Expertise Beyond the Numbers

A Client’s Guide to SOC Reports

Why Get One, What to Ask for, and What to Do When It Gets There

In our previous post on System and Organization Control (SOC) reports, we covered potential concerns from the perspective of the service organization. For this post, we’ve switched our perspective and will directly address the client, or outsourcing entity. We’ll tackle your organization’s three biggest questions about SOC reporting:

  • Whether to request a SOC report from vendors;
  • If so, what type of SOC report to request; and
  • What to do with the vendors’ response.

First, though, it’s important to note that requesting, obtaining and reviewing SOC reports should be part of a larger vendor-management, due diligence or risk management program. Since no law requires vendors to have a SOC audit or to produce a SOC report, your organization’s rights and decisions throughout the process will depend on your relationship with your vendors and the terms of the agreements you’ve negotiated with them.

Do We Need to Obtain SOC Reports from Our Vendors?

Any organization that outsources work must make this judgment call. The answer will depend on the nature of the work performed and the access the vendor has to the client’s financial information, other key data, or personal information protected by law (PPI).

As we noted last month, a business or professional entity can outsource its work but not its financial-reporting or data-security obligations. If your business has entrusted information to a vendor, you need to know that the vendor has controls in place to protect it.

For example, if you’ve outsourced payroll, credit-card processing or website services, ask for a SOC Report. If you use Software as a Service (SaaS), ask for a SOC Report. If you store data with a cloud service provider, ask for a SOC report. If your computer system’s servers are physically located and managed outside of your office, ask for a SOC report. Cliché or not, a chain is only as strong as its weakest link.

What Type of SOC Report Should We Request?

The multiple kinds of SOC reports and their subtypes can be confusing, especially as they continue to evolve. We offer a few rules of thumb below and have included a comparison chart for easier reference. Further details are provided in our e-book, “SOC 1, 2, and 3 Reports: A Service Organization’s Guide.”

SOC 1: Think “one for the money.” The SOC 1 is designed to report on controls that are relevant to user entities internal control over financial reporting. For example, organizations that use a payroll processing vendor may realize the material impact payroll has on their financial reporting and should request a SOC1 Report. The SOC 1 Report will provide assurance that payroll is handled in accordance with their expectation (and accurately reflected within the organization’s financial statements). Similar scenarios exist across various industries, including but not limited to mortgage lending services and medical claim processing centers.

A SOC 1 report can be either a “Type 1” or “Type 2” report. A Type 1 report will provide assurance that controls are in place as of a point in time and whether the controls are appropriately designed and implemented. A Type 2 report takes the next step and assesses the operating effectiveness of controls over a specified period of time.

SOC 2: A SOC 2 report has a much wider range of uses than the SOC 1; it is the report you should seek from vendors with access to or storage of your organizational data that’s not connected to financial reporting, including PPI and any data that is key or imperative to your business. A SOC 2 audit examines the vendor’s controls within five “trust services principles” established by the Association of International Certified Public Accountants (AICPA), beginning with the “common” criteria which focuses on the security of customer data.  Like SOC 1, the SOC 2 can also be a Type 1 or Type 2 report.

SOC 1 and SOC 2 reports are not mutually exclusive. For example, if your organization stores healthcare information in the cloud, you will want a SOC 2 from the vendor that hosts it.  If the same vendor also processes healthcare related transactions that impact your financial reporting, you will also want to request a SOC 1.

SOC 2 Plus: Clients in industries that face changing regulatory landscapes, like health care, may find interest in the “SOC 2 Plus” option. A SOC 2 Plus audit is a typical SOC 2 report, plus an attestation on additional subject matter from industry-specific standards such as Cloud Security Alliance and HITRUST.

SOC 3: As a practical matter, it’s less likely that your organization will request a SOC 3 report, simply because it is designed to be a marketing tool for the vendor. It contains much of the same information as a SOC 2 report, but with less detail, and is intended for public distribution.  A vendor can obtain a SOC 3 report only after undergoing a SOC 2 audit.

What to Do When the Report Arrives

Congratulations: the SOC report you requested has arrived. Resist the temptation to file it away and check it off your “to do” list.

First, review the report for completeness. Your vendors are likely to have other clients and to offer services beyond those you’ve outsourced to it; it may also be using subservice organizations of its own for some of the work.  Make sure the SOC report covers the controls needed to secure your organization’s data.

Next, look for a section called “Complementary User Entity Control Considerations.” This section will spell out the control activities that the vendor expects your organization to have in place, and warn that without those measures, its best efforts to protect your data may fail. Review the list and make sure your organization does, in fact, have those controls or better ones in place.

Finally, look for any exceptions identified by the auditor. Review the auditor’s opinion to see if it is unmodified and/or qualified based on exceptions found in testing. Additionally, review Section 4 of the report to identify any exceptions noted by the auditor. Even if the opinion is unmodified, there may still be exceptions which could impact your organization.  Assess the number and nature of the exceptions and discuss them with the vendor.

This final step underscores the importance of integrating SOC reviews into an overall vendor-management program. If the vendor comes through the SOC audit with less than flying colors, and is unwilling or unable to remedy the deficiencies, your organization will have to determine whether continuing the relationship is worth the risk it presents. In either case, the duty to comply with financial reporting and information-security requirements remains on your organization.

If you’d like a copy of our e-book, “SOC 1, 2, and 3 Reports: A Service Organization’s Guide,” please click here.  As always, if you’d like to discuss how our team can help with your SOC audit needs, please contact us here.