• Type 1: A simplified report with an opinion from a qualified independent auditor on design and implementation of controls at a specific point in time; enables user organizations and their auditors to assess risks and controls.
• Type 2: An expanded report with a full audit of control design and operating effectiveness over a 6 to 12 month period, and details on control testing and results; enables user auditors to rely on controls to reduce testing and avoid visiting the service organization.
Although it is common for service organizations to start with Type 1 and then expand to Type 2, it is essential for user organizations to discuss with their board and auditors which type of report(s) is required. Traditional “right to audit” clauses don’t cover SOC1 reporting, and if you need privacy assurance, which isn’t covered by SOC1, another SOC report may be necessary.
Users and providers should agree up-front on report type, timing and scope. The more reporting requested, the greater the cost, so focus on what you really need and ensure cost responsibilities are also clear in the agreement.
In the gaming industry, there is a complexity involved with SOC audits that shouldn’t be underestimated by users or providers. Get advice from experienced professionals to help navigate stakeholder expectations around report content, scope, and timing. Significant effort is involved in effectively documenting controls in the required format—and even more in testing and fixing any issues—due to the necessary commitment by auditors and staff. Experienced practitioners can provide strategies and assistance to ease the process.
While this provides just an overview of the complexities of outsourcing and SOC reporting, it is clear that proactivity is key. Leaders in the gaming industry are forming deeper partnerships with vendors and each other. If controls assurance requirements are neglected or ignored, the resulting operational and governance issues will be more difficult and costly after the fact. To avoid this misstep, make your reporting needs clear from the start and, if you’re a service organization, begin planning the audit process—and talking to your advisers—as soon as possible.
To learn more about the effects of outsourcing and reporting on your organization, please contact Erik Niemi (firstname.lastname@example.org), Partner, Risk Consulting, Systems Assurance, KPMG; or Abby Hakim (aahakim@kpmg.ca), Senior Manager, Risk Consulting, KPMG.