    Dave Stevens
    SOC1 Report and Bridging Letter
    Topic posted May 30, 2019 by Dave Stevens, tagged Compliance, Financials
    Summary: Audit requirement - timing of SOC1 report - year end 30 September

    Hi

    We have raised an SR with Oracle in relation to the following question(s).

    However, we would like to know what others in a similar position are doing or have done.

    Summary:

    Our auditors have raised concerns that the current timing of the SOC1 review from Oracle will not meet their needs as part of the year-end audit.

    From our understanding, Oracle do a full assessment twice per year in order to issue a SOC 1 report for the period ending 31 December and the period ending 30 June.

    Beyond the timing of 31 December and 30 June, a bridging letter is issued by Oracle.

    However, our auditors have highlighted to us that they cannot rely on a bridging letter that is more than 3 months old.

    Our year end is 30 September and we issue earnings to the market at the end of November.

    The most recent SOC 1 report available from Oracle will be dated 30 June, and therefore the bridging letter (from our auditors' perspective) will expire on 30 September and will not cover the period up to when they sign their audit opinion at the end of November.

    If they cannot rely upon an Oracle SOC1 report, then they will need to do a full substantive (rather than controls-based) audit.

    How have others in a similar position met this requirement?


    Kind Regards

    Dave


    • Maria Centeno

      Hi Dave,

      Bridge letters are issued monthly to cover the period of time that has elapsed since the end of the latest review period. Please work through Support or download from My Services the bridge letter for the month in question.

      (SOC-1 reports are produced twice per year but cover different periods than those you describe)

    • Ajay Hathiramani

      Hi Dave, 

      We are a March 31 company and face a similar situation. Our auditors are also stating they cannot accept a SOC 1 report with a bridge letter more than 3 months old. So, the gap period of 3 months needs to be assessed.

      We are exploring the options of 

      1) Exercising our “right to audit” to independently audit Oracle on key controls.

      2) Provide Agreed Upon Procedures for Oracle to execute and provide us results of the outcome.

      We have still to hear from Oracle whether either is supported by them...

      I would love to hear if you have made any progress on this and what steps your organization has taken and if they have been accepted by auditors.


      Regards,
      Ajay.

      • Dave Stevens

        Hi Ajay

        Please see below the response we received from Oracle.

        I have provided the SOC report, bridging letter and the response below to our management.

        "- The SOC reports are done every 6 months.
        - The gap or bridge letters are monthly.
        - All reports can be downloaded directly from My Services by our customers.
        - There is no exact date when we publish them; that depends on our auditors and how long the process is.
        - SOC reports for Oct 1st to March 31st are available around May; for April 1st to Dec 31st, available around Jan.
        - Your year end is Sept 30th, so the SOC report available then will be the one from May covering Oct 1st to March 31st. The option is to rely on the bridge letter for April to Sept, as the next SOC to cover this period will be available in Jan. All other customers are using this, and the SOC report dates cannot change, nor can we issue a one-off SOC report or something like that.
        - Another option is to invoke section 10 of the Data Processing Agreement for Oracle Cloud Services, where it states that under certain conditions you can audit Oracle up to once per year. You can access the contractual documentation from this page > https://www.oracle.com/corporate/contracts/cloud-services/contracts.html This will take a lot of time, and there are some specific conditions in order to request it. You can read more in the DPA document from the above link.

        I'd also like to point to this KM article, General Instructions for Submitting Security Questionnaires to Oracle (Doc ID 2337651.1), as it provides some great general guidance in regards to security-specific requests from subscribers."

        • Ajay Hathiramani

          Thanks Dave,

          I have summarized my thoughts and the problems that we are currently facing; you may face a similar situation. Still evaluating how to go about it. Will update this post if I come across anything as well.

          "The option is to rely on the bridge letter for April to Sept, as the next SOC to cover this period will be available in Jan." - This is not possible for most clients, as the auditors can only rely on a maximum 3-month bridge letter. This would mean a minimum of 9 months' coverage of the controls from a SOC report or customer audit.

          "All other customers are using this, and the SOC report dates cannot change, nor can we issue a one-off SOC report or something like that." - We received similar correspondence as well. However, the reality is that without confidence in 9 months of the control environment over our financials, the auditors would not accept this.

          "Another option is to invoke section 10 of the Data Processing Agreement for Oracle Cloud Services, where it states that under certain conditions you can audit Oracle up to once per year." - We actually did this last FY, and we found the process to be highly tedious, with multiple back and forths. We provided Oracle with the specific controls we wanted to test. However, we did not make too much progress, as we couldn't collect sufficient evidence to show our external auditors that controls were satisfactory. Also, in testing some controls, Oracle stated that since they involved personal information (e.g. revocation of access when an employee is terminated), the control could not be tested.

          "You can access the contractual documentation from this page > https://www.oracle.com/corporate/contracts/cloud-services/contracts.html This will take a lot of time, and there are some specific conditions in order to request it. You can read more in the DPA document from the above link." - There is a clause that states that if it's already included in the SOC 1 report, it cannot be tested, or something like that. This again defeats the purpose of doing a customer audit, as we need to get comfort for the 3 additional months where the SOC 1 report is not available.

          • Dave Stevens

            Thanks Ajay

            I will let you know as soon as I hear something from management on how they are progressing with our auditors and what steps we are taking.

            Kind Regards

            Dave

            • Ajay Hathiramani

              Hi Dave, 

              Hope you are doing well.

              Just checking if you made any progress with the auditors and what steps you have taken.

              We have ruled out "Agreed Upon procedures" as Oracle confirmed the only option available to us is a Customer Audit. However that too will be limited in scope.

              We are also trying to push back on our external auditors to rely on a 6-month bridge letter, without much luck.

              If you have any information please do let me know.