What is a Service Organization?

A service organization is any entity that provides a service to another entity that traditionally has been performed (or can be performed) within the entity. A list of commonly used service organizations in the government sector include: investment custodians, IT cloud services, receivable collections, insurance claims processing, payroll services, bill processing, online credit card processing, and many more. If part of a control process runs through an external party, the external party is a service organization. If this service organization is handling a process that is material to the financial statements, then the auditors will want additional information about the service organization and management’s activity in relation to the service organization.

What are My Responsibilities?

While service organizations can provide great assistance to a government, it is important to understand that outsourcing services can create additional risks related to the service organization’s system. Although management of the government (the user entity) is responsible for establishing effective internal control over outsourced functions, using a service organization does not entirely eliminate management’s responsibility over the applicable process. Since service organizations often times may not stress the importance of maintaining responsibility over the process, it’s important for management to obtain an understanding of the service organization’s processes and the effectiveness of their controls. This can often be done by obtaining a report from the service organization which includes an opinion from an independent CPA firm.

What Report do I Need From the Service Organization?

In recent years, the American Institute of Certified Public Accountants (AICPA) overhauled reporting on service organization controls engagements, replacing SAS 70 with three different report types covering Systems and Organizational Control (SOC). This SOC framework addresses the growing dynamics and changing complexities of service organizations and the related reporting regarding their internal controls. Each year, the auditors of your financial statements will likely request a SOC 1, Type II report, which states that a service organization is maintaining systems and internal controls relevant to its clients’ internal controls over financial reporting for a period of time. The report is restricted to the management of the service organization, its user entities’ management, and auditors of the user entities. The other types of SOC reports may be useful to management but are not likely to provide the level of information required for the purpose of a financial statement audit. The service organization may provide a SOC 1, Type I report, but this likely not what the auditors will need—they need the Type II. A Type I report does not include testing of the operating effectiveness of the controls which is why it will likely not address all the requirements of the auditor.

Best Practice Suggestions for Management

  • Identify all service organizations by determining if there are any external parties which perform a key function in any accounting or financial reporting processes (including third parties that help to maintain the relevant IT systems).
  • Request a SOC 1, Type II report from the service organizations as soon as the services begin. (It is important to request the exact report that is applicable to the services they provide your government, as some organizations have multiple, different reports).
  • Read the SOC report and review the testing results to identify any findings that could impact the entity. In some cases you may want to ask the service organization about the findings and if they have been remediated, as these could significantly impact your financial statement audit.
  • Identify the complementary user entity controls listed in the SOC 1, Type II report. In most cases, the control objectives stated in the description can be achieved only if these complementary user entity controls are suitably designed, operating effectively, and are combined with the controls at the service organization.
  • Implement internal controls relating to the complementary user entity controls. Management should also document the internal controls in the process descriptions surrounding each service organization.
  • If in doubt, seek advice. Service organizations can be tricky but are very important to the financial statement audit.

It is important to note that some service organizations do not offer a SOC 1, Type II report. This is a risk that should be considered when vendors are being selected. There is no requirement for any service organization to produce a SOC 1, Type II report. In these cases, you still need to consider the service organization’s control environment and expectations of your internal controls and it is your responsibility to monitor the outputs of the service organization. For more information about the different types of SOC reports and how they could be useful for your organization, reach out to a CRI professional for more information