Service Organization Control (SOC) engagements are seen as a growth area for CPA firms. John McLaughlin, CPA, Partner, Risk Advisory Services Leader, BDO in Philadelphia, asked rhetorically, concerning the clients who need a SOC report, “Do you want to do it now and get some competitive advantage and be out in front and tell them, ‘I do care about security and confidentiality’?”
As part of an ongoing series on additional service practice areas for CPAs, CPA Magazine provides a glimpse into the practice of administering SSAE 16 audits by talking with one CPA with a CPA firm, one non-CPA with a CPA firm, and one non-CPA who helps CPAs handle the data security internal controls portion of the SSAE 16 audit. They are, respectively: John McLaughlin, CPA, partner, Risk Advisory Services Leader, BDO in Philadelphia; Brian Thomas, CISA, CISSP, partner in advisory services at Weaver, an accounting firm; and Tony Scott, CISA, Technical Financial Solutions, LLC, data security internal control specialists.
For more information on SSAE 16 see “CPAs Expand Into SOC 2 After Death of SAS 70”. For more information on crowdfunding audits, see “Crowdfund & Small Firm Auditing”.
1. How did you get involved in SSAE 16/SAS 70 audits and what do you like about them?
John McLaughlin: I have been with BDO for two years in risk advisory practice. I was with Smart doing internal control and with PWC. I was also a controller with internal control responsibility. It is really process-oriented work and that is the way I am wired. I enjoy working with people. [In 2011] the AICPA changed the nomenclature. People are getting smarter about what they are asking. People asking for a SAS 70 really wanted a SOC 2 [Service Organization Control SSAE 16]. [It was necessary because] the needs for privacy, security and confidentiality needed to be addressed. People are becoming more aware. [For example] passwords expire, have several different characters and change every 60 days. The SAS 70 was a three-page CPA report. Attached were the controls and tests the CPA performed. In SOC reports, management expresses its comfort that the controls are working effectively, signed by a senior officer of the company. The CEO or CFO must sign.
Brian J. Thomas: I first got involved with SAS 70 audits when I joined KPMG’s Information Risk Management practice 13 years ago and was responsible for performing IT audit procedures in support of the financial statement audit. That role evolved over time. When I came to Weaver in ’06, I saw SAS 70s, now SSAE 16, as a good business development opportunity. I like SOC reporting because it is based on the nature of the services provided by the service organization. In other words, it is interesting because the scope and the controls are based on the nature of the service provided, and the methods by which the service organization (SO) provides its service to its customers. So, you learn a lot about the service being provided as a result of the examination.
Tony Scott: We are an IT audit firm working with CPAs. We also do SOC 2 engagements as well as HIPAA internal control audits.
2. How do you approach an SSAE 16 SOC 1 Type 2 audit engagement for a company that has not been audited before?
McLaughlin: For example, a sleeping disorder company is using sensitive health information. They gain contracts with large health systems. The health care company requires that they are maintaining the data with sufficient rigor and control. The cost is not baked into the contract. The CEO is thinking, “I have to spend several tens of thousands.” He may as well get on board before more health companies begin demanding it. A smaller organization has a burden swallowing it, but it is not insurmountable. No one has ever said, “This was awful.” The cost could go down by a third in a year or two. There is an expansion of these service organizations. They may be privately held but are providing services for major companies. They are processing organizations. Exceptions are expected.
Thomas: If possible, these engagements should be approached with incremental progress. The worst-case scenario is that the SO has signed a contract obligating them to provide a SOC report immediately. In such cases, we are forced to perform the examination retroactively (looking backward at a period of time) and the results are what they are. These are often the most difficult reports and have a lot of findings/disclosures. It is best if the SO anticipates their future need for an SOC report and we are able to work with them in advance of any contractual or regulatory requirement. In those cases we are able to perform some preliminary gap assessment type procedures to help identify and remedy issues before the client begins their reporting period. Also, in such situations we are better able to consult with the client to define a reporting period that suits their needs (as opposed to having a reporting period dictated to them).
Scott: If a small to mid-sized firm needs a SOC audit but does not have an IT group, we get involved early as part of the sales cycle, presenting to the client. We don’t bill for that. We work with the CPA firm as a team. We are going to take the framework of SOC, which is far more regimented. The trust service principles (TSPs) are loaded up in a matrix, and then we determine the tests to be performed. Most are very technical. The CPA will fold that into their report, utilizing their auditing workpapers from PPC or whoever. The CPA firm may be billing in six installments; we can bill the CPA firm based on work in progress (hours spent), or monthly.
3. Assuming the company has under 200 employees and $10,000,000 in revenue, how many and what type of staff are required to complete the audit through to the report?
McLaughlin: You have blended talents. You have people with a hybrid background from undergraduate. Many people cannot write well these days. Some are good at it. To be an IT auditor and process auditor you need to be able to write. When I recruit, I am looking for writing skill in addition to the liberal arts skill of writing.
Thomas: This is not very easy to answer because it depends greatly on the nature of the services and the organization. However, as a broad guess, in this situation I would suggest that the number of staff involved on the client’s side would typically be five to ten key personnel providing the vast majority of the information to the auditor.
4. How long does it take on average?
McLaughlin: It depends on how much discipline management has in program change control. How many people are new? How many programs do they run? How sophisticated is the workforce? A SOC 1, Type 1 [report] anticipating a later Type 2 would include a scoping exercise, where gaps are identified by the company and the CPA. Type 1 is asserting that the controls were designed properly and worked on that day. If the company had decent controls it could be done in a couple of weeks. Section 3, describing management’s controls, is time-consuming.
Thomas: The minimum period that can be covered for a SOC 1 Type 2 report is six months. So, if we begin the examination May 1, the period will not be over until October 31. Reporting typically takes several weeks after that (six weeks is common).
5. How long do you need to be on-site?
Thomas: Again, this will depend heavily on the nature of the scope of the examination and the nature of the services provided by the SO. But, typically for an SO of this size, I would suggest a few days at the beginning of the reporting period; then a few days again during the middle of the reporting period; and then two to four weeks at the end of the reporting period.
Scott: We do business across the country. We do interim and final work; it takes about a week each time.
6. What problems do you encounter?
McLaughlin: Problems run the gamut. Many of these companies have not been around for 50 years. They are fast growing. They spend more time on growth than on structure of their processes.
Thomas: Common problems in smaller SOs include lack of segregation of duties and informal/undocumented procedures. Common problems in all first-time SOC reports involve whether the SO will have proper documentation to support the execution of a control activity over the entire reporting period.
7. What software helps with the internal control testing questions about the system?
McLaughlin: We use IDEA for statistical selection and random number generation. We utilize segregation of duties analyzers we developed. We use our workpaper software application.
Thomas: Change control/versioning software; event logging; workflow documentation tools; IT ticketing systems.
Scott: We use a service called Ignite as the file server; the client uploads files to Ignite with a secure log-in. Some CPA firms have their own binder in their audit engagement software.
8. What is the range of costs if there are no problems?
McLaughlin: In year one the heavy lifting includes the report on controls, which takes time and skill. Some companies say, “We will write Section 3 of the report.” [However] there is a style and skill necessary for other companies to understand the report. The detail takes a lot of time and focus. It takes a couple of weeks to write the report, depending on how much the client is available. Type 2 would take a year, sometimes 6 months. They can have an affiliation with a CPA firm somewhere. Do you have security processes and authorities documented, and how do you hire? Is the change for these well documented and approved? They see the controls as slowing them down. We are looking for policies followed. I don’t know how they [a CPA firm] can quote a fixed cost.
Thomas: This varies wildly for a variety of reasons I cannot adequately disclose in this response.
Scott: SAS 70 was very competitive. Cost cutting could be half the price. A CPA could not reduce hours to that level. It takes more work now. It is [documenting] TSPs, and you have to cover them where they apply. Typically it is a 50/50 split [of work for the CPA firm and our firm]. We have done the lion’s share of the testing on the engagement. The CPA firms are happy with the engagement. It is solid work for us. The firms we are working with each have one client that returns each year. It is very meaningful for a small firm that does not want their client to go to a larger firm.
9. What is the exposure for risk? Does it require a special provision for professional liability insurance?
McLaughlin: I don’t know if there are lawsuits. If we are attesting to standards, no matter what we are attesting to, it is based on clear and sufficient evidence. Do we feel comfortable to measure our own risks? It’s all risk reward. The greater fee may be necessary, and we always consider due professional care.
Thomas: The risk is that a user of the report places reliance on the SO’s report and the controls therein. If the report is wrong, this could have an impact on the financials of the user organization.
Scott: The opinion is written on the CPA firm letterhead. It is their opinion. It is similar to a financial statement audit when they need IT expertise.
10. Do you also perform SOC 2 and SOC 3 attestations?
McLaughlin: The cost of SOC 3 is incremental. Section 1 is the CPA report. Section 2 is management’s assertion. Section 3 is the biggest part of the report that describes what management does, how controls are assembled and processed. Section 4 is where the tests are articulated within a matrix.
Scott: Type 1 is a test of the design of controls. With a Type 2, you review the effectiveness of the controls [for a SOC 1 or a SOC 2].
11. What software helps with the trust service criteria questions?
McLaughlin: For a SOC 2 we scope it with the five trust service principles, emphasizing which ones customers are most interested in. AT 101 to 801 from AICPA represents the framework.
Thomas: See #5.
Scott: PPC has a high-level framework. We use the trust service principles (TSP) loaded into a spreadsheet.
12. What situations do you find performing SSAE 16 pre-assessment engagements?
McLaughlin: The readiness assessment is determining what the user organization needs in order to narrow down the scope. Who is responsible? Who is involved? How many are involved? The next question for a SOC 1 is what controls are necessary. Security: logical and physical, program change control, systems operations, and backups.
Thomas: See #2.
13. What problems occur post-engagement, for example do clients refer to themselves as SSAE 16 Certified like they did with SAS 70?
McLaughlin: People are becoming more sophisticated about management’s assertion. There will always be rogue organizations, but most are recognizing the boundaries of what they can or can’t say. On the face of the report we put “Private and Confidential.” They will share it with their customers.
Thomas: Yes, and they like to make inappropriate claims in their news releases. In some cases they also like to post all or a portion of the report on their website, which is also prohibited. At Weaver, we try to advise our clients on the appropriate language to use when describing their accomplishment, including sometimes reviewing their news releases.