the audit, such as business continuity planning and disaster recovery.

2020-06-30 23:40:58

Understanding a SOC Report

In the current landscape of emerging technologies, most organizations outsource some aspects of their business to vendors, which can mean either performing a specific task or replacing an entire business function. Vendors can handle functions such as customer support, financial technology, data storage and software development. Alongside these advantages, organizations should also consider the inherent risks associated with outsourcing. To gain comfort over a vendor’s environment and internal controls, organizations usually ask the vendor for either a SOC 1 or a SOC 2 report. However, on receiving a SOC 1 or SOC 2 report, most organizations do not know how to read it, what exactly a qualified opinion is, or whether the risks they are looking to mitigate are addressed in the report. SOC 1 and SOC 2 reports are lengthy and complex, but they play an extremely important role in understanding the risks to your organization. In this article, we touch upon some key components of SOC 1 and SOC 2 reports that will help you analyze the security of your vendors.

Categories and Types of SOC Reports

SOC reports fall into two main categories, SOC 1 and SOC 2, and each can be either Type I or Type II.

The SOC 1 report attests to controls relevant to the user entity’s financial reporting. It is particularly important for a service organization whose services impact the user entity’s financial reporting. Some examples of organizations that may require SOC 1 reports are:

• Payroll processors

• Medical claims processors

• Data center companies

• Lending services

• Data centers

• Cloud service providers

• Human resources support services

A SOC 2 report focuses on the security and protection of customer data. A SOC 2 report follows a similar approach to SOC 1, but covers the controls over IT and systems that process confidential client data. SOC 2 audits focus on controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy. A SOC 2 audit is a best practice for any service-based organization that stores, manages, or processes client information in the cloud. The report is beneficial for any service organization processing or maintaining information that requires a controlled or secure system.

Further, each of the above reports can be of following two types:

Type I – A report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.

Type II – A report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.

Structure of a SOC Report

A SOC report broadly consists of the following sections, each with its own purpose and containing specific information about the service organization’s environment.

Section 1: Independent service auditors’ report

This section generally starts with ‘To the management’ and is signed by the service auditor / CPA. It is written from the service auditor’s perspective and contains the following key aspects related to the service organization:

• Scope, explaining the type of report, the testing date or period (Type I or Type II), in-scope locations and any omissions

• Responsibilities of both the service organization and the service auditor

• Inherent limitations

• The service auditor’s opinion on the system description, design, and operating effectiveness in meeting the control objectives

• A statement on the restricted use of the report and its intended users

Section 2: Management’s assertion regarding the effectiveness of its controls

This section provides the reader the facts and assertions made by the service organization’s management related to the system(s) under audit.

• It outlines what the description covers, i.e. the types of services provided, the components of the system, how the system captures and processes significant events, any applicable trust services criteria, etc., and states that the controls described are suitably designed and operating effectively.

• It also provides the signed management assertion letter accepting responsibility for the description provided.

Section 3: Management’s description of its system and controls

This section is the heart of the report and provides the details of the systems being reported on (written by management). The key components of Section 3 are:

• Scope and purpose of the report, explaining the type of report, the testing date or period (Type I or Type II), in-scope locations and any omissions

• Company overview and background, and an overview of products and services, giving a brief introduction to the organization, its background and the products / services the company offers

• Details of the company’s IT infrastructure, including the network overview, servers, tools and software used, and data management

• The company’s organizational structure, policies and procedures, risk assessment, governance and oversight, and details of the control environment

• All the control descriptions and how they function, subservice organizations, user entity controls, and other system information

• Everything included in this section should be capable of being audited against the control objectives

Section 4: Applicable trust services principles’ criteria and control activities

This section presents the test results and the overall effectiveness of the control objectives. For a Type I report you only see the conclusion; for a Type II report you see both the test procedures and the conclusions. It shows the following four columns of information:

• Control objective (related to the applicable trust services principles or controls over financial reporting)

• Controls in place at the service organization to meet the objective

• The auditor's tests of the controls (explaining the test procedures performed)

• Overall results and conclusion of the tests

Section 5: Other information provided

Lastly, we come to Section 5, which is other information not covered by the auditor’s report. This section is available for any additional information that you would like to provide to the users of the SOC report concerning your services system. Here, management can discuss items such as a strategic plan or a business continuity plan, or any other items that they feel would be beneficial to the report users. All sections listed above, apart from the Independent Service Auditors’ Report (Section 1), are the responsibility of the service organization’s management. It is important to be as detailed as possible when creating your SOC report, in order to explain the services system and the controls over that system in a way that is helpful to the report users and supports arriving at the desired audit opinion.

You can also visit the link below to read AICPA articles on the impact of COVID-19 on audit and assurance.

Please reach out to us in case you would like to discuss more on this topic or if you have any queries related to SOC reporting.

2020-06-29 00:17:51

SOC 2 vs. ISO 27001 Audit

When we talk about these two auditing standards, we should keep in mind that both are information security standards and both involve an external audit performed with the intent of keeping your and your clients’ data safe. The two standards, however, have different fundamental methodologies for providing assurance. While ISO 27001 is a certification of an ISMS (Information Security Management System) tested against an established framework, SSAE is an audit of the processes, policies and procedures an organization has in place.

ISO 27001 involves the auditor issuing a certificate of compliance on completion, confirming that the organization meets the requirements set by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) for protecting information and managing risk. A SOC 2 attestation involves a report prepared by the auditor to ascertain whether a service organization’s security controls meet the relevant Trust Services Criteria set by the AICPA. While both standards cover many of the same topics, they focus on different audit criteria, and the details of the two standards are completely different.


SOC 2 Assessment

A SOC 2 audit evaluates a service organization’s internal controls, policies, and procedures against the five trust services criteria: security, availability, processing integrity, confidentiality, and privacy. The Trust Services Criteria relate to the organization’s services as follows:

  • Security – Protection of the system against unauthorized access
  • Availability – Availability of the system for operation and use
  • Processing Integrity – The system processes information completely, accurately and in a timely manner
  • Confidentiality – Information classified as confidential is protected
  • Privacy – Any personal information is collected, used, retained, disclosed, and destroyed in accordance with the entity’s privacy notice


ISO 27001 Audit

ISO 27001 is an internationally accepted standard governing an organization’s Information Security Management System (ISMS). The ISMS preserves the confidentiality, integrity, and availability of information by applying a risk management process, and gives external parties confidence that information-related risks are appropriately managed by the organization.

The ISO 27001 standard regulates how an organization creates and runs an effective ISMS through policies and procedures and the associated legal, physical, and technical controls supporting the organization’s information risk management processes. The following seven sections of the ISO 27001:2013 standard (sections 4 to 10) provide the core requirements for compliance with the standard:

  • Section 4: Context of the Organization
  • Section 5: Leadership
  • Section 6: Planning
  • Section 7: Support
  • Section 8: Operation
  • Section 9: Performance evaluation
  • Section 10: Improvement

The following are a few other key differences between the SOC 2 and ISO 27001 standards that further clarify the distinction:

The certifying and governing bodies

A SOC 2 report is attested by a licensed CPA (Certified Public Accountant) firm, whereas an ISO 27001 certification is issued by a recognized ISO 27001-accredited registrar. ISO 27001 is managed by the International Organization for Standardization (ISO), and the SOC 2 attestation standards (SSAE 18) are regulated by the American Institute of Certified Public Accountants (AICPA).

Market Relevance

Both standards are credible security certifications widely accepted by clients. If you are selling services to organizations in the United States, SOC 2 is better suited. However, if you are doing business internationally, ISO 27001 is more widely accepted by clients worldwide.

Certification Renewals

SOC 2 has two types, namely Type 1 (which gives a point-in-time assessment of control design) and Type 2 (which requires you to demonstrate the effectiveness of your security controls over a period of time, typically twelve months). A SOC 2 Type 2 report typically needs to be renewed on an annual basis. On the other hand, an ISO 27001 engagement is a three-year commitment in which a point-in-time audit is performed every year and the certification is renewed annually after the successful completion of that audit.

Report Type obtained on completion

SOC 2 gives you a detailed report containing the auditor’s opinion, management’s assertion, description of controls, user control considerations, tests of controls, and the results. ISO certification, by contrast, is a single-page certificate issued to the company.

Applicability and use

A SOC 2 report, laid out on the Trust Services Criteria, is applicable to an organization’s overall system, while ISO 27001, based on its information security framework, applies specifically to the organization’s ISMS.

Further, SOC 2 attestation, being a good industry practice, is used to measure a service organization against static security principles and criteria. ISO 27001 is considered one of the best practices for establishing, implementing, maintaining, and improving the ISMS of an organization.

Both SOC 2 and ISO 27001 are effective compliance methods for organizations to adopt, and can be used to gain an edge over market competition, demonstrate the design and operating effectiveness of internal controls, and achieve compliance with regulatory requirements.

One can decide to go through either a SOC 2 or an ISO 27001 engagement based on their understanding of the markets, customers and regulatory requirements that they need to satisfy. We hope you now have a clearer picture of the two standards. Please feel free to reach out to us in case you have any

2020-06-10 03:37:31

Foreign Direct Investment Policy

The Government of India has recently amended its Foreign Direct Investment Policy ("FDI Policy") and barred automatic-route investment into India from its neighbouring countries. A press release dated April 17th, 2020 ("Press Release"), issued by the Department for Promotion of Industry and Internal Trade (DPIIT), revised the FDI Policy to curb opportunistic takeovers or acquisitions of Indian companies in the aftermath of the novel coronavirus outbreak and the looming economic crisis.

Present Position

Prior to the amendment, a non-resident entity could invest in India under the FDI Policy, except in certain reserved sectors. However, a citizen of Bangladesh or an entity incorporated in Bangladesh could invest only under the Government route, and a citizen of Pakistan or an entity incorporated in Pakistan could invest in India only with prior Government approval and only in sectors other than defence, space, atomic energy or any other sensitive / prohibited sectors.

Amendment of FDI Policy

The revised FDI Policy requires the Government's approval for any FDI made by an entity of a country that shares a land border with India, or where the beneficial owner of such an investment resides in or is a citizen of any such country. India shares its land borders with Pakistan, Bangladesh, Nepal, Myanmar, Bhutan, China and Afghanistan ("Neighbours"). In other words, under the new amendment, FDI from these neighbouring countries requires approval from the Government of India (and cannot go through the automatic route), which will thereby be able to monitor the extent of these investments and grant approval on a case-by-case basis. Subsequent to the Press Release, two senior Government officials have clarified that this restriction shall also apply to Hong Kong, which is a Special Administrative Region of China.

Additionally, the revised FDI Policy retains existing clauses that state that any citizen of Pakistan or an entity incorporated in Pakistan can invest in India only after securing prior Government approval but not in the defence, space, atomic energy or any other restricted sector. The amendment also addresses situations involving a proposed transfer of ownership of any existing or future FDI in an Indian entity benefitting an entity or citizen of a country sharing land border with India. The revised FDI Policy states that such a transfer would also require Government approval.

On the heels of the Government's decision to revise the FDI Policy came the Securities and Exchange Board of India's (SEBI) request for data from custodians, with the aim of analysing investment from China, Hong Kong and 11 other Asian countries.

What Triggered the Amendment?

In 1991, the Narasimha Rao government ushered in a slew of new reforms and revolutionised the economy through the Liberalisation, Privatisation and Globalisation (LPG) regime. This marked the beginning of the end of many public sector monopolies, with the Government taking a huge step forward by abolishing licensing control on private investment. Since then, India has been on a constant trajectory of liberalising its FDI Policy. The recent amendment places obvious hindrances in the path of a liberalisation reform that seeks to reduce Government control to the bare minimum.

However, in the wake of the Covid-19 pandemic and its looming economic implications, India has, through this amendment, taken a protective stand for homegrown and Indian entities against investment from its Neighbours. This legislation is in line with the protectionist stances taken by the USA and China throughout the brewing trade war last year.

As of December 2019, China's cumulative investment in India had exceeded 8 billion US dollars, far more than the total investments of India's other border-sharing countries. Earlier this month, it was reported that China's central bank, the People's Bank of China (PBoC), raised its stake in Housing Development Finance Corp. Ltd (HDFC) from 0.8% to 1.01% in the March quarter. This move has raised grave concerns about hostile takeovers, by neighbouring countries such as China, of marquee Indian companies that have lost significant value in the recent market meltdown.

A historical example is China's acquisition of the Sri Lankan port at Hambantota. The port was built with money lent to Sri Lanka by China over several years. Struggling to repay the debt, the Sri Lankan government, after months of negotiations with the Chinese, eventually had to hand over the port as well as the surrounding land to China for 99 years. This is not the only port in which China has a stake: the Chinese government has stakes in ports in Pakistan (as well as the proposed China Pakistan Economic Corridor), Myanmar and several other countries both within and outside the Indian subcontinent, and is thus perceived as a threat to India.

Implications of the Amendment

Any fresh investment from China or any of India's Neighbours would now require a Government nod which will lengthen the time required for concluding a transaction. This may cause Indian entities to prefer investments from the US or Europe or other parts of the world.

However, this also means that companies with existing Chinese FDI may face severe problems. Chinese companies such as Alibaba, Tencent and Xiaomi are heavily invested in India, and several of India Inc.'s big names, such as PayTm, Big Basket, Zomato and Ola, have large chunks of Chinese investment. 18 out of 30 Indian unicorns are Chinese funded, and the clampdown on Chinese investment will have implications for future investment. In a market that is already struggling with a severe liquidity crunch, this amendment will exacerbate the cash crisis further.

While start-ups and other debt-ridden entities in India may be wary of the Government's move to change the FDI Policy in an attempt to restrict investment from China, the move could prove beneficial in the long run and protect the Indian economy from opportunistic takeovers. The Government's decision has been taken as a measure to protect India Inc. as well as to address the concerns of many who worried that Indian companies could be susceptible to a takeover by foreign investors, as their valuations have been hit by the correction in equity markets caused by the pandemic and the consequent lockdown.

In the latest development, the spokesperson of the Chinese Embassy in India, Counselor Ji Rong, stated that "The additional barriers set by Indian side for investors from specific countries violate WTO's principle of non-discrimination, and go against the general trend of liberalization and facilitation of trade and investment. More importantly, they do not conform to the consensus of G20 leaders and trade ministers to realize a free, fair, non-discriminatory, transparent, predictable and stable trade and investment environment, and to keep our markets open. Companies make choices based on market principles. We hope India would revise relevant discriminatory practices, treat investments from different countries equally, and foster an open, fair and equitable business environment."

2020-06-09 06:21:52

FDI Approval

Policy: However, an entity of a country, which shares land border with India or where the beneficial owner of an investment into India is situated in or is a citizen of any such country, can invest only under the Government route. In the event of the transfer of ownership of any existing or future FDI in an entity in India, directly or indirectly, resulting in the beneficial ownership falling within the restriction/purview of such subsequent change in beneficial ownership will also require Government approval. Once approval is taken again approval may not be required in following cases: Additional foreign investment up to cumulative amount of Rs 5000 crore into the same entity within an approved foreign equity percentage/or into a wholly owned subsidiary. Process: (Foreign Investment Facilitation Portal)

Step 1: Create an account by registering with a login ID and password.

Step 2: Log in to the account to make an application.

Step 3: Upload the required documents. Which documents need to be uploaded at the time of submission of the application?

• Summary of Proposal on Company(Applicant) Letterhead

• Certificate of Incorporation(COI) (Investee/Investor/Downstream)

• Memorandum of Association(MOA) (Investee/Investor/Downstream)

• Board Resolution(Investee/Investor/Downstream)

• Audited Financial Statement of Last Financial Year(Investee/Investor/Downstream)

• Article of Association(Investee/Investor/Downstream)

• LLP Draft

• LLP Agreement

• Income Tax Return of Last Year

• Passport Copy/ Identification Proof

Other Documents:

• A copy of the JV agreement/shareholders agreement/ technology transfer/trademark/brand assignment agreement (as applicable), in case there are existing ventures.

• Board resolution of any joint venture company(if required)

• Certificates of Incorporation and charter documents of any joint venture/company which is a party to the proposed transaction

• Certification for LLP cases compliance

• Copy of Downstream Intimation

• Copy of relevant past FIPB/SIA/RBI approvals, connected with the current proposal(In case of amendment proposal)

• Diagrammatic representation of the flow and funds from the original investor to the investee company and Pre and Post shareholding pattern of the Investee Company.


• In the case of investments by entities which are themselves pooled investment funds, details such as the names and addresses of promoters, investment managers as well as all the contributors to the investment fund.

• List of the downstream companies of the Indian company and the details of the equity held by the Indian Company along with the details of the activities of the companies

• Self Certificate of the documents/ for affidavit.

• The comments of the Indian partners/ technical/ trademark collaborators about the new venture, on their official letterheads, with the name and contact address of the signatory of the comments.

• The No Objection Certificate from the State Government (in case of repatriation under the real estate sector)

• Valuation certificate as approved by a CA

Security Clearance Form:

• Security Clearance Form (If required)

Additional Relevant Document:

• Any Relevant Document

2020-05-30 07:24:18

The US and UK attestation standards (SSAE and ISAE)

Usually, when you look to get an independent controls attestation for your organization by a third-party service auditor, you may come across many ways of getting that done. You can either get a SOC 1 or SOC 2 audit done (Type I or Type II) based on your requirements and choose your attestation standard for the report, i.e. either ISAE (the UK standard, No. 3402 being the latest one) or SSAE (the US standard, No. 18 being the latest). In this article, we will touch upon both standards, their managing authorities and the key differences, which will help you understand what exactly they are and identify the best one for yourself.

ISAE stands for International Standards on Attestation Engagements (the UK standard), which is managed by the IAASB (International Auditing & Assurance Standards Board), which in turn reports to IFAC (International Federation of Accountants). SSAE stands for Statement on Standards for Attestation Engagements (the US standard) and is managed by the AICPA (American Institute of Certified Public Accountants), which reports to the FASB (Financial Accounting Standards Board).

Principally, both standards are designed to achieve the same objective in terms of reporting on the establishment of effectively designed controls over financial reporting, and each service organization may need to provide reports to its clients (user entities) according to different standards. For service organizations catering to clients within the United States, SSAE 18 is best suited, while for those providing services outside the US, reporting can be done in accordance with the ISAE 3402 standard (termed a combined report). Further, there are a few key differences when it comes to the performance and reporting style of the two standards. Below are the major differences one should know:

• Investigation of Intentional Acts: Both standards require the investigation of any deviations identified during testing. They direct the service auditor to investigate noted deviations that could have been caused by an intentional act of the service organization's (SO) personnel. SSAE 18 directs that the auditor should receive a written representation from SO management detailing any actual or suspected intentional acts (such as an employee committing fraud) that could impact the fair presentation of management's description of the system. However, ISAE 3402 does not explicitly require auditors to obtain the written representations.

• Dealing with Operating Anomalies: Any finding that deviates from the standard is an operating anomaly. SSAE 18 treats all deviations in the same manner, rather than as anomalies. However, ISAE 3402 contains a requirement that allows a service auditor to conclude that a deviation identified while testing a sample of the control can be considered an anomaly. The idea is that the samples drawn when controls are sampled are not necessarily representative of the entire population.

• Assistance from the Internal Audit Team: SSAE 18 enables the use of direct assistance from the service organization's internal audit function in accordance with US audit standards guidance. ISAE 3402 does not allow the use of the internal audit function for direct assistance.

• Subsequent Events: SSAE 18 calls out that the service auditor should report any event that could be significant in order to prevent users from being misled. A subsequent event is something that could change management's assertion after the audit period has ended. However, ISAE 3402 restricts the types of subsequent events disclosed in the service auditor's report to only those that could have a significant effect on the service auditor's report.

• Statement Restricting Use of the Service Auditor's Report: SSAE 18 requires that the auditor's report include a statement restricting the use of the report to management of the service organization, user entities and user auditors. ISAE 3402, however, requires that the service auditor's report include a statement indicating that the report is intended for the service organization, user entities and user auditors, but does not require a statement restricting its use.

• Acceptance and Continuation of the Engagement: SSAE 18 directs that management should acknowledge and accept the responsibility of providing the service auditor with written representations at the conclusion of the engagement. ISAE 3402 does not require this acknowledgment.

• Disclaimer of Opinion: If the service provider does not provide the assessor with the specific written representations, ISAE 3402 requires that the auditor disclaim an opinion after discussing the concern with management. If this happens, the auditor can carry out the required action. SSAE 18 requires that the service auditor take an action or withdraw from the engagement. SSAE 18 also contains certain incremental requirements for a situation where the auditor plans to disclaim an opinion.

• Elements of the Section 801 Report That Are Not Required in the ISAE 3402 Report: SSAE 18 contains certain requirements that are additional to those in ISAE 3402. These requirements are as follows:

  o The identification of any information included in the documentation that is not covered by the service auditor's report.

  o A reference to management's assertion, and a statement that management is responsible for identifying any of the risks that threaten the fulfillment of the control objectives.

  o A statement that the examination included assessing the risks that management's description of the service organization's system is not fairly presented and that the controls were not suitably designed or operating effectively to achieve the related control objectives.

  o A statement that an examination engagement of this type also includes evaluating the overall presentation of management's description of the service organization's system and the suitability of the control objectives stated in the description.

We believe that this article will have enhanced your understanding of the two standards and their key differences. Please reach out to us if you still have any queries or need any further information.

2020-05-30 07:17:53

The Persisting Challenges of SOC 2 Reporting

Information technology plays an important role in the day-to-day functioning of organisations, and in light of the recent COVID-19 situation, resilient IT infrastructure has proved helpful in carrying out basic business operations in the IT and service industry. This has also raised concerns regarding information security and scrutiny of service organizations' control infrastructure, and has driven demand for attestation reports. As a result, SOC 2 examinations can provide the service organisation comfort over its information security and control environment. The SOC 2's operational and security-centric approach allows for an attestation process that addresses the critical security concerns that customers have regarding third-party services. The top three challenges voiced in the industry, with accompanying recommendations, are listed below.

1) SOC Report Selection

The marketplace is filled with confusion because of the uncertainty about potential customer backlash from issuing one report over the other. Even though the Trust Service Principles were recently revised and enhanced, users and service organizations are concerned about whether the customer will understand the inherent value found in the criteria. For reporting options, including non-SOC reporting, service organizations are strongly encouraged to consult with an experienced and reputable SOC 2 firm. This firm should provide the organization with various choices and paths without requiring any commitment. As a result, service organizations will be better prepared to convey the importance of the provided service, more effective at communicating its positive impact, and clearer about the type of controls in place with customers and stakeholders. If SOC 2 is the chosen solution, the benefits and significance of the Trust Service Principles should be emphasized by the service organization.

2) Selection of Trust Service Principles for SOC 2 Engagements

Many of the service organizations choosing to have a SOC 2 examination are not clear on the exact Trust Service Principle(s) that should be included in the report. In addition, the best method of using the service principles in describing the control environment also represents a grey area. The most common concerns are "Are the controls in place?", "Will the controls satisfy the required criteria?" and "Should the organization provide a Type 1 or Type 2 report?". The best way to reach a common solution is by starting with the end: communicating with the user organization and determining the information it will want, at the beginning, should guide the selection of the best Trust Service Principles. As a leading provider of SOC 2 reporting, we ensure that the most beneficial reporting solutions are chosen.

3) SOC 1 and SOC 2 Are NOT Created Equal

Don't assume SOC 1 and SOC 2 activities are identical. The SOC 2 Principles create a preset baseline standard. From there, service providers commonly identify, adjust or implement new baseline standards for achieving the SOC criteria. In contrast, more flexibility may exist under the control objective framework of SOC 1. On the path to being successful, SOC 2 service organizations should plan and be prepared. To achieve this, readiness assessments are found to be very helpful. In conjunction, everyone's expectations must be set at the most appropriate level, both internally and externally. It is equally important to determine the organization's existing controls and commitments to its customers.

2020-05-30 07:16:05

FRRO Registration - A Practical Guide

Global mobility has become an inevitable part of business ever since globalization. Employees are very often asked to take up assignments outside their home country. These movements call for various aspects to be taken care of, such as tax compliance, immigration-related matters, language barriers, etc. Amongst all these considerations, one of the important aspects which requires immediate attention while moving to India is obtaining a residential permit from the Foreigner Regional Registration Office ("FRRO").
Every foreigner coming to India on a visa valid for more than 180 days is required to obtain registration from the respective FRRO office within 14 days of his or her arrival.
As the process of obtaining the registration, i.e. the Residential Permit, is now completely online, here are a few important guidelines:

To initiate the process, an expat is mandatorily required to create his login credentials on the website of e-FRRO. In case expat’s family is also accompanying, the same login credentials will be used for the family members, however, separate application forms will be filed for each member of the family.

Once the login ID is created, the application form for a fresh/new application is to be filled in for the requisite service, such as registration, registration extension, de-registration, change of address, vi etc. The documents required to be furnished for fresh registration are set out below:

- Passport (front and back page) along with page bearing last Indian Immigration arrival stamp.

- Indian Visa

- Photo (as per the specification)

- Residence Proof- Copy of Form C generated by Hotel/ Individual house along with the copy of the notarized lease deed/ utility bill

- Employment Contract mentioning designation, Duration of the employment period, Salary break-up etc.

- Request letter to FRRO office for visa-related service

- Undertaking Letter- duly signed by an Indian host/ authorized signatory

The coloured scanned copy of the above documents (in PDF) is required to be uploaded along with the application.

Once the documents are uploaded, the FRRO office will process the application. In case any additional document is required, the FRRO office will intimate the same through email. Processing of the application typically takes 2-5 days if the documentation is complete and there is no requirement to visit the FRRO office.

In case there is a change in address, the FRRO office should be intimated by filing the necessary form. Also, in case there is a transfer of employment from one state to another (for example, from Mumbai to Delhi), a de-registration is required to be obtained from the Mumbai FRRO. Once the Mumbai FRRO office grants the transfer certificate, an application for a fresh registration is required to be filed with the FRRO office in Delhi as per the procedure mentioned in the foregoing paragraphs.

In order for the smooth processing of the application, it is recommended to furnish all the documents as per the instructions mentioned at e-FRRO portal.

2020-05-15 00:14:59

Outsourcing by CPA Firms

12 reasons why accounting outsourcing is ideal for your CPA firm


Research says CPA firms typically spend 70% of their time administering low-yield, data-intensive compliance functions. The good news is an accounting outsourcing company can do this work! Other than the obvious benefits of cost-savings, outsourcing your accounting functions reduces overheads that come in the form of:

  • Recruiting and training specialist staff
  • Retaining non-core skills
  • Buying and maintaining systems and software, and
  • Dealing with the IRS

In addition to the above, the following benefits explain why a CPA firm like yours should stop processing their data-intensive compliance function in-house and move to the model of "accounting outsourcing":

1) Lower operational cost

This is commonly cited as the primary driver. Under an ad-hoc business model, businesses pay for the resources as and when they need them. Even if they sign up for a dedicated resource, substantial reduction in costs is quickly visible. It is not uncommon for businesses to reduce their in-house accounting costs by close to 50%.

2) Increase operations efficiency

This is, after cost reduction, the second most cited benefit. Small and medium-sized CPA firms lack access to best practices such as the technology and infrastructure needed to perform accounting functions efficiently. However, when they outsource such a task to an outsourcing specialist, they can easily achieve equal if not better efficiency and productivity levels than their big competitors.

An accounting outsourcing service provider can create this level playing field only because they are specialists who operate from a location where the overheads are lower than in the client's country.

3) Improve margins

For CPA firms, running data-intensive compliance functions is generally considered a low-margin activity. Accounting outsourcing not only reduces costs but also improves margins. It is especially beneficial if you have huge volumes of compliance work.

4) Save time

Accounting outsourcing allows you to spend billable time on delivering higher billing work, building and maintaining client relationships and growing the firm. It also frees up managers and partners from time-intensive recruitment, training and compliance duties, leaving time for truly strategic initiatives like budgeting and forecasting.

5) Get a competitive advantage

It gives you an edge over your competitors, as you can now expand your firm by offering higher-value services to your clients. An in-house survey of QX's current clients found that accounting outsourcing had allowed them to take on more profitable work and boost business revenue.

6) Faster turnaround time

CPA firms outsourcing to India gain from the time difference. How, you ask? With India being 10 hours ahead of the East Coast of North America, work sent overnight can be returned the next morning. There’s great value in that service for tax, bookkeeping and financial services accounting and that means you can shorten your response times.

7) Acquire flexible resources

This is one of the most unique benefits and lets you run a lean operation. Outsourcing nowadays offers the option of scalability with an array of engagement models such as shared, ad-hoc and dedicated. Depending on work volumes, you can choose the one that fits your needs.

During peak seasons when you are inundated with work you can easily scale up the outsource team, and when work is slow you can trim it down. Moreover, you don’t have to worry about back-ups to cover holidays, sickness, maternity, together with the time and cost it involves.

8) Tap the best minds in the world

Accounting outsourcing opens access to an articulate, educated, English-speaking workforce that grows with your company without the HR headache. It also allows you to enjoy a larger workforce and increase your firm’s efficiency without increasing headcount.

9) Escape the maze of legislation

Accounting outsourcing companies take care of staying a step ahead of the ever-changing raft of legislation. They take over the complex legislation and work in partnership with IRS and US GAAP so you can concentrate on delivering the primary services of your firm.

10) Share risk

This is another less-spoken-about benefit that directly affects the growth of your firm. When used as a business strategy, accounting outsourcing allows you to significantly reduce your exposure to risk. In addition, it reduces the risk of relying on in-house employees who may not be available at a critical time due to sickness or holidays.

11) Access to a specialist team and industry best practices at a low cost

This is especially beneficial for small and medium CPA firms that are looking for ‘specialist’ employees. Outsourcing opens access to a team of professionals who are specialists at running your data-intensive compliance functions. Particularly in areas of technology, outsourcing provides an instant access to industry best practices that might be too cost-intensive to buy or hire.

12) Level the playing field

It’s a given that small or medium sized firms can’t match the in-house quality of non-core tasks that big firms can maintain. This changes totally when CPA firms get access to a specialist team and technology that in the past was only available to big firms. This further allows you to compete with bigger firms for bigger jobs and generate larger profits by outsourcing portions of the workload.


2020-05-27 00:08:20