
Do You Make These User Control Consideration Mistakes?

Discussing cyber extortion got the wheels turning about trust and reliance on our increasingly distributed IT ecosystems. Outsourcing IT functionality causes certain IT controls to be a fleeting afterthought for the user entity — the service provider will handle it, right? Well, maybe not.

That’s where a Service Organization Controls (SOC) report comes in handy. According to the AICPA, a SOC 1 report [1] helps “evaluate the effect of the controls at the service organization on the user entities’ financial statement assertions.”

For example, if you outsource payroll to ADP, it is a good idea for your auditor to obtain their SOC 1 report to make sure they have proper internal controls in place. No big deal. It’s easy:

Step 1: Request report.

Step 2: Read report. Note opinion.

Step 3: Note any exceptions and decide if they apply to your environment.

Move on.

Stop right there… You missed one important step. What about checking for complementary user control considerations (UCC) or user entity controls? These are your responsibility (not theirs) and the service organization is kind enough to spell them out for you. Don’t gloss over these pesky, but important controls.

Jason Pett, PwC's US Internal Audit Services Leader, was quoted in the JoA:

When it comes to ICFR [Internal Controls over Financial Reporting], it’s really important that you understand what the third party’s role is in the execution of control activities, because as a company, you can outsource activities, you cannot outsource responsibilities.

Nailed it. You can’t hand off complementary user control considerations. Here are a few mistakes to avoid when addressing UCCs.

Mistake 1: “Umm… What user control considerations?”
We have touched on this one already… but I will say it again. Don’t blow off user control considerations. They are the user entity’s responsibility and clearly outline how you (the user) must help the service organization or vendor achieve a stated control objective.

The AICPA Peer Review team concluded in its matters for further consideration (MFCs), after evaluating SOC 1 engagements, that “the client acceptance, the description of controls, and the audit documentation” often omitted “reference to the need for complementary user controls, if any exist.” In other words, even auditors are forgetting about UCCs, and you can’t expect clients to know this without a heads-up.

That’s not good, people. These need to be on our radar (as auditors and user entities) or even outsourced systems with a clean opinion might not be under proper control.

Mistake 2: “Wait, you’re telling me I need to restrict access to authorized individuals?”
The majority of logical access controls are up to the user entity, not the service organization or vendor. According to Linford & Co, LLP, here’s an example of a UCC pertaining to logical access:

User organizations should have controls in place to restrict access to the secure web portal that is used to transmit data to the service organization to only authorized individuals. Controls should include notifying the service organization when an individual’s access is no longer required or if authentication credentials have been compromised.

For instance, even if your cloud storage provider is ironclad, you still have to keep the access secure. If you don’t, you might end up like Jessica Lawrence when her iCloud account was phished. Oh, and don’t forget to remove access promptly if someone jumps ship. It could be bad… again, cyber extortion anyone?

Mistake 3: “Oh yeah, I have those controls… I think.”
Just because you “have” controls doesn’t mean that they are working. Elliot Davis recommends that, for every key SOC report you rely on, you validate each key user entity control and “provide evidence that the UCC is designed appropriately and operating effectively.” Someone in the company may have written a well-crafted policy and procedure document to address the UCC, but that doesn’t mean anyone has read it or has any interest in implementing it.

It’s like when a sports coach drafts up a fabulous playbook and tells reporters before a game that the team plays like a well-oiled machine. Later, after losing miserably, the coach has to answer questions about why the players were all over the place. It’s clear that no one bothered to read the playbook.

Don’t be the embarrassed coach when auditors come knocking. The goal is to validate that UCCs are not only designed and documented well, but are operating effectively.
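Here is what “evidence that the UCC is operating effectively” can look like in practice for the logical-access UCC from Mistake 2. This is an added example, not code from the post, Linford & Co, or Elliot Davis: it assumes you can export the service organization’s portal user list and your own HR roster, and it reconciles the two to flag accounts that should not have access (unknown accounts, leavers past the removal deadline, long-unused accounts, accounts without MFA). All names, dates and thresholds below are constructed, and the two-day removal deadline and 90-day staleness window are assumptions you would replace with your own policy values.

```python
"""
Added example (not from the original post): reconcile a service provider's
portal user export against the HR roster to produce evidence for the
logical-access user control consideration. All data is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Employee:
    user_id: str
    active: bool
    termination_date: Optional[date] = None  # None while still employed


@dataclass(frozen=True)
class PortalAccount:
    user_id: str
    last_login: date
    mfa_enabled: bool


@dataclass(frozen=True)
class Finding:
    user_id: str
    issue: str  # one of: orphan, leaver, stale, no-mfa


def review_portal_access(roster: List[Employee], accounts: List[PortalAccount],
                         as_of: date, removal_sla_days: int = 2,
                         stale_days: int = 90) -> List[Finding]:
    """Return the exceptions an access review should raise, sorted by user.

    orphan : portal account with no matching HR record (not authorized)
    leaver : employee terminated more than removal_sla_days ago, still active
    stale  : no login for stale_days or more (candidate for removal)
    no-mfa : account without multi-factor authentication
    """
    by_id = {e.user_id: e for e in roster}
    findings: List[Finding] = []
    for acct in sorted(accounts, key=lambda a: a.user_id):
        emp = by_id.get(acct.user_id)
        if emp is None:
            findings.append(Finding(acct.user_id, "orphan"))
            continue
        if not emp.active:
            term = emp.termination_date or as_of
            # A leaver still inside the removal window is in progress, not an exception.
            if (as_of - term).days > removal_sla_days:
                findings.append(Finding(acct.user_id, "leaver"))
        if (as_of - acct.last_login).days >= stale_days:
            findings.append(Finding(acct.user_id, "stale"))
        if not acct.mfa_enabled:
            findings.append(Finding(acct.user_id, "no-mfa"))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per issue type; a zero-exception run is the evidence you file."""
    counts: dict = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


# Constructed sample data: a small HR roster and the portal's user export.
AS_OF = date(2024, 3, 1)
ROSTER = [
    Employee("asmith", active=True),
    Employee("bjones", active=False, termination_date=date(2024, 1, 15)),  # left six weeks ago
    Employee("cdoe", active=False, termination_date=date(2024, 2, 29)),    # left yesterday
    Employee("dlee", active=True),
]
ACCOUNTS = [
    PortalAccount("asmith", last_login=date(2024, 2, 27), mfa_enabled=True),
    PortalAccount("bjones", last_login=date(2024, 1, 10), mfa_enabled=True),
    PortalAccount("cdoe", last_login=date(2024, 2, 28), mfa_enabled=False),
    PortalAccount("dlee", last_login=date(2023, 11, 1), mfa_enabled=True),
    PortalAccount("svc-payroll-temp", last_login=date(2024, 2, 20), mfa_enabled=False),
]

if __name__ == "__main__":
    for f in review_portal_access(ROSTER, ACCOUNTS, AS_OF):
        print(f"{f.user_id:20} {f.issue}")
    print(summarize(review_portal_access(ROSTER, ACCOUNTS, AS_OF)))
```

Run against the sample data, the review flags bjones (terminated 46 days ago, still has access), cdoe (no MFA; the account is still inside the removal window so it is not yet a leaver exception), dlee (no login in 121 days) and the unrecognized svc-payroll-temp account. Keeping the dated output of each run is the kind of operating-effectiveness evidence an auditor will ask for; a policy document alone is not.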

Have you seen any of these user control consideration snafus, or other mistakes user entities make that I forgot? Do tell.

[1] In case you have been under a rock since 2011, the SOC 1 is prepared in accordance with SSAE 16, which supersedes the old SAS 70 reporting framework.
