Do Managed Service Providers Need a SOC Report?

A Managed Service Provider (MSP) is a company that performs an assortment of IT services for customers, often for small to moderately sized businesses with limited in-house IT capabilities. Services provided by an MSP can vary and may include technical support, which keeps a customer’s infrastructure up and running, and security services like managing firewalls, antivirus and patching solutions. MSPs can also help customers recover from a security breach.

So should MSPs have a SOC report? While there are no established requirements to do so, it may in fact be beneficial. A SOC 2 report, for instance, would demonstrate that an MSP has appropriate controls in place relevant to the services provided to customers based on the applicable trust services criteria. That could provide a competitive advantage in the marketplace, since obtaining a SOC report makes a strong statement about the MSP’s principal service commitments and system requirements. Plus, providing the report may render customer onsite visits or periodic assessments unnecessary.

Here are a few example controls that would be expected to be in place at an MSP (this is not an all-inclusive or exhaustive list):

  • The Network Monitoring Center monitors alerts on a 24/7 basis
  • Access to client information is permitted only via multifactor authentication
  • The MSP can access client systems only through a VPN or other encrypted means
  • Monitoring tools (such as a SIEM) monitor the MSP and customer systems to automatically detect threats
  • Change requests from clients are evaluated to determine requirements and the potential effect
  • Client approval is required for all changes prior to commencement of changes
  • For clients where the MSP monitors the status of backup jobs, tickets are created and attempts are made to correct any detected backup failures
  • When needed, the MSP communicates backup failures to the client

Customers rely on their MSP to protect data and answer questions regarding IT issues. By obtaining a SOC 2 report, MSPs can alleviate many customers concerns and demonstrate their commitment to implementing and maintaining strong controls.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2023 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on
What are the OCC’s Key Areas of Focus for Fiscal Year 2024?
20 Pre-Contract Questions To Ask Your Next SOC 2 Audit Firm
Deutsche Bank Fined $186 Million For Insufficient Anti-Money Laundering Controls
ESG and Internal Audit: Board and Audit Committee Considerations
ESG and Internal Audit
The Latest on the Department of Defense CMMC Certification Levels and Timeline
Register to receive our weekly newsletter with our most recent columns and insights.
Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us
contact us

This site uses cookies to ensure that we give you the best user experience. Cookies assist in navigation, analyzing traffic and in our marketing efforts as described in our Privacy Policy.