We are asked this question frequently, usually by someone who has just received a SOC report request, has little experience with SOC auditing and reporting, and is concerned about responding appropriately. If your company is facing the same question, this article explains what you need to know.
First, a little background on SOC reporting. SOC stands for System and Organization Controls. A SOC report lets a service organization (a company that performs a business function on behalf of others) demonstrate to the companies that rely on it that “what they say they do is what they are actually doing.” A SOC report can only be issued by a licensed CPA firm, and the nature of the relationship between the two companies determines which type of SOC report is most applicable. There are four SOC reports (SOC 1, SOC 2, SOC 3 and SOC for Cybersecurity); more on these later.
“Is a SOC report applicable?”
Currently, many companies are requesting SOC reports from their business partners and service providers because of a corporate compliance mandate. Generally, a SOC report provides significant value to the requesting party when one company shares sensitive information with the other, or when one company performs a financial process on behalf of the other. If neither applies, we recommend talking with the requesting company to understand why it is asking for a SOC report and to determine whether any of the four report types fits the services actually being performed. We are often brought in to walk both companies through that determination.
“Is my company prepared to receive a ‘clean’ SOC report?”
The biggest challenge we see with first-time SOC audit clients is a lack of documentary evidence to prove that “what they say they are doing is what they are actually doing.” A SOC report describes the processes and controls the company has implemented to mitigate the risks associated with the duties it performs on behalf of its clients, and the auditor needs evidence that each of those controls exists and is followed. We recommend that any company considering its first SOC audit complete a SOC readiness assessment to lower the chance of receiving a “qualified” (non-clean) opinion. The goal of the assessment is to identify control gaps and provide a roadmap for closing them before the official SOC audit.
So, about the different types of SOC reports…
A SOC 1 report applies when one company performs a financial transaction process on behalf of another and that process could have a material effect on the other company’s financial statements; payroll processing performed for another company is a typical example. A SOC 2 report generally applies when a company handles sensitive information for another, such as a cloud technology provider that stores data on behalf of its customers. A SOC 2 report is written against the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality and privacy); security is always in scope, and the others are included as the service warrants. A SOC 3 report is a general-use summary of a SOC 2 report: it carries the auditor’s opinion but omits the detailed description of controls and the test results, so it can be shared publicly. Finally, SOC for Cybersecurity (introduced in 2017) reports on a company’s entity-wide cybersecurity risk management program rather than on a specific service.
To complicate matters further, SOC 1 and SOC 2 reports come in two types. A Type I report covers the description of the system and the suitability of the design of its controls as of a point in time. A Type II report also tests whether those controls operated effectively over a review period (commonly six to twelve months), which requires considerably more evidence and gives the reader a correspondingly higher degree of assurance. A SOC for Cybersecurity examination can likewise cover either the design of controls at a point in time or their operating effectiveness over a period. We find that firms are often unaware of these options, and further discussion with them is generally necessary.
Applicability, organizational readiness and choice of report are just a few items to contemplate if your company has fielded a SOC report request. If you find yourself in this situation, the experienced professionals in Olsen Thielen’s SOC Audit Practice Area can help navigate the complexities.
Contact us to discuss if you need a SOC audit and to explore the various options available for you.