A SOC (Service Organization Control) report is a report on controls at a service organization related to various types of subject matter, for example: controls that affect user entities’ financial reporting; controls that affect the security, availability, and processing integrity of the systems; or the confidentiality or privacy of the information processed for user entities’ clients. The content of the report will depend on the services being provided.
So how does a service organization know if they need one? And if they do, how do they know which report to get [SOC 1 (formerly SSAE 16) vs. SOC 2 vs. SOC 3, or a combination]? We at Linford & Company often get this question from our customers and prospects. They wonder how long they can put it off, or if having the report will provide them some benefit that will outweigh the cost. The following are a few points to consider if you are looking into investing in a SOC report:
- Are you providing a service for clients? SOC engagements and reports are completed for service organizations. If you are providing significant services to clients, chances are they would be interested in the controls you have in place to protect them. Examples of service organizations that typically receive SOC reports include, but are not limited to: data centers, software-as-a-service organizations, claims processing centers, payroll companies, and real estate title and closing companies.
- Are your existing clients asking for a SOC report? Generally, if a client is asking for a SOC report, it is because their financial auditors have requested it. This is because they are looking for documentation around the controls you, as the service provider, have in place. Providing a SOC report shows what controls are in place and that an outside firm tested those controls. If a SOC report is not available to fulfill this request, there is a possibility that the client could send in their own auditors to test the controls that are in place.
- When proposing on work for new clients, are clients asking if you have a SOC report? At Linford & Company, we have heard from many new or prospective clients who think they would be eliminated from the pool of service provider prospects just because they do not have a SOC report. While having the examination completed and a report generated can take some time, Linford & Company can provide you with a letter stating the engagement is in process once you engage our services.
- Do you want to have an edge over your competitors? If you are up against a competitor for a new client and only one of you has a SOC report, having a SOC report could give you the extra edge to win the work. Also, in industries where SOC reporting is just starting to gain traction, being one of the first to complete the examination and having a report to provide would be a definite advantage.
If any of these questions resonate, Linford & Company would be happy to talk to you about SOC report options. Additionally, check back for future blog posts on the types of SOC reports and who needs them.
Nicole Hemmer started her career in 2000. She is the co-founder of Linford & Co., LLP. Prior to Linford & Co., Nicole worked for Ernst & Young in Indianapolis, Chicago, and Denver. She specializes in SOC examinations and royalty audits and loves the travel and challenge that comes with clients across all industries. Nicole loves working with her clients to help them through examinations for the first time and then working together closely after that to have successful audits.