Does anxiety and panic set in when a client or prospect asks if you have a Systems and Organization Controls (SOC) report? Could you be in jeopardy of losing a current client or missing out on a new opportunity or prospective client? Have you even thought about whether it is practical for your organization to have a SOC examination conducted?
SOC report requests have become a common practice, and even a requirement in some cases, in today’s world, due in part to corporate compliance mandates, client auditor requests, and the need to provide assurance to the entities you do business with that your internal controls are sufficient and reliable. If your organization processes transactions on behalf of your client, provides a service that affects your client’s financial statements, provides a service that affects the compliance and operational controls of your clients, or is responsible for ensuring the security of client’s sensitive data, then your organization would benefit from engaging a CPA firm to perform a SOC examination.
When a client or prospective client asks your organization to provide a SOC report and you have determined your organization would benefit from having a SOC report, you should consider the following items in order to choose the most appropriate SOC report for your organization:
- Determine the services that should be included in your SOC report.
- A SOC report can be intended for your clients in general and include the overall services you are providing or be tailored for a specific requestor and specific services you provide.
- Determine the type of SOC report.
- A SOC 1 examination is intended to provide a report on the controls of a service organization that are relevant to the user entities’ financial reporting. The user entities are concerned about accuracy of their financial data and information technology general controls. Typical user entities include financial statement auditors, compliance personnel, and financial management personnel. A SOC 1 report is a restricted use report.
- A SOC 2 examination is intended to provide a report on the effectiveness of the controls at a service organization related to selected trust services categories (security, availability, processing integrity, confidentiality and privacy). The user entities are concerned with the governance, and operational and information technology general controls that pertain to one or more of the trust service categories. Typical users of the report include IT executives, compliance officers, regulators, security officers and appropriate business partners. A SOC 2 is a restricted use report.
- A SOC 2+ examination is the same as a SOC 2 but with additional suitable criteria such as HITRUST and HIPAA added into as part of the examination.
- A SOC 3 examination is intended to provide the same report as a SOC 2, but with fewer details of the service organization processes and controls in the actual report. A SOC 3 report is a general use report and can be posted on your website for distribution to prospective clients.
- A SOC for Cybersecurity examination is intended to provide a report on an organization’s enterprise-wide cybersecurity risk management program, including effective processes and controls in place to detect, respond to, mitigate and recover from breaches and other security events. The SOC for Cybersecurity is not limited to service organizations alone. Typical users of the report include board of directors, senior management, investors and business partners. A SOC for Cybersecurity report is a general use report, but can be restricted to specific users, if necessary.
- Determine if the SOC report should be at a point in time or cover a period of time.
- A Type I report is as of a point in time and is intended to determine if the controls stated in the description are suitably designed.
- A Type II report covers a period in time and is intended to determine if the controls stated in the description are suitably designed and operating effectively.
Note: SOC 1, SOC 2, and SOC 3 can be either a Type I or Type II report.
- Determine when your customers are requiring the SOC report to be provided to them.
- Timing of the CPAs’ field work is important in order to have the SOC report available to the customer when requested. Whether you are having a Type I report, which requires less lead in time and field work, or a Type II report, which requires more lead in time and field work, it is critical to have an established plan in order to meet customer requested delivery dates.
Let our experienced professionals lead the appropriate discussions with your organization and with the requesting parties to gain insight on the reason the SOC report is being requested, the value of SOC reports, and the type of SOC report that benefits all parties.
For more information regarding SOC reports, please visit Schneider Downs' website, review our Frequently Asked Questions about SOC Reports and read our Our Thoughts On articles that are published by our Risk Advisory professionals.