In today's increasingly digital world, outsourcing is essential for many businesses. With that reliance comes responsibility: the obligation to protect sensitive data even when it is handled by third parties (and by the subservice organizations those third parties use in turn).
That's where System and Organization Controls (SOC) reports, formerly called Service Organization Control reports, come in. These assessments give businesses a roadmap for navigating third-party risk. CBIZ & MHM's 2023 SOC Benchmark Study, "Benchmarking Your SOC Compliance Framework," offers service providers insights on how to improve their SOC reports for greater efficiency and better customer satisfaction.
The study, which analyzed over 150 SOC 1 and SOC 2 reports from a diverse range of industries and company sizes, revealed several key findings that we’ve been highlighting over the past two months.
Let’s take a look at additional insights from this report.
Internal Audit Can Help Streamline SOC Audits
Our study revealed that over 90% of SOC reports do not leverage the internal audit function. This is a missed opportunity: work already performed by internal audit can streamline the SOC audit and reduce costs for service providers.
Unfortunately, whether a service auditor relied on internal audit will be harder to tell from the report itself going forward. The January 2017 American Institute of Certified Public Accountants (AICPA) Audit and Accounting Guide for SOC 1 recommended specific disclosures about the use of internal audit. The updated September 2022 SOC 1 guide does not appear to require such disclosures; they are now at the discretion of the service auditor, who bears the risk of relying on internal audit's work.
That said, service auditors should consider increasing their reliance on the work of internal audit, provided the internal audit department has the capacity to perform independent testing. Internal audit is not a silver bullet, however. Before relying on its work, service auditors should carefully evaluate the function, including its objectivity, the competence of its staff and whether its testing is adequate for the service auditor's purposes.
Nearly 50% of SOC Reports Lack Control Exceptions
Our study found that 51% of SOC reports had at least one control exception, while 49% had none. In other words, roughly half of the organizations studied reported at least one exception, which suggests that even mature organizations have room for improvement in security and compliance.
The four most common control exceptions were:
- Lack of business approval reviews for SOC 1 reports
- IT general controls (ITGC)
- Documentation gaps
- Physical access
The lack of business approval reviews was not surprising, considering that most SOC 1 reports are primarily built around approvals of business process controls (e.g., transactional approval, bank reconciliations, etc.).
ITGC often presents a challenge for organizations, especially in areas such as user access reviews, change management and terminations (the most common exception areas).
User access reviews had the highest rate of exceptions within ITGC. The typical causes were: no evidence that the review was completed at all; incomplete or inaccurate review populations (Information Provided by the Entity, or IPE); a reviewer approving their own access; and terminated users present in the population that the review failed to detect or remove. The last of these has become a more common sore spot in recent years because the Public Company Accounting Oversight Board (PCAOB) has questioned the effectiveness of reviews that miss items that should have been caught.
For change management, the exceptions revolved around a lack of documentation of changes (often infrastructure changes), a lack of evidence of testing, and segregation-of-duties failures where the developer promoted their own change. Lastly, termination exceptions were specific to untimely revocation of former employees' access.
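The ITGC exception types described above are all things a reviewer can test mechanically before the service auditor does. The following is an added example, not code from the CBIZ study or from any SOC tooling, that reconciles constructed HR, account, access-review and change-ticket records and flags each exception type: enabled accounts missing from the reviewed population (IPE completeness), a reviewer attesting to their own access, terminated users the review approved, revocations that were late or never happened, and changes that were self-promoted or untested. All names, dates and ticket ids are made up, and the three-day revocation window is an assumed SLA, not a figure from the study.

```python
"""Reconcile a user access review and change tickets against HR data.

Added example with constructed data; every identifier below is hypothetical.
"""
from datetime import date, timedelta

# Constructed HR roster: user id -> termination date (None = still employed).
HR_ROSTER = {
    "alice": None,
    "bob": date(2023, 3, 15),   # terminated, access revoked late
    "carol": None,
    "dave": date(2023, 5, 1),   # terminated, access never revoked
    "erin": None,
}

# Constructed account list from the system: date disabled (None = enabled).
ACCOUNTS = {
    "alice": {"disabled_on": None},
    "bob": {"disabled_on": date(2023, 4, 30)},
    "carol": {"disabled_on": None},
    "dave": {"disabled_on": None},
    "erin": {"disabled_on": None},        # enabled but left out of the review
    "svc_backup": {"disabled_on": None},  # service account with no HR record
}

# Constructed access review: the population the reviewer actually attested to.
REVIEW = {
    "review_date": date(2023, 5, 10),
    "reviewer": "carol",
    "population": ["alice", "carol", "dave", "svc_backup"],
}

# Constructed change tickets: who developed and who promoted each change.
CHANGES = [
    {"id": "CHG-1", "developer": "alice", "promoter": "carol", "tested": True},
    {"id": "CHG-2", "developer": "alice", "promoter": "alice", "tested": True},
    {"id": "CHG-3", "developer": "carol", "promoter": "alice", "tested": False},
]

REVOCATION_SLA_DAYS = 3  # assumed policy: disable within 3 days of termination


def population_gaps(accounts, review):
    """IPE completeness: accounts enabled on the review date but not reviewed."""
    as_of = review["review_date"]
    enabled = {u for u, a in accounts.items()
               if a["disabled_on"] is None or a["disabled_on"] > as_of}
    return sorted(enabled - set(review["population"]))


def self_review(review):
    """Segregation of duties: the reviewer attested to their own access."""
    return review["reviewer"] in review["population"]


def missed_terminations(hr, review):
    """Users in the reviewed population who were already terminated."""
    as_of = review["review_date"]
    return sorted(u for u in review["population"]
                  if hr.get(u) is not None and hr[u] <= as_of)


def untimely_revocations(hr, accounts, as_of, sla_days=REVOCATION_SLA_DAYS):
    """Terminated users whose account was disabled late or not at all.

    Returns (user, finding, days) where days is the delay past termination.
    """
    findings = []
    for user, term_date in hr.items():
        if term_date is None or user not in accounts:
            continue
        disabled_on = accounts[user]["disabled_on"]
        if disabled_on is None:
            findings.append((user, "still enabled", (as_of - term_date).days))
        elif disabled_on > term_date + timedelta(days=sla_days):
            findings.append((user, "revoked late", (disabled_on - term_date).days))
    return findings


def change_exceptions(changes):
    """Change management: self-promoted changes and changes without test evidence."""
    findings = []
    for chg in changes:
        if chg["developer"] == chg["promoter"]:
            findings.append((chg["id"], "developer promoted own change"))
        if not chg["tested"]:
            findings.append((chg["id"], "no evidence of testing"))
    return findings


def run_review():
    """Run every check and collect the exceptions a service auditor would raise."""
    return {
        "population_gaps": population_gaps(ACCOUNTS, REVIEW),
        "self_review": self_review(REVIEW),
        "missed_terminations": missed_terminations(HR_ROSTER, REVIEW),
        "untimely_revocations": untimely_revocations(HR_ROSTER, ACCOUNTS,
                                                     REVIEW["review_date"]),
        "change_exceptions": change_exceptions(CHANGES),
    }


if __name__ == "__main__":
    for check, result in run_review().items():
        print(f"{check}: {result}")
```

On the constructed data, `run_review()` reports erin as missing from the review population, carol as reviewing her own access, dave as a terminated user the review approved, bob's revocation as 46 days late and dave's as never done, CHG-2 as self-promoted and CHG-3 as untested. The design point is that the HR roster and the system account list are pulled independently and compared, which is what makes the review population's completeness testable rather than taken on trust.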
The last exception is particularly surprising, given that relatively few Sarbanes-Oxley (SOX) programs maintain physical access as a key control. For most organizations, physical access fell off as a key control (relying upon logical access as the primary control) as far back as year two of SOX. This suggests a misalignment in third-party controls with the organizations they support.
A Look at Control Exceptions
Our study found that only 8% of SOC reports carried a qualified opinion, meaning the service auditor concluded that at least one control objective or criterion was not met, or that the system description was not fairly presented. However, 11 of the unqualified reports had at least five control exceptions, and two had 11.
A service auditor is not required to provide absolute assurance that control objectives are met, but figures like these are significant. They should give readers pause and prompt them to evaluate independently whether they reach the same conclusion that the key objectives and/or criteria were met. It is important to understand why these exceptions occurred and what steps are being taken to address them.
In other words, although most organizations are doing a good job of implementing and maintaining effective security and compliance controls, there is still room for improvement. If your SOC report has several control exceptions, talk to your service auditor to understand the root cause and develop a plan to address them.
SOC reports are important for organizations to communicate their security and compliance posture to customers. However, it's important to remember that quality is more important than quantity regarding SOC reports.
Think Quality Over Quantity
A good SOC report includes a "System Description" (Section 3 of any SOC report) that is fairly presented, meaning the description does not:
- Include inappropriate information, such as controls that have not been implemented
- Omit necessary information, such as complementary user entity controls or complementary subservice organization controls
- Change without justification, such as a control objective changing mid-period
- Misstate facts
A vital component of any service auditor's opinion on a SOC report is the evaluation of the fairness of the presentation, which should include consideration of the points above. In our study, the most common system description length was 10-19 pages (40% of reports). Five percent of companies provided a "very" comprehensive overview of 50-plus pages, which is valuable if that is what it takes to achieve these goals.
A small percentage (15%) had system descriptions of only 5-9 pages. Considering that a significant component of the fairness-of-presentation assertion is ensuring all key controls are described within the system description (98 controls on average for SOC 2 and 68 for SOC 1 in our study), achieving this in as little as 5-9 pages would seem difficult.
Next month, we will do one last deep dive into the findings from our SOC benchmark study. For more about these insights, takeaways, and other findings from our 2023 SOC Benchmark Study, check out this recording of our latest webinar. To learn more about SOC 1 and SOC 2 reports, please connect with one of our professionals.
Copyright © 2023, CBIZ, Inc. All rights reserved. Contents of this publication may not be reproduced without the express written consent of CBIZ. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.
CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly traded and privately held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ).