From a cost and efficiency perspective, many large user organizations are choosing to outsource functions or portions of their own service offerings to outside service organizations that specialize in performing that function or service. All signs suggest that this trend towards more outsourcing will persist and the use of service organizations will continue to increase. This has created tremendous opportunities for service organizations of all types, but it also increases user organizations' risk and exposure.
Data breaches and other disruptive events can often be traced to external providers, so service organizations are increasingly asked to demonstrate the effectiveness of their controls to the user organization. One accepted way to do this is through a Service Organization Control (SOC) report.
The Rise of SOC Reports
More and more, service organizations are asked to produce a SOC report. Some are finding that they are not being considered or asked to bid on an opportunity because they do not have a SOC report. Other service organizations without a SOC report that do bid or compete for new projects or other ongoing work are finding that they are losing to competitors who already have a SOC report.
The message has become increasingly clear over the past several years: SOC reports can represent a competitive advantage for service organizations in many situations.
No one is immune from SOC reports. Even smaller service organizations may be asked to provide one to a user organization client. Before a significant customer, client or prospect asks for a SOC report, it is critical that service organizations of all types understand what SOC reports are and which type they may need.
Consider the Options
There are several options to weigh when a SOC report is requested. A service organization may obtain a SOC 1 (at the time of writing commonly referred to as an SSAE 16 report, after the attestation standard under which it is issued; SSAE 18, issued in 2016, supersedes SSAE 16 for reports dated on or after May 1, 2017), a SOC 2, or a SOC 3 report, and a SOC 1 or SOC 2 report may be either a Type 1 or a Type 2 report. Each of these five options is different, and it is important to clarify up front exactly which report is needed. This is typically specified in the service organization's contract with the user organization requesting the report (generally your client or prospect), or agreed through other communication with that user organization and with the service auditor who will conduct the SOC engagement.
SOC 1 reports are detailed reports covering controls at the service organization that are relevant to the user organization's internal control over financial reporting. SOC 2 reports are also detailed and cover controls relevant to one or more of the applicable Trust Services Principles (Security, Availability, Processing Integrity, Confidentiality and Privacy), each of which has a set of criteria that must be met. A SOC 3 report is essentially a condensed version of a SOC 2 report: it carries the service auditor's opinion but omits the detailed description of the system, the controls and the tests performed. SOC 3 reports are the only SOC reports that may be distributed to the general public. In practice, however, they are rarely used, because they lack the detail that clients and prospects generally want to see and because, under the guidance in effect at the time of writing, an unqualified SOC 3 opinion could not be issued for a service organization that relies on a subservice organization. SOC 1 and SOC 2 reports, because of the detailed information they contain, are restricted-use reports whose distribution is limited to specified parties such as the service organization's management, its user organizations and their auditors.
In a Type 1 report (SOC 1 and SOC 2 only), the service auditor gives an opinion on whether the description of the system is fairly presented and whether the controls are suitably designed to meet the stated control objectives or criteria, as of a specified date. A Type 2 report covers everything a Type 1 report does and, in addition, gives an opinion on whether the controls operated effectively throughout a specified period, based on the auditor's tests of those controls; the results of those tests, including any exceptions noted, are included in the report. User organizations almost always want a Type 2 report, because it is the only type that provides assurance that the controls actually operated effectively over time rather than merely being suitably designed at a point in time.
Before starting the process, service organizations are advised to first consider what the user organization is requesting, and to confirm that the type of report to be obtained will meet that user organization's needs.
SOC Reports and Timing
Type 1 reports (SOC 1 and SOC 2) are issued as of a point in time and are generally less valuable than Type 2 reports (SOC 1 and SOC 2), which cover a period of time and provide assurance that controls operated effectively throughout it. The period covered by a Type 2 report should generally be at least six months (there are limited exceptions that allow for a shorter period when certain criteria are met), although most reports cover a 12-month period.
In addition, a service organization is well-advised to spend time before the start of the reporting period working with its service auditor to confirm that it is ready, that is, that there are no significant gaps in internal controls that would cause exceptions and possibly an unwanted modification of the service auditor's opinion. As a result, a service organization seeking its first Type 2 SOC report should plan on at least eight months from the start of readiness work to the issuance of the report, depending on factors such as the length of the initial reporting period and the amount of remediation required. Timing should be discussed and agreed with the service auditor during the initial conversations about the engagement.
Keys to a Successful SOC Engagement
One of the biggest challenges, especially for smaller service organizations, is that many organizations have not formally documented their policies, procedures and related internal controls. Management is often unsure what deficiencies may exist, and the last thing a team wants is to begin the SOC engagement only to run into exceptions and a possible modification of the service auditor's opinion. Most users of SOC reports understand that a report's value depends on its being free of significant exceptions and control deficiencies. For this reason, it is critical that a service organization consult with its service auditor to assess the existing control environment, identify potential deficiencies ("gaps") and remediate them before the SOC engagement begins. This readiness assessment is usually well worth the effort and prevents problems that would otherwise surface only after the engagement has started.
Other keys to a successful engagement include allocating appropriate resources and involving key members of the service organization's team, especially IT, from the outset. The most efficient and cost-effective engagements typically occur when a single individual on the service organization side is designated to coordinate the engagement and the entire team understands the importance of the project, including its goals and timelines.
SOC reports are increasingly becoming a client-imposed requirement for some service organizations and a necessity for others, especially when it comes to differentiating the organization from its competitors and winning business from some of the larger institutions and more sophisticated user organizations. Many user organizations are monitoring their own risks and trying to minimize exposure from using a potentially substandard service organization with little or no internal controls.
Service organizations that understand the power and competitive advantage that comes with being able to produce a SOC report when necessary may be winning more new business than their competitors and reaping some important benefits that come with the additional revenues, the most significant one falling right to the bottom line. For additional information about SOC reporting and other information about the process for obtaining an SOC report, please contact us.
Published on December 27, 2016