System and Organization Controls (SOC) reports are designed to demonstrate that service providers have proper controls in place. SOC 1 and SOC 2 reports primarily examine controls in place for the reporting and processing of financial transactions (SOC 1) and the security of data (SOC 2). Requests for these reports, especially the latter, are on the rise.
“Both private and public entities are increasingly requesting SOC 2 reports as it’s a way for a company to gain peace of mind that their data is being adequately protected,” says Andrew Sizemore, a manager with Clark Schaefer Consulting.
SOC reports must be completed by an external party that’s licensed by the American Institute of Certified Public Accountants (AICPA) — i.e., a CPA firm. But there’s little reason to see them as burdensome.
“The completion of a SOC report may streamline vendor management processes and increase overall comfort regarding controls in place,” says Jeanne Yang, a senior manager at Clark Schaefer Consulting. “SOC 2 reports can also be used by vendors to attract prospective clients, as it offers assurances that a sound control environment is in place before signing a contract.”
Smart Business spoke with Sizemore and Yang about SOC reports, the reason they’re increasingly requested, and what to expect if you’re asked for one.
Why are SOC 2 reports on the rise?
SOC 2 reports are not a new concept. However, there’s been an increase in demand for them as many companies want to have a standard report that better enables a one-to-one vendor comparison with regard to security practices. Companies tend to define their own control environment. Therefore, when the SOC auditors enter that environment, they’re able to attest as to whether the company’s defined controls are appropriately designed and operating effectively, placing any noted exceptions into a report.
Third-party auditors who are performing the testing must issue their report through organizations that are members of the AICPA. These audit teams often work with a company’s operating/processing teams and/or IT team to learn what they’re doing daily to preserve their control environment. Then the auditor conducts tests to verify the effectiveness of the control environment.
What does the SOC 2 report process look like?
Prior to a SOC 2 engagement, there is typically a readiness phase during which the auditors gain an understanding of the control environment and identify potential control gaps. A remediation period follows the readiness phase, allowing a company to resolve the gaps by implementing the necessary controls. After the remediation period, the auditors come back and perform a SOC 2 engagement — performing walkthroughs, talking with control owners and observing controls to determine that the controls are operating as designed.
Auditors work with the IT department to make sure that their needs and requests are fulfilled. Once all the necessary data is collected and tested, the engagement moves to the final phase: reporting.
How are the results used?
SOC tests are not pass/fail — a common misconception — and there’s no certification awarded to service organizations that are found to have adequate controls. The results of the SOC 2 engagement provide an opinion regarding whether a service organization’s end-users can rely on the system described in the report.
Typically, the report concludes with either an unqualified or qualified opinion. An unqualified report indicates that while there may be exceptions, in aggregate, the exceptions should not impede the end user’s reliance on the system/service provided by the service organization. A qualified opinion indicates the end user cannot rely on a specific area of the system/service provided.
In the case of a qualified report, the company vetting a vendor should review the identified exceptions and all controls in place to better understand the issues. An issue in some areas could be troubling enough to not proceed with signing a contract, while other exceptions are less of a concern.
When customers ask about a SOC 2 report as a prerequisite for a contract, vendors should engage with a CPA firm, talk through the steps to meet the criteria and prepare their environment accordingly.●
INSIGHTS Accounting is brought to you by Clark Schaefer Hackett
