The typical asset manager in the IT space ensures the daily and long-term strategic management of the company’s software and hardware. However, she also must establish relationships with service organizations whose control environment reflects the risk tolerance her company’s risk assessment established.

SOC 1 Compliance For Asset Managers

What is the purpose of a SOC 1 report?

A SOC 1 report provides entities that use service organizations, referred to as user entities, evaluations of the service organization’s controls to the extent they impact the user entity’s financial reporting. Breaking this down, organizations that hire vendors need to understand how the vendors’ controls can hurt their business.

SOC reports, in their simplest form, are a business partner promising you that they are enforcing internal controls that protect their data environment which ultimately protects yours.

What service organizations need to provide a SOC report?

An asset manager needs to collect information from all the companies to whom his organization has outsourced services. One example of a service organization for whom an asset manager may need SOC 1 reports is the payroll processing company. However, more broadly, service organizations include Software-as-a-Service (SaaS) providers, cloud service providers, and trust services whose activities can impact the user entities’ internal controls over financial reporting (ICFR).

Why do organizations need SOC 1 reports from service organizations?

The American Institute of Certified Public Accountants (AICPA) established auditing standards for attestation engagements. An attestations engagement is the fancy term for an independent auditor agreeing that someone else told the truth in interviews. Those in the internal audit space may still be calling SOC 1 reports SAS 70’s, which was the term used until 2011.

The AICPA updated these attestation requirements to the SSAE 16 and, most recently, the SSAE 18.

How is SOC 1 reporting related to Sarbanes-Oxley (SOX) reporting?

Despite sounding the same and both being related to financial reporting, SOC 1 reports and SOX have two different functions. While they may overlap, they do not rely on one another.

In 2002, the US Congress passed the Sarbanes-Oxley Act (SOX) after a series of public scandals by large corporations such as Enron Corporation, Tyco International PLC, and WorldCom that led to a stock market plummet only a few months before the 2002 elections. Attempting to regain consumer financial confidence, Section 404 of the Sarbanes-Oxley Act (SOX) focuses on the scope and adequacy of the internal controls and procedures for financial reporting.

A SOC 1 report aligns similarly to SOX 404 compliance. However, instead of investors reviewing the organization control environment for operating effectiveness, clients using the services provided evaluate the service organization control.

User entities want to review the service auditor report to determine appropriate review of organizational controls and related controls. Moreover, as part of the SOC 1 review, companies may want to engage in a review of subservice organizations, or those companies to whom their service organizations outsource.

For example, if a company outsources its payroll management to a third party, the asset manager might need to determine whether the payroll service provider’s database management SaaS service provider also incorporates appropriate internal controls to protect employee information.

What is in a SOC 1 report?

SOC 1 reports can be either Type I or Type II. While a user entity uses these reports the same way, they differ in the information they contain. A Type 1 report details the service organization’s system presented by management’s explanation of control designs and aligned to a specific date. A Type 2 report begins similarly to a Type 1 report but then tests the organization control and its effectiveness. Additionally, instead of being related to a specific date, it reviews a time period.

A SOC 1 Type 1 report, if control reporting were a sport, would be similar to having a coach tell a catcher what pitch call to make at a specific point in time. Just because the coach suggested a fastball, does not mean that the catcher will make that call at the particular moment.

A SOC 1 Type 2 report, following the same analogy, would be the tapes of all games for June to determine how often the catcher followed the coach’s directions.

What is a SOC 1 bridge letter?

SOC 1 bridge letters, also referred to as gap letters, fill in the time gap between the end of a review period and year-end. SOC 1 Type 2 reports cover the first through third fiscal quarters.

The service organization’s auditor wants the original report while doing the interim internal control testing. Therefore, the service organization must complete the original report before the auditor comes to do the audit. This time leads to the gap in attestation.

Once the SOC 1 audit completes, the service organization provides an update on the internal controls. This bridge letter, therefore, updates user entities about any material changes in the internal control environment and a reminder that user organizations must follow complementary user entity controls, also called client control considerations or user control considerations.

 

What is the Asset Manager’s scope in SOC 1 reporting?

Three asset manager areas relate to SOC 1 reporting. “Baseline” means that a user organization’s internal control about other internal controls over financial reporting is one common to SOC 1 scope. “Not baseline” means that the internal control is not common to SOC 1 scope issued by asset managers. “Other Areas to Consider” means that not only is this not common but it may be considered for inclusion in scope. Baseline, not baseline, and other areas to consider, relate to control environment, operations, and general computer controls.

How automating the SOC 1 reporting review can streamline vendor management

As more organizations become dependent on service organization partners, asset managers will need to review more reports and manage more vendors.

This constant flow of information and documentation means organizations need repositories for storing their data. During audits, companies are not only responsible for their own controls but for monitoring their vendors’ controls. ZenGRC provides a single source of truth enabling streamlined audit information gathering. Rather than reaching out to multiple stakeholders who access information based on their roles, organizations using ZenGRC’s role-based authorization platform allows workforce members access to information they need to do their jobs.

Asset managers need to work alongside the c-suite to address their organization’s risk management and to implement an IT risk management program that is adequate and effective in managing cyber risks. At the heart of this collaboration lies communication. Automated GRC tools, like ZenGRC, provide ease of cooperation by creating a single, accessible location where the stakeholders can meet. This location also can be controlled, providing appropriate access based on compliance role.