Are You Asking for a SOC Report?

We often meet with executives of small and medium-sized companies who are debating whether or not they need a
System and Organization Controls (SOC) report. The decision comes down to one simple question:

“Are your customers asking for a SOC report?”

If they are, you will need to get one or be prepared to lose their business. If they are not, you do not need one. It is that simple.

Ironically, in a day when service providers are outsourcing to other service providers, too many organizations are not asking another important question in relation to SOC reports:

“Should I be getting SOC reports from my service providers?”

A public company may not have to ask this question because their financial auditors will ask for a SOC 1 report when they deem outsourced processes to have a material impact on their financial statements. Large corporations with mature control environments and robust risk management programs ask for a SOC 2 report when they identify a service provider that handles or processes sensitive data that must be kept secure whether it resides in their environment or that of a service organization. However, small or medium-sized businesses often do not have these luxuries and, consequently, fail to ask.

Why Ask for a SOC Report?

Some may say that smaller businesses do not need to get a SOC report because their auditors are not requiring it. Others excuse them because they do not have the resources (e.g., personnel, time, expertise, etc.) to assess the impact of service providers on their organization and clients. While the circumstances may be true, they only highlight the importance of a smaller organization getting a SOC report from their service providers.
A SOC report provides a user or client of the service organization with:

  • A description of the service organization’s system used to provide its services
  • An assertion from the service provider’s management regarding the:
    • Fairness of the presentation of the system description
    • Suitability of design (Type I) and operating effectiveness (Type II) of controls within the system
  • A description of an independent auditor’s test procedures and results related to the controls described by management
  • An independent auditor’s opinion regarding the:
    • Fairness of the presentation of the system description
    • Suitability of design (Type I) and operating effectiveness (Type II) of controls within the system

Receiving and reviewing a SOC report can help an organization identify risks that are not addressed by a service provider and the need to implement controls to mitigate those risks. Often service organizations will have these reports, but may not be providing a copy to a client because they have not requested it.
The American Institute of Certified Public Accountants’ (AICPA) Statement on Standards for Attestation Engagements (SSAE) No. 18 (which replaced SSAE 16 as the standard for SOC 1 reporting on May 1, 2017) emphasizes the importance of service providers monitoring controls at subservice organizations.

Who Should You Ask for a SOC Report?

You may be thinking to yourself, “Okay. I understand that I should be asking for SOC reports, but which of my service providers should I be asking?”
That is a great question. The truth is there are probably more service providers that you should be requesting the report from than you may have thought. The following are some of the different types of service organizations that you should be asking for a SOC report:

  • Accounts Receivable and Collections Services—For most organizations, accounts receivable (A/R) is a material account, which would require a SOC 1 report. Subcontracting A/R and collections processing also involves sharing sensitive, personal information that requires a service organization to have controls in place to ensure the security, confidentiality, and integrity of the information during the receipt and collection processes. These areas can be addressed by a SOC 2 report.
  • Colocation and Managed Services—These organizations may be data center, infrastructure-as-a-service, or cloud storage providers that maintain system availability, security, and data reliability to protect you and your clients from experiencing business interruptions, data breaches, or inaccurate processing. Many of these organizations will have both a SOC 1 and a SOC 2 report for their clients.
  • Document Management—In most cases, document management SaaS or outsourcing includes storing sensitive or confidential information and records, either electronically or in hard-copy form. It would be appropriate to request a SOC 2 report to gain assurance that these service providers follow a controlled process and have a secure environment to properly store, maintain, and retain your information.
  • Financial Services—Financial services may be one of the largest and most regulated industries. However, if they are providing services to your organization, their activities directly impact the company’s financial position. Additionally, they are likely processing transactions and storing sensitive data. While a SOC 1 report would likely be the most appropriate report, one might also request a SOC 2 report to assess the organization’s security or processing integrity.
  • Healthcare—Healthcare related services involve the use of confidential and personally identifiable information. A single data breach within a healthcare service organization could have significant negative effects for the company and those using their services. Consequently, a SOC 2 report would help a user organization understand the controls in place to maintain the security and privacy of this sensitive information.
  • Information Technology—IT is a complex industry that continues to grow as more organizations use outsourced solutions. These service providers should implement strong internal controls to protect the confidentiality, integrity, and availability of their clients’ data and systems. As you might have guessed, a SOC 2 report would be an excellent way to evaluate the security within their control environment.
  • Payroll Processing—These service organizations process payroll and submit payments to employees and governmental entities. Payroll is typically a material account within a company’s financial statements. So, these organizations typically provide a SOC 1 report. However, you might also request a SOC 2 report in relation to the security and processing integrity of their system.


Organizations often overlook service providers when assessing their businesses’ risks and control environment. As a user organization, you should request SOC reports from your service providers. A SOC report can help you to understand how services are being provided, identify any risk/control gaps at the service organization, and implement the necessary compensating controls to mitigate the residual risks to you and your clients.
