THE ROLE OF AN SOC 1 REPORT (formerly SAS 70) IN FREIGHT PAYMENT

Size: px

Start display at page:

Download "THE ROLE OF AN SOC 1 REPORT (formerly SAS 70) IN FREIGHT PAYMENT"

Philip Fisher
8 years ago
Views:

1 THE ROLE OF AN SOC 1 REPORT (formerly SAS 70) IN FREIGHT PAYMENT White Paper

2 THE ROLE OF AN SOC 1 REPORT (formerly SAS 70) IN FREIGHT PAYMENT Introduction An essential element in the selection of a freight payment company is a review of that company s SOC 1 report. The SOC 1 report provides important insight into the internal control structure of a freight payment provider, as well as the effectiveness of those controls. Why is SOC 1 important for Sarbanes-Oxley compliance? The Sarbanes-Oxley Act of 2002 is a U.S. federal law that has set new and enhanced standards for all U.S. company boards, management and public accounting firms. The objective of Sarbanes-Oxley, often referred to as SOX, is to provide assurance to investors that the internal control structure of a company is sound and can be relied upon to produce reliable financial data. The SEC has repeatedly reminded management teams of companies which are subject to SOX that the ownership of the internal control structure rests with them and no one else. They cannot blame the auditor or blame the outsourcer in this case. Therefore, the financial information coming from any outsourcer such as a freight payment company must be produced through a system with reliable internal control. In essence, the customer of a freight payment company owns the internal control structure of that freight payment company. Given the above expectations of ownership, the customer might find it extremely advantageous to do a thorough audit of the freight payment company s controls. The SOC 1 serves the purpose of such an audit and provides a document that can be relied upon by the customer. However, it should be noted that the customer cannot just obtain a copy of the SOC 1 report and file it away. Guidance from the SEC requires a user organization (the recipient of the SOC 1 report) to make a value judgment regarding the adequacy of the control structure. If the control objectives as stated in the report are insufficient, it is the user organization which will still be held responsible. SOC 1 or SSAE 16 (Formerly SAS 70) Many people have heard of a SAS 70 report and may be wondering how the SOC 1 report might be different. The short answer is that from a user organization s perspective there is no material difference between a SAS 70 report and a SOC 1. SAS 70 stood for Statement of Auditing Standards No 70. It was the guidance document promulgated by the American Institute of Certified Public Accounts (AICPA). The SAS 70 was intended to give guidance to independent accounting firms performing audits of service organizations. 2

Why is SOC 1 important for Sarbanes-Oxley compliance? The Sarbanes-Oxley Act of 2002 is a U.S. federal law that has set new and enhanced standards for all U.S. company boards, management and public accounting firms.

3 In this context, freight payment companies are referred to as Service Organizations. The AICPA replaced the SAS 70 with SSAE 16 or the Statement of Standard for Attestation Engagements No. 16. This updated guidance changes elements associated with the old SAS 70 in ways that are really only important to the auditing firms. The primary difference that a user organization will see is the name and branding. The Types of SOC 1 report There are two distinct types of SOC 1 reports. They are creatively named the Type 1 and Type 2. Accountants are not known for the branding acumen. A Type 1 report is a report on a service organization s system and the suitability of the design of controls. It focuses solely upon describing the internal controls in place, and whether the control activities, as designed, are suitable. NOTE: A Type 1 report does NOT involve any testing of the controls to see if they are operating as described. This is the primary difference between a Type 1 and Type 2 report. A Type 2 report is a report on management s description of a service organization s system and the suitability of the design and operating effectiveness of controls. They key wording difference is operating effectiveness. This means that in the course of preparing a Type 2 report, an auditor will actually test the control activities to see if they are functioning as described. If there are any deficiencies in the tests, they will be shared with management in a separate communication. A user organization will only know of deficiencies in controls should they rise to the level of undermining a control objective. If the auditor finds that a control objective cannot be achieved due to deficiencies, he will issue a Qualified Opinion which notes that certain control objective(s) could not be achieved due to deficiencies in the control structure. Although a qualified opinion should not be a disqualifying factor for a freight payment company, it should prompt further investigation by the user organization. Beware... The SOC 1 Does Not Speak to Financial Viability The SOC 1 report can provide great insight into a freight payment company s internal control structure, but it does not guarantee the financial viability of the company. The SOC 1 examination does not detect fraud, and makes absolutely no judgment as to the ability of the freight payment company to continue as a goingconcern. The SOC 1 report is one of several items that a customer should consider when evaluating a freight payment company s role as a fiduciary, but it should not be the sole factor evaluated. Only the audited financial 3

The primary difference that a user organization will see is the name and branding. The Types of SOC 1 report There are two distinct types of SOC 1 reports.

4 statements of a freight payment company can provide clear visibility to the financial strength of the provider and its ability to continue to serve the needs of customers. Conclusion The outsourcing of a freight payables process does not mean that a company can outsource their responsibility for internal control. A SOC 1 report serves as a window into the internal control structure of a freight payment company and goes a very long way to satisfying the expectations of Sarbanes-Oxley. However, freight payment customers should always be aware that the SOC 1 does not speak to the financial stability of a potential freight payment provider. That assurance can only be obtained through a set of audited financial statements. What a SOC 1 report does for a freight payment customer Goes a long way to satisfying internal control requirement of Sarbanes-Oxley If it is a Type 2, it provides assurance that internal controls are operating. Provides a view into the internal control structure at the freight payment company. What a SOC 1 report doesn t do for a freight payment customer It does NOT relieve a customer from making a judgment as to the appropriateness of the controls. It does NOT provide any assurance as to the financial stability of the freight payment company. If it is a Type 1 it provides no assurance that controls have been tested to discover if they are operating. 4

A SOC 1 report serves as a window into the internal control structure of a freight payment company and goes a very long way to satisfying the expectations of Sarbanes-Oxley.

5 A3 Freight Payment 8700 W Trail Lake Drive, Suite 100 Memphis, TN Tel: Fax: info@a3freightpayment.com A3 Freight Payment Published 9/12

Fax: 901-759-2966 info@a3freightpayment.com www.

Feeley & Driscoll, P.C. Certified Public Accountants / Business Consultants www.fdcpa.com. Visit us on the web: www.fdcpa.com Or Call: 888-875-9770

Feeley & Driscoll, P.C. Certified Public Accountants / Business Consultants www.fdcpa.com SAS 70 Background 2 SAS No. 70 Reports on the Processing of Transactions by Service Organizations Independent examination