Both internal and external stakeholders demand trust and transparency. And because risk management is an enterprise-wide concern, many organizations devote significant time and resources to deliver assurance.
A Service Organization Controls (SOC) report helps service organizations that provide services to other entities build trust and confidence in the services performed, and in the controls related to those services, through a report issued by an independent auditor. Each type of SOC report is designed to help service organizations meet specific user needs.
Three types of reports.
There are three different types of SOC report, covering varying levels of the operating effectiveness of a service organization’s controls.
- A SOC 1 (Internal Control over Financial Reporting) report reports on controls relevant to the user entities' internal control over financial reporting (ICFR). A SOC 1 report is restricted to controls relevant to an audit of a user entity’s financial statements. The use of these reports is restricted to the management of the service organization, user entities, and user auditors. There are two types of reports for these engagements:
- Type 1 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
- Type 2 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
- SOC 2 (Trust Services Criteria) reports on controls relevant to security, availability, processing integrity, confidentiality, or privacy.
- SOC 3 (Trust Services Criteria for General Use Report) is a trust services report for service organizations.
Because of the increasing use of the report, however, many organizations are being asked by customers whether they have a SOC report, often by customers who don’t really understand what the report covers or whether it is actually relevant to their own financial statements. It’s therefore important to have at least a basic understanding of the uses of the reports so that you can discuss the customer’s request.
Who should consider a SOC report?
Any organization can provide insight and stakeholder assurance through SOC reporting. It offers a cohesive, repeatable reporting process where companies can assess once and report out to many stakeholders. SOC reporting can:
- reduce compliance costs and time spent on audits and filling out vendor questionnaires
- meet contractual obligations and marketplace concerns through flexible, customized reporting
- proactively address risks across your organization
- increase trust and transparency to internal and external stakeholders
The following organizations would consider obtaining a SOC report: payroll service providers, claims processors, benefits administrators, third-party administrators, clearinghouses, transfer agents, trust administrators, data centers, application service providers (ASPs), outsourced IT departments, and other service organizations.