It’s becoming more and more common for customers to ask their vendors to provide a System and Organization Controls, or SOC, report. If your organization hasn’t been asked to supply a SOC report yet, you probably will be asked to do so sooner rather than later.
If you’re just beginning to consider a SOC report for your organization, you probably have a lot of questions.
What is a SOC report? What are the different types of reports? Do I need one if I haven’t been asked for it? Which type do I need?
Here, we’ve answered questions to help you better understand, clearly and concisely, what SOC reports are, their requirements, why your customers might ask for a report and how to get started.
What is a SOC Report?
SOC, as defined by the American Institute of Certified Public Accountants (AICPA), is a suite of reports produced as part of an audit or attestation review. Put simply, a SOC report is the result of a corresponding SOC examination of your organization.
A SOC examination identifies, outlines and validates that your organization has (and uses) appropriate internal controls over the information systems that you use.
SOC reports are designed to help service organizations build trust with their customers by demonstrating confidence in their services, systems and controls by having an independent certified public accountant review and report on them.
Which Organizations Need a SOC Report?
SOC reports are most commonly used by service organizations—those businesses that provide systems and services to other organizations.
What are Internal Controls?
Internal controls are the measures that your organization puts in place concerning its own internal operations to increase efficiencies, protect against liability and remain in compliance with regulations and laws.
These mechanisms and rules are intended to offer reasonable assurance that the organization will achieve the business objectives related to the services it provides.
Why Would My Customers Want a SOC Report From My Company?
As a service organization, you have access to your customers’ data and systems, or you have oversight or influence on their financial processes like payroll and benefits.
A SOC report offers validation to your customers and assurance that your controls are operating effectively and that you have mechanisms and rules in place to reduce the risk of errors, omissions, data loss, etc. that could impact them.
A SOC report will communicate important information about your organization’s internal controls and risk management. It shows both customers and potential customers that you are taking steps to mitigate risk, protect their confidential information and safeguard the integrity of financial reporting data.
Why Would My Company Want to Get a SOC Report?
SOC reports don’t just provide value to your customers; SOC reports are a benefit for the companies that go through the SOC exam as well.
Even if your organization already has strong controls in place, a SOC report can help you better understand where you may need additional processes and rules to protect your organization and your clients’ financial and confidential information.
In the end, they can provide you with the resources you need to identify blind spots, fix problems before they happen and differentiate what isn’t working for your organization’s controls from what is. A SOC report can set your organization up for success when it comes to evaluating your internal controls.
What are the Different SOC Reports?
A SOC 1 report is specifically for organizations that have an impact—directly or indirectly—on a customer’s financial reporting. This can include payroll vendors, investment advisors, benefits administrators and more.
A SOC 2 report is focused on non-financial controls for service providers like IT outsourcing services, customer support, MSPs and MSSPs, FinTech services, healthcare claims processing and management and more.
The controls reviewed are related to operations in five AICPA-defined trust services categories:
- Security (also called the Common Criteria)
- Availability
- Processing integrity
- Confidentiality
- Privacy
A SOC 2 report must include the common criteria, but the other categories are optional based on which ones are relevant to the organization’s service commitments and system requirements.
For both SOC 1 and SOC 2, there are two types of reports, as well.
- In a Type 1 report, the auditor examines the controls as of a specified date to determine whether they are suitably designed and implemented as of that date.
- A Type 2 report goes one step further: the auditor tests the controls to determine whether they are operating effectively over an entire period (usually six to twelve months).
What is the First Step in Getting a SOC Report?
Before you begin the SOC report process, it’s a good idea to start with a readiness assessment. A readiness assessment indicates if your organization is in a position to begin the process for a SOC examination or if there are additional steps you should take first.
Who Conducts a SOC Report?
SOC reports are conducted by certified public accountants who are independent of your organization.
Still Have Questions About What a SOC Report is?
Even once you’ve answered the question “What is a SOC report?”, SOC reporting can seem overwhelming, especially if you’re on a tight timeline because a customer has requested a report. The good news is that, while the process is involved, the service auditor will provide assistance and advice throughout to help you reach that end result.
Providing a SOC report to your customers is a great way to demonstrate the care you give to their information and the concern you show for their risk.
If you have additional questions that we haven’t answered here about the SOC reporting process and which report you need, or if you’re ready to begin a SOC examination, please contact us.