Service Organization Controls Report Review (Part 4)
While the previous post in our blog post series focused on how to audit the IT-related processes and controls on application level, this post focuses on the infrastructure level. The processes and controls on database and operating system level, as well as the physical data storage, are the sole responsibility of SAP SE as the service provider. They are therefore audited by reviewing and assessing the SOC1 Type 2 report for SAP S/4HANA Cloud, Public Edition.
What is the SOC1 Type 2 report and why is it used for the IT-related annual year-end audit?
The System and Organization Controls (SOC) report is an internal control report for service organizations such as SAP SE that is created by an external auditor. SOC reports examine the services provided by a service organization so that customers can assess the risks associated with an outsourced service and whether those risks are appropriately addressed by the service provider. SOC reports are either Type 1 or Type 2. A Type 1 report contains management’s description of the services provided, and the external auditor gives an opinion on the suitability of the control design to ensure that the service risks are appropriately addressed. A Type 2 report goes a step further: the service auditor tests and gives an opinion not only on the control design but also on the operating effectiveness of the controls over the reporting period.
How to review and evaluate a SOC1 Type 2 report as part of the IT-related annual year-end audit?
In order to rely on a report created by a third party, IT auditors first need to ensure that the external auditor is sufficiently credible to conduct a thorough analysis of the service provider’s Internal Control System. If the external auditor is sufficiently credible, an IT auditor can rely on the appropriateness of the content described in the SOC report and start reviewing and evaluating it.
The following aspects are examples of what needs to be considered; each IT auditor must evaluate them independently according to local law and internal requirements:
- Professional standards under which the report was prepared
- Type of the report (e.g. SOC1 Type 2, ISAE3402, IDW PS 951 n.F.)
- Report’s overall quality
- Determine whether management has provided a written assertion
Subsequently, it is important for the IT auditor to gain an extensive understanding of the service provider, of the services consumed by the customer (nature, materiality, content, relationship etc.), and of whether the consumed services are entirely covered by the audit report (e.g. for data hosting, auditors need to ensure that the data centres that host the customer’s data are included in the audit report).
After ensuring the service auditor’s credibility and understanding the nature and degree of outsourcing, IT auditors need to independently check and evaluate, according to local law, whether all relevant aspects of the IT audit (as part of the annual year-end audit) are covered by the report. Relevant aspects are, for example:
- Reviewing whether the report covers the customer’s entire fiscal year
- Understanding if subservice organizations are used, to which degree and what their impact on the customer is
- Ensuring the relevant IT General Controls (ITGC) are covered in the audit Report
- Evaluation of exceptions noted in the audit report regarding their relevance for the IT-Audit
- Assessment whether the relevant exceptions found by the Service Auditor were mitigated properly and whether they have an impact on the IT-Audit procedures
- Understanding whether the Complementary User Entity Controls (CUEC) are properly addressed and executed by the customer. This part needs to be audited directly with the customer.
(Definition: CUECs are controls that SAP SE (as service provider) recommends its customers to have in place in order to properly use its services. A typical example of a CUEC is user access control: if a customer needs to add, modify, or revoke access for its employees, it is the customer’s responsibility to do so and to ensure that the access is appropriate.)
Note: The appropriateness and reliability of the Internal Control System (ICS) remain the sole responsibility of the customer! Therefore, when outsourcing services to a third party, customers need to ensure that the ICS of the service provider is reliable, certified, and regularly audited. The customer itself needs to request the audit report from the service provider, review it, and evaluate the impact if important control procedures are missing or if exceptions were identified by the service provider’s auditor. This activity is audited as part of the IT-related year-end audit as well.
In addition to the SOC review carried out by IT auditors, it is also the responsibility of customers to request and examine the SOC reports provided by their service providers. By undertaking this task, customers can promptly implement compensating controls within their internal control systems, effectively addressing any deficiencies highlighted in the SOC report.
SOC reports of SAP S/4HANA Cloud, Public Edition can be found at SAP Trust Center (https://www.sap.com/tc -> “Compliance” -> Select “Solution/Area”: “SAP S/4HANA Cloud”).
Engage with us
To read all upcoming posts in this series, please follow the S4HANACloud audit tag we’ve created for this purpose.
Or contact us on LinkedIn.