“What are the responsibilities of management and the auditor in relation to internal control?” is a question we often hear from our clients and potential clients. We’ve talked a lot about what the auditor’s responsibilities are in an audit, but what about company management’s responsibilities in an audit? If you sign up for a SOC 1 or SOC 2 audit, what does that mean for your to-do list? Specifically, what is management’s responsibility for internal control, and what does management need to do to identify the scope of the audit, i.e., the system and its corresponding internal controls?
Fortunately, the American Institute of Certified Public Accountants (AICPA) has issued clear guidance on management’s responsibilities prior to engaging a service auditor, during the audit examination, and during the completion of the audit engagement. In fact, many of these responsibilities are required to be outlined in a standard audit letter. Let’s review.
Management’s Responsibilities Prior to Engaging the Service Auditor
If you are part of the management team of the organization that will be audited, you have responsibilities in an audit before you even sign an engagement letter with your service auditor. In fact, the scope of a SOC 1 or SOC 2 audit is required to be defined by management. As management, you decide which systems you believe should be reviewed in the audit based on the services you deliver to your clients, as well as which of the AICPA Trust Services Criteria are relevant (Security, Availability, Confidentiality, Processing Integrity, and Privacy).
Management is also responsible for identifying the service commitments it makes to its clients and business partners (also known as “user entities”), as well as the system requirements necessary to fulfill those service commitments. Establishing the system boundary, i.e., the scope of systems to be audited, is critical in planning for your SOC 1 or SOC 2 audit, and it is management’s responsibility to do so based on the commitments made to the organization’s customers.
Who is Responsible for Managing Internal Controls?
Once the system scope is defined, management bears responsibility for designing, implementing, operating, monitoring, and documenting controls over that system boundary. In a Type I SOC audit, management is required to assert that controls are suitably designed; in a Type II examination, management must additionally assert that they are operating effectively to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable Trust Services Criteria. While management bears this responsibility, your auditor should guide you through the process, and it is recommended that they be engaged early on to ensure alignment.
Management’s Responsibilities During the Examination
Once the system boundary and other scoping considerations have been established, management has a responsibility to prepare a description of its system and sign an assertion letter stating it is complete, accurate, and fairly presented.
Management is also responsible for identifying the risks that threaten the achievement of its service commitments and system requirements as stated in the description, and accordingly designing, implementing, and documenting controls to mitigate those risks. It is management’s responsibility to assert whether the controls are suitably designed and operating effectively to provide reasonable assurance that the service commitments and system requirements will be achieved according to the applicable Trust Services Criteria. This means that, as management, you will need to be sufficiently engaged in the day-to-day operation of your organization’s controls to have a reasonable basis for your assertion. In fact, the designated management representative is required to sign a letter of assertion at the completion of the engagement.
During the audit, your service auditor will expect management to grant access to all information, such as records, documentation, service level agreements, and internal audit or other reports, and any other information that is relevant to the system and in support of your auditor’s testing. This typically means your service auditor will have unrestricted access to personnel within the service organization as is relevant and necessary to obtain evidence during the examination.
As stipulated in the SOC 1 and SOC 2 guides published by the AICPA, there is also an expectation that management will disclose the following to the service auditor, as relevant:
- Incidents of non-compliance with laws and regulations, fraud, or uncorrected misstatements
- Knowledge of any actual, suspected, or alleged intentional acts
- Any deficiencies in the design of controls of which it is aware
- All instances in which controls have not operated as described
- All identified system incidents with significant impact
- Any events subsequent to the audit period that could have a significant effect on management’s assertion
*Note: The above bullet points are taken almost verbatim from AICPA.org, but it is a paid-for resource, so the direct link is not broadly available.
These responsibilities of management in a SOC 1 or SOC 2 audit may leave you feeling overwhelmed, but they are important. It’s worth repeating, though, that your auditor should help guide you through this process, and early and regular communication with them will make for a smoother audit engagement.
Management’s Responsibilities During Engagement Completion
Once the heavy lifting of planning for your audit and supporting the service auditor in executing the audit engagement is complete, management bears certain responsibilities toward the end of the engagement, including the following:
- Modifying the description, if appropriate
- Modifying management’s written assertion, if appropriate, and
- Providing the service auditor with written representations.
The representations reinforce the disclosures noted in the section above, but they are required to be signed, in a formal letter at the conclusion of the audit, by a member of the management team with an appropriate level of knowledge and awareness of the system and its internal controls.
Are you now questioning your decision to undertake a SOC 1 audit? Deciding to pursue a SOC 1 or SOC 2 and engaging a service auditor to start down the path toward SOC compliance can be daunting. The good news is that your service auditor should be well versed in the requirements and able to support you throughout the process. Your service auditor should help by identifying management’s responsibilities in an audit and giving the company guidance on how to meet those responsibilities throughout the audit engagement lifecycle.
Maggie spent nearly 10 years in KPMG’s IT Advisory and Attestation practice before joining a financial technology company as the Risk and Compliance Director. She has overseen numerous SOC 1 / SOC 2 audits and other IT Compliance audits and has vast experience implementing risk management and IT compliance solutions. She is Certified in Risk and Information Systems Control (CRISC) and obtained a Bachelor of Science in Business Administration, Finance, from the University of Colorado at Boulder.