Mitigate Risks Associated With Outsourcing Services

Posted on July 29, 2020July 6, 2022

If you outsource services such as payroll processing, loan servicing, data center/co-location/IT Managed Services, Software as a Service (SaaS), or medical claims processing, you rely on the service provider to keep your data secure, maintain confidentiality, integrity of processing, availability of services or systems, and/or privacy. However, AAFCPAs reminds clients that outsourcing may expose your organization to risk and underscores the need for effective vendor due diligence.

The American Institute of Certified Public Accountants states “Management of a user entity is responsible for assessing and addressing risks faced by the user entity related to financial reporting, compliance with laws and regulations, and the efficiency and effectiveness of operations. When a user entity engages a service organization to perform key processes or functions, the entity exposes itself to additional risks related to the service organization’s system. Although management of a user entity can delegate tasks or functions to a service organization, the responsibility for the service provided to customers of the user entity cannot be delegated. Management of the user entity is usually held responsible by those charged with governance (for example, the board of directors); customers; shareholders; regulators; and other affected parties for establishing effective internal control over outsourced functions.”

A service organization is part of your financial system of controls if they affect any of the following:

The classes of transactions in your operations that are significant to your financial statements;
The procedures, both automated and manual, by which your transactions are initiated, recorded, processed, and reported from their occurrence to their inclusion in the financial statements;
The related accounting records, whether electronic or manual, supporting information, and specific accounts in your financial statements involved in initiating, recording, processing, and reporting your transactions;
How your information system captures other events or conditions that are significant to your financial statements; or
The financial reporting process used to prepare your financial statements, including significant accounting estimates and disclosures.

How Do You Know If Your 3rd Party Service Provider Has Adequate Controls?

Systems and Organization Controls (SOC) reports provide user organization management with the information they need related to the service organization’s controls to help assess and address the risks associated with an outsourced service.

SOC 1: Report on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting

The SOC 1 report is designed to address internal controls over financial reporting and concentrates on a service organization’s controls as they relate to the processing of your transactions. For example, a payroll processing company receives your records and banking instructions for all employees. This work is outsourced to the payroll company, but you are still responsible for the work and how it impacts your financial statements. If the payroll company cannot demonstrate they have adequate and suitably designed controls that operate effectively, they are viewed as a greater risk to clients and as a result are less likely to be hired for these outsourced services.

AAFCPAs advises our clients to request a SOC 1 from their service providers when the outsourced services have a relationship to their financial reporting. The SOC report should be assessed by the user organization and controls specified in the User Organization Controls section should be evaluated for whether they should be implemented at the user organization. Other SOC reports, such as those for subservice providers, should also be requested because the service provider may be relying on the services and controls of the subservice provider.

SOC 2: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy

The SOC 2 report addresses a service organization’s controls for operations related to the security, confidentiality, processing integrity, availability, and privacy of IT, personally identifiable information (PII), and other sensitive information for their clients. For example, an organization that prints and/or mails statements for hospitals or other medical institutions may require a SOC 2 report. Hospitals often outsource the printing and mailing of client statements to an external vendor. The hired organization receives extensive confidential information, including names, addresses, diagnoses, and medications for patients. A SOC 2 report will provide reasonable assurance that information is securely received and transmitted for the service organization’s clients.

AAFCPAs advises our clients to request a SOC 2 from their service providers when the outsourced services have a relationship to their financial reporting. The SOC report should be assessed by the user organization and controls specified in the User Organization Controls section should be evaluated for whether they should be implemented at the user organization. Again, SOC reports for subservice providers should also be requested.

Vendor Risk Management Program

AAFCPAs advises clients to develop, document, and adhere to a vendor risk assessment program, which should include requirements for SOC reports and other attestations. Organizations are urged to only outsource services to a vendor that meets compliance standards.

The controls tested during a SOC 1 report will determine whether the service organization has sufficient internal controls over processes that can impact your company’s financial reporting. Similarly, SOC 2 examinations will test the controls that protect the systems or data of which service organizations have access.

When outsourcing the processing of financials or large amounts of sensitive data, you need to trust that the service organization has the systems and controls in place and in working order to protect your information.

If you have any questions, please contact James Jumes, MBA, M.Ed. at 774.512.4062, jjumes@nullaafcpa.com; Vassilis Kontoglis at 774.512.4069, vkontoglis@nullaafcpa.com; or your AAFCPAs Partner.

About the Authors

James Jumes, MBA, M.Ed.

James joined AAFCPAs in 2013 to lead the firm’s Business Process & IT Consulting practice. He leads a team of senior technologist in the delivery of solutions related to business intelligence & productivity, information risk management and cybersecurity, and special IT attestations, compliance, and certifications. His goal is to strengthen the links between people, process, and technology, which increases productivity and drives business growth. James has more than 30 years of experience working with information technology …

Vassilis Kontoglis

Vassilis has 20+ years’ proven experience providing business intelligence, productivity, information risk management, and cybersecurity solutions. He is a critical resource in keeping clients and the firm on the forefront of transformative technologies while mitigating risks that come along with these advancements. Vassilis leads the delivery of Robotic Process Automation solutions at AAFCPAs. He understands the unique requirements to achieve RPA success, including proper design, planning, implementation, and governance. He works collaboratively with clients and cross-functional …

Related Insights

Cost Center Coding Strategies for Effective Grant Reporting

For complex human and social services providers, managing grants and ensuring compliance can often feel like navigating a labyrinth. One effective strategy to simplify this process is through cost center coding. AAFCPAs provides the following detailed guidance on how to leverage cost center coding to streamline grant reporting and maintain compliance. Design Your Cost Centers […]

October is Cybersecurity Awareness Month. Are You Prepared?

Cybersecurity Awareness Month is observed in October in the United States to raise awareness about the importance of protecting digital systems and data from cyber threats. As of the third quarter of 2024, there were over 2,000 reported data breaches affecting an estimated 1.3 billion individuals globally with major breaches affecting companies like UnitedHealth, Snowflake, […]

Enhancing Reporting Capabilities With Integrated Systems

For CFOs and financial leaders within the Health and Human Services sector, the challenge of managing and reporting on diverse programs funded from various sources is a significant one. Accurate and efficient reporting is essential but often hampered by data spread across multiple, disconnected systems. AAFCPAs provides the following guidance on how integrating these systems […]