Service Organization Control Reports and COSO Internal Controls
There was once a time when enterprises built, implemented, and relied on their own internal control processes and systems. The original COSO internal control framework was largely built with that model in mind, where enterprise personnel were totally responsible for building and creating their own internal control systems and processes. The world has very much changed today; we now use outside service providers to manage many outside processes through a wide variety of contractual arrangements, and we need to rely on the internal controls that those outside providers administer, even though we do not have direct authority and responsibility for those internal controls.
When some other service provider has been chosen to perform contracted procedures, the contracting enterprise does not have direct control over those systems and processes. Even when some other nonenterprise entity or service is operating certain systems and processes, enterprise management cannot say that any internal control or other problems are not its responsibility because someone else is doing the work. No matter whether an enterprise is doing the work itself or is contracting with another party to perform procedures, the enterprise is still responsible for the quality and management of its own internal processes.
Unless there has been a formal right-to-audit agreement or certain court-ordered legal actions, an enterprise cannot just ...