Category: Advisory

Dealing with Suppliers (Sub-Service Organizations) in 4 Steps.


This article provides 4 steps to better oversee the audit process and work more efficiently.

Step 1. Is there a subservice organization?

The so-called subservice organizations represent a special class of suppliers. These are defined as “a service organization used by another service organization to perform some of the services provided to user entities that are likely to be relevant to those user entities’ internal control over financial reporting.”

Subservice organizations may appear in an SOC 1 or SOC 2 report, and this may determine whether it is a Type 1 or a Type 2 report. The following providers are typical examples of a subservice organization:

  • Datacenter
  • IT service providers
  • Software-as-a-service or platform-as-a-service providers

Step 2. Split or inclusive reporting?

Once the organization has been able to identify whether there is a subservice organization, that is actually just the tip of the iceberg. For the report, it still needs to be decided whether to use the carve-out method or the inclusive method.

Carve-out method

This is the method where CSOCs (complementary subservice organization controls) come into play. The controls performed by the subservice organization are not included in the report. The report contains only an overview of what the subservice organization means for the service organization, how it interacts with your system, and the different controls it is expected to perform so that you can achieve control objectives for trust services.

Inclusive method

With this method, the relevant aspects of the subservice organization’s operations and related internal control measures at the subservice organization are fully included in the report. The inclusive method can also be seen as a merger of separate SOC reports from two entities. What is important is that the same level of work that is used for the service organization must also be used for the subservice organization. This can be discouraging and therefore the use of the inclusive method is rarely seen in practice. Entities of the brother/sister type, such as an operational unit supported by a separate IT department, both from the same parent company, are an example of when inclusive could be used. Another example would be when the subservice organization carries out almost all its activities with an unrelated service organization.

Step 3. Demonstrate how your organization manages the split subservice organizations

Now you need to ensure that, if there is a split subservice organization, the organization documents well how it is managed. With subservice organizations, a typical supplier management program where you evaluate the services, quality, policy, and procedures (e.g., IT security) and insurance coverage of the supplier is not sufficient. With a subservice organization, as a service organization, you need to take steps to determine whether the types of CSOCs you expect the subservice organization to have are actually present. One of the easiest ways to do this is to obtain the subservice organization’s SOC report, assuming they have one.

If there is no SOC report available, the organization should gather information from the management of the subservice organization, read other internal reports that the subservice organization may produce, and/or conduct on-site visits to assess your required CSOCs.

Step 4. Understand and comply with complementary controls over user entities

This brings us to the final step. Most service organizations have expectations of their user entities, which auditors also refer to as CUECs. CUEC stands for “Complementary User Entity Controls.” The subservice organization also expects the organization, as a user entity, to perform certain types of internal control measures. The final step is to understand and determine how the organization complies with these.

ISAE 3402 | SOC 1 adapted to an organisation?



Systems and Controls – SOC reporting revolves around controls. An ISAE 3402 | SOC 1 report focuses on financial outsourcing, including asset management, SaaS providers (financial software), and data centers (storage of financial data). The SOC 2 report targets a broader scope for user organizations with additional requirements on security, availability, processing integrity, confidentiality, and privacy. Our consultants guide many organizations in achieving the ultimate goal: a professional SOC report and an approving statement. What are the necessary steps to achieve this?

The Method

The initial steps involve understanding the criteria, selecting the right audit scope, and following a structured approach for implementation. In this article, we outline how this process unfolds. Obtaining an approved assurance statement relies on various factors and requires significant discipline from your employees in adhering to procedures and performing controls, but effective structuring and planning can greatly assist!

Criteria

The criteria for an ISAE 3402 | SOC 1 report mainly depend on the reporting procedures of the user organization, the SLA agreement, and other requirements of the user organization. The criteria for an ISAE 3000 | SOC 2 report are developed by the American Institute of Certified Public Accountants (AICPA). The AICPA has developed criteria for trust services that are more descriptive and cover the control environment, risk management, communication, detailed controls, and detailed technical criteria.

In other words, the Trust Service Criteria broadly outline what needs to be done, but it is up to organizations to develop controls. Auditors verifying the organization’s controls through SOC audits observe and rephrase controls to determine if they are well-established, exist, and function effectively to achieve the desired outcome. The first step in the SOC implementation process is defining the audit scope.

Scope of Control

Gaining an overview of the environment and systems is crucial for defining the scope. Therefore, Risklane SOC implementation projects commence with a thorough analysis of the organization, infrastructure, services provided, and processes. Without this analysis, the quality of the SOC report may not be optimal, ultimately leading to a qualified opinion or, at the very least, an ineffective ISAE 3402 or ISAE 3000 audit. For an ISAE 3000 | SOC 2 report, the next step is understanding the Trust Service Criteria.

Understanding Trust Service Criteria

The first step to understanding the criteria is acquiring them from the AICPA website and studying them in relation to the defined scope. The Trust Service Criteria are contained in an extensive document, and the specific language may sometimes be challenging to comprehend, but investing time in studying them will pay off in later stages of the audit. The Trust Service Criteria include examples for each criterion of the risks and controls that typically mitigate these risks. After understanding the criteria, controls need to be mapped to risks and vice versa.

Mapping Risks and Controls

The most common errors we identify in existing frameworks are unmatched or redundant controls. Unmatched means either an internal control measure that does not effectively cover a defined risk, or a risk for which internal control measures are lacking. Redundant internal control measures are defined as internal control measures that are covered by other internal control measures or that do not cover any risk at all. These redundant controls essentially exist without a real purpose. After this analysis and matching, the next step is creating a control matrix.

Creating a Control Matrix

Documenting control objectives and related controls in a structured control matrix is beneficial for more than one reason: it becomes the source for how risk controls are structured and implemented, and it is a significant reference document for your SOC auditors.

Thus, the Trust Service Criteria related to monitoring controls are linked to a list of affirmative controls, demonstrating how these controls mitigate the relevant risk, are well-designed, and are effective. In our experience, these should be as detailed as possible: Who performs the control? What information is used? What is the outcome? How is this documented? Answering these questions will be very helpful for your auditor to validate that the listed internal control measures are present, designed to achieve control objectives, and effective. In future articles, we will delve deeper into how to structure your control framework. Following this phase, the readiness assessment (pre-audit) ensues, after which the reporting is tailored, and the final audit can be prepared.


Audit Preparation

The process described above may seem a bit daunting, but do not panic. We can support you in this regard. We can help you understand the Trust Service Criteria and advise you on how to effectively align controls with risks and remove redundant controls. Of course, you can also obtain a ControlReports license for ISAE 3402 | SOC 1 implementation or ISAE 3000 | SOC 2 implementation, which provides a well-defined approach and effective workflow for examining, understanding, and defining the different elements. Both ultimately result in SOC reporting in accordance with our industry best practices, based on years of experience. Contact Securance (+31) 30 2800888. 

Outsourcing throughout history


Economies of scale

Since the industrial revolution, organizations have pondered how to leverage their competitive advantage to expand markets and increase profits. The predominant model in the 19th and 20th centuries was the large integrated organization. In the 1950s and 1960s, businesses broadened their bases to capitalize on economies of scale.

The large integrated organization diversified its product range, requiring more layers of management for expansions. Technological advancements like the internet in the 1980s and 1990s forced organizations to globalize more, and those organizations were hampered by inflexibility due to bloated management structures. To enhance agility, many large organizations developed a strategy focused on their core activities and core processes.

Principal-agent problem

The focus on core processes initiated discussions about which processes were essential and crucial for business continuity and which could be outsourced to external service providers. Processes or functions lacking internal resources were outsourced to specialized agencies or service providers. Consequently, the principal-agent problem evolved between user organizations and service organizations, and the principal-agent theory and related information asymmetry gained importance in line with outsourcing growth.

Information asymmetry

The most common agency relationship in the financial domain occurs between investors (or shareholders) and the management of a company. The principal may not be aware of the agent’s activities or may be prohibited by the agent from obtaining information. The result is an information asymmetry between the principal and the agent. For instance, management might want to invest in emerging economies while the principal’s risk tolerance is unfavorable. This management strategy might sacrifice short-term profitability, increase the company’s risks, and potentially lead to future higher returns. Investors seeking high current capital income with low risks may not be aware of these management plans. If the consequence of this management strategy results in certain losses, management may be inclined not to disclose this information to shareholders. The development of the accounting profession was a significant global development in mitigating the agency problem.

Risk and resource planning

As indicated above, situations may arise where the agent intends to allocate certain resources of the investors to high-risk investments. The agent is the decision-maker and bears little to no risk as all losses are borne by the principal. This situation may occur when shareholders contribute financial support to an entity that management uses at its discretion. The agent may have a different risk tolerance than the investors due to unequal risk distribution. Alternatively, employees may decide to invest their energy in a project that has no long-term benefits for the organization. Management is responsible for the organization’s financial situation and may be unaware of employees focusing on the wrong goals.

Financial consequences

If the principal is an investor or shareholder of an organization, the principal’s interests are focused on optimizing returns on investments. Returns from investments are distributed as dividends to investors in the short or long term. Principals are focused on optimizing (long-term) dividend yields. Paying high dividends to principals restricts investment opportunities or may cause cash flow problems for the organization’s management. Principals and agents have opposing financial interests in this regard.

The agency theory is also relevant in the management-employee relationship. Employees have an interest in increasing their personal salary and personal satisfaction with minimal effort. Management aims to optimize production or sales volumes at the lowest labor costs. In this context, information asymmetry also exists in the form of incomplete understanding of employees’ daily operations by management. Management is likely to implement budgeting mechanisms and controls to optimize employee activities for the organization’s purpose. The agency theory is also relevant in outsourcing situations.

Agency theory in outsourcing

In general terms, agency theory pertains to all relationships between two parties where one party is the principal and the other is the agent representing the principal in transactions with third parties. Agency relationships occur when principals hire agents to perform a service on behalf of the principals. Principals typically delegate decision-making authority to agents. Because contracts and decisions with third parties are made by the agent affecting the principal, agency problems may arise.

In the situation where activities are outsourced by a user organization to a service organization, agency theory is relevant to all aspects described: information asymmetry, risk tolerance, and committed resources. For example, a financial institution outsources IT services to a managed services provider. The managed service provider lacks insight into the institution’s risk tolerance and may decide that weekly backups are acceptable or that storing data outside the EU is acceptable. The service provider may not inform the organization about downtime of certain servers if this network outage is not identified by the financial institution. The service organization may also be inclined to minimize the resources performing activities while attempting to increase the fees received. A service organization may have a different tolerance for fraud or may engage in fraud itself. In the pension sector, asset managers can profit by front running transactions from pension funds. This results in the principal-agent problem described above.

 

Benefits: enhancing risk management and transparency


Organizations often face inquiries about security standards from (potential) clients: What are the differences between an ISAE 3402 | SOC 1, ISAE 3000 | SOC 2, and an ISO 27001 audit? Which standard is more applicable to our business, ISAE or ISO 27001? What are the pros and cons of ISAE versus ISO 27001? ISAE 3402 and ISO 27001 are fundamentally different types of standards, and they are used in equally different ways. The main differences lie in the reporting format and the conducted audit.

Tangible benefits

  • Risk intelligence
  • Market confidence
  • Audit efficiency
  • Enhanced control

ISAE and security

ISAE 3402 is an attestation from an independent auditor comparing System and Organization Controls (SOC) information to audit objectives or criteria. In an ISAE 3402 (SOC1) report, general IT controls (ITGCs) and thus security are included, but the primary scope is financial procedures and controls. An ISAE 3000 (SOC2) report focuses on the Trust Service Criteria, including security, availability, and privacy, and has more overlap with ISO 27001. A significant distinction is that ISAE 3402 and ISAE 3000 (SOC 2) reports provide an assurance statement, while ISO 27001 is a certification.

ISO 27001

ISO 27001 is a risk-based standard for establishing, implementing, and improving the information security management system (ISMS) of an organization. This standard security framework is maintained by ISO and IEC. The implemented ISO 27001 framework is certified by independent certification bodies. The organization must have the procedures and controls described in the High Level Structure (HLS) and Annex A of the ISO 27001 framework. The resulting security framework mitigates risks through the implementation of procedures and controls. ISO 27001 is a comprehensive system for ensuring information security, and all organizations that have implemented ISO 27001 must have at least an information security management system.

ISO 27001 or ISAE 3402?

The world has changed. ISO 27001 used to be the benchmark for information security, but with information security risks constantly evolving, many organizations require greater certainty about information security. ISO 27001 is a prescribed set of controls, while the ISAE 3402 and 3000 standards are based on principles. This means that controls cannot merely be formally implemented; they must also work effectively. If they do not, an auditor will qualify the ISAE 3402 assurance opinion. An ISAE 3402/3000 audit is an in-depth audit focused on the effectiveness of the risk framework in controlling risks. If risks are not effectively controlled, this will be disclosed in the ISAE 3402 report. This level of transparency is required in the global economy and the constantly evolving threat landscape.