You are going about your day and have great plans on how to tackle your growing to-do list when you are suddenly tasked with a new project: your company needs a SOC report. ASAP. Maybe you are familiar with SOC reports and know exactly what to do next. In our experience, we find that people are often asked to work on this type of project unexpectedly and are unsure of where to begin. Here, we will break down the reasons why your organization might need a SOC report, followed by six questions and answers you may find useful.
Does my company need a SOC report? If so, why?
Start by asking these questions:
- Does my organization provide services or functions to customers that may affect the delivery of their services?
- Does my organization receive high volumes of customer requests for assurance?
- Is my organization contractually required to provide insight into our control environment?
- Is my organization losing business to competitors because transparency into our control environment is not readily available?
- Are my customers asking for a SOC (Service Organization Controls) report or Statement on Standards for Attestation Engagements (SSAE) 18 report?
If you answered yes to ANY of these questions, it sounds like your current or potential customers are likely looking to gain comfort over how you, as a service organization, are protecting their intellectual property and addressing the risks associated with your organization, its services, functions and the system used to provide them.
Your organization can provide awareness and customer assurance through SOC reporting. SOC reporting offers a consistent, repeatable reporting process where you can assess once and report out to many.
So let’s address some common questions that can help your organization navigate next steps with SOC reporting.
Your top 6 SOC questions answered
1. What is a SOC Report?
SOC reports are designed to help service organizations that provide services to other entities build trust and confidence in the service performed and in its controls through a report by an independent Certified Public Accountant (CPA). Each type of SOC report is designed to help service organizations meet specific user needs.
2. Which SOC Report do I need?
There are three different SOC reports that a service organization may offer. The following descriptions should help you determine which report will meet your customers’ needs:
SOC 1 Report (SOC 1 Type 1 or SOC 1 Type 2)
A SOC 1 report is designed for financial transaction processing. It is primarily used to validate controls over the completeness and accuracy of monetary transactions and financial statement reporting. Service organizations specify their own control objectives and control activities.
SOC 2 Report (SOC 2 Type 1 or SOC 2 Type 2)
A SOC 2 report is designed to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to the security, availability and processing integrity of the systems it uses to process users’ data, and to the confidentiality and privacy of the information processed. These reports can play an important role in:
- Oversight of the organization
- Vendor management programs
- Internal corporate governance and risk management processes
- Regulatory oversight
Note: SOC 1 and SOC 2 reports can be produced as either a Type 1 (point-in-time) or Type 2 (period-of-time) report. Type 2 reports are more common since they validate the operating effectiveness of controls throughout the year.
SOC 3 Report
A SOC 3 report covers the same testing procedures as a SOC 2 report, but it omits the detailed test results and is intended for general public distribution.
3. Who can perform a SOC audit?
A SOC audit can only be performed by an independent CPA or accountancy organization. SOC auditors are regulated by the American Institute of Certified Public Accountants (AICPA) and must adhere to specific professional standards established by the AICPA. Additionally, AICPA members are required to undergo a peer review to ensure their SOC engagements are conducted in accordance with attestation standards.
4. How much will I pay for a SOC report?
It depends. The cost of a SOC report is driven by several factors.
Here are some things to consider when performing price comparisons between CPA firms. Keep in mind that the answers to these questions will drive the price range for your report:
- What type of report is being performed? SOC 1, 2 or 3? Type 1 or 2?
- Will you need assistance with developing the description of your system?
- How many and what type of controls are in place? Automated vs. manual controls.
- How often is each control performed? Frequency matters: daily, weekly, monthly, quarterly, annually, etc.
- How complex is the system and the control environment?
5. What is the audit period and how long is a SOC report valid?
Based on SOC guidance and our experience, we recommend that service organizations consider the review period of their customers or, if needed, ask customers whether they have a preference for the period to be covered by the SOC report. Completing the SOC report annually allows a service organization to provide clients with a report that opines on the service organization’s controls year over year without a break in the period being covered.
6. How long does a SOC audit take?
It depends. This is usually determined by how prepared your company is and how many resources it has dedicated to the project. Initially, we suggest service organizations perform a readiness assessment followed by the SOC report, which can take between 1 and 3 months. However, it may take longer if issues that need time to be corrected are identified during the readiness assessment, or if the service organization has not assigned sufficient resources or priority to the project.
It can be daunting to be suddenly tasked with obtaining a SOC report for your organization. Even if it is not an unexpected request, it still requires a lot of research to ensure you are making the right decision for your company. The points covered in this blog are a great start and will get you thinking about the important questions to ask yourself and your potential vendors. As SOC compliance can be a complex topic, we understand you might still have some questions. If that’s the case, please feel free to contact us.
Journet Greene is a Senior Manager in Moore Colson’s Risk Advisory and Compliance Services Practice. She leads Sarbanes-Oxley initiatives, internal audits, SOC audits and other compliance engagements for the firm’s many large IT and consulting engagements.