
How Closely are You Monitoring Your Third-Party Service Providers?

In May 2013, the Committee of Sponsoring Organizations (COSO) released the updated Integrated Internal Control Framework, which is effective for fiscal years beginning after December 15, 2014. Although the definition of internal control and the five overarching components of internal control remain intact, the revised guidance focuses on these key areas:

• Enhanced expectations of proper governance oversight.

• Managing globalization of businesses and the related complexity of international business, laws, and regulations.

• Monitoring of third-party service providers who process significant transactions.

• Expectations for competency and accountability throughout an organization.

• Increased use and reliance on technology.

• Increased expectations to prevent and detect fraud.

While the majority of the key areas noted above focus on the controls an organization can develop internally, the third bullet point emphasizes the importance of monitoring the controls that reside outside of an organization and how those external controls can impact the organization's own internal controls. To provide clarity and direction, the enhanced COSO framework discusses obtaining information on significant transactions that occur outside of an organization in order to obtain assurance on the controls over these processes. Examples of these significant transactions include, but are not limited to, the processing of payroll and of investment purchases and sales, both of which are typically outsourced to third-party service providers (TSPs).

While most organizations have an internal control environment built upon the principles noted above, the monitoring of TSPs is becoming an area of increased scrutiny. Additionally, as organizations look for ways to become more lean and nimble, the use of TSPs becomes more prevalent. For these reasons, it is essential that an organization’s monitoring of TSPs includes the regular review of the Statement on Standards for Attestation Engagements (SSAE) 16 reports of those TSPs that process significant transactions. These reports are commonly referred to as SOC (Service Organization Controls) reports and tend to be issued on an annual basis.

Currently there are three types of SOC reports. A SOC 1 report is a restricted-use report on the controls at a service organization in relation to a user organization's internal control over financial reporting. A SOC 2 report is a general restricted-use report on the internal controls in relation to the security, availability, processing integrity, confidentiality, and privacy of data. In addition, a SOC 2 report provides the reader with a description of the tests of controls performed by the auditor and the results of those tests. There are two types of SOC 1 and SOC 2 reports. A Type 1 report covers the procedures and/or controls in place at an organization at a given point in time. A Type 2 report covers the operating effectiveness of the procedures and/or controls in place at an organization over a specific period of time. A SOC 3 report is a trust services report and is similar to a SOC 2 report. However, unlike the SOC 2 report, the SOC 3 report does not include a description of the auditor's tests of controls or the results of those tests.

Similar to reports on audited financial statements, SOC reports will include either an unmodified, qualified, or adverse opinion on the subject matter. As always, an unmodified opinion is desired; however, a qualified opinion is not necessarily an indication that the internal controls of a TSP have failed. That being said, a qualified opinion should not be ignored and should prompt a quick call to your TSP. An adverse opinion might prompt an entirely different conversation.

In closing, if you are not already doing so, consider obtaining and reviewing the SOC reports of your TSPs that process significant transactions. Keep in mind that significant transactions are not limited to the areas of payroll and investments and will vary by organization. Likewise, data backup, recovery, and security TSPs provide integral support for an internal control environment and process significant and sensitive information belonging to an organization. Reviewing any available SOC reports should be a key component of an organization's monitoring activities. Ultimately, the review of SOC reports provides an independent analysis of the internal controls in place around key processes at TSPs and can assist management in identifying weaknesses in those external systems in order to mitigate their impact on the organization's internal control environment.