Updated: Do Printers/Printing Companies Require a SOC (System and Organization Control) Report?

The answer to this question is clearly based upon the level of risk that the printing company represents to its clients.  To answer this question, one must first gain an understanding of the services provided by printing vendors, sensitivity of the data shared with the printing company, the risk to the user organization should the printer experience a data loss and the expected level of security that is required to minimize the identified risk.


The primary service provided by printing companies is commercial printing (i.e., financial statements, event tickets, direct mailers, coupons, posters, labels, schedules, tourist guides, maps, rack literature, postcards) and digital printing of electronic marketing materials.  Printing companies also provide sophisticated data management to personalize content and develop target demographics to better focus marketing campaigns on the right audiences.  Many printing companies also provide order fulfillment services.

Data and Risk

Depending on the type of service provided by the printing vendor, the data being handled can span from names and addresses in mailing lists to social security numbers, bank account numbers, financial data, health information or payroll information.  Some of this data is highly sensitive and could be used to commit identity theft, resulting in material impact to individuals, which could be considered a required reportable event under most state information breach laws and result in substantial cost to the user organization.  Printing vendors are almost always provided mailing lists from user organizations.  At first glance, this may not seem to be sensitive, but if you consider that a mailing list is a record of an organization’s customers, most organizations would view this information as a valuable asset that needs to be protected against leakage or unauthorized disclosure to competitors.  In addition, the mailing lists could be focused on a group’s specific characteristics, such as high-net-worth individuals, that if disclosed, would result in a high level of dissatisfaction of the user organization’s clients.  Clearly, substantial risk could exist on behalf of the user organization should the printing vendor experience a data breach or mishandle its customer data.   In addition to the data risk that exists, printing companies that provide fulfillment services also have risk from shrinkage due to theft of merchandise or duplication of event tickets.

Industry Requirements

A significant increase in third-party management and regulatory requirements has occurred for a number of industries.  In particular, regulators are placing increased pressure on financial institutions to assess the security and controls of third-party vendors, evaluate data protection practices and understand the risk of their business partners. Healthcare organizations have adopted policies that require all third parties to demonstrate HITRUST compliance. Organizations migrating to a cloud environment have also raised the awareness of the need to evaluate data-protection capabilities of all business partners with which they share information.

Should a printing company have a SOC report?  Clearly, there is considerable risk associated with many of the data-fueled services provided by printing companies that would warrant a SOC report.  While a SOC report is not a requirement of the industry, the report would demonstrate to the user organizations that the level of security providing protection of data and merchandise is a major objective and is taken seriously by senior management of the organization.  A SOC report would also provide a distinct competitive and marketing advantage to the printing company, providing an authoritative and respected method to communicate and demonstrate to the marketplace that protection of client information is as valuable as the quality of the service that it provides.

Do you think your organization could benefit from a SOC Report?  Visit our Service Organization Control page or contact one of our professionals to discuss your need.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2021 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on
What Evidence Is Requested During SOC 2 Audits?
Do I Need a SOC 2 Type 1 Before a SOC 2 Type 2?
Why Do CPA Firms Perform SOC 2 Audits?
Register to receive our weekly newsletter with our most recent columns and insights.
Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us
contact us

This site uses cookies to ensure that we give you the best user experience. Cookies assist in navigation, analyzing traffic and in our marketing efforts as described in our Privacy Policy.