Are You Asking for a SOC Report? Do You Need One? When It’s Required

Do you need a SOC report?

We often meet with executives of small and medium-sized companies who are debating whether or not they need a System and Organization Controls (SOC) report. The decision comes down to one simple question:

“Are your customers asking for a SOC report?”

If they are, you will need to get one or be prepared to lose their business. If they are not, you do not need one. It is that simple.

Ironically, in a day when service providers are outsourcing services to other service providers, too many organizations are not asking another important question in relation to SOC reports:

“Should I be getting SOC reports from my service providers?”

A public company may not have to ask this question because its financial auditors will ask for a SOC 1 report whenever they deem an outsourced process to have a material impact on the financial statements. Large corporations with mature control environments and robust risk management programs ask for a SOC 2 report when they identify a service provider that handles or processes sensitive data that must be kept secure, whether it resides in their own environment or in that of the service organization. However, too often, small or medium-sized businesses fail to ask their vendors for a SOC report because they simply do not know to ask.

This post addresses the common “who, what, why, and when” questions that organizations ask (or should be asking) when considering whether or not they need a SOC report from a vendor or service provider. Some of these include:

  • Are SOC reports required?
  • What companies are required to have a SOC report?
  • Why do you need a SOC report from service providers?
  • What service providers should I be asking for a SOC report?
  • What kind of SOC report should I be asking for?
  • Who has to have a SOC 1, 2, or 3 report?
  • How do I ask for a SOC report?
  • When should I request a SOC report?
  • Who should review a SOC report?
  • How do you read a SOC report?
  • What if there is no SOC report?

Are SOC Reports Required?

The short answer is yes and no. No, SOC reports are not required by law: no government law or regulation requires a business to obtain a SOC report in order to register the organization or to deliver its system or services. However, some clients or customers may require a SOC report to be provided on an annual basis as a term or condition of doing business with them. So, while not required by law, a SOC report may be a requirement imposed by potential customers before they will engage with you.

In some cases, a customer will not make a SOC report a requirement of doing business at all. Even then, customers will often treat it as a differentiating factor when evaluating two similar service providers. If they prioritize the protection of their clients’ information, they will likely go with the provider that is willing to substantiate its security claims by providing an annual SOC report.

Why Do You Need a SOC Report from Service Providers?

Some may say that smaller businesses do not need to get a SOC report because their auditors are not requiring it. Others excuse them because they do not have the resources (e.g., personnel, time, expertise, money) to assess the impact of service providers on their organization and clients. While those circumstances may be true, they only highlight the importance of a smaller organization getting a SOC report from its service providers: the report supplies the independent assessment of the provider’s controls that the smaller organization cannot perform on its own.

A SOC report provides a user or client of the service organization with:

Receiving and reviewing a SOC report can help an organization identify risks that are not addressed by a service provider and the need to implement its own controls to mitigate those risks. Often service organizations already have these reports but are not providing a copy to a client simply because the client has not requested it.

The American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements (SSAE) No. 18 (which replaced SSAE 16 as the standard for SOC 1 reporting on May 1, 2017) emphasizes the importance of service providers monitoring controls at subservice organizations. Check out our blog on the summary of changes caused by the implementation of SSAE 18.

What Service Providers Should You Ask for A SOC Report?

You may be thinking to yourself, “Okay. I understand that I should be asking for SOC reports, but which of my service providers should I be asking?”

That is a great question. The truth is there are probably more service providers that you should be requesting the report from than you may have thought. The following are some of the types of service organizations you could or should be asking for a SOC report, along with the type of SOC report that fits each:

  • Accounts Receivable and Collections Services — For most organizations, accounts receivable (A/R) is a material account, which would require a SOC 1 report. Subcontracting A/R and collections processing also involves sharing sensitive, personal information that requires a service organization to have controls in place to ensure the security, confidentiality, and integrity of the information during the receipt and collection processes. These areas can be addressed by a SOC 2 report.
  • Colocation and Managed Services — These organizations may be data center, infrastructure-as-a-service, or cloud storage providers that maintain system availability, security, and data reliability to protect you and your clients from business interruptions, data breaches, or inaccurate processing. Many of these organizations will have both a SOC 1 and a SOC 2 report for their clients.
  • Document Management — In most cases, document management SaaS or outsourcing includes storing sensitive or confidential information and records, both electronically or in hard-copy form. It would be appropriate to request a SOC 2 report to gain assurance that these service providers follow a controlled process and have a secure environment to properly store, maintain, and retain your information.
  • Financial Services — Financial services is one of the largest and most regulated industries, and if a financial services firm is providing services to your organization, its activities directly impact your company’s financial position. Additionally, it is likely processing transactions and storing sensitive data. While a SOC 1 report would likely be the most appropriate report, one might also request a SOC 2 report to assess the organization’s security or processing integrity.
  • Healthcare — Healthcare-related services involve the use of confidential and personally identifiable information. A single data breach within a healthcare service organization could have significant negative effects for the company and those using its services. Consequently, a SOC 2 report would help a user organization understand the controls in place to maintain the security and privacy of this sensitive information.
  • Information Technology — IT is a complex industry that continues to grow as more organizations use outsourced solutions. These service providers should implement strong internal controls to protect the confidentiality, integrity, and availability of their clients’ data and systems. As you might have guessed, a SOC 2 report would be an excellent way to evaluate the security within their control environment.
  • Payroll Processing — These service organizations process payroll and submit payments to employees and governmental entities. Payroll is typically a material account within a company’s financial statements. So, these organizations typically provide a SOC 1 report. However, you might also request a SOC 2 report in relation to the security and processing integrity of their system.

As a general rule, you should be asking a service provider for a SOC report if they transact on your behalf or process or store your organization’s data or your clients’ data.

What Kind of SOC Report Should You Ask For?

Now that you know that one of your service providers should be providing a SOC report, how do you determine which SOC report you should be asking for? As mentioned earlier, you could ask for a SOC 1 or a SOC 2 report for certain services. How do you decide, or do you ask for both?

I would recommend familiarizing yourself with what SOC 1 and SOC 2 reports consist of and the differences between them by reviewing our earlier posts on those subjects. If you are still not sure which SOC report you should be asking for, I would suggest that you request the same type of SOC report that you have to provide to your clients. So, if you provide a service that your clients believe has a material impact on their financial statements, they are requesting a SOC 1 report from you, and you should likely be requesting one from the service providers that support your system and client services. Similarly, if your clients are requesting a SOC 2 report from you, you should probably be requesting a SOC 2 report from your service providers.

How Do You Ask for a SOC Report?

The only way to really have assurance that you can get a SOC report from a service provider is to include it in your contract or agreement. You should have a clause in service agreements that requires them to provide you with the appropriate SOC report on an annual basis. If you have specific requirements that you would like included, be sure to clearly articulate them in that clause. For example, some common items that you may want to explicitly state:

  • Can they provide a type I or type II report the first year?
  • If requiring a SOC 1 report, what control objectives need to be covered?
  • If requiring a SOC 2 report, which trust services criteria (security, availability, processing integrity, confidentiality, privacy) need to be covered?
  • When is the first report to be delivered?

These may seem like little details, but, if they are not clearly stated in an agreement, they are subject to interpretation.

If you have an agreement with this clause in place, you simply ask for the report and point to the agreement if there is any resistance. You should still ask even if you do not have a clause in your agreement. However, the organization may not have one or may be unwilling to share it.

When Should You Ask for a SOC Report?

You should ask for a SOC report when evaluating organizations to provide services to your company. If they have a SOC report, they are typically happy to share it in order to win your business. If they do not have one, you should ask whether or not they are willing to get one and when that would be available. Either way, if you need one, be sure to include the requirement for an annual SOC report in the agreement.

A consideration regarding timing is that it will take time for an organization to get its first SOC report. Depending on whether you want a type I or type II SOC report, agreements typically allow between 6 and 18 months from signing for a service provider to deliver its first report.

Another item related to timing that should be considered is the period end date for a SOC report. While the period and timing of a SOC 2 report are not tied to your fiscal year, it is best if a SOC 1 report’s period ends close to the end of your fiscal year. This is because a SOC 1 report will be used by your financial auditors in their assessment of controls over financial reporting. If there is a gap between the end of the report’s period and your fiscal year-end, your auditors will want a bridge letter from the service organization covering that gap. Auditors will typically want the SOC 1 report to cover a minimum of six months of your fiscal year before they will rely on it for a financial audit.

Another thing to keep in mind is that you will need to have the report before your financial audit is completed, which can be as little as 45 days after the end of your fiscal year. So, make sure that you will be able to get the report with some time to spare. You should plan on it taking at least a month after the end of the period being assessed to get the report in your hands. It can take longer for the Big Four firms; I have seen a Big Four firm take up to six months to issue a report (this is uncommon). So, if you can specify the timing, you may want to ask that they provide SOC 1 reports before your fiscal year-end. For example, if you have a December 31st fiscal year-end, you may want to request a period ending September 30th or October 31st, which covers the majority of your year (9 to 10 months) while allowing a little time for the report to be prepared and delivered.

Most service providers have many clients using their services, so it is unlikely that they will be able to shift the timing of their report. It is still a good thing to ask about and understand when going into an agreement with a subservice provider.

How Do You Review a SOC Report?

What do you do now that you have the SOC reports from your service providers? You review them. This should be an annual process. Please read our post on SOC Review Guidance for details of what to look for when you review SOC 1 or SOC 2 reports.

Summary

Organizations often overlook service providers when assessing their businesses’ risks and control environment. As a user organization, you should request SOC reports from your service providers. A SOC report can help you to understand how services are being provided, identify any risk/control gaps at the service organization, and implement the necessary compensating controls to mitigate the residual risks to you and your clients.

If you are seeking assistance regarding an upcoming attestation engagement, or would like to learn more about the audit services provided by Linford & Co, please contact our team of external auditors.

This article was originally published on 5/23/2017 and was updated on 12/14/2021.

2 thoughts on “Are You Asking for a SOC Report? Do You Need One? When It’s Required”

  1. Hi. In the beginning of the article, there’s a good list of questions and most are answered within the article except the last one – what to do if there’s no SOC 1 report. That’s kinda what I’m looking for today.

  2. If a service provider does not have a SOC 1 report, all is not lost. However, you will likely spend more time and effort to understand the service provider’s control environment and to determine if adequate controls are in place within the service provider’s and your own environments to mitigate those risks to your organization’s ability to meet its service commitments and system requirements.

    If you have not already, you should review your service agreement with the provider. Does it include a requirement that the service provider obtain a SOC report or grant you the right to audit? If you do not have these requirements in your current service agreement, you should ask for the former to be included in any future agreements. If either or both of these are present, then you should bring this to your service provider’s attention and discuss how and when they intend to fulfill these obligations.

    If you are unable to get a SOC report or to audit the service provider and you still need to get comfort, you may perform other procedures to get comfortable about their environment. If you are doing it for yourself, then you can determine what is enough. However, if you are doing this for your own auditors, you should visit with your auditors to understand if they have specific concerns, explain the situation, and determine what actions would be adequate to get them comfortable (e.g., ISO 27001 Certification, inquire of service provider management about controls, operational or service level activity reports, whitepaper describing its control activities or security, attack penetration report, etc.).

    There isn’t a set list because there is some variability and subjectivity due to the nature of the services being provided, the impact of the service provider on your operations, and the auditor’s opinion.
