Is your company weighing whether it needs a System and Organization Controls (SOC) report, or what one would get you? Perhaps your company already receives one, but you still have some questions.
In this article, we address five commonly held SOC myths.
Myth #1: You only need a SOC report if a customer requests one.
Many organizations do not consider a SOC report until their customers start asking for one. A SOC report gives customers independent assurance that you have controls in place over the system or service you provide to them. A second reason to obtain one is the value of an independent review of your systems or services: a third-party evaluation identifies control weaknesses and recommends improvements. It may even save you money in the long run, by surfacing and mitigating risks before they turn into breaches.
Myth #2: You do not need to update your SOC report annually.
While it is technically true that you are not required to obtain a new SOC report every year, SOC reports speak only to a point in time (Type 1) or to a defined period (Type 2). Once too much time has passed since the report date or the end of the reporting period, the report becomes much less useful to customers and regulators, because the controls have not been tested recently. An annual renewal of your SOC report is therefore desirable and recommended.
Myth #3: There is no difference between the Type 1 and Type 2 SOC report.
The difference between a Type 1 and a Type 2 SOC report is considerable in terms of the assurance it provides over your company's controls. A Type 1 report opines only on whether your controls are suitably designed, as of a single point in time; it makes no determination of whether those controls actually operated effectively. A Type 2 report additionally includes the auditor's tests of operating effectiveness over the reporting period, which gives customers and prospective customers far more information to rely on.
Myth #4: SOC reports can be used as a marketing tool.
Although companies share their SOC 1 and SOC 2 reports with prospective clients to provide details of their system and service controls, only a SOC 3 report is a general-use report that can be used for marketing purposes and distributed widely, for example on the company's website. SOC 1 and SOC 2 reports are restricted-use reports, meaning they may only be provided to existing clients, their auditors, regulators, and prospective clients with a legitimate need to evaluate your controls.
Myth #5: The SOC period should only be six months or a year.
Although the most common SOC reporting periods are six or twelve months, there is no required time frame for a SOC report. AICPA guidance indicates that a reporting period shorter than six months is unlikely to be useful, but what matters more is that the period end as close as possible to the fiscal year end of the customers you provide the system or service to, so that the report is as timely as possible for their own audits.
If your company is considering a SOC report, or has questions that were not addressed by these myths, please contact our team. We are happy to answer your questions and help determine whether a SOC report would be useful for your company.
About the Author
Lynnanne joined McKonly & Asbury in 2018 and is currently a Principal with the firm. She is a key member of our firm's System and Organization Controls (SOC) Practice, preparing SOC 1, SOC 2, and SOC 3 reports for our clients. She holds th…