A SOC report is a report on the effectiveness of controls at a service organisation. Its purpose is to provide assurance to the user organisation and to its auditors about controls operated by the service organisation.
SOC report types by assurance area: SOC1 – Internal Control over Financial Reporting (ICFR); SOC2 – the Trust Services Criteria (TSC), i.e. Security, Availability, Processing Integrity, Confidentiality and Privacy; SOC2+ – the TSC plus additional criteria from other frameworks, such as NIST or GDPR; SOC3 – a general-use summary of a SOC2 report that can be shared publicly.
SOC types by the period covered: Type I report – covers a specific point in time (i.e. whether controls are suitably designed and implemented); Type II report – covers a period of time, usually 6 to 12 months (i.e. whether controls operated effectively throughout that period).
Why are SOC reports increasingly important?
1) Corporations are constantly looking for opportunities to outsource non-core processes or specialised services, in an ongoing effort to cut costs and draw on specialised knowledge.
2) Regulators and stakeholders are requiring ever more comprehensive assurance over the status of internal controls across the business model as a whole, including service providers and sub-service providers.
Because it is often impractical, or simply not feasible, for the auditors of the user organisation to audit controls at service and sub-service organisations themselves, a SOC report can be relied upon instead.
Furthermore, increased reliance on outsourced logistics services has recently prompted discussion of whether SOC reports should also cover logistics services.
What could go wrong?
Improper governance of your internal control framework and a lack of SOC reporting can jeopardise your business in different ways, depending on factors such as the type of organisation, applicable regulations, the type of service provided and your risk exposure. Some examples follow below:
Publicly listed companies – Your external auditors will require you to obtain a SOC report from your key service organisations. If a vendor is unable to produce such a report, or the report carries a qualified opinion (i.e. the auditor found exceptions in the design or operation of controls), this could, in the worst-case scenario, prevent your auditors from rendering an opinion on your financial statements.
Service organisations – The majority of existing and prospective customers will require you to produce a SOC report. Failing to produce one, or producing a qualified report, will damage your customer relationships and reputation, and can cost you the prospective customer in a competitive bid when you are benchmarked against competitors.
How can Horizon Compliance help you with your SOC requirements?
Our SOC team comprises highly qualified professionals with 15+ years of hands-on SOC reporting experience in various industries including banking, payroll, finance and IT. We can help you optimise your SOC governance through a number of high-value adding services such as: