Service organizations often ask our firm whether they have to give out their SOC 1 (formerly SSAE 16) or SOC 2 report to user organizations or prospective user organizations. The short answer is no; however, refusing is usually not the correct response to such requests, and the reasons for not sharing can be complicated. This blog post may help service organizations decide what to do.
- User Organizations (Clients) – When existing clients ask for the report that covers the services they receive from the service organization, every effort should be made to provide it. The report should be sent promptly, without delay, even if the opinion is qualified. Sometimes we are asked whether we can prepare an abstract of the report that can be shared in lieu of the actual report. The answer is no. The entire report is an auditor-to-auditor communication in the case of the SOC 1 and a management-to-management communication in the case of the SOC 2. All the information that should be communicated is within the report; anything less, such as an abstract, would omit potentially important information.
- Prospective User Organizations (Future Clients) – When prospects ask for the report, it is usually part of due diligence. In other words, the prospective client wants a degree of assurance that the report exists and that internal controls are in place at the service organization. This sounds reasonable, and it is. There are two response options for this sort of request: 1) ask the service auditor to prepare a single-page letter that simply states that the service organization has undergone an audit for the period(s) [state the periods], or 2) provide the prospect with an access letter [go here for an SSAE 16 access letter] and have the requestor return the signed letter to you, the service organization.