SOC Reports: Fact vs. Fiction
In the modern business environment, organizations face a myriad of challenges around service organizations and the SOC reports associated with them, whether they are a service organization themselves or require the vendors who act as service organizations for them to obtain one.
Standards related to data security are ever-changing and can come in the form of new compliance requirements for organizations or additional standards demanded by customers. One solution to regulatory requirements and/or lengthy customer security surveys is obtaining a SOC report!
Which type? What are the requirements? To answer these questions, please refer to our article “8 Common System and Organization Controls (SOC) Questions.” The purpose of this article is to expand on and clarify some of the misunderstandings related to the purpose and use of SOC reports. Businesses are constantly required to assess the needs of their customers while weighing their own capacity. This article will assist in deciding whether to obtain a SOC report for your organization and/or from a service organization your business may utilize.
Service organizations will typically obtain a SOC report to effectively communicate their risk management and controls framework to multiple stakeholders. Here are several misconceptions businesses may have about SOC Reports before beginning the process and the facts that should be known instead:
Fiction: These reports are used as marketing material and are typically displayed on a company’s website.
Fact: SOC Reports are obtained by a company for a specific purpose. That purpose is generally dictated by the type of business and the risk management and controls framework typically associated with the industry it serves. In a SOC 2 audit, service commitments and system requirements play a large role in the purpose of the SOC 2 report. As a result, the report is confidential (except for a SOC 3) and is generally intended for a specific audience: users that have sufficient knowledge and understanding to comprehend it. Additionally, the reports cannot be used as marketing material and carry specific restrictions on use. As a reminder, this prohibition relates specifically to SOC 1 and SOC 2 Reports; a SOC 3 Report can be used in certain situations by a company as a potential marketing tool. For more information, please refer to our articles “SOC 2 Examinations” and “SOC 1 Examinations” for a discussion of these types of SOC reports.
Fiction: A SOC Report covers all aspects of the service organization.
Fact: SOC scope usually covers a specific line of business. Service organizations can obtain multiple SOC reports to cover different areas. It is important to note what the scope of the SOC report is and whether it covers the area in which you require compliance.
It is also important to understand that a SOC 1 report is only applicable as it relates to internal controls over financial reporting.
Some organizations may want to include other aspects of their data and risk management such as security, confidentiality, availability, processing integrity and privacy. In these cases, companies should obtain a SOC 2 report. For more information on the key differences between the various SOC reports, please refer to our article “SOC Reports and Your Service Organization’s Questions.”
Fiction: Once a report is issued for a service organization, no verification of said controls is required by the user entity (usually a customer).
Fact: A user entity reading the SOC report needs to get a comfort level around the controls the service organization put in place to meet either the control objectives in a SOC 1 or the Trust Services Criteria. The user entity is always permitted to ask more questions of the auditor or the service organization regarding the controls at the organization. The reader also needs to get a comfort level for the CPA firm issuing the report. Not all SOC reports are performed with the same quality. A properly done SOC report should continue to make the service organization’s security posture stronger from year to year. You do not want a rubber stamp SOC report.
Fiction: The testing period for a SOC report must be a minimum of 6 months.
Fact: The AICPA SOC guide does not specify a time period requirement. A SOC report usually covers a period of between six months and a year. Six months or more is usually the minimum because that is the time frame in which sufficient appropriate evidence is typically available to test the service organization’s controls. Most of the time, a shorter time frame does not allow for sufficient testing.
Fiction: A SOC report does not have to be conducted annually.
Fact: A SOC report should be done annually, and the date of the report should fall within 3 months of when the user entity is reviewing the report. It is generally accepted that a SOC report over 3 months old is getting too old to rely on.
Whenever your organization is assessing whether a SOC report is right for you, make sure to take into account your organization’s needs, capacity, and the overall benefits received from obtaining the SOC report. If you would like more information regarding security incidents or help setting up your company’s incident response plan, McKonly & Asbury would be happy to help. We currently offer the full suite of SOC services to clients in a broad variety of industries. Be sure to visit our System and Organization Controls (SOC) service page and don’t hesitate to contact us with any questions.
About the Author
Kevin joined McKonly & Asbury in 2022 and is currently a Supervisor with the firm. He is a member of the firm’s Audit & Assurance Segment, serving the manufacturing industry as well as the firm’s System and Organization Controls (SOC) practice.