We often meet with executives of small and medium-sized companies who are debating whether or not they need a System and Organization Controls (SOC) report. The decision comes down to one simple question:
“Are your customers asking for a SOC report?”
If they are, you will need to get one or be prepared to lose their business. If they are not, you do not need one. It is that simple.
Ironically, in a day when service providers are outsourcing sourcing to other service providers, too many organizations are not asking another important question in relation to SOC reports:
“Should I be getting SOC reports from my service providers?”
A public company may not have to ask this question because their financial auditors will ask for a SOC 1 report when they deem outsourced processes to have a material impact on their financial statements. Large corporations with mature control environments and robust risk management programs ask for a SOC 2 report when they identify a service provider that handles or processes sensitive data that must be kept secure whether it resides in their environment or that of a service organization. However, too often, small or medium-sized businesses fail to ask their vendors for a SOC report because they simply do not know.
This post addresses the common “who, what, why, and when” questions that organizations ask (or should be asking) when considering whether or not they need a SOC report from a vendor or service provider. Some of these include:
- Are SOC reports required?
- What Companies are required to have a SOC report?
- Why do you need a SOC report from service providers?
- What service providers should I be asking for a SOC report?
- What kind of SOC report should I be asking for?
- Who has to have a SOC 1, 2, or 3 report?
- How do I ask for a SOC report?
- When should I request a SOC report?
- Who should review a SOC report?
- How do you read a SOC report?
- What if there is no SOC report?
Are SOC Reports Required?
The short answer is yes and no. No, SOC reports are not required by law; meaning that government laws and regulations do not require a business to obtain a SOC report to register the organization or operate the delivery of its system or services. However, some clients/customers may require a SOC report to be provided on an annual basis as a term or condition of doing business with them. So, while not required by law, a SOC report may be a requirement imposed by potential customers to engage with them.
In some cases, a SOC report may not even be a requirement of doing business for some organizations. However, if they will often see it as a differentiating factor when evaluating the services of two similar service providers. If they prioritize the protection of their client’s information, they will likely go with the provider who is willing to substantiate their claims of maintaining security by providing an annual SOC report.
Why Do You Need a SOC Report from Service Providers?
Some may say that smaller businesses do not need to get a SOC report because their auditors are not requiring it. Others excuse them because they do not have the resources (e.g., personnel, time, expertise, money) to assess the impact of service providers on their organization and clients. While the circumstances may be true, they only highlight the importance of a smaller organization getting a SOC report from their service providers.
A SOC report provides a user or client of the service organization with:
- A description of the service organization’s system used to provide its services
- An assertion from the service provider’s management regarding the:
- Fairness of the presentation of the system description
- Suitability of design (Type I) and operating effectiveness (Type II) of controls within the system
- A description of an independent auditor’s test procedures and results related to the controls described by management
- An independent auditor’s opinion regarding the:
- Fairness of the presentation of the system description
- Suitability of design (Type I) and operating effectiveness (Type II) of controls within the system
Receiving and reviewing a SOC report can help an organization identify risks that are not addressed by a service provider and the need to implement controls to mitigate those risks. Often service organizations will have these reports, but may not be providing a copy to a client because they have not requested it.
The American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements (SSAE) No. 18 (which replaced SSAE 16 as the standard for SOC 1 reporting on May 1, 2017) emphasizes the importance of service providers monitoring controls at subservice organizations. Check out our blog on the summary of changes caused by the implementation of SSAE 18.
What Service Providers Should You Ask for A SOC Report?
You may be thinking to yourself, “Okay. I understand that I should be asking for SOC reports, but which of my service providers should I be asking?”
That is a great question. The truth is there are probably more service providers that you should be requesting the report from than you may have thought. The following are some of the different types of service organizations and the types of SOC reports that you could/should be asking for a SOC report:
- Accounts Receivable and Collections Services — For most organizations, accounts receivable (A/R) is a material account, which would require a SOC 1 report. Subcontracting A/R and collections processing also involves sharing sensitive, personal information that requires a service organization to have controls in place to ensure the security, confidentiality, and integrity of the information during the receipt and collection processes. These areas can be addressed by a SOC 2 report.
- Colocation and Managed Services — These organizations may be a data center, infrastructure as a service, or cloud storage providers that maintain system availability, security, and data reliability to protect you and your clients from experiencing business interruptions, data breaches, or inaccurate processing. Many of these organizations will have both a SOC 1 and 2 report for their clients.
There are different types of service organizations that should be asking for a SOC report.
- Document Management — In most cases, document management SaaS or outsourcing includes storing sensitive or confidential information and records, both electronically or in hard-copy form. It would be appropriate to request a SOC 2 report to gain assurance that these service providers follow a controlled process and have a secure environment to properly store, maintain, and retain your information.
- Financial Services — Financial services may be one of the largest and most regulated industries. However, if they are providing services to your organization their activities directly impact the company’s financial position. Additionally, they are likely processing transactions and storing sensitive data. While a SOC 1 report would likely be the most appropriate report, one might also request a SOC 2 report to assess the organization’s security or processing integrity.
- Healthcare — Healthcare-related services involve the use of confidential and personally identifiable information. A single data breach within a healthcare service organization could have significant negative effects for the company and those using its services. Consequently, a SOC 2 report would help a user organization understand the controls in place to maintain the security and privacy of this sensitive information.
- Information Technology — IT is a complex industry that continues to grow as more organizations use outsourced solutions. These service providers should implement strong internal controls to protect the confidentiality, integrity, and availability of their clients’ data and systems. As you might have guessed, a SOC 2 report would be an excellent way to evaluate the security within their control environment.
- Payroll Processing — These service organizations process payroll and submit payments to employees and governmental entities. Payroll is typically a material account within a company’s financial statements. So, these organizations typically provide a SOC 1 report. However, you might also request a SOC 2 report in relation to the security and processing integrity of their system.
As a general rule, you should be asking a service provider for a SOC report if they transact on your behalf or process store your organization’s data or your clients’ data.
What Kind of SOC Report Should You Ask For?
Now that you know that one of your service providers should be providing a SOC report, how do you determine which SOC report you should be asking for? As mentioned earlier, you could ask for a SOC 1 or a SOC 2 report for certain services. How do you decide, or do you ask for both?
I would recommend familiarizing yourself with what SOC 1 and SOC 2 reports consist of and the differences between them by reviewing our earlier posts on those subjects. If you are still not sure which SOC report you should be asking for, I would suggest that you request the same type of SOC report that you have to provide to your clients. So, if you provide a service that your clients believe has a material impact on their financial statements, they are requesting a SOC 1 report from you and you should likely be requesting one of those service providers supporting your system and client services. Similarly, if your clients are requesting a SOC 2 you should probably be requesting a SOC 2 report from your services providers.
How Do You Ask for a SOC Report?
The only way to really have assurance that you can get a SOC report from a service provider is to include it in your contract or agreement. You should have a clause in service agreements that requires them to provide you with the appropriate SOC report on an annual basis. If you have specific requirements that you would like included, be sure to clearly articulate them in that clause. For example, some common items that you may want to explicitly state:
- Can they provide a type I or type II report the first year?
- If requiring a SOC 1 report, what control objectives need to be covered?
- If requiring a SOC 2 report, what criteria needs to be covered?
- When is the first report to be delivered?
These may seem like little details, but, if they are not clearly stated in an agreement, they are subject to interpretation.
If you have an agreement with this clause in place, you simply ask for the report and point to the agreement if there is any resistance. You should still ask even if you do not have a clause in your agreement. However, the organization may not have one or may be unwilling to share it.
When Should You Ask for a SOC Report?
You should ask for a SOC report when evaluating organizations to provide services to your company. If they have a SOC report, they are typically happy to share it in order to win your business. If they do not have one, you should ask whether or not they are willing to get one and when that would be available. Either way, if you need one, be sure to include the requirement for an annual SOC report in the agreement.
A consideration regarding the timing of a SOC report is that it will take time for an organization to get its first SOC report. Depending on whether you want a type I or type II SOC report, agreements will allow between 6-18 months from signing for a service provider to deliver its first report.
Another item related to timing that should be considered is the period end date for a SOC report. While the period and timing of a SOC 2 report is not tied to anything, it is best if a SOC 1 report’s period ends close to the end of your fiscal year. This is because a SOC 1 report will be used by financial auditors in their assessment of controls over financial reporting. If there is a gap between the coverage, your auditors will want a bridge letter. Auditors will typically want a minimum of six months coverage of your fiscal year to rely on the SOC 1 report for a financial audit.
Another thing to keep in mind is that you will need to have the report before the financial audit is completed—45 days after the end of their fiscal year. So, make sure that you will be able to get the report with some time to spare. You should plan on it taking at least a month after the end of their period being assessed to get the report in your hands. It can take longer for the big four firms. I have seen a big four firm take up to six months to issue a report (this is uncommon). So, if you can specify the timing, you may want to ask that they provide SOC 1 reports before your fiscal year-end. For example, if you have a December 31st year-end for your fiscal calendar, you may want to request that they have a period ending September 30th or October 31st to get the majority of time covered (9-10 months) while allowing for a little for the report to be prepared and delivered.
Most service providers have many clients using their services. So, it is unlikely that they will be able to shift the timing of their report, but it is good thing to ask and understand when going into an agreement with a subservice provider.
How Do You Review a SOC Report?
What do you do now that you have the SOC reports from your service providers? You review them. This should be an annual process. Please read our post on SOC Review Guidance for details of what to look for when you review SOC 1 or SOC 2 reports.
Summary
Organizations often overlook service providers when assessing their businesses’ risks and control environment. As a user organization, you should request SOC reports from your service providers. A SOC report can help you to understand how services are being provided, identify any risk/control gaps at the service organization, and implement the necessary compensating controls to mitigate the residual risks to you and your clients.
If you are seeking assistance regarding an upcoming attestation engagement, or would like to learn more about the audit services provided by Linford & Co, please contact our team of external auditors.
Related Blog Posts:
- 2022 Trust Services Criteria (TSCs) for SOC 2 Reports
- Monitoring the Effectiveness of Controls at Subservice Organizations for SOC Reports
- Leveraging the Google Cloud SOC 2: How to Build a SOC 2 Compliant SaaS
- Leveraging the AWS SOC 2: How to Build a SOC 2 Compliant SaaS
This article was originally published on 5/23/2017 and was updated on 12/14/2021.
Isaac Clarke is a partner at Linford & Co., LLP. He began his career with Ernst & Young in 2003 where he developed his audit expertise over a number of years. Isaac specializes in and has conducted numerous SOC 1 and SOC 2 examinations for a variety of companies—from startups to Fortune 100 companies. Isaac enjoys helping his clients understand and simplify their compliance activities. He is attentive to his clients’ needs and works meticulously to ensure that each examination and report meets professional standards.