Why Should You Request a SOC Report from Your Vendors?

Management Bears Responsibility for Minimizing Risk

The importance of vendor management continues to grow, especially given the rise in outsourcing tasks or entire functions of an organization to a service provider.  Many companies function more effectively and profitably by outsourcing tasks like data backups, cloud computing, network monitoring, telecommunications platforms, application development, managed security, bill processing, receivables collections, payroll services, and many more new services every day. 

However, practicing this breadth of outsourcing exposes your organization to risk and underscores the need for effective vendor due diligence.  Experience has shown that simple questionnaires and contractual clauses are not sufficient for critical vendors – businesses need to obtain an Independent System and Organization Controls (SOC) report. 

The American Institute of Certified Public Accountants states the following:

“Management of a user entity is responsible for assessing and addressing risks faced by the user entity related to financial reporting, compliance with laws and regulations, and the efficiency and effectiveness of operations.  When a user entity engages a service organization to perform key processes or functions, the entity exposes itself to additional risks related to the service organization’s system.  Although management of a user entity can delegate tasks or functions to a service organization, the responsibility for the service provided to customers of the use entity cannot be delegated.  Management of the user entity is usually held responsible those charged with governance (for example, the board of directors); customers’ shareholders’ regulators’ and other affected parties for establishing effective internal control over outsourced functions.” 

The SOC report that is provided to the service organization by an independent auditor is intended to provide the service organization’s customers and their auditors assurance on the internal controls over financial reporting, controls relevant to Security, Availability, Processing Integrity, Confidentiality, and Privacy, and/or controls relevant to an entity’s cybersecurity risk management program. 

Understand SOC Reports

There are currently four different reporting options that a vendor may choose to provide assurance over their internal control structure. 

  • SOC 1 – It is designed for financial transaction processing.  It is primarily used to validate controls over the completeness and accuracy of monetary transactions and financial statement reporting.  Service organizations specify their own control objectives and control activities. 
    • Type 1 – reports on the fairness of presentation of the system and the design of the system of controls at a specific point in time.
    • Type 2 – reports on the fairness of presentation of the system, the design of the system of controls, and the operating effectiveness of the controls over a period of time.
  • SOC 2 – It is designed to provide assurance over controls relevant to security, processing integrity, availability, confidentiality, and/or privacy of systems and the data the systems store or process.  Service organizations are held to a standardized set of control criteria for each of the principles covered in their report.  These reports can play an important role in oversight of the organization, corporate governance, risk management processes, and regulatory matters. 
    • Type 1 – reports on the fairness of presentation of the system and the design of the system of controls at a specific point in time.
    • Type 2 – reports on the fairness of presentation of the system, the design of the system of controls, and the operating effectiveness of the controls over a period of time.
  • SOC 3 – This report covers the same testing procedures and requirements as a SOC 2 engagement, but the report omits the detailed test results and the description of the system and is intended for general audiences and public distribution.
  • SOC for Cybersecurity – This report is designed to provide assurance about the effectiveness of the controls over a service organization’s cybersecurity risk management program.  An effective cybersecurity risk management program provides reasonable assurance that material breaches are prevented or detected, and mitigated in a timely manner.

Pressure your Vendors

Some vendors don’t obtain a SOC report for their system at all.  This is a serious risk that you need to consider during any vendor due diligence analysis.  Strictly speaking, there’s no requirement for any vendor to obtain a SOC report.  The requirements for a SOC report needs to come directly from the vendors’ clients and prospects, so be sure to inform the vendor of your due diligence criteria and requirements.  Many vendors that are new to the industry might not know about the existence of the SOC reports until their customers start to levy pressure on them. 

Ask for the right Reports

The SOC 1 report is more beneficial for evaluating the effects of controls over financial reporting.  If you’re more concerned with system security or availability rather than financial transaction processing, request a SOC 2 or SOC 3 report.  These reports hold service organizations to a more rigorous standard in terms of security controls and are guaranteed to include testing of all relevant controls criteria because vendors can’t’ define their own control objectives. 

Some organizations obtain both a SOC 1 and a SOC 2 depending on the types of services they offer to specific clients, so make sure you request the report that is most appropriate for your institution’s risks. 

It is the user organization’s responsibly to request, obtain, and review the SOC reports of its service provides and validate that the reports address the appropriate services received.  A user organization is placing itself in a position of undo risk if it is not proactively monitoring its vendors and requesting a SOC report from its service providers. 

If you have any questions about which report you should request from your vendors, please do not hesitate to contact Debbie McGlaun at 404-874-6244 or email us.  If you vendor cannot provide a SOC report, please consider referring them to Smith & Howard by contacting us.  We would be happy to provide additional information or advice on the use of these reports. 

Questions? Contact Us