Have you personally ever listened to a song and immediately felt warm and safe, like being wrapped in a blanket? Business owners often seek that same feeling of assurance and comfort about the “safety” of a potential business partner, especially in today’s environment of Big Data and cybersecurity risks.
The CPA profession has a number of objective products it offers businesses to help them build trust and confidence in their business’ internal controls. The System and Organization Control (SOC) report is one such tool; it’s the security blanket that helps businesses, particularly service organizations, help assure their customers they are a business partner with rigorous standards and controls in place to keep their data safe.
What Is SOC Compliance?
Achieving SOC compliance means your business has established and follows strict information security policies and procedures and has appropriate levels of oversight across your organization. It means you have an adequate monitoring program for unusual activity, authorized and unauthorized system changes, and user access levels. SOC compliance will require you to demonstrate the capabilities to identify processing errors or security incidents, and respond and take corrective action in a timely manner. To determine the root cause of issues and know where to begin to remediate an issue, audit trails of your internal controls must be in place to be SOC compliant.
Most companies start their SOC compliance journey with a readiness assessment, which will help identify missing controls or areas of improvement. The assessment is an opportunity to draft new or improve upon existing policies and procedures and establish an audit trail of your risk management, system operations and other areas of your business.
What Types of SOC Reports Are Available?
There are currently four different standards for SOC reports that may be appropriate for your service organization’s reporting:
SOC 1 Report
SOC 1 is designed for financial transaction processing activities. It is primarily used to validate controls relevant to the customer’s financial reporting. The service organization specifies its own control objectives and control activities.
SOC 2 Report
SOC 2 addresses controls around the security, processing integrity, availability, confidentiality and/or privacy of systems and the data the service organization stores or processes. The service organization is held to a standardized set of controls criteria for each of the principles covered in the report.
SOC 3 Report
These cover the same testing procedures as a SOC 2 report, but omit the detailed test results and are intended for general public distribution.
SOC for Cybersecurity
Becoming more and more popular among service organizations, this type of report is a framework through which to communicate relevant information about the effectiveness of an organization’s cybersecurity risk management program.
Additionally, each of the SOC reports can be produced as either a Type I (point-in-time) or Type II (period of time) report. Type II reports are widely accepted as more valuable, since they validate the operating effectiveness of controls throughout a period. Type II is generally only performed after a Type I has already been completed and serves to establish the start of the reporting period for the Type II.
Does Your Service Business Really Need a SOC Report?
The world can be a scary place … either from very real threats to data security or perceived threats associated with new technologies. Your customers already may be looking for the warmth of that security blanket; they already may be asking about your risk management activities and internal controls. But if you haven’t received those questions from your customers, there are some you might want to ask yourself to determine whether SOC reporting makes sense for you:
- Do you process large volumes of data — including personally identifiable information (PII) about customers or other data. Do your customers rely on you to have that data available to help them run their business?
- Could you lose business to competitors because you don’t provide a SOC report or other information to help your customers and prospects understand your internal controls?
- Are you spending time responding to third-party self-assessment questionnaires or other due diligence inquiries, time that could be better spent preparing a comprehensive SOC report?
- Would you know if a security incident had occurred, and are you prepared to respond?
A few examples of the types of companies that may answer “Yes!” to these questions include:
- Technology service providers,
- Third-party administrators,
- Custodians or trust companies,
- ACH processors,
- Health care claims processors,
- Payroll providers,
- SaaS companies and
- Data center services.
These companies are using the results of the independent assessment of their controls within the SOC report to retain customers, gain credibility and win more business.
Regardless of what your personal security blanket is (and if you’re looking for a great song we recommend “Fade Into You” by Mazzy Star), consider giving that same feeling of security to your customers about your internal controls and the protection of their data by considering SOC compliance and reporting for your business.
Please contact a member of your service team, or contact Steve Guarini at firstname.lastname@example.org for further discussion.
Cohen & Company is not rendering legal, accounting or other professional advice. Information contained in this post is considered accurate as of the date of publishing. Any action taken based on information in this blog should be taken only after a detailed review of the specific facts, circumstances and current law.