Why Should You Request a SOC Report from Your Vendors?

The importance of vendor management continues to grow, especially given the rise in outsourcing tasks or entire functions of an organization to a service provider.  Many companies function more effectively and profitably by outsourcing tasks like data backups, cloud computing, network monitoring, telecommunications platforms, application development, managed security, bill processing, receivables collections, payroll services, and many more new services every day.

Practicing this breadth of outsourcing exposes your organization to risk and underscores the need for effective vendor due diligence.  Experience has shown that simple questionnaires and contractual clauses are not sufficient for critical vendors; businesses need to obtain an Independent System and Organization Controls (SOC) report.

The American Institute of Certified Public Accountants states the following:

“Management of a user entity is responsible for assessing and addressing risks faced by the user entity related to financial reporting, compliance with laws and regulations, and the efficiency and effectiveness of operations.  When a user entity engages a service organization to perform key processes or functions, the entity exposes itself to additional risks related to the service organization’s system.  Although management of a user entity can delegate tasks or functions to a service organization, the responsibility for the service provided to customers of the user entity cannot be delegated.  Management of the user entity is usually held responsible by those charged with governance (for example, the board of directors); customers’ shareholders’ regulators’ and other affected parties for establishing effective internal control over outsourced functions.”

The SOC report that is provided to the service organization by an independent auditor is intended to provide the service organization’s customers and their auditors assurance on the internal controls over financial reporting, controls relevant to Security, Availability, Processing Integrity, Confidentiality, and Privacy, and/or controls relevant to an entity’s cybersecurity risk management program.

Understand SOC Reports

There are currently four different reporting options that a vendor may choose to provide assurance over their internal control structure.

SOC 1

Designed for financial transaction processing.  Its primary use is to validate controls over the completeness and accuracy of monetary transactions and financial statement reporting.  Service organizations specify their own control objectives and control activities.

• Type 1 – reports on the fairness of presentation of the system and the design of the system of controls at a specific point in time.
• Type 2 – reports on the fairness of presentation of the system, the design of the system of controls, and the operating effectiveness of the controls over a period of time.

SOC 2

Designed to provide assurance over controls relevant to security, processing integrity, availability, confidentiality, and/or privacy of systems and the data the systems store or process.  Service organizations are held to a standardized set of control criteria for each of the principles covered in their report.  These reports can play an important role in oversight of the organization, corporate governance, risk management processes, and regulatory matters.

• Type 1 – reports on the fairness of presentation of the system and the design of the system of controls at a specific point in time.
• Type 2 – reports on the fairness of presentation of the system, the design of the system of controls, and the operating effectiveness of the controls over a period of time.

SOC 3

This report covers the same testing procedures and requirements as a SOC 2 engagement. However, the report omits the detailed test results and description of the system. It is also intended for general audiences and public distribution.

SOC for Cybersecurity

This report provides assurance about the effectiveness of the controls over a service organization’s cybersecurity risk management program.  An effective cybersecurity risk management program ensures that material breach are prevention or detection, and mitigation in a timely manner.

Pressure Your Vendors to Obtain a SOC report

Some vendors don’t obtain a SOC report for their system at all.  This is a serious risk that you need to consider during any vendor due diligence analysis.  Strictly speaking, there’s no requirement for any vendor to obtain a SOC report.  The requirements for a SOC report need to come directly from the vendors’ clients and prospects; so be sure to inform the vendor of your due diligence criteria and requirements.  New vendors to the industry might not know about SOC reports until their customers start to levy pressure on them.

Ask for the Right SOC Reports

The SOC 1 report is more beneficial for evaluating the effects of controls over financial reporting.  If your concern is with system security or availability rather than financial transaction processing, request a SOC 2 or SOC 3 report.  These reports hold service organizations to a more rigorous standard in terms of security controls. Additionally, they include testing of all relevant controls criteria because vendors can’t define their own control objectives.

Some organizations obtain both a SOC 1 and 2 depending on the types of services they provide specific clients. So, make sure you request the report that is most appropriate for your institution’s risks.

It is the user organization’s responsibility to request, obtain, and review the SOC reports; and validate that the reports address the appropriate services received.  A user organization is placing itself in a position of undue risk if it is not proactively monitoring its vendors and requesting a SOC report from its service providers.

Have any questions about which report you should request from your vendors? Reach out to a member of our SOC team at 404-874-6244. You can also contact us online.  If your vendor cannot provide a SOC report, please consider referring them to Smith and Howard.  We would be happy to provide additional information or advice on the use of these reports.