For organizations unfamiliar with a System and Organization Control (SOC) report, a customer's request for one can be perplexing. First, it is important to understand what a SOC report is and why your customer may be asking for one. A SOC report provides insight into the security and business functions of outsourced services. Your customer may be asking for this information as part of their annual vendor due diligence program, or to address a security or internal control concern within their own business.
Find out if a SOC report applies to your services
The next big question is whether a SOC report applies to your organization and services provided. Typically, if your company is holding, processing or handling client data, then the answer will start leaning toward yes. Take the quiz located on our SOC report page to continue to explore your need for a SOC report.
The type of SOC report your customer is requesting depends on the type of services you handle for them. There are two main types of SOC reports – SOC 1 and SOC 2. SOC 1 reports evaluate services that support your customer’s financial reporting business processes. SOC 2 reports test controls related to five principles for handling data: security, confidentiality, availability, processing integrity and privacy.
Conduct a SOC readiness assessment
If your company is new to the practice of SOC reporting, the next step after determining the need for a report is to gauge your readiness for the SOC report process. This readiness assessment, also referred to as a gap assessment, evaluates the maturity of your services and controls environment. This process includes multiple meetings with the owners of affected business processes to learn what they do and how they do it. Each control and process must be assessed individually for proper functionality and accountability. If the readiness assessment uncovers any gaps, the process owners have an opportunity to design improved controls and implement them prior to the start of the formal SOC assessment.
Figure out which type of SOC report to provide
Once the readiness assessment is complete, it’s time to pinpoint the precise type of report needed. Within the SOC 1 and SOC 2 reports described earlier in this post, there are two subcategories – Type I and Type II. The difference hinges on the period of time covered. A Type I SOC 1 or SOC 2 report presents the design and effectiveness of processes and controls as of a specific day. A Type II SOC 1 or SOC 2 report looks at a longer period of time and states whether the processes and controls operated effectively during the entire timeframe of the report.
RKL’s IS assurance and advisory professionals have a combined nearly two decades of experience conducting SOC reports. We can help you respond to your customers’ inquiries for SOC reports and prepare for the experience. Contact your RKL advisor or use the form below to request support.