When we are approached by a prospective client to perform a SOC 1 (formerly SSAE 16) audit, we ask which control objectives they want to include in the scope of the examination. In some cases, they have responded with their own question: What is a control objective? This blog will address that question as well as how to identify and draft appropriate control objectives for your SOC 1 report.
What is a Control Objective?
There are many definitions for what control objectives are. For example, the PCAOB (Public Company Accounting Oversight Board) has stated that, for SOX, “a control objective provides a specific target against which to evaluate the effectiveness of controls.”
The authoritative source for a SOC 1 audit is the American Institute of Certified Public Accountants’ (AICPA) Statement on Standards for Attestation Engagements number 18 (SSAE 18). The AICPA’s control objective definition provided in SSAE 18 is “the aim or purpose of specified controls at the service organization. Control objectives address the risks that controls are intended to mitigate.”
As a SOC 1 examination has the added focus on a service organization’s services that may affect a user entity’s internal control over financial reporting, one could modify the AICPA’s definition slightly and say that a control objective is the purpose for a set of controls at a service organization to address risks to a user entity’s internal control over financial reporting.
How to Identify the Right SOC 1 Control Objectives for an Organization?
The control objectives in a SOC 1 report assist a user entity’s auditors in determining how the service organization’s controls affect the user entity’s financial statement assertions. So, when determining the control objectives to be included in the description of a report, the service organization’s management should select control objectives that relate to the types of assertions that are common to a number of user entities’ financial statements.
Control objectives need to be individually tailored to the activities performed by the service organization. Additionally, a service organization should strive to have a complete set of control objectives within the scope of the SOC 1 engagement. This means that the control objectives should address all of the major aspects of the services that may be relevant to user auditors.
Companies providing different services, such as a software-as-a-service (SaaS) provider and a data center services provider, would not have the same control objectives in their reports. However, they may have some in common (e.g., physical security). Companies providing the same services will likely have similar control objectives, but not necessarily the same control objectives.
If you are struggling to identify or are not sure if you have the correct control objectives, you can ask management of the service organization or a user organization to list the key processing activities provided to user organizations. This exercise should quickly yield the correct areas for which control objectives should be formed. Be sure that all control objectives apply to things that the service provider actually performs.
How do Control Objectives Relate to Controls?
So, how do control objectives relate to controls? Control objectives should align with the services offered to user entities and the related risks to those user entities’ financial statement assertions. Controls are the activities performed to achieve a control objective and thereby mitigate the risks to the user entities’ financial statement assertions. Each control activity should specifically relate to a control objective, and each control objective will typically have several controls related to it.
Example Control Objectives and Controls
Perhaps the best way to show how control objectives and controls should correlate is by sharing some control objectives and examples of control activities that have been used with them. The following are control objectives and control activities from actual reports that should help highlight how they should correlate and align with each other.
- Control Objective: Controls provide reasonable assurance that logical access to production application programs and data files is restricted to appropriately authorized personnel and programs.
- Control Activity: The acceptable use policy applies to all current and future employees as well as consultants, temporary staff, and vendors, and applies to new hires requiring password access.
- Analysis: The control does not specifically relate to the objective of restricting logical access. While the policy cited in the control may specify control activities that do restrict logical access, the policy itself does not control logical access. Some possible controls that could be used to restrict logical access would include: authorizations within the access provisioning process, removal of access for terminated employees or contractors, periodic access reviews, or password settings.
- Control Objective: Controls provide reasonable assurance that changes to the statement application are authorized, tested, approved, properly implemented, and documented.
- Control Activity: Testing is performed to confirm that the change meets the requirements outlined in the change management documentation.
- Analysis: This control is aligned with the control objective; it is relevant to the “tested” portion of the objective. There are at least four more controls that should also be included to support this control objective. Those controls should address how changes are authorized, approved, implemented, and documented.
In summary, we’ve discussed what a control objective is, how to identify the appropriate control objectives for a SOC 1 audit, and how control activities should relate to the objectives. Hopefully this has addressed your questions. If not, we would be happy to discuss them with you. You can contact us here.
Linford & Company is a CPA firm that specializes in SOC 1 and SOC 2 assessments. We can help you navigate through the process of obtaining your first SOC report. We welcome the opportunity to discuss each unique service organization’s audit needs in person or over the telephone. Feel free to contact us online; we will respond promptly. After an engagement scoping discussion, we will deliver a brief audit proposal with firm pricing within a few business days.
If you would like to learn a little more about SOC 1 audits and related topics, take a look at some of our other blogs. We have listed a few that may be of interest to you:
- SOC 1 Reports – SSAE 18 Replaces SSAE 16
- What is a SOC 1 Report? Expert Advice You Need to Know
- Gap or Bridge Letters for SOC 1 Reports
- What is an Assertion?
- How Long Does a SOC Examination Take?
Isaac Clarke is a partner at Linford & Co., LLP. He began his career with Ernst & Young in 2003 where he developed his audit expertise over a number of years. Isaac specializes in and has conducted numerous SOC 1 and SOC 2 examinations for a variety of companies—from startups to Fortune 100 companies. Isaac enjoys helping his clients understand and simplify their compliance activities. He is attentive to his clients’ needs and works meticulously to ensure that each examination and report meets professional standards.