Page 276 - COSO Guidance Book
Point of focus — Integrates with business processes
Ongoing evaluations are built into the business processes and adjust to changing conditions.
For example, the accounts-receivable IT system will automatically deny additional credit to any
customer if the customer has made no payment in the past two months.
Point of focus — Adjusts scope and frequency
Management varies the scope and frequency of separate evaluations depending on risk.
For example, a local government agency learned of a massive security breach at several national
retail store chains that compromised customer credit and debit card information and other sensitive
personal information. The agency then elected to have more frequent vulnerability studies conducted
by third parties to provide assurance that it maintains current security measures to mitigate the risk
caused by these types of security breaches.
Point of focus — Objectively evaluates
Separate evaluations are performed periodically to provide objective feedback.
Outsourced service providers
The framework does not list outsourced service providers as a separate point of focus. However, it is
noted that entities that use outsourced service providers (warehousing or health care claims processing,
for example) should obtain an understanding of the processes and controls associated with the services
and how the outside service provider’s internal control system affects the entity’s system of internal
control.
The entity might obtain this understanding of the outsourced service provider’s system of internal control
by following these steps:
1. Conduct its own separate evaluations of the outsourced service provider’s system of internal control
as it relates to the entity.
2. Review an independent audit or examination report, such as a system and organization controls
(SOC)² for service organizations report.
3. Determine whether there is sufficient control over processing provided by the outsourced service
provider by considering the type of processing and reporting it provides and the information
conveyed between it and the entity.
² In 2017, the AICPA introduced the term system and organization controls (SOC) to refer to the suite of services
practitioners may provide relating to system-level controls of a service organization and system- or entity-level
controls of other organizations. Formerly, SOC referred to service organization controls. By redefining that acronym,
the AICPA enables the introduction of new internal control examinations that may be performed (a) for other types
of organizations, in addition to service organizations, and (b) on either system-level or entity-level controls of such
organizations. The four examinations in the SOC suite of services are (1) SOC 1® — SOC for Service Organizations:
ICFR; (2) SOC 2® — SOC for Service Organizations: Trust Services Criteria; (3) SOC 3® — SOC for Service
Organizations: Trust Services Criteria for General Use; and (4) SOC for Cybersecurity.
© 2020 Association of International Certified Professional Accountants. All rights reserved. 7-6