
Why Should Your Service Organization Provide a SOC Report to Customers?

by: Smith and Howard

January 23, 2018


As an outsourced vendor of tasks for businesses, you may be asked to provide your customer with reliable documentation that your systems and procedures are structured in a way that significantly minimizes their risks. Businesses that most often are asked to provide this documentation are those that provide services such as:

  • data backups
  • cloud computing
  • network monitoring
  • telecommunications platforms
  • application development
  • managed security
  • bill processing
  • receivables collections
  • payroll services

Experience has shown that simple questionnaires and contractual clauses are not sufficient for businesses to rely on. The American Institute of Certified Public Accountants stresses this to business owners by stating, “Although management of a user entity can delegate tasks or functions to a service organization, the responsibility for the service provided to customers of the user entity cannot be delegated. Management of a user entity is usually held responsible by those charged with governance (for example, the board of directors); customers; shareholders; regulators; and other affected parties for establishing effective internal control over outsourced functions.”

The solution? Businesses seek to obtain an Independent System and Organization Controls (SOC) report from their vendors – in this case, you.

Understand SOC Reports

There are currently four different reporting options that you, as a vendor, may choose from to provide assurance over your internal control structure.

SOC 1: Designed for financial transaction processing.  It is primarily used to validate controls over the completeness and accuracy of monetary transactions and financial statement reporting.  Service organizations specify their own control objectives and control activities.

  • Type 1 – reports on the fairness of presentation of the system and the design of the system of controls at a specific point in time.
  • Type 2 – reports on the fairness of presentation of the system, the design of the system of controls, and the operating effectiveness of the controls over a period of time.

SOC 2: Designed to provide assurance over controls relevant to security, processing integrity, availability, confidentiality, and/or privacy of systems and the data the systems store or process.  Service organizations are held to a standardized set of control criteria for each of the principles covered in their report.  These reports can play an important role in oversight of the organization, corporate governance, risk management processes, and regulatory matters.

  • Type 1 – reports on the fairness of presentation of the system and the design of the system of controls at a specific point in time.
  • Type 2 – reports on the fairness of presentation of the system, the design of the system of controls, and the operating effectiveness of the controls over a period of time.

SOC 3: This report covers the same testing procedures and requirements as a SOC 2 engagement, but the report omits the detailed test results and the description of the system and is intended for general audiences and public distribution.

SOC for Cybersecurity: This report is designed to provide assurance about the effectiveness of the controls over a service organization’s cybersecurity risk management program.  An effective cybersecurity risk management program provides reasonable assurance that material breaches are prevented or detected, and mitigated in a timely manner.

The Pressure to Obtain SOC Reports

Business owners incur serious risk if they choose to work with vendors that do not obtain a SOC report at all. Strictly speaking, there’s no requirement for any vendor to obtain a SOC report; however, business owners increasingly ask about it during the due diligence process of vendor selection. Many vendors that are new to the industry may not know that SOC reports exist until their customers start to put pressure on them.

Which is the Right SOC Report for Your Business?

The SOC 1 report is more beneficial for evaluating the effects of controls over financial reporting.  If the business owner is more concerned with system security or availability rather than financial transaction processing, they may request a SOC 2 or SOC 3 report.  These reports hold service organizations to a more rigorous standard in terms of security controls and are guaranteed to include testing of all relevant controls criteria because vendors can’t define their own control objectives.

Some organizations may need to obtain both a SOC 1 and a SOC 2; it depends on the types of services they offer to specific clients.

It is the user organization’s responsibility to request, obtain, and review the SOC reports of its service providers and validate that the reports address the appropriate services received.

If you have any questions about whether you should obtain a SOC Report or which report you should obtain, please do not hesitate to contact a member of our SOC team at 404-874-6244. You may also complete the contact form below.

 
