Administrators prepare for new information requests

The Service Organisation Control 1 (SOC 1) report is an assurance document used by fund administrators, funds, auditors and investors alike to gain comfort about the controls in place at service organisations. In today’s changing environment, with increasing levels of compliance globally, providing assurance to funds and investors is proving ever more important.

After the Auditing Standards Board of the American Institute of Certified Public Accountants recently issued the clarified attestation standard, Statement on Standards for Attestation Engagements (SSAE) No.18, service organisations that undergo SOC 1 examinations will have to provide more information to their service auditors.

The clarified standards will be effective for service auditor opinions dated on or after 1 May 2017.

What is a SOC 1 report?

The SOC 1 report is an attestation engagement over the service organisation in which an external auditor opines on the operating effectiveness of a service organisation’s control environment, as it relates to financial reporting. The scope of the report encompasses underlying IT systems and applications which support the financial reporting process. The attestation is completed annually according to one or both current international standards: SSAE No.16 and/or International Standard on Assurance Engagements (ISAE) 3402.

Report areas requiring extra detail

Following clarification of the attestation standard, service organisations will have to provide more detail in the following areas:

  • Control objectives: the revised standards challenge service organisations to reconsider their control objectives by evaluating the link between these objectives and their internal controls over financial reporting. This challenge may result in service organisations modifying, adding to or removing control objectives that they previously included in their SOC 1 reports. This change should make it clearer to users of SOC 1 reports how the controls included in the SOC 1 report relate to their financial reports.
  • Information produced by the service organisation: the revised standards include a new section requiring the service auditor to evaluate whether information provided by the service organisation is sufficiently reliable for the service auditor’s purposes. The service organisation must demonstrate to the service auditor that management controls safeguard the reliability of reports and other information. If management is unable to demonstrate these controls exist, the service auditor will need to perform its own procedures. 
  • Sub-service organisations: the revised standards request that service organisations include additional information regarding sub-service organisations in the description of processes and controls. The extent of the additional information regarding the sub-service organisations depends on whether the sub-service organisation’s controls are necessary to meet a SOC 1 control objective. 
  • Internal audit function: the revised standards clarify that the service auditor is required to gain an understanding of the internal audit function when assessing the risk of material misstatement. This is a change to the current standards (which require this understanding only when the service auditor is relying on the work of internal audit). This change means that the service auditor must analyse findings from reports produced by the internal audit function, as well as regulatory examinations that relate to the services included in the scope of SOC 1 reports, when designing the nature, timing and extent of engagement procedures.

Citco and SOC 1 reporting

For the 13th consecutive year, the Citco group of companies has published a SOC 1 Type #2 certification related to operations which provide fund administration and related investor relations services for single manager, fund of hedge funds, private equity and real estate clients. This includes custody services. In addition, for the sixth consecutive year, the Citco group of companies has published a SOC 1 Type #2 certification relating to the Citco group of companies’ banking, custodial and depositary service offerings.

8th March 2017