On the third page of the AICPA's brochure on Service Organization Controls, released in November 2010, it says:
As organizations became increasingly concerned about risks beyond financial reporting, SAS 70 often was misused as a means to obtain assurance regarding compliance and operations. SSAE 16 and ISAE 3402 were drafted to correct these misuses.
So will the SOC1 reports (or SSAE16s, as they have become known in the market) issued this year be free of non-ICFR controls? The feedback I have received from user organizations is no: the SOC1 contains most, if not all, of the controls that were in the SAS70 they received in previous years.
We cannot fault the CPA firms issuing SOC1 reports this year for including non-ICFR controls; after all, the SOC2 guidance did not come out from the AICPA until June 2011, so what alternative did they really have? SOC engagements that are conducted in Q3 and Q4 are planned in Q1 and Q2. By the time the SOC2 guidance came out, many CPA firms had already begun their SOC1 engagements. So what about next year?
Looking through the Reporting on Controls at a Service Organization Checklist, I noticed that the only place it mentions that controls need to be relevant to financial reporting is Question AT208:
“the control objectives stated in management’s description of the service organization’s system are reasonable in the circumstances (for example, the objective is relevant to financial reporting risks)?”
It seems to me that this is too vague, and will allow organizations to obtain a SOC1 report that keeps all of the controls that were in their SAS70, as long as someone can make the reasonableness argument.
What can be done to strengthen the wording in this checklist so that leaving non-ICFR controls in a SOC1 cannot be interpreted as “reasonable in the circumstances”?