When we are approached by a prospective client to perform a SOC 1 (formerly SSAE 16) audit, we will ask what control objectives they want to include in the scope of the examination. In some cases, they have responded with their own question: What is a control objective? This blog will address that question, as well as how to identify and draft appropriate control objectives for your SOC 1 report.
What is a Control Objective?
What are control objectives in auditing? A simple question. However, there are many definitions of a control objective, and it all comes down to context. For example, the following are three different definitions of a control objective, each from a different source:
- The PCAOB (Public Company Accounting Oversight Board), the body with oversight for the audits of public companies, states that, for the Sarbanes-Oxley Act (SOX), “a control objective provides a specific target against which to evaluate the effectiveness of controls.” To learn more, read our article “What is the Sarbanes-Oxley Act?”
- The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) framework defines the objectives of internal control for entities to achieve across the five components of internal control. The internal control objectives include achieving:
  - Accurate and reliable financial reporting;
  - Compliance with laws and regulations; and
  - Effectiveness and efficiency of the organization’s operations.
- The American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements Number 18 (SSAE 18) is the authoritative source for SOC 1 audit guidance. The AICPA’s control objective definition provided in SSAE 18 is “the aim or purpose of specified controls at the service organization. Control objectives address the risks that controls are intended to mitigate.”
A SOC 1 examination focuses specifically on a service organization’s services that may affect a user entity’s internal control over financial reporting. So, for a SOC 1, one could modify the AICPA’s definition slightly and say that a control objective is the purpose of a set of controls at a service organization that address risks to a user entity’s internal control over financial reporting.
Sometimes we are asked about SOC 2 control objectives. SOC 2 assessments are based on the Trust Services Criteria, rather than the audit control objectives that a company believes to be applicable to its users’ internal controls over financial reporting. You can read another one of our posts to learn more about the differences between SOC 1 and SOC 2 reports.
How to Identify the Right SOC 1 Control Objectives for an Organization
The control objectives in a SOC 1 report assist a user entity’s auditors in determining how the service organization’s controls affect the user entity’s financial statement assertions. So, when determining the control objectives to be included in the description of a report, the service organization’s management should select control objectives that relate to the types of assertions that are common to a number of user entities’ financial statements.
Control objectives need to be individually tailored to the activities performed by the service organization. Additionally, a service organization should strive to have a complete set of control objectives within the scope of the SOC 1 engagement. This means that the control objectives should address all of the major aspects of the services that may be relevant to user auditors’ assessment of their clients’ internal controls over financial reporting.
Companies providing different services, such as software as a service (SaaS) providers and data center services providers, would not have the same control objectives in their reports. However, they may have some in common (e.g., physical security). Companies providing the same services will likely have similar control objectives, but not necessarily the same control objectives.
If you are struggling to identify your control objectives, or are not sure that you have the correct ones, you can ask the management of the service organization or of a user organization to list the key processing activities provided to user organizations. This exercise should quickly yield the areas for which control objectives should be formed. Be sure that every control objective applies to something the service provider actually performs.
How Do Control Objectives Relate to Controls?
So, how do control objectives relate to controls? Control objectives should align with the services offered to user entities and the related risks to those user entities’ financial statement assertions. Controls are the activities performed to achieve a control objective and thereby mitigate the risks to the user entities’ financial statement assertions. Each control activity should specifically relate to a control objective, and each control objective will typically have several controls related to it.
Example Control Objectives & Controls
Perhaps the best way to show how control objectives and controls should correlate is by sharing some control objectives along with examples of control activities that have been used with them. The following are control objectives and control activities taken from actual reports; the analysis after each pair highlights whether, and how, they align with each other.
- Control Objective: Controls provide reasonable assurance that logical access to production application programs and data files is restricted to appropriately authorized personnel and programs.
  - Control Activity: The acceptable use policy applies to all current and future employees as well as consultants, temporary staff, and vendors, and applies to new hires requiring password access.
  - Analysis: The control does not specifically relate to the objective of restricting logical access. While the policy cited in the control may specify control activities that do restrict logical access, the policy itself does not control logical access. Some possible controls that could be used to restrict logical access would include: authorizations within the access provisioning process, removing access for terminated employees or contractors, periodic access reviews, or password settings.
- Control Objective: Controls provide reasonable assurance that changes to the statement application are authorized, tested, approved, properly implemented, and documented.
  - Control Activity: Testing is performed to confirm that the change meets the requirements outlined in the change management documentation.
  - Analysis: This control is aligned with the control objective. This control is relevant to the “tested” portion of the control objective. There are at least four more controls that should also be included to support this control objective. Those controls should address how changes are authorized, approved, implemented, and documented.
How to Set Up Your Internal Control Environment
You now have an understanding of control objectives and control activities. What do you do if you are not ready for an assessment, or if you need help setting up or strengthening your control environment? You probably have more questions. Please refer to my post about establishing an effective internal control environment. It should help you understand:
- What are the basic or main objectives of an internal control system?
- What types of control activities are present in a well-designed system of internal controls?
Our related post on controls also explains the four types of control activities.
In summary, we’ve discussed what a control objective is, how to identify the appropriate control objectives for a SOC 1 audit, and how control activities should relate to the objectives. Hopefully, this has addressed your questions. If not, we would be happy to discuss them with you. You can contact us here.
Linford & Company is a CPA firm that specializes in SOC 1 and SOC 2 assessments. We can help you navigate the process of obtaining your first SOC report. We welcome the opportunity to discuss each unique service organization’s audit needs in person or over the telephone. Feel free to contact us online; we will respond promptly. After an engagement scoping discussion, we will deliver a brief audit proposal with firm pricing within a few business days.
If you would like to learn a little more about SOC 1 audits and related topics, take a look at some of our other blogs. We have a list of a few that may be of interest to you:
- SOC 1 Reports – SSAE 18 Replaces SSAE 16
- Gap or Bridge Letters for SOC 1 Reports
- How Long Does a SOC Examination Take?
- How the COSO Principles & Trust Services Criteria Align
This article was originally published on 6/21/2018 and was updated on 4/20/2022.
Isaac Clarke is a partner at Linford & Co., LLP. He began his career with Ernst & Young in 2003 where he developed his audit expertise over a number of years. Isaac specializes in and has conducted numerous SOC 1 and SOC 2 examinations for a variety of companies—from startups to Fortune 100 companies. Isaac enjoys helping his clients understand and simplify their compliance activities. He is attentive to his clients’ needs and works meticulously to ensure that each examination and report meets professional standards.