The benefits of outsourcing are well known. It helps organisations grow their business and adopt new technology in a way that is both affordable and sustainable. Outsourced services often include processes and controls that have a significant impact on financial reporting (e.g. payroll, cloud services, shared service operations, data centres), meaning these third-party providers will need to be considered as part of evaluating the internal control framework over financial reporting. Under the expected UK SOX requirements, the directors would need to ensure they operate effective controls and that they can confidently place reliance on the third-party organisation's control environment when making their declaration.
There are three key aspects of obtaining adequate assurance over outsourced services that you need to consider.
An effective third-party risk governance framework helps in managing your risk exposure through your third parties and typically should provide:
This can help drive efficiency and growth in your business and supply chain.
We have also seen third-party risk governance frameworks evolve from a 'check-the-box' process into a substantive function, at times an onerous one, at companies that are serious about managing third-party risk. However, these frameworks are not necessarily fit for purpose when it comes to meeting UK SOX compliance requirements.
You can also choose to perform a review of the internal controls managed by the third-party service provider, either using your in-house team or independent auditors. However, this is probably not sufficiently objective or independent for UK SOX purposes.
The preferred option for complying with SOX-style requirements is a Service Organisation Control (SOC) report. This is one of the most effective ways to obtain independent validation of outsourced services. Other certifications held by your third parties, such as ISO 9001, ISO 27001 or PCI, do not provide adequate scope coverage to pass the SOX test.
SOC reports bring several key benefits for UK SOX compliance:
Depending on your third party, there are several different types of SOC report that may be relevant for UK SOX.
The SOC 1 report focuses on a service organisation's controls that are likely to be relevant to an audit of the financial statements of a user entity (customer), and is issued under AICPA and ISAE 3402 standards. Its control objectives cover both business processes and information technology.
The SOC 2 report addresses a service organisation's controls that relate to the AICPA's Trust Services criteria for availability, security, processing integrity, confidentiality, and privacy. SOC 2 reports are very common for third parties that provide services such as data hosting, colocation, data processing, cloud storage, and Software-as-a-Service (SaaS).
Complementary to the ISAE 3402 reporting standard, this service auditor report, established by the ICAEW, is focused on financial services.
Before you request a SOC report from your third party, there are various things to consider to make sure that the report will give you the assurance you need.
As part of a readiness assessment for UK SOX, you might require assurance over your third parties, or you might need to provide your customers with some form of SOC report.
The key to commissioning a SOC report or performing a SOC readiness assessment is preparation and early gap analysis, so that there is ample time to remediate any issues identified.