Discussing cyber extortion got the wheels turning about trust and reliance on our increasingly distributed IT ecosystems. Outsourcing IT functionality causes certain IT controls to be a fleeting afterthought for the user entity — the service provider will handle it, right? Well, maybe not.
That’s where a Service Organization Controls (SOC) report comes in handy. According to the AICPA, a SOC 1 report[1] helps “evaluate the effect of the controls at the service organization on the user entities’ financial statement assertions.”
For example, if you outsource payroll to ADP, it is a good idea for your auditor to obtain their SOC 1 report to make sure they have proper internal controls in place. No big deal. It’s easy:
Step 1: Request report.
Step 2: Read report. Note opinion.
Step 3: Note any exceptions and decide if they apply to your environment.
Stop right there… You missed one important step. What about checking for complementary user control considerations (UCCs) or user entity controls? These are your responsibility (not theirs), and the service organization is kind enough to spell them out for you. Don’t gloss over these pesky but important controls.
Jason Pett, PwC's US Internal Audit Services Leader, was quoted in the JoA:
When it comes to ICFR [Internal Controls over Financial Reporting], it’s really important that you understand what the third party’s role is in the execution of control activities, because as a company, you can outsource activities, you cannot outsource responsibilities.
Nailed it. You can’t hand off complementary user control considerations. Here are a few mistakes to avoid when addressing UCCs.
Mistake 1: “Umm… What user control considerations?”
We have touched on this one already… but I will say it again. Don’t blow off user control considerations. They are the user entity’s responsibility and clearly outline how you (the user) must help the service organization or vendor achieve a stated control objective.
The AICPA Peer Review team concluded in its matters for further consideration (MFCs), after evaluating SOC 1 engagements, that “the client acceptance, the description of controls, and the audit documentation” often omitted “reference to the need for complementary user controls, if any exist.” In other words, even auditors are forgetting about UCCs, and you can’t expect clients to know this without a heads-up.
That’s not good, people. These need to be on our radar (as auditors and user entities) or even outsourced systems with a clean opinion might not be under proper control.
Mistake 2: “Wait, you’re telling me I need to restrict access to authorized individuals?”
The majority of logical access controls are up to the user entity, not the service organization or vendor. According to Linford & Co, LLP, here’s an example of a UCC pertaining to logical access:
User organizations should have controls in place to restrict access to the secure web portal that is used to transmit data to the service organization to only authorized individuals. Controls should include notifying the service organization when an individual’s access is no longer required or if authentication credentials have been compromised.
For instance, even if your cloud storage provider is ironclad, you still have to keep the access secure. If you don’t, you might end up like Jessica Lawrence when her iCloud account was phished. Oh, and don’t forget to remove access promptly if someone jumps ship. It could be bad… again, cyber extortion anyone?
Mistake 3: “Oh yeah, I have those controls… I think.”
Just because you “have” controls doesn’t mean that they are working. Elliot Davis recommends that, for every key SOC report from every vendor, you validate each key user entity control and “provide evidence that the UCC is designed appropriately and operating effectively.” Someone in the company may have written a well-crafted policy and procedure document to address the UCC, but that doesn’t mean anyone has read it or has any interest in implementing it.
It’s like when a sports coach drafts up a fabulous playbook and tells reporters before a game that the team plays like a well-oiled machine. Later, after losing miserably, the coach has to answer questions about why the players were all over the place. It’s clear that no one bothered to read the playbook.
Don’t be the embarrassed coach when auditors come knocking. The goal is to validate that UCCs are not only designed and documented well, but are operating effectively.
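The logical-access UCC under Mistake 2 and the “operating effectively” point under Mistake 3 both come down to the same periodic exercise: reconcile who actually holds an account on the vendor’s portal against who HR says should, and keep the output as evidence. The script below is an added example, not code from the original post or from Linford & Co or Elliot Davis. The portal export, the HR roster, the field names, the 60-day inactivity threshold and the 5-day removal SLA are all constructed assumptions; a real review would read the vendor’s access export and the HR feed instead of the inline lists.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Constructed portal export (assumed layout): accounts currently on the vendor's portal.
PORTAL_ACCOUNTS = [
    {"user": "amartin", "role": "payroll_admin", "last_login": "2024-05-28"},
    {"user": "bchen",   "role": "payroll_clerk", "last_login": "2024-03-01"},
    {"user": "cdiaz",   "role": "payroll_clerk", "last_login": "2024-05-30"},
    {"user": "dlee",    "role": "payroll_clerk", "last_login": "2024-01-10"},
    {"user": "svc_old", "role": "payroll_admin", "last_login": None},
]

# Constructed HR roster (assumed layout): the authoritative list of who should have access.
HR_ROSTER = [
    {"user": "amartin", "status": "active",     "termination_date": None},
    {"user": "bchen",   "status": "terminated", "termination_date": "2024-03-15"},
    {"user": "cdiaz",   "status": "active",     "termination_date": None},
    {"user": "dlee",    "status": "active",     "termination_date": None},
]


@dataclass
class Finding:
    user: str
    issue: str                  # terminated | unknown_account | stale_login | never_logged_in
    detail: str
    days: Optional[int] = None  # days past the removal SLA, or days since last login


@dataclass
class ReviewResult:
    as_of: date
    findings: List[Finding] = field(default_factory=list)

    def users_to_revoke(self) -> List[str]:
        """Accounts the user entity must ask the service organization to remove now."""
        return sorted({f.user for f in self.findings
                       if f.issue in ("terminated", "unknown_account")})

    def evidence_summary(self) -> Dict[str, int]:
        """Counts by issue type: the line an auditor can tie to the review workpaper."""
        summary: Dict[str, int] = {}
        for f in self.findings:
            summary[f.issue] = summary.get(f.issue, 0) + 1
        return summary


def _to_date(value: Optional[str]) -> Optional[date]:
    return date.fromisoformat(value) if value else None


def review_access(portal, roster, as_of: date,
                  max_inactive_days: int = 60, removal_sla_days: int = 5) -> ReviewResult:
    """Reconcile portal accounts against HR; every mismatch becomes a Finding."""
    result = ReviewResult(as_of=as_of)
    hr_by_user = {r["user"]: r for r in roster}

    for acct in portal:
        user = acct["user"]
        hr = hr_by_user.get(user)

        if hr is None:
            # Nobody in HR owns this account: treat as unauthorized until explained.
            result.findings.append(Finding(user, "unknown_account", "no matching HR record"))
            continue

        if hr["status"] == "terminated":
            # The UCC says the service org must be told when access is no longer required;
            # access surviving past the SLA means that notice never went out.
            term = _to_date(hr["termination_date"])
            overdue = max((as_of - term).days - removal_sla_days, 0)
            result.findings.append(Finding(user, "terminated",
                                           f"terminated {term.isoformat()}, access still present",
                                           days=overdue))
            continue

        last = _to_date(acct["last_login"])
        if last is None:
            result.findings.append(Finding(user, "never_logged_in",
                                           "active in HR but account never used"))
        elif (as_of - last).days > max_inactive_days:
            # Dormant accounts are the ones nobody notices being misused.
            result.findings.append(Finding(user, "stale_login",
                                           "active in HR but no recent login",
                                           days=(as_of - last).days))
    return result


def default_review() -> ReviewResult:
    """Run the review over the constructed data as of an assumed review date."""
    return review_access(PORTAL_ACCOUNTS, HR_ROSTER, as_of=date(2024, 6, 1))


if __name__ == "__main__":
    review = default_review()
    for f in review.findings:
        print(f"{f.user:10} {f.issue:16} {f.detail} ({f.days})")
    print("ask service organization to revoke:", review.users_to_revoke())
    print("evidence summary:", review.evidence_summary())
```

The findings list, dated and kept with the access export and roster it was built from, is the evidence that the control ran; the revoke list is the notification the UCC requires you to send the service organization. Running it on a schedule and keeping each output is what turns a well-written policy into a control that is actually operating.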
Have you seen any of these user control consideration snafus or other mistakes user entities make that I forgot? Do tell.
[1] In case you have been under a rock since 2011, the SOC 1 is prepared in accordance with SSAE 16, which supersedes the old SAS 70 reporting framework.