Use Degrees of Risk Separation (DoRS™) to Determine ICFR / non-ICFR

One of the challenges that face auditors of service organizations when conducting SOC1 (aka SSAE16) engagements is determining when a control is "reasonable in the circumstances." What that means, according to the attestation standard, is that a control must have relevance to Internal Controls Over Financial Reporting (ICFR) for it to be included in a SOC1 report.

In a previous post, I demonstrated a method I use to determine if a control is ICFR or not. In this post, I would like to elaborate further in hopes of helping anyone out there who may benefit from this approach.

The method I use is called Degrees of Risk Separation (DoRS™). This approach takes the guess work out of the process of determining if a control is ICFR or not by quantifying the number of degrees that separate the control from the risk of material misstatement of the financials. The auditor can then decide how many DoRS are reasonable based on their professional judgment.

In my professional judgment controls with three or more DoRS that separate them from the risk of material misstatement are non-ICFR controls. Here are two examples to illustrate the process of determining how many DoRS there are to material misstatement.

Control #1: Programmer access to production is prohibited.

1st degree:  Programmer gains access to the production environment and makes a change to a G/L balance.
2nd degree:  The change is not caught during the reconciliation process, and causes a material misstatement of the financials.
Conclusion: The control is ICFR
Control #2:  Critical systems are maintained on raised flooring. -->
1st degree:  Lack of raised floor causes increase in temperature.

2nd degree:  All customer hard drives of a server hosting financially relevant application crash.
3rd degree:  There are no redundant or replicated production servers or they are all hosted at the same datacenter and crashed as well.

4th degree:  Backups do not exist for the data on the crashed hard drives.
5th degree:  The data on the crashed hard drives cannot be re-created from source documents. 

6th degree:  The lost data causes the company to materially misstate their financials.

Conclusion:  The control is not ICFR

The DoRS method can be applied to any control that management includes in their system description.  If the service auditor finds that management has included controls in the 3rd, 4th, 5th, or 6th Degree of Risk Separation, it is unreasonable to conclude that the control is relevant to internal controls over financial reporting.  Rather, it is reasonable to conclude that the control is relevant to security, availability, processing integrity, confidentiality, or privacy which falls into the domain of a SOC2 report. Please contact me to receive a comprehensive analysis I performed that explains the DoRS approach in more depth. For a free #DoRS analysis in exchange for an opportunity to bid on your next #SSAE16 or #SOC2 report, please contact me at (404) 368-9228 or Here is a whitepaper on the subject, and below that is a form you can use to upload controls you would like to have analyzed.  I will perform the analysis for you and send the controls back to you with a DoRS score if you will include your contact information in the comments section.
Please use the form below to upload your list of controls.  I do not need the entire SAS 70 or SSAE 16 report, just the list of controls.  It would also be great if the company names were already sanitized to save me some time and keep things confidential.  If you include your email address in the comments section, I will know how to send back your analyzed document.
Thanks for your help!  Together we are going to revolutionize the risk assurance industry.

Conflict of Interest is the Root of Cheap Risk Assurance

One of the first things I learned when I crossed over to the auditing world from being an IT professional was that I needed to maintain my independence in fact and appearance.  As I audited my clients, I was to be objective, and always remember who I am really working for - the organization's stakeholders.  When process owners and management would challenge my findings, and pressure me to suppress them, I was comforted in knowing that I was ultimately working for the benefit of stakeholders who are interested in me doing my best as an auditor even if it upsets management in the process.  

I was, however, tempted many times to cut corners and not do a thorough job because I would get paid either way.  When I did a thorough job and uncovered weaknesses in an organization's processes, I was rewarded with grief from management.  When everything checked out and there were no issues, management was happy.  So my daily challenge was to fight the urge to do a  mediocre job and give management a pass.  I knew that if I compromised my independence, I would not be representing the stakeholders interest, but management's interest.  I would have compromised my independence for a paycheck because when it comes to outcomes of audits, there is a conflict of interest between management and stakeholders.

Last week I was shocked to learn that there are CPA firms providing Type 2 SOC reports for under $10,000.  I discussed this with several of my CPA firm partners and learned that SAS 70  reports (the predecessor of SOC reports) sometimes went for around $5,000.  That is what prompted my fake press release about $1,999 SSAE 16 reports from Ruse, Feaster, Coopers.  If CPA firms can do it for $5,000, then why not $1,999?  Why not throw in an free iPad 3 to the first 100 clients that sign up?  I had a record number of visits to my blog as a result by the way.

So what are the circumstances that enable a sub $10,000 SOC report to exist?  How can one CPA firm charge so much less than another one?  Here's my verdict as a non-authoritative by-stander:

  1. When management gets to choose the CPA firm they use to obtain their SOC report, they are naturally motivated to use the lowest cost provider that will provide them an unqualified opinion.
  2. In a tough and competitive market, CPA firms are motivated to provide management a cost sufficient to obtain the SOC engagement, and still fulfill the minimum requirements set by the AICPA to pass their peer reviews.
  3. For whatever reason, stakeholders are not paying close enough attention to see if the CPA firms providing this cheap risk assurance did a thorough job of auditing management to mitigate their risk.  

It is my analysis that in running after greater market share, CPA firms providing cheap risk assurance have neglected stakeholders, and have cut corners giving in to the temptations I described earlier.  Management is happy, and stakeholders are none the wiser.  This has created the current climate in the risk assurance market that promotes a race to the bottom to see who can provide the cheapest risk assurance.

Online Tech was the World's First Data Center to get a SOC 2 Report

I wanted to find out more about Online Tech and why they chose to undergo a SOC 2 engagement when the rest of the world was talking about "SSAE 16 replaces SAS 70", so I went to Detroit to interview Jason Yaeger.  Please take a few minutes to watch the video.

I share OnlineTech's hope that the market quickly realizes that SOC 1 (AKA SSAE 16) is "really about financial statement audits", as Jason said in the video, and that it is not designed to provide assurance about security or availability as the AICPA said from the beginning.