More and more business leaders are recognizing the value of a System and Organization Controls (SOC) report, whether by obtaining one for their own organization or by requesting reports from outsourced service providers. A SOC report can play many roles: the assessment behind it evaluates the quality of the processes an organization has designed to prevent, detect and/or correct misstatements. Making a SOC report available shows that an organization is a step ahead of its peers, and it can reduce audit requirements, fulfill contract obligations, support regulatory compliance and indirectly boost sales and competitiveness.
But what is a SOC report, exactly? If you’ve heard the buzz but haven’t yet explored the topic in depth, here are 10 key facts about SOC reporting to help you understand this important assurance tool.
- A SOC assessment is a type of audit (formally, an attestation examination). SOC assessments focus on the controls in place to ensure the security of the systems and data that support a particular service. The auditor examines evidence of control operation that the organization retains and provides. When the examination is complete, the auditor issues a report that describes the controls and gives an opinion on their effectiveness.
- Licensed CPA firms are the only authorized providers of SOC assessments. The American Institute of Certified Public Accountants (AICPA) designed SOC reporting methodology as a valuable assurance standard for organizations, as well as those who depend on their services. As such, it makes sense that SOC reports can only be created by licensed CPA firms, which must undergo periodic inspections and peer reviews to ensure quality standards for the audits they perform.
- The service auditor must be independent. The firm performing the SOC assessment cannot also perform or manage any of the controls in the area being audited, since it would then be auditing its own work. The auditing firm can, however, provide consulting in unrelated areas, and it is acceptable for it to provide other independent services to the company being audited.
- There are primarily two types of SOC reports (plus a special third option, SOC 3, covered in the last item below), and their subject matter differs. SOC 1 reports focus on the processes and controls at a service organization that are relevant to its clients' financial reporting, that is, anything that feeds the contents of a client's financial statements: income statement, balance sheet, statement of cash flows, financial statement notes and similar data.
SOC 2 reports focus on the security of the systems that process, transmit and store data, measured against the AICPA Trust Services Criteria. Security is the required baseline; depending on the service under audit, a SOC 2 report may also cover one or more of the other four criteria: availability, processing integrity, confidentiality and privacy.
- The service you provide for your clients dictates the type of report you need. The nature of each service governs the control environment and therefore the appropriate SOC report. Organizations that process or report information representing a material dollar amount on their clients' financial statements should obtain a SOC 1 report. For organizations that maintain, process or transmit data on their clients' behalf, a SOC 2 is usually the more appropriate assessment. Take the short quiz at the bottom of this page to gauge your need for a SOC report.
- A SOC report is valuable for many types of organizations, though only some industries require it. Lightly regulated industries rarely require companies to provide SOC reports to clients or to obtain them from service providers. Organizations in these industries can still benefit from undergoing a SOC assessment and sharing the report with clients, or from requesting SOC reports from their own service providers as part of vendor due diligence. In more highly regulated industries, such as banking and finance, SOC reports are often required for consumer protection.
- SOC reports can cover a period of time or a fixed point in time. A Type 1 report covers the design and implementation of controls as of a specific date; the auditor confirms each control exists and has been placed in operation, typically by examining a single instance. A Type 2 report adds operating effectiveness, gauging the control environment over a period of time by testing a sample of control occurrences throughout the period under audit. Only a Type 2 report tells a reader whether controls actually operated consistently.
- For a Type 2 report, the period under audit can vary in length based on your needs (or your client's). Each type of SOC assessment has its own minimum period: for SOC 1 the minimum is six months, while SOC 2 requires at least two months. Reporting periods can start or end at any time during the year. Learn your clients' reporting requirements before setting the period, so that the SOC report meets their regulatory or internal needs.
- If a client needs a full year of coverage, the reporting period can still be shorter. Auditors test a partial-year period, and management then issues a gap letter (also called a bridge letter) to bridge the interval between the end of the reporting period and the end of the calendar or fiscal year, often referred to as the stub period. The gap letter is written by management, not the auditor; it states whether controls have changed during the stub period and generally covers a maximum of three months.
- SOC reports are generally not for public distribution. Companies should provide SOC 1 and SOC 2 reports only to clients that use the services covered by the reports, for example clients whose data the company processes or who rely on systems the audited company hosts, such as in a Software as a Service (SaaS) environment, because a SOC 2 report describes the system and its controls in detail that an attacker could misuse. SOC 3 reports, which can be issued alongside a SOC 2 report, are different: they omit the specific and sensitive information normally included in a SOC 2 report, so they can be reviewed publicly and used in marketing.
A SOC report can offer company leaders, as well as current and potential clients, an added level of assurance that your control environment is both well designed and effective. As a respected licensed CPA and advisory firm, RKL is a leader in providing SOC reports. Our Information Systems Assurance and Advisory team brings over 30 years of combined SOC experience across many industries.
We are happy to assist you with all your SOC reporting needs, whether you’re considering your first SOC report or seeking a new provider for your existing report. Use the contact form below or reach out to your RKL advisor to learn more about how our SOC reporting services can help your organization.