Have you been tasked with obtaining a SOC report for your organization? Do you have questions about why it’s needed, what type of report should be obtained and how you should get started? You are not alone. Many in your shoes have these questions, and a lot of research will be required to ensure you are making the right decision for your company.
Here, we will break down the reasons why your organization might need a SOC report followed by 4 frequently asked questions and answers you may find helpful.
Does my organization need a SOC report? If so, why?
Asking the following questions is a good place to start:
- Does my organization provide services or functions to customers that may affect the delivery of their services?
- Does my organization receive high volumes of customer requests for assurance?
- Is my organization contractually required to provide insight into our control environment?
- Is my organization losing business to competitors because transparency into our control environment is not readily available?
- Are my customers asking for a SOC (Service Organization Controls) report or Statement on Standards for Attestation Engagements (SSAE) 18 report?
If you answered ‘yes’ to ANY of these questions, your current or potential customers are likely looking to gain comfort over how you, as a service organization, protect their intellectual property, correctly process their transactions, and address the risks associated with your organization, its services and functions, and the system used to provide them.
Your organization can provide awareness and assurance to customers through SOC reporting. SOC reporting offers a consistent, repeatable reporting process where you can assess once and report out to many.
So let’s address some common questions that can help your organization navigate the next steps with SOC reporting.
4 Frequently Asked Questions:
1. Which SOC Report do I need?
SOC reports are designed to help service organizations that provide services to other entities build trust and confidence in the service performed and in its controls through a report provided by an independent Certified Public Accountant (CPA). Each type of SOC report is designed to help service organizations meet specific user needs.
A SOC audit can only be performed by an independent CPA or accountancy organization. SOC auditors are regulated by the American Institute of Certified Public Accountants (AICPA) and must adhere to specific professional standards established by the AICPA.
There are three different SOC reports that a service organization may offer:
SOC 1 Report (SOC 1 type 1 or SOC 1 type 2)
A SOC 1 report is designed for financial transaction processing. It is primarily used to validate controls over the completeness and accuracy of monetary transactions and financial statement reporting. Service organizations specify their own control objectives and control activities.
SOC 2 Report (SOC 2 type 1 or SOC 2 type 2)
A SOC 2 report is designed to meet the needs of a broad range of users who need detailed information and assurance about the controls at a service organization relevant to the security, availability and processing integrity of the systems it uses to process users’ data, and to the confidentiality and privacy of the information processed. These reports can play an important role in:
- Oversight of the organization;
- Vendor management programs;
- Internal corporate governance and risk management processes; and
- Regulatory oversight.
SOC 1 and SOC 2 reports can be produced as either a Type 1 (point-in-time) or Type 2 (period-of-time) report. Type 2 reports are more common since they validate the operating effectiveness of controls throughout the year, not just their design at a single point in time.
SOC 3 Report
A SOC 3 report covers the same testing procedures as a SOC 2 report, but it omits the detailed test results and is intended for general public distribution.
2. What’s the best way to prepare for a SOC audit?
In cases where service organizations have concerns related to preparation, we recommend a SOC readiness assessment be performed. In a SOC readiness assessment, a review of the in-scope controls is performed, and findings (or “gaps”) are identified. This provides a chance for the service organization to remediate any identified gaps before the start of the SOC reporting process. An added benefit is that, at times, this work can also be leveraged for the SOC audit.
3. How long does a SOC audit take?
This is determined by how prepared your organization is and how many resources it has dedicated to the project. If a service organization performs a readiness assessment followed by the SOC report, this can typically take 1 to 3 months. However, it may take longer if issues identified during the readiness assessment need time to be corrected, or if the service organization does not have available resources or has not assigned sufficient priority to the project.
4. How much will I pay for a SOC report?
The cost for a SOC report depends on various factors.
Here are some things to consider when performing price comparisons between CPA firms. Keep in mind that the answers to these questions will drive the price range for your report:
- What type of report is being performed? SOC 1, 2 or 3? Type 1 or 2?
- Will you need a readiness assessment performed to assist with developing the description of your system and defining your controls?
- How complex is the system and the control environment?
- How many and what type of controls are in place? Automated controls generally cost less to test than manual controls.
- How often is each control performed? Frequency (daily, weekly, monthly, quarterly, annually, etc.) affects the sample sizes the auditor must test.
The points covered in this blog are meant to get you thinking about the important questions to ask yourself and your potential vendors. As SOC compliance can be a complex topic, we understand you might still have some questions. If that’s the case, please feel free to contact us here.
Journet Greene is a Director in Moore Colson’s Risk Advisory and Compliance Services Practice. She leads Sarbanes-Oxley initiatives, internal audits, SOC audits and other compliance engagements for the firm’s many large IT and consulting engagements.