The rise and demand for System and Organization Control Reports (SOC Reports) stem from an increase in outsourcing by organizations and the ever-changing and demanding landscape of cybersecurity threats. Organizations across all industries have improved the quality of their vendor management reviews and risk assessments related to those outsourced processes and third-party vendors. This increase in reviews occur because organizations cannot outsource the responsibility to hold client and customer data and information safely – it is the responsibility of the organization to know whom they are using and what risks and threats they face from that partnership.
SOC reports are a great way to show clients and customers that you have a standard for internal controls around those processes and procedures they have outsourced because it lays out the controls for all to see, thus increasing transparency. Below are definitions for understanding the different types of reports available:
- SSAE 18 / SOC 1® Report: Useful when it is necessary to show controls and processes around internal controls over financial reporting necessary for your customers and clients to validate financial information.
- SOC 2 ® Report: Useful when it is necessary to show controls and processes around one of the five criteria – Security, Availability, Confidentiality, Processing Integrity and/or Privacy. Important to build trust around your organization and how it functions in certain scenarios.
SOC Reports come in two varieties – Type 1 and Type 2. A Type 1 report shows a review and understanding of the design of the controls around the process and procedures (as of a certain date). A Type 2 report includes the design of the controls; but expands to provide a validation of the operating effectiveness of those controls for a period of time (6-or 12-month period). When a Type 2 report is completed, there has been third-party independent validation to the operating effectiveness of those controls. It is always recommended that an organization start with a Type 1 report while in the process of still implementing those controls.
During 2017, the AICPA put out a series of new standards and reporting guidance around SOC Reports (both SOC 1 and SOC 2) related to some enhanced controls that organizations need to have included in their listing of controls – risk assessments and vendor management reviews/assessments. While these might have been informal for a majority of organizations – the new guidance explicitly states that organizations need to have these controls in place to better the organization.
Organizations need to spend time understanding the risks to the organization as it relates to threats for breach or nonconformity of the controls in place around specific processes and procedures. This example shows the usual items reviewed during a risk assessment. These assessments should be done across all divisions and include all employees of the organization. They should be updated at least annually and specifically when an event or threat occurs. These documents help an organization link their threats to the controls in place to mitigate or prevent the threat from materializing.
SOC Reports are important for all who do business and outsource portions of their process or have processes and procedures outsourced to them by customers and clients. Having open communication with your clients and vendors is important to knowing that the right SOC report is being obtained with the correct level of examination and validation – so make sure you have clear meetings and consistently set expectations upfront.
View the full webinar recording below:
For more information on SOC Reports, please contact Paul Perry at Paul.Perry@warrenaverett.com or 205.769.3251.