
System and organization controls

last edited by: Latha Thamma reddi on Apr 22, 2023 10:53 PM


What is the SOC 1 Type 2 report and why is it used for the IT-related annual year-end audit?

A System and Organization Controls (SOC) report is a report on the internal controls of a service organization such as SAP SE, issued by an independent external auditor (the service auditor). SOC reports examine the services provided by a service organization so that users of those services can assess the risk associated with outsourcing and whether the service provider addresses those risks appropriately. A SOC 1 report specifically covers controls at the service organization that are relevant to its customers' internal control over financial reporting, which is why it is the report relied on in the IT-related year-end audit. SOC reports are issued as Type 1 or Type 2. A Type 1 report contains management's description of the system and services provided, and the service auditor gives an opinion on whether the controls are suitably designed to address the service risks, as of a specified point in time. A Type 2 report goes a step further: the service auditor tests the controls over a defined period and gives an opinion not only on their design but also on their operating effectiveness during that period.

How to review and evaluate a SOC 1 Type 2 report as part of the IT-related annual year-end audit?

To rely on a report created by a third party, IT auditors first need to satisfy themselves that the service auditor is sufficiently credible to have conducted a thorough examination of the service provider's Internal Control System. Once the service auditor's credibility is established, the IT auditor can rely on the content of the SOC report and proceed to review and evaluate it.

The following aspects are examples of what needs to be considered and evaluated independently by each IT auditor according to local law and internal requirements:

- Professional standards under which the report was prepared
- Type of the report (e.g. SOC 1 Type 2, ISAE 3402, IDW PS 951 n.F.)
- The report's overall quality
- Whether management has provided a written assertion

Subsequently, the IT auditor needs to gain a thorough understanding of the service provider and of the services (nature, materiality, content, relationship etc.) consumed by the customer, and to confirm that the consumed services are entirely covered by the audit report (e.g. for data hosting, auditors need to ensure that the data centres hosting the customer's data are included in the scope of the report).

After establishing the service auditor's credibility and understanding the nature and degree of outsourcing, the IT auditor needs to independently check and evaluate, according to local law, whether all aspects relevant to the IT audit (as part of the annual year-end audit) are covered by the report. Relevant aspects include, for example:

- Reviewing whether the report's period covers the customer's entire fiscal year; where it does not, the uncovered period needs to be addressed, typically by a bridge letter from the service provider
- Understanding whether subservice organizations are used, to what degree, and what their impact on the customer is
- Ensuring the relevant IT General Controls (ITGC) are covered in the audit report
- Evaluating the exceptions noted in the audit report for their relevance to the IT audit
- Assessing whether the relevant exceptions found by the service auditor were mitigated properly and whether they have an impact on the IT audit procedures
- Understanding whether the Complementary User Entity Controls (CUEC) are properly addressed and executed by the customer. This part needs to be audited directly with the customer. (Definition: CUECs are controls that SAP SE, as the service provider, expects its customers to have in place in order to use its services properly. User access controls are a typical example: when a customer needs to add, modify, or revoke access for its employees, it is the customer's responsibility to do so and to ensure that the access is appropriate.)

Note: Responsibility for the appropriateness and reliability of the Internal Control System (ICS) remains solely with the customer. Therefore, when outsourcing services to a third party, customers need to ensure that the ICS of the service provider is reliable and regularly audited by an independent service auditor. The customer itself needs to request the audit report from the service provider, review it, and evaluate the impact if important control procedures are missing or if exceptions were identified by the service provider's auditor. This activity is itself audited as part of the IT-related year-end audit.
