When Should You Be Requesting SOC Reports from Service Providers?
Organizations typically rely on third-party vendors and service providers to support efficient and effective business operations. Vendors and service providers offer a wide variety of services, including data hosting and management, managed information technology services, application hosting, and outsourced financial services functions. These services give the organization operational efficiencies, cost savings, and technical expertise in areas that would otherwise require substantial capital investment. Using third-party service providers for these operational functions does not come without risk, however, and managing that risk should be a primary objective when selecting a service provider.
Businesses and organizations that use service organizations need to provide effective oversight as part of their risk management and mitigation plan. Effective oversight begins by determining the organizational risk associated with each service provider. For example, a service provider that hosts and manages healthcare data may have a substantial risk profile, because a failure to maintain the security of that data exposes the business to substantial regulatory and reputational risk. The most effective way to provide oversight and manage organizational risk is to require third-party vendors to provide a System and Organization Controls (SOC) report. A SOC report lets a business verify that effective controls have been designed and are operating at the service provider, so that the organization can adequately mitigate the risk of using the third-party provider. SOC reports are prepared for the service organization by independent third-party auditors and typically cover controls related to organization, operations, security, availability, application processing, and privacy.
Determining which SOC Report is Required
There are two types of SOC reports which are intended for two different types of services, as defined below:
- SOC 1: Covers controls at a service provider that are relevant to user entities’ internal control over financial reporting. Its primary purpose is to confirm that controls are designed and operating effectively to support the reliability of information used for financial reporting.
- SOC 2: Assesses a service provider’s information systems against specific predefined areas: security, availability, processing integrity, confidentiality, and privacy. SOC 2 establishes the controls that service providers must meet in whichever of those areas are in scope for the report.
Organizations requesting SOC reports should ask for the specific report that matches the service the vendor provides, so that the report they receive covers the controls relevant to the type of service the organization actually uses. In addition, the controls in the SOC report should align with the organization’s objectives for mitigating the risks associated with those services.
Requiring SOC Reports from Service Providers
Businesses using service providers should evaluate the vendor’s or service provider’s controls before contracting with the vendor, and at least annually thereafter. The evaluation process should include a vendor/service provider risk assessment that considers the type of service being provided and the level of risk from a data, systems, business continuity, or financial reporting perspective. The results of the risk assessment then determine whether the organization should require the vendor/service provider to have a SOC report. As a rule, any service provider that maintains or accesses business data or systems, provides a key operational application or service, or processes information relevant to financial reporting should be required to provide a SOC report, because those are high-risk areas for organizations. Businesses should request and review SOC reports before contracting with the service provider, and should request the most recent SOC report at least annually.
Evaluating the risk posed by your organization’s vendors and service providers, and requiring the appropriate SOC reports to confirm that those risks are mitigated, is essential to protecting your organization’s reputation and operational stability. Whether you are a service provider evaluating the need for a SOC examination or a business evaluating the SOC reporting requirements of your service providers, understanding which SOC reports are relevant to your organization will strengthen your control environment. For more information, visit our System and Organization Controls (SOC) service page and contact our team with any further questions regarding SOC 2 reports and our services.
About the Author
Josh joined McKonly & Asbury in 2006 and is currently a Director with the firm. He is a key member of the firm’s Audit & Assurance Segment, primarily working with clients in the firm’s Service Organization Controls (SOC) Practice.…