Monitoring vs. Auditing Internal Controls

Internal Controls

Auditing internal controls (controls that provide assurance on the reliability of financial reporting, the efficiency and effectiveness of operations, and compliance with laws and regulations) should not be viewed as part of the internal control infrastructure itself. That infrastructure consists of the control environment, risk assessment, information and communication, control activities, and monitoring (COSO, SOC, ISO 27001). Auditing assesses those components from the outside; it is not one of them.

Process owners should guard against the temptation to wait for, and rely solely on, the results of external audits to trigger consideration of the design and operating effectiveness of the internal controls in their process.

External Audit of Internal Controls

External audits can be SOC 1 or SOC 2 engagements, or they can be projects performed by the company's Internal Audit function.  These engagements are typically retrospective in their assessment and sometimes cover periods of substantial duration, for example the past twelve months.  Therefore, these engagements may be late in bringing to light items of significant consequence to the organization (SOC for Service Organizations).

Process Owner Responsibility

Process owners should instead focus attention on the monitoring mechanisms in their process that are designed to assure process objectives are met and risks are addressed consistent with the organization's risk appetite.  That is, process owners should focus on mechanisms that can detect and correct exposures as they arise, instead of relying too heavily on external audits, which are meant to assess and opine, providing reasonable assurance to third parties on the design, description, and operating effectiveness of process controls.

The good news for process owners, ironically, is that external auditors can be a great resource to tap when considering internal control design.  For example, external auditors can provide valuable insight during an organization's pursuit of an ISO 27001 information security management system development and implementation initiative (ISO 27001).

External Auditors

External auditors perform engagements to assess internal controls and must not perform the management function of monitoring those controls, since doing so would compromise their independence.  Nevertheless, because of the knowledge of internal controls they have accumulated, they can be a valuable resource to tap for recommendations on the design of internal control mechanisms.

Contact CompVisory with questions as we are always available to our current clients and to prospects considering engaging with us for our services.

SOC 1*, SOC 2~, or Both

How should a company decide whether to have a SOC 1 or a SOC 2, or when it is appropriate to have both? The company should consider its creditors, investors, regulators, and the other concerned parties that rely on the information provided by the results of the SOC 1 or SOC 2 engagement. In addition, the company would be wise to consider its customers and their expectations about how the company will use their information, especially given the European Union's General Data Protection Regulation (GDPR), effective May 25, 2018.

SOC 1

A SOC 1 engagement provides assurance on financial information and assesses internal controls over financial reporting. This engagement is appropriate if the company, as a service to other companies, provides transaction support that directly or indirectly impacts the completeness, accuracy, and validity of, and the access controls associated with, financial information (COSO, SOC, ISO 27001).

SOC 2

A SOC 2 engagement provides assurance on what the American Institute of Certified Public Accountants describes as the Trust Services Principles, namely security, availability, processing integrity, confidentiality, and privacy. There is some overlap between the controls assessed in SOC 1 and SOC 2 engagements. However, there are some very distinct differences that must not be ignored. A SOC 2 engagement is appropriate if the company handles any information that a reasonable person would consider sensitive (COSO, SOC, ISO 27001).

Both SOC 1 & SOC 2

SOC 1 and SOC 2 engagements are both necessary when a company provides transaction support that directly or indirectly impacts its clients' financial information and, in addition, handles other information that a reasonable person would consider sensitive (COSO, SOC, ISO 27001).

Creditors, Investors, Regulators, & Customers

People want to know that you are treating them with dignity and respect when they engage with you in business. Transparency is critical in demonstrating your commitment to treating stakeholders that way, so if your company provides transaction support for financial information and handles sensitive data, it is incumbent upon you to engage an independent third party to provide compelling evidence of that commitment and demonstrate that you are not just talk. Keep in mind that the EU, through the GDPR, is sending a clear message.

Important

Contact CompVisory and we will provide you with a readiness assessment, and then a SOC 1, a SOC 2, or both depending on the result of the assessment.

Contact us today.

*Service organization controls engagements covering internal controls over financial reporting relevant to user organizations.
~Service organization controls engagements covering security, availability, processing integrity, confidentiality, or privacy.

Largest litigated amount ever obtained by FTC in latest ruling by U.S. District Court of Nevada

A U.S. District Court Judge in Nevada ruled in favor of the FTC, imposing a record $1.3 billion judgment against AMG Services Inc., owned by Scott A. Tucker.  The court found that AMG Services misled consumers about a one-time servicing fee and the actual cost of the loan.  Instead of charging a one-time servicing fee, AMG Services would make several withdrawals from consumers' bank accounts and then charge a finance fee for every withdrawal.  AMG Services Inc., as well as any of Tucker's businesses, are prohibited from providing any consumer lending services.

You can read more here:

https://www.ftc.gov/news-events/press-releases/2016/10/us-court-finds-ftcs-favor-imposes-record-13-billion-judgment?utm_source=govdelivery

The CFPB Released Their Updated Exam Procedures to Address the New Requirements of the Military Lending Act

The CFPB has released its updated exam procedures to align with the requirements of the amended Military Lending Act.  The Military Lending Act was amended in July 2015 to provide further protections to service members and their families when they acquire certain types of credit.  Most creditors are expected to comply with the new regulations by October 3, 2016, and most credit card companies are expected to comply by October 3, 2017.  The CFPB will begin to evaluate financial institutions' implementation plans to address the new requirements of the Military Lending Act as early as October.

You can read more about the Military Lending Act and the CFPB’s updated exam requirements here:

http://www.consumerfinance.gov/about-us/newsroom/cfpb-releases-updated-exam-procedures-military-lending-act/

CFPB Sues Five Title Lenders for Failing to Disclose APR

The CFPB brought suit against five title lenders.  The CFPB alleges that the lenders failed to disclose their annual percentage rate in their online advertisements.  Under the Truth in Lending Act, the annual percentage rate (APR) must be disclosed in almost all consumer credit transactions.[1]  The CFPB claims one company went so far as to advise consumers to take their interest rate and multiply it by twelve, but failed to disclose that the result was the annual percentage rate.


[1] Consumer Financial Protection Bureau, CFPB Rules and Regulation TILA, Truth in Lending Act (2015) at 14, available at:  http://files.consumerfinance.gov/f/201503_cfpb_truth-in-lending-act.pdf