UK SOX: third party risk assurance and SOC reports
15 Jun 2021
A Sarbanes-Oxley approach in the UK (UK SOX) may drive the need for assurance over the activities of third party providers for critical services. We explain the different types of third-party risk assurance, including Service Organisation Control (SOC) reports.
The benefits of outsourcing are well known. It helps organisations grow their business and adopt new technology in a way that is both affordable and sustainable. Outsourced services often include processes and controls which have a significant impact on financial reporting (eg payroll, cloud services, shared service operations, data centres), meaning these third party providers will need to be considered as part of evaluating the internal control framework over financial reporting. Under expected UK SOX requirements the directors would need to ensure they operate effective controls and that they can confidently place reliance on the third party organisation’s controls environment when making their declaration.
What kind of assurance is available?
There are three key aspects of obtaining adequate assurance over outsourced services that you need to think about.
1 Comprehensive third party risk governance framework
An effective third-party risk governance framework helps in managing your risk exposure through your third parties and typically should provide:
visibility of all third-party relationships and contracts, and their risk profiles
a formal, pre-contract risk assessment and due diligence process
use of standardised contracting and onboarding process
third party questionnaires
allowance for vendor site audits
risk-based monitoring and oversight.
This can help drive efficiency and growth in your business and supply chain.
We have also seen the evolution of third-party risk governance frameworks from a ‘check-the-box’ process to a substantive function, at times onerous, for companies that are serious about managing third-party risk. However, these are not necessarily fit for purpose to meet UK SOX compliance requirements.
2 Third-party audits (in-house or agreed upon procedures)
You can also choose to perform a review of internal controls managed by the third-party service provider, either using your in-house team or independent auditors. However, this is probably not sufficiently objective or independent for UK SOX purposes.
3 Service Organisation Control reports
The preferred option for complying with SOX-style requirements are Service Organisation Control (SOC) reports. This is one of the most effective ways to obtain independent validation of outsource services. Other ISO 9001/ 27001 or PCI certifications held by your third parties do not provide adequate scope coverage to pass the SOX test.
SOC reports bring several key benefits for UK SOX compliance:
Providing a robust and independent assessment of the outsourced controls in support of the directors' declaration
Understood and accepted by external auditors – while the final role and requirements on external audit under UK SOX are still in consultation, we anticipate additional scrutiny in this area by external auditors
Independent and objective – SOC reports are independent and objective, and provide an opinion on the quality of the internal control environment, which increases trust and confidence in their conclusions
Efficient – SOC reports will eliminate the need for the third party service provider to support multiple separate audits from different customers
Promote confidence – SOC reports enable outsourced service providers to provide confidence and competitive advantage in their offerings
Depending on your third party there are several different types of SOC reports that may be relevant for UK SOX.
1 SOC 1/ISAE 3402 for service organisations
The SOC 1 report focuses on a service organisation’s controls that are likely to be relevant to an audit of the financial statements for a user entity (customer) and issued under AICPA and ISAE 3402 standards. Control objectives are related to both business process and information technology.
2 SOC 2/ISAE 3000 – SOC for service organisations
The SOC 2 report addresses a service organisation’s controls that relate to the AICPA’s Trust Services criteria in relation to availability, security, processing integrity, confidentiality, and privacy. SOC 2 reports are very common for third parties that provide services like data hosting, colocation, data processing, cloud storage, and Software-as-a-Service (SaaS).
3 AAF01/20 (financial services sector)
Complimentary to the ISAE3402 reporting standard, this service auditor report, established by the ICAEW, is focused on financial services.
Key considerations for obtaining a SOC report
Before you request a SOC report from your third party there are various things to consider to make sure that the report is going to give you the assurance you need.
Which type of SOC report is right for your third party service provider to meet your assurance requirements?
Who is the service auditor and what is their experience and reputation at providing this type of assurance?
Which locations and time period is covered? Does it provide adequate coverage for the specific fiscal year?
Does the SOC report comprehensively cover all services provided by the third party?
Does the report include testing the operating effectiveness of controls for a specific period of time, or does it only cover suitability of design tested at specific point in time?
Does the scope of the system include a subservice organisation?
Does the service organisation clearly outline the boundaries of their controls and identify specific controls that are the responsibility of the user entities?
As part of a readiness assessment for UK SOX, you might require assurance on your third parties or you might need to provide your customers with some form of SOC.
The key for engaging a SOC or performing a SOC readiness assessment is preparation and early gap analysis so there is ample time to remediate any issues identified.