Mitigate Risks Associated With Outsourcing Services
If you outsource services such as payroll processing, loan servicing, data center/co-location/IT Managed Services, Software as a Service (SaaS), or medical claims processing, you rely on the service provider to keep your data secure, maintain confidentiality, integrity of processing, availability of services or systems, and/or privacy. However, AAFCPAs reminds clients that outsourcing may expose your organization to risk and underscores the need for effective vendor due diligence.
The American Institute of Certified Public Accountants states “Management of a user entity is responsible for assessing and addressing risks faced by the user entity related to financial reporting, compliance with laws and regulations, and the efficiency and effectiveness of operations. When a user entity engages a service organization to perform key processes or functions, the entity exposes itself to additional risks related to the service organization’s system. Although management of a user entity can delegate tasks or functions to a service organization, the responsibility for the service provided to customers of the user entity cannot be delegated. Management of the user entity is usually held responsible by those charged with governance (for example, the board of directors); customers; shareholders; regulators; and other affected parties for establishing effective internal control over outsourced functions.”
A service organization is part of your financial system of controls if they affect any of the following:
- The classes of transactions in your operations that are significant to your financial statements;
- The procedures, both automated and manual, by which your transactions are initiated, recorded, processed, and reported from their occurrence to their inclusion in the financial statements;
- The related accounting records, whether electronic or manual, supporting information, and specific accounts in your financial statements involved in initiating, recording, processing, and reporting your transactions;
- How your information system captures other events or conditions that are significant to your financial statements; or
- The financial reporting process used to prepare your financial statements, including significant accounting estimates and disclosures.
How Do You Know If Your 3rd Party Service Provider Has Adequate Controls?
Systems and Organization Controls (SOC) reports provide user organization management with the information they need related to the service organization’s controls to help assess and address the risks associated with an outsourced service.
SOC 1: Report on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting
The SOC 1 report is designed to address internal controls over financial reporting and concentrates on a service organization’s controls as they relate to the processing of your transactions. For example, a payroll processing company receives your records and banking instructions for all employees. This work is outsourced to the payroll company, but you are still responsible for the work and how it impacts your financial statements. If the payroll company cannot demonstrate they have adequate and suitably designed controls that operate effectively, they are viewed as a greater risk to clients and as a result are less likely to be hired for these outsourced services.
AAFCPAs advises our clients to request a SOC 1 from their service providers when the outsourced services have a relationship to their financial reporting. The SOC report should be assessed by the user organization and controls specified in the User Organization Controls section should be evaluated for whether they should be implemented at the user organization. Other SOC reports, such as those for subservice providers, should also be requested because the service provider may be relying on the services and controls of the subservice provider.
SOC 2: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy
The SOC 2 report addresses a service organization’s controls for operations related to the security, confidentiality, processing integrity, availability, and privacy of IT, personally identifiable information (PII), and other sensitive information for their clients. For example, an organization that prints and/or mails statements for hospitals or other medical institutions may require a SOC 2 report. Hospitals often outsource the printing and mailing of client statements to an external vendor. The hired organization receives extensive confidential information, including names, addresses, diagnoses, and medications for patients. A SOC 2 report will provide reasonable assurance that information is securely received and transmitted for the service organization’s clients.
AAFCPAs advises our clients to request a SOC 2 from their service providers when the outsourced services have a relationship to their financial reporting. The SOC report should be assessed by the user organization and controls specified in the User Organization Controls section should be evaluated for whether they should be implemented at the user organization. Again, SOC reports for subservice providers should also be requested.
Vendor Risk Management Program
AAFCPAs advises clients to develop, document, and adhere to a vendor risk assessment program, which should include requirements for SOC reports and other attestations. Organizations are urged to only outsource services to a vendor that meets compliance standards.
The controls tested during a SOC 1 report will determine whether the service organization has sufficient internal controls over processes that can impact your company’s financial reporting. Similarly, SOC 2 examinations will test the controls that protect the systems or data of which service organizations have access.
When outsourcing the processing of financials or large amounts of sensitive data, you need to trust that the service organization has the systems and controls in place and in working order to protect your information.