Evaluating a SOC 1® from Your Service Organization for Your Financial Statement Audit

06/01/26


A SOC 1® report can be a valuable tool when a service organization processes information that affects financial reporting. It provides insight into the service organization’s control environment and can help support the accuracy and completeness of financial data.

But obtaining a SOC 1® report and filing it away is not enough. These reports vary widely. The services, control objectives, and control activities included in a report are defined by the service organization and are designed to meet the needs of a broad range of users. As a result, a report may not cover the processes that are critical to your organization, particularly where there are unique use cases or client-specific processes.

A report may appear strong but still fail to address the specific ways the organization uses the provider or the risks that use creates. For that reason, the organization should take a structured approach before concluding that a SOC 1® report is sufficient.

Step 1: Understand the Services Being Provided

The first step is to understand and document which of the services being provided are relevant to the organization’s internal control over financial reporting. These include services that initiate or process transactions, perform calculations that affect financial amounts, record or maintain data used in accounting or reporting, generate reports relied on for financial reporting, or host systems used in the accounting process. Without understanding which relevant services are being used, it is difficult to determine whether the SOC 1® report is relevant or sufficient.

After identifying the relevant services, the organization should determine how they flow through the organization’s processes and affect the financial statements. This includes understanding what information is sent to the provider, what processing occurs at the provider, what reports, files, or outputs are returned, and how those outputs are used in journal entries, account reconciliations, estimates, disclosures, or other financial reporting activities.

Step 2: Perform a Risk Assessment

With that understanding in place, the organization can identify the critical risks associated with using the service organization. The focus should be on what could go wrong from a financial reporting perspective, such as incomplete or inaccurate processing, unauthorized changes to data, interface failures, missed exceptions, untimely reporting, or reports that cannot be relied upon.

Those risks are then translated into the processes and controls at the organization and service provider that are necessary to reduce the associated risks to an acceptable level. These typically include processes and controls over data input, processing accuracy, report completeness, logical access, change management, reconciliations, and exception handling.

Step 3: Review the SOC 1® Report

The first step of the report review is to confirm that the appropriate report has been obtained. Questions to answer when validating its appropriateness include:

  • Are the services being used by the organization covered by the report?
  • Does the report include an opinion on the design, implementation, and operating effectiveness of the controls (Type 2 report), rather than only the design and implementation (Type 1 report)?
  • Does the report cover a representative period of the organization’s audit period?
  • Was the report issued by a reputable service auditor that has experience in SOC reporting?

The next step is to evaluate the system description, control objectives, and control activities in the report to assess if they address the risks previously identified. Because these elements are defined by the service organization to meet the needs of a broad range of users, the report may not address the specific applications, transaction streams, interfaces, outputs, or processes the organization relies on. Typical areas to evaluate include controls over data input, processing accuracy, report completeness and accuracy, access, change management, reconciliations, and exception handling.

The organization should also consider whether the service organization uses subservice organizations and, if so, whether they are included in the report or carved out. If a carved-out subservice organization performs services or controls that are critical to the organization’s financial reporting, the organization may need to obtain that subservice organization’s SOC 1® report or other evidence to complete the evaluation.

The organization should also give careful attention to complementary user entity controls, or CUECs, which are controls the service organization has determined must be implemented at the user entity in order for the control objectives in the SOC 1® report to be achieved. The organization should identify which CUECs are relevant based on the specific services being used, understand what each one requires, and determine whether the organization has implemented those controls and whether they are operating effectively. Relevant CUECs often relate to areas such as validating data submitted to the service organization, reviewing output reports, maintaining appropriate user access, approving transactions, and performing reconciliations. If applicable CUECs are not in place or are not operating effectively, the organization may not be able to rely on the service organization’s controls to the extent expected and may need additional procedures or compensating controls.

Step 4: Final Analysis and Conclusion

The final step is to make a practical determination about adequacy and reliance. A SOC 1® report is adequate only if it covers the right services and period, is issued by a credible service auditor, addresses the risks identified by the organization, and is supported by applicable CUECs that are actually in place at the organization. If those conditions are met, the report can be a strong component of the organization’s control evaluation and can support the external financial statement audit.

If the SOC 1® report is not adequate, the organization should decide whether the remaining risks can be addressed through additional controls at the organization, additional procedures over the service provider, or direct testing of key reports and outputs. In some cases, stronger user-side review controls, reconciliations, or validation procedures may be enough to address the gap. In others, particularly where critical processes are outsourced and the provider cannot supply suitable evidence over its control environment, the company may need to reconsider whether the service organization remains an appropriate provider. The right answer will depend on the significance of the outsourced process, the severity of the uncovered risks, and the company’s ability to implement effective compensating controls.

Ultimately, evaluating a SOC 1® is not about collecting a report for the audit file. It is about determining whether the company’s use of a service organization supports reliable financial reporting. When accounting personnel approach that evaluation with a clear understanding of outsourced risks, report scope, service auditor quality, subservice organizations, and CUECs, they are better positioned to support both sound governance and an efficient financial statement audit.


Author

JAMISON SEE

Principal, UHY Advisors

Jamison (Jamie) See is a Principal in UHY's Technology, Risk, and Compliance (TRC) group, where he delivers audit, attest, consulting, and compliance services to clients across the Midwest. With a strong background in accounting and finance operations, Jamie specializes in service provider attestations, internal audit, and regulatory compliance.
