Still Getting Multiple Audit Requests Even Though You Have a Service Organization Control Report?


By Holly Russo

For a service organization, one of the benefits of having a SOC examination performed is that it SHOULD reduce or even eliminate additional audit requests, because a SOC report provides assurance to user organizations (customers) regarding the service organization’s system of internal controls. However, many of our clients are still inundated with audit requests, whether they are on behalf of their customers or their customers’ auditors. These audits or reviews are very time-consuming and often seem redundant to the service provider. We are often asked the question, “Why do I keep getting these requests? Is there anything in the guidance that I can use to discourage or deny these requests?”

Unfortunately, there is no guidance from the AICPA that prohibits a user organization from requesting additional information from a service provider regarding its controls and its control environment. However, there are a number of options that a service provider can pursue to potentially eliminate or reduce these requests:

  • Talk to your customer. Set up a meeting and obtain an understanding of the scope of their review. Why do they need to perform an audit? What is their objective? What procedures will they perform and why? What risks are they concerned about? What assurances do they need?
  • Map the risks. Once their risks are defined, they can be mapped to the controls that exist within the service organization. Are their risks mitigated by existing controls covered within the SOC report? They may find that some or all of the controls are already included and tested within the SOC report.
  • Identify any gaps and discuss solutions. Are there any gaps? What are the gaps? How much time and effort are required to satisfy these control gaps?

Depending on the results, the customer may determine whether additional procedures are still necessary. Or the service organization might want to consider whether it makes sense to expand or modify the scope of future SOC reports to incorporate controls to address any gaps, thus eliminating the need for the additional audit request. Or…best case scenario, all of the customer’s risks map to existing controls within the SOC report. Regardless of the outcome, these steps should help educate both parties on their respective processes and concerns.

Schneider Downs has a dedicated team of professionals in Pittsburgh and Columbus who provide SOC services. We invite you to learn more about our SOC services. For more information on Service Organization Control Reports, visit our website.

© 2014 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
