Latest Blogs

SERVICE COMPARISON

| | FINANCIAL STATEMENT PREPARATION | COMPILATION | REVIEW | AUDIT |
| --- | --- | --- | --- | --- |
| Level of assurance that the financial statements are not materially misstated | CPA does not obtain or provide any assurance that there are no material modifications that should be made to the financial statements. | CPA does not obtain or provide any assurance that there are no material modifications that should be made to the financial statements. | CPA obtains limited assurance that there are no material modifications that should be made to the financial statements. | The CPA obtains reasonable (defined as high, but not absolute) assurance about whether the financial statements are free of material misstatement. |
| Objective | To prepare financial statements pursuant to a specified financial reporting framework. | To apply accounting and financial reporting expertise to assist management in the presentation of financial statements. | To obtain limited assurance as a basis for reporting whether the CPA is aware of any material modifications that should be made to the financial statements for them to be in accordance with the applicable financial reporting framework, primarily through the performance of inquiry and analytical procedures. | To obtain reasonable assurance about whether the financial statements as a whole are free of material misstatement thereby enabling the CPA to express an opinion on whether the financial statements are presented fairly, in all material respects, in accordance with an applicable financial reporting framework and to report on the financial statements in accordance with the auditor’s findings. |
| The CPA is required to be independent | No | No — but if the CPA is not independent, the CPA is required to indicate lack of independence in the CPA’s compilation report. | | |

2020-10-27 23:14:01

History of SOC reporting

This blog covers the history and background of SOC reporting, with a brief overview of how it came into existence and evolved as a way of addressing the risks associated with outsourcing services.

Brief History

The increased emphasis on governance, risk management, and compliance has steered companies to focus on internal controls over all aspects of their operations. Service organizations providing outsourced services (IT, business processes, etc.) often engage a third-party audit firm to certify the design and operating effectiveness of these controls. The auditor's inspection of an organization’s internal control, and the impact that a service organization may have on the entity's control environment, has long been an area of focus in designing an acceptable audit approach. The original attestation standard was known as SAS 70 and was an established way for service organizations to illustrate the effectiveness of their internal controls. The SAS 70 audit was performed by a CPA, and the result was a report on the effectiveness of internal control over financial reporting (ICFR). Organizations often used this report to show that a vendor was secure and safe to work with. However, the report was not principally meant for that purpose.

Introduction of SSAE 16

Technology evolved, and so did the AICPA’s attestation standards. The SSAE No. 16 reporting standard was completed by the AICPA in January 2010. SSAE 16 replaced SAS 70 as the reliable guidance for reporting on service organizations. SSAE 16 was officially issued in April 2010 and became effective on 15th June 2011. It was drafted with the objective of updating the US service organization reporting standard so that it reflects and adheres to the new international service organization reporting standard, ISAE 3402. SSAE 16 also established a new attestation standard called AT 801, which contained guidance for performing the service auditor's examination. Many service organizations that had previously performed a SAS 70 examination switched to the new standard in 2011 and received an enhanced SSAE 16 report (also referred to as a Service Organization Controls (SOC) 1 report).

The upgraded SSAE 18

SSAE No. 18 (Statement on Standards of Attestation Engagements), used for SOC reporting, is the latest periodic statement issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA), effective from 1st May 2017. The following were the key changes in the transition from SSAE 16 to SSAE 18:

• SOC as defined under the SSAE 16 Standard stood for ‘Service Organization Control’. Under the new Standard, SOC now stands for ‘System and Organizational Controls’, and applies to other types of organizations and to both system and/or entity-level controls.

• In the SSAE 16 Standard, complementary user-entity controls (CUEC) were defined as those controls at user-entity organizations that were both necessary and unnecessary to achieve control objectives stated in management’s description. Under the SSAE 18 Standard, CUEC are now defined as only those controls that are necessary to achieve control objectives stated in management’s description.

• The new SSAE 18 Standard adds requirements related to subservice organizations (SSO) and vendor management processes. When a subservice organization is carved out, the SSO controls are now included in management’s description, similarly to CUECs. Vendor management processes to monitor the effectiveness of controls at SSOs have also been emphasized.

• The new SSAE 18 Standard requires that the Management Assertion letter accepting responsibility for the description be signed. Previously, a Management Assertion letter was required but it did not have to be signed.

• The new SSAE 18 Standard has also included revisions to the language used in the Management Assertion Letter and Service Auditor’s report to accommodate general changes and those associated with complementary user-entity and subservice organization controls.

The following table summarizes some of the Statements relating to internal control, the effect of information technology on a financial statement audit, and service organizations that have been issued since the SAS No. 70 standard was introduced in 1992.

| Statement Name | Date Issued | Title of Statement |
| --- | --- | --- |
| SAS No. 70 | April 1992 | Service Organizations |
| SAS No. 78 | December 1995 | Consideration of Internal Control in a Financial Statement Audit: An Amendment to Statement on Auditing Standards No. 55 |
| SAS No. 88 | December 1999 | Service Organizations and Reporting on Consistency |
| SAS No. 94 | May 2001 | The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit |
| PCAOB No. 2 | March 2004 | An Audit of Internal Control over Financial Reporting in Conjunction with an Audit of Financial Statements. (Note: Appendix B refers to Service Organizations) |
| PCAOB No. 5 | May 2007 | An Audit of Internal Control over Financial Reporting that is Integrated with an Audit of Financial Statements. (Note: Appendix B17-B17 covers Service Organization considerations.) |
| ISAE No. 3402 | December 2009 | Assurance Reports on Controls at a Service Organization |
| SSAE No. 16 | April 2010 | Reporting on Controls at a Service Organization |
| SSAE No. 18 | May 2017 | Concepts common to all Attestation engagements (with more stress on system details, CUEC (complementary user organization controls) and SSO (sub-service organization) controls.) |

We hope this blog has added to your understanding of SOC reporting standards. Stay connected and feel free to reach out to learn more about the different types of SOC reporting.

2020-06-30 23:53:54

SOC 1 Report

A question we hear often is: what is a SOC 1 report? For more than 20 years, it has been a trend for organizations to outsource certain activities or business processes to other organizations. In SOC terminology, the organization that performs the outsourced activities is known as the ‘service organization’, and the organization that outsources them is known as the ‘user entity’. A SOC 1 (also known as SSAE 18) report is a Service Organization Control report: a report on controls (business process and IT controls) at a service organization that are relevant to the user entity’s internal control over financial reporting.

A SOC 1 report is normally required of organizations that provide financial processing services, where those processes may impact user entities' internal control over financial reporting. Such a service organization may be a payroll processor, a data center service provider, a loan servicing organization, a medical claims processing company, or a cloud service provider, especially one that provides Software-as-a-Service (SaaS) solutions that may impact the financials of the user entity.

For example, a data center company may provide server rooms or data storage servers that store financial transaction data or a user entity's financial reports. User entities that use the data center service recognize the material impact of that storage and expect the servers to store data in accordance with their expectations. A SOC 1 report therefore provides reasonable assurance to the user entity that the internal controls of the service organization, i.e. the data center company, are adequately designed and operating effectively to provide the data center service.

SOC 1 reports are of two types, generally known as the SOC 1 Type I report and the SOC 1 Type II report. The Type I and Type II reports are described below:

SOC 1 Type I Report

SOC 1 Type I reports are generally referred to as point-in-time reports (or reports as of a particular date). They normally include a description of the service organization’s system, and the audit tests the design of the service organization’s controls. The Type I report starts with the auditor’s opinion about the service organization's controls and the scoped business processes. Section 2 of the report contains the service organization's management assertion, written by the service organization's management, stating that the description of the business system is fairly presented and that the control objectives were suitably designed during the audit period. Section 3 of the report contains the description of the system, followed by Section 4, which contains the description of the tests of controls with the results of testing. The last section provides other information that the service organization usually provides about relevant processes that were not tested during the audit, such as business continuity planning and disaster recovery.

SOC 1 Type II Report

SOC 1 Type II reports generally cover a period of time, such as 6 months or 12 months. The Type II report normally addresses the design and operating effectiveness of internal control over that period. Like the Type I report, the Type II report starts with the auditor’s opinion about the scoped service organization controls and business processes. Section 2 of the report contains the service organization's management assertion, written by the service organization's management, stating that the description of the business system is fairly presented and that the controls were suitably designed and operating effectively to meet the control objectives over the audit period. Section 3 of the report contains the description of the system, followed by Section 4, which contains the description of the tests of controls with the results of testing. The last section provides other information that the service organization usually provides about relevant processes that were not tested during the audit, such as business continuity planning and disaster recovery.

2020-06-30 23:40:58

Understanding a SOC Report

In the current environment of emerging technologies, most organizations outsource some aspects of their business to vendors, which can mean anything from performing a specific task to replacing an entire business function. Vendors can handle various functions such as customer support, financial technology, data storage, and software development. Alongside these advantages, organizations should also consider the inherent risks associated with outsourcing. To gain comfort over a vendor’s environment and internal controls, organizations usually ask the vendor for either a SOC 1 or a SOC 2 report. However, on receiving a SOC 1 or SOC 2 report, most organizations do not know how to read it, what exactly a qualified opinion is, or whether the risks they are looking to mitigate are addressed in the report. SOC 1 and SOC 2 reports are lengthy and complex, but they play an extremely important role in understanding the risks to your organization. In this article, we will touch upon some key components of SOC 1 and SOC 2 reports that will help you analyze the security of your vendors.

Categories and Types of SOC Reports

SOC reports fall mainly into two categories, SOC 1 and SOC 2, each of which can be either Type I or Type II.

The SOC 1 report attests to the company’s financial reporting. It is particularly important for a service organization that impacts the user entity’s financial reporting. Some examples of organizations that may require SOC 1 reports are:

• Payroll processors

• Medical claims processors

• Data center companies

• Lending services

• Data centers

• Cloud service providers

• Human resources support services

A SOC 2 report highlights the security and protection of customer data. A SOC 2 report follows a similar approach to SOC 1, but includes the controls over IT and systems processing confidential client data. SOC 2 audits focus on controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy. A SOC 2 audit is a best practice for any service-based organization that stores, manages, or processes client information in the cloud. The report is beneficial for any service organization processing or maintaining information that requires a controlled or secure system.

Further, each of the above reports can be of the following two types:

Type I – A report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.

Type II – A report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.

Structure of a SOC Report
 

A SOC report broadly consists of the following sections, each with its own purpose and containing specific information about the client’s environment.

Section 1: Independent service auditors’ report

 

This section generally starts with ‘To the management’ and is signed by the service auditor/CPA. It is written from the service auditor's perspective and contains the following key aspects related to the service organization:

• Scope, explaining the type of report, testing date/duration (Type I or Type II), in-scope locations and any omissions

• Responsibilities pertaining to both the service organization and the service auditor

• Inherent limitations

• Service auditor’s opinion on the system description, design, and operating effectiveness to meet the control objectives

• Statement on the restricted use of the report and its intended users

Section 2: Management’s assertion regarding the effectiveness of its controls

This section provides the reader with the facts and assertions made by the service organization’s management related to the system(s) under audit.

• It sets out the contents that will be covered in the description, i.e. the types of services provided, the components of the system, how the system captures and processes significant events, any applicable trust services criteria, etc., and makes the statement that the controls described are suitably designed and are operating effectively.

• It also provides the signed Management Assertion letter accepting responsibility for the description provided.

Section 3: Management’s description of its system and controls

This section is the heart of the report and provides the details of the systems being reported on (written by management). The following are the key components of Section 3:

• Scope and purpose of the report, explaining the type of report, testing date/duration (Type I or Type II), in-scope locations and any omissions

• Company overview and background, and an overview of products and services, which provide a brief introduction to the organization, its background and the products/services the company offers

• Details related to the company’s IT infrastructure, including the network overview, servers, tools and software used, and data management

• The company’s organizational structure, policies and procedures, risk assessment, governance and oversight, and details about the control environment

• All the control descriptions with their functioning, subservice organizations, user entity controls, and other system information

• Inclusions in this section should be capable of being audited to meet the control objectives

Section 4: Applicable trust services principles’ criteria and control activities

This section presents the test results and the overall effectiveness of the controls in meeting the control objectives. For a Type I report, you can only see the conclusion; for a Type II report, you can see both the test procedures and the conclusions. It shows the following four columns of information:

• Control objective (related to the applicable trust service principles/controls over financial reporting)

• Controls in place at the service organization to meet the objectives

• Auditor's tests of the controls (explaining the test procedures performed)

• Overall results and conclusion of the tests

Section 5: Other information provided

Lastly, we come to Section 5, which is other information not covered by the auditor’s report. This section is available for any additional information that you would like to provide to the users of the SOC report concerning your services system. In this section, management can discuss items such as a strategic plan or a business continuity plan, or any other items that they feel would be beneficial for the report users. All sections listed above, apart from the Independent Service Auditor's Report (Section 1), are the responsibility of the management of the service organization. It is important to be as detailed as possible when creating your SOC report in order to explain the services system and the controls over that system in a way that is helpful to the report users and supportive in trying to arrive at a desired audit opinion.

You can also visit the link below to read AICPA articles related to the impact of COVID-19 on audit and assurance.

https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html

Please reach out to us in case you would like to discuss more on this topic or if you have any queries related to SOC reporting.

2020-06-29 00:17:51