We often get questions about sharing SOC reports. The questions and answers below apply to SOC 1 and SOC 2 reports alike. Besides wondering why their user organizations (clients) want a SOC report, some of the most common questions we hear from service organizations that have obtained a SOC report include:
- Are SOC reports public documents?
- Do I have to share my SOC report?
- How do I prove my compliance if I cannot share my SOC report?
- Can I share my SOC report?
- Who can I share a SOC report with?
- Can I use my SOC report in marketing or post it on my website?
- How long is my SOC report valid?
- What can I do if there is a gap of time between my report period and when a client needs the SOC report?
Are SOC Reports Public Documents?
SOC 1 reports and SOC 2 reports are not public or general use documents; their distribution is restricted. A lot of people hear this and assume that it means an organization cannot share its report. That assumption is incorrect, as we discuss below.
Do I Have to Share My SOC Report?
Service organizations often ask our firm if they have to give out their SOC report to clients or prospective clients. The short answer is no. A SOC report belongs to the service organization, and it does not have to share the report with anyone. While there are some legitimate reasons for not sharing a SOC report, we find that most organizations benefit from sharing it with current or prospective clients, because many clients require a SOC report or a third-party certification before doing business, as assurance about the security of a service organization’s control environment.
How Do I Prove My Compliance if I Cannot Share My SOC Report?
It would be difficult to prove or evidence your achievement of the specified control objectives (for a SOC 1) or Trust Services Criteria (for a SOC 2) without being able to share your SOC report. If you could not share a SOC report, each client or their auditors would need to come in and assess your control environment for themselves. Fortunately, you can share your SOC reports with the appropriate entities. Read on for additional detail on exactly who you can share the report with.
Can I Share My SOC Report?
Yes, you can share your SOC reports with the entities specified in the report’s restricted use paragraph.
Who Can I Share a SOC Report With?
This is a common question. Many organizations decline client requests for a copy of their SOC report because they know it is not a general use document. While it is true that there is a restriction on the report’s distribution, it is not as limited as one might think.
The auditor’s report at the beginning of a report specifies what the limitations are. For illustrative purposes, the following is an example “Restricted Use” section of a SOC 2 report:
This report, including the description of tests of controls and results thereof in Section IV, is intended solely for the information and use of ABC Corporation, user entities of ABC Corporation’s system during some or all of the period July 1, 2018 to June 30, 2019, business partners of ABC Corporation subject to risks arising from interactions with the system, practitioners providing services to such user entities and business partners, prospective user entities and business partners, and regulators who have sufficient knowledge and understanding of the following:
- The nature of the service provided by the service organization.
- How the service organization’s system interacts with user entities, business partners, subservice organizations, and other parties.†
- Internal control and its limitations.†
- Complementary user entity controls and complementary subservice organization controls and how those controls interact with the controls at the service organization to achieve the service organization’s service commitments and system requirements.†
- User entity responsibilities and how they may affect the user entity’s ability to effectively use the service organization’s services.†
- The applicable trust services criteria.†
- The risks that may threaten the achievement of the service organization’s service commitments and system requirements and how controls address those risks.
This report is not intended to be, and should not be, used by anyone other than these specified parties.
What does that all mean? Essentially, it limits distribution of the report to your:
- User Entities—clients who used the system/services for part or all of the period.
- Business Partners—those with a business relationship with your organization who interact with the system or services without being users of them.
- Practitioners serving User Entities and Business Partners—this is a broad and vaguely defined group that typically creates some confusion. An organization is usually comfortable giving the report to a client, but hesitates when the client asks to pass it on to its auditors, who have asked for a SOC report. Those auditors are “practitioners providing services to such user entities” and are within the restricted use paragraph.
- Regulators—pretty self-explanatory.
Can I Use My SOC Report in Marketing or Post it on My Website?
While you are not allowed to post a SOC 1 or a SOC 2 report on a website or to use it in marketing materials, you may do so with a SOC 3 report. See another one of our posts for the detailed differences between SOC 2 and SOC 3 reports and how a SOC 3 report can be used.
How Long is My SOC Report Valid?
SOC reports are retrospective, or backward-looking. A report will therefore always be a valid assessment for the period it covers. However, what you probably want to know is, “How long will user entities accept a SOC report as evidence of your organization’s control environment?”
User entities will typically accept a SOC report for about a year after its issuance, meaning they will expect a new report on an annual basis. As 12 months is the typical report period, most clients will accept a report from the prior year on the assumption that another will be provided when available.
What Can I Do if There is a Gap of Time Between My Report Period and When a Client Needs the SOC Report?
The periods covered by SOC reports vary and often do not correspond with the user organization’s fiscal year-end. Testing often occurs in the quarter prior to the user organization’s calendar or fiscal year-end.
For example, suppose a SOC report has a period ending on September 30, but the user organization has a calendar year-end of December 31. In this case, there is a three-month gap between the end of the SOC examination period and the user entity’s year-end. You can prepare a bridge letter (a.k.a. gap letter) to bridge the “gap” between the service organization’s report period end and the user organization’s year-end. See our post on “gap/bridge letters” for more details.
We hope this post addressing some common questions has helped you better understand the key points about sharing SOC reports. If we can help your company with a SOC 1 or SOC 2 audit, please contact us.
† source: https://www.aicpa.org
Isaac Clarke is a partner at Linford & Co., LLP. He began his career with Ernst & Young in 2003 where he developed his audit expertise over a number of years. Isaac specializes in and has conducted numerous SOC 1 and SOC 2 examinations for a variety of companies—from startups to Fortune 100 companies. Isaac enjoys helping his clients understand and simplify their compliance activities. He is attentive to his clients’ needs and works meticulously to ensure that each examination and report meets professional standards.