A SOC (System and Organization Controls) report is a report on controls at a service organization related to various types of subject matter, for example: controls that affect user entities’ financial reporting; controls that affect the security, availability, and processing integrity of the systems; or the confidentiality or privacy of the information processed for user entities’ clients. The content of the report will depend on the services being provided.
So how does a service organization know whether it needs one? And if it does, how does it know which report to get [SOC 1 (f. SSAE 16) vs. SOC 2 vs. SOC 3, or a combination]? We at Linford & Company often get this question from our customers and prospects. They wonder how long they can put it off, or whether having the report will provide a benefit that outweighs the cost. The following are a few points to consider if you are looking into investing in a SOC report:
- Are you providing a service for clients? SOC engagements and reports are completed for service organizations. If you are providing significant services to clients, chances are they would be interested in the controls you have in place to protect them. Examples of service organizations that typically receive SOC reports include, but are not limited to: data centers, software as a service organizations, claims processing centers, payroll companies, and real estate title and closing companies.
- Are your existing clients asking for a SOC report? Generally, if a client is asking for a SOC report, it is because their financial auditors have requested it: the auditors are looking for documentation of the controls you, as the service provider, have in place. Providing a SOC report shows what controls are in place and that an outside firm tested those controls. If a SOC report is not available to fulfill this request, the client could send in their own auditors to test the controls that are in place.
- When proposing work for new clients, are clients asking if you have a SOC report? At Linford & Company, we have heard from many new or prospective clients who think they would be eliminated from the pool of service provider prospects just because they do not have a SOC report. While having the examination completed and a report generated can take some time, Linford & Company can provide you with a letter stating that the engagement is in process once you engage our services.
- Do you want to have an edge over your competitors? If you are up against a competitor for a new client and only one of you has a SOC report, having a SOC report could give you the extra edge to win the work. Also, in industries where SOC reporting is just starting to gain traction, being one of the first to complete the examination and having a report to provide would be a definite advantage.
If any of these questions resonate, your organization probably needs a SOC report. So which one do you need?
We get clients and prospects asking us all the time how to determine what type of report they need. The first answer to that question is always: whatever report the service organization's clients are asking for. If they are not asking for a specific report, the information below may help determine which report is needed. A number of our clients need more than one report (e.g., both a SOC 1 and a SOC 2 report), which is sometimes the best answer.
SOC 1 (f. SSAE 16)
SOC 1 reports are specifically intended to meet the needs of the clients of a service organization (more specifically, the client's auditor/CPA). The client uses the report to evaluate the effect of the controls at the service organization on the client's own financial statements, and the client's auditor/CPA uses it to plan and perform the audit of those financial statements. These reports can be thought of as auditor-to-auditor reports.
SOC 2
SOC 2 reports meet the needs of clients of service organizations that need information and assurance about the controls at the service organization that affect the security, availability, and processing integrity of the systems the service organization uses to process users' data, and the confidentiality and privacy of the information processed by those systems. A report can include from one to all five of the Trust Services Principles (TSPs): Security, Availability, Processing Integrity, Confidentiality, and Privacy. Every report is required to include at least Security.
SOC 3
SOC 3 reports also use the Trust Services Principles, but they are intended for clients of service organizations who do not need the details of what was tested and how the testing was performed. SOC 3 reports are general-use reports and can therefore be freely distributed.
If there are any additional questions not answered above, Linford & Company would be happy to talk to you about SOC report options and what is right for your organization.