How and Why to Request a SOC Report from Your Vendors

The importance of vendor management continues to grow; especially given the rise in outsourcing tasks or entire functions of an organization to a service provider. Many companies function more effectively and profitably by outsourcing tasks like data backups, cloud computing, telecommunications platforms, application development, managed security, bill processing, and many more services daily.

However, practicing this breadth of outsourcing exposes your organization to risk and underscores the need for effective vendor due diligence. Experience has shown that simple questionnaires and contractual clauses are not sufficient for critical vendors; businesses need to obtain an independent Service Organization Controls (SOC) report.

The American Institute of Certified Public Accountants states the following in its SOC Quick Reference Guide:

“Management of a user entity is responsible for assessing and addressing risks faced by the user entity related to financial reporting, compliance with laws and regulations, and the efficiency and effectiveness of operations. When a user entity engages a service organization to perform key processes or functions, the entity exposes itself to additional risks related to the service organization’s system. Although management of a user entity can delegate tasks or functions to a service organization, the responsibility for the service provided to customers of the user entity cannot be delegated. Management of the user entity is usually held responsible by those charged with governance (for example, the board of directors); customers; shareholders; regulators; and other affected parties for establishing effective internal control over outsourced functions.”

The SOC report that is provided to the service organization by an independent auditor intends to provide the service organization’s customers and their auditors assurance on the internal controls over financial reporting over the outsourced services.

Understand SOC Reports

There are three different standards for SOC reports that a vendor may offer:

• SOC 1 also known as a SSAE No. 16, is designed for financial transaction processing. Its primary use is to validate controls over the completeness and accuracy of monetary transactions and financial statement reporting. Service organizations specify their own control objectives and control activities.
• SOC 2 is designed to certify the security, processing integrity, availability, confidentiality, and/or privacy of hosted systems and the data they store or process. Service organizations are held to a standardized set of controls criteria for each of the principles covered in their report.  These reports can play an important role in:
  • Oversight of the organization
  • Vendor management programs
  • Internal corporate governance and risk management processes
  • Regulatory oversight

• SOC 3 report covers the same testing procedures as a SOC 2 report. However, this report omits test result details with the intension of general public distribution.

Additionally, you can produce each of the SOC reports as either a Type I (point-in-time) or Type II (period of time) report. Type II reports are more valuable, since they validate the operating effectiveness of controls throughout the year.

Pressure Your Vendors

Some vendors don’t offer a SOC report at all. This is a serious risk that you need to consider during any vendor due diligence analysis. Strictly speaking, there’s no requirement for any vendor to produce a SOC report. The requirement for a SOC report needs to come directly from vendors’ clients and prospects; be sure to inform the vendor of your due diligence criteria. Many vendors that are new to the industry might not know about the existence of the SOC reports until their customers start to levy pressure on them.

Ask for the Right Report

The SOC 1 report is more beneficial for evaluating the effects of the controls over financial reporting.  If you’re more concerned with system security or availability rather than financial transaction processing, request a SOC 2 or SOC 3 report. These reports hold service organizations to a more rigorous standard in terms of security controls. Additionally, they guarantee testing of all relevant controls criteria because vendors can’t define their own control objectives.
Some organizations produce both a SOC 1 and a SOC 2 report depending on the types of services they offer to specific clients, so make sure you request the report that is most appropriate for your institution’s risks.

It is the user organization’s responsibility to request, obtain and review the SOC reports of the its service organizations and validate that the reports address the appropriate services received.  A user organization is placing itself in a position of undo risk if it is not proactively monitoring its vendors and requesting a SOC report from its service providers.

Have questions about which report you should request from your vendors? Contact our SOC team at 404-874-6244 or contact us online. If your vendor cannot provide a SOC report, please consider referring them to Smith & Howard by contacting us. We would be happy to provide additional information or advice on the use of these reports.