What is an SOC Report, and Why Should You Have One?

If your business relies on a third party to run a critical process like payroll — or if you provide companies with such services — you may benefit from requesting or producing a Service Organization Controls report, sometimes referred to as a System and Organization Controls report or SOC report, for short.

Why prepare or request an SOC report? At its core, an SOC report provides an assessment of the internal controls at businesses that provide services to other companies. This helps these service organizations and their customers manage and mitigate risk. And for the third parties themselves, having or not having an SOC report at the ready could mean the difference between landing or not landing a client.

SOCs fall under the Statement on Standards for Attestation Engagements No. 18 (SSAE-18), which replaced the previous standard, SSAE-16, in May 2017.

SOC reports come in three forms:

  • SOC 1: Assesses the financial reporting impact on an organization from outsourcing. An SOC 1 report assesses the fairness of management's description of the service organization's system. It also gauges the suitability of the design of the organization's internal controls as of a certain point in time.
  • SOC 2: Provides a detailed assessment of a service organization's operational controls. While an SOC 2 report also assesses the fairness of management's description, it measures the effectiveness of the internal control design as well as the operating effectiveness of the controls over the course of a specified period.
  • SOC 3: Examines privacy and data security controls and is narrower in scope than SOC 2. Unlike SOC 1 and 2, which most organizations do not publish, SOC 3 is often available to the public.

The SOC report comes mainly in two forms, type 1 and type 2. Since it's for public consumption, SOC 3 reports do not come in a detailed format; by default this makes them type 2 reports. For a more detailed comparison of SOC 1, 2 and 3 reports, visit the American Institute of Certified Public Accountant's site.

The AICPA provides a detailed analysis of the types of SOC reports, including information on the latest SOC for cybersecurity, designed to help organizations assess and communicate the effectiveness of their cybersecurity program.

Management's Role in SOC Reporting

Similar to a traditional audit of an organization's financial statement, businesses that wish to commission an SOC report engage auditors to do so. In order to ensure a smooth process, be prepared to provide the auditors with access to the records and documentation that will allow them to testify regarding your organization's system of controls.

Prior to the beginning of the engagement, ask the company you select to conduct the SOC for a list of documents they typically analyze. In addition, consider dedicating one or more members of your staff to serve as the primary point of contact for auditors as well as to gather relevant documents such as policies and procedures, job descriptions, risk assessments and other documents related to controls.

In a similar vein, make sure that employees and executives make themselves available to meet auditors as needed. Impress upon company personnel the importance of responding to emails from auditors in a timely manner.

Given the importance of compliance in today's business environment, it's highly likely that a service provider will receive a request to provide an SOC report. Alternatively, a service provider may voluntarily prepare one to land new business. In either event, compliance matters a great deal to the customers of business services, so an SOC report can mean the difference between winning or losing a services contract.

Stay up-to-date on the latest human capital management insights for finance leaders: subscribe to our monthly e-newsletter.

Tags: Reporting and Analytics Compliance