The System and Organization Controls (SOC) reports are growing in visibility and popularity. More and more companies want to take advantage of the benefits SOC reports provide—for their customers or for themselves—leading to the common questions “How do I achieve SOC compliance?” and “How do I become SOC certified?”
Unfortunately, those questions won’t get organizations very far.
Here, we’ll answer questions about SOC reports and debunk the myth of “SOC compliance” and “SOC certification” so that you have answers to the right questions.
How can my company obtain SOC compliance?
While a SOC report can help your company demonstrate compliance with regulations that apply to it, a SOC examination is an attestation engagement, not a compliance assessment, and the report it produces is not a compliance finding. So, there is no such thing as “SOC compliance.”
In truth, SOC reports are the result of SOC attestation examinations, which evaluate your internal controls. A SOC report includes the SOC auditor’s opinion about your controls, not a confirmation of compliance with certain standards.
With that said, it’s true that some SOC exam outcomes are more desirable than others. But the exams are not “pass” or “fail,” so they don’t have a resulting designation of “SOC compliant” or “not SOC compliant.”
Can my company get a SOC certification?
Similar to “SOC compliance,” there is no such thing as “SOC certification.”
This, again, is because the SOC report is not a result of passing or failing, and the SOC report includes the auditor’s opinion—not a certification of your company’s adherence to a defined set of rules. Instead of reviewing for compliance, the auditor reviews your internal controls to determine if they are appropriate and effective for your organization and its activities.
If there is no such thing as “SOC compliance” or “SOC certification,” what do I need to get to let my customers know I’ve completed a SOC exam?
Once your organization has completed a SOC examination, the auditor will issue a SOC report. The SOC report itself is what you’ll provide to your customers to prove that you have completed a SOC examination.
A SOC report is a package that includes:
- Independent Service Auditor’s report (which includes the auditor’s opinion);
- Management’s assertion;
- Management’s system description; and
- In the case of a Type 2 examination, a description of the tests of controls the auditor performed and the results of those tests.
Your customers will look to the auditor’s opinion to see how your organization’s controls fared in the exam, rather than for an indication of SOC compliance or certification.
What is an auditor’s opinion?
The auditor’s opinion is the part of the report that is of greatest interest to your customer. It will include information about:
- Whether the description of your organization’s system is fairly presented (SOC 1®) or presented in accordance with the DC 200 description criteria (SOC 2®)
- Whether the controls are suitably designed
- For a Type 2 report, whether the controls also operated effectively throughout the examination period, typically six to twelve months
Is one opinion better than another?
Yes. While no opinion indicates SOC compliance or SOC certification, there are several types of opinions that the auditor can give.
An “unmodified” opinion – This is the most desirable outcome of the SOC exam. It means that, after reviewing the evidence, the auditor finds that the system description is fairly presented and that the controls are suitably designed and, for a Type 2, operated effectively over the examination period.
A “qualified” opinion – Auditors issue this opinion when they find deficiencies that are material but not pervasive. For example, the description of the system may omit relevant information or be misleading, or some controls may be missing or not operating as intended. The rest of the report is unaffected, but the opinion is explicitly limited by the exceptions the auditor describes.
An “adverse” opinion – This is the opinion an auditor gives when the problems with the controls or the system description are both material and pervasive. Obviously, this is the least desired outcome. (If the auditor cannot obtain enough evidence to form an opinion at all, the result is a disclaimer of opinion rather than any of the three above.)
What can I do to prevent a qualified or adverse opinion from my SOC auditor?
Before beginning a SOC examination, start by evaluating your organization’s existing policies, procedures and internal controls. Are they adequate? Are they well designed? Will they prevent errors in reporting or reduce risk?
If not, consider a readiness assessment. This assessment will help you to review your existing controls to determine where controls can be strengthened or where they may be missing altogether. This offers the opportunity for your organization to create or edit your controls before a full SOC exam is conducted.
Ideally, to prevent delays, complete your readiness assessment well before a customer requests a SOC report from you, so there is time to remediate gaps before the examination period begins.
Can my SOC auditor write my internal controls so that I can get an unmodified opinion on my SOC report?
The purpose of a SOC report is to have an independent certified public accountant (CPA) examine your system and controls. If your auditor were to write your system description or design your controls, they would be auditing their own work and would no longer be an independent assessor. It would create a conflict of interest that undermines the value of the report.
However, SOC auditors know that having strong controls in place is for the betterment of the organization, and they can and will offer guidance when it’s appropriate and give assistance in other ways where they can add value.
Learn More about SOC Reports and Get Started
Now that you’re informed about why the term “SOC compliance” is a misnomer, you may still have questions or need help in getting started. If that’s the case, contact us with any questions you may have about SOC reporting, and reach out to get started.