
How Small Businesses Can Make a SOC Report a Reality

by Steve Guarini

February 15, 2023 Assurance Services, SOC Readiness & Compliance, Private Companies

You’re a small business of 20 or so people. It’s hard enough to keep up with customer demands, and to add to the workload you seem to get a new “security” questionnaire from customers every week. These questionnaires are time-consuming to complete, and none of them are the same. Many of the requests indicate they will accept a “SOC” report, but you feel like those are only for large companies with large budgets and teams.

Or perhaps you finally get a bite at that “big fish,” the large potential customer that would make a significant impact and really put your business “on the map.” As you read the contract, your enthusiasm dims when you see a requirement to submit a “SOC” report to qualify for the work. 

Do either of these scenarios sound familiar? In the first instance, you may resign yourself to filling out never-ending customer questionnaires. In the second, you may assume you won’t be able to go after your dream customer after all. 

Neither of those outcomes is ideal or necessary, even for smaller companies. If you’ve considered having a SOC report created for your business but think that you can’t because they are only for large entities, think again. Your small business can produce one by following some key best practices — resulting in the same benefits enjoyed by many larger competitors. 

What is a SOC Report?

At a high level, SOC 1 and SOC 2 reports offer assurance regarding your service organization’s internal controls and data security. They also help you establish and maintain credibility with your customers, investors and regulators. SOC reports can provide many benefits to a service organization. They: 

  • Offer a window into your policies and procedures, often exposing holes impacting security or productivity that otherwise would go unseen.
  • Help you attract new customers, allowing you to pursue business with larger customers who may otherwise not consider you without the report.
  • Help you retain existing clients, assuring them their data is secure, will remain confidential and that your systems accurately process transactions and are available when needed. 

Steps to Successfully Prepare for a SOC Report 

As a small organization, you are right to assume you will face some challenges in completing a SOC report. Your organizational structure may be less formal; a smaller staff may make segregation of duties more difficult; your control documentation may be informal; and you may have fewer resources to maintain a formal reporting system around SOC activities and controls moving forward.

In spite of these challenges, your small business can successfully navigate the SOC landscape, meeting the control requirements and issuing a report that satisfies SOC criteria and customers. The following key activities and best practices can help:

Automate Your Processes

SOC reports at their core are about performing control activities to meet specified criteria, performing those activities consistently throughout the year and proving you’ve done so via appropriate documentation. One key strategy is to automate as many processes as possible. 

For example, using an HR software tool can help ensure employee onboarding, evaluations and training activities are completed on time and documented appropriately. Using an automated “ticketing” system allows for documenting when key activities must be performed, who is involved in performing them and the results. For example, you can input into the system the activity to conduct an annual risk assessment, along with the necessary team, resulting documents and conclusions.

Use Third-Party (“Subservice”) Service Organizations

Similar to automating manual tasks via software, using other service organizations to handle aspects of your business can help simplify the requirements for a SOC report (these are referred to as “subservice organizations”). 

For example, using a managed IT services provider to maintain the company’s network and computers minimizes the activities your business must perform. Another common example is using a platform such as Microsoft Azure or Amazon Web Services to host your IT infrastructure. Controls surrounding the IT infrastructure, such as physical security, now become the responsibility of the subservice organization, and not your small business. 

Standardize and Align Team Meetings with SOC Criteria

Most organizations, even small ones, have preexisting groups or teams that meet at regular intervals. For example, an executive team may meet monthly to discuss key business metrics, policies and procedures; an operations team may meet to discuss customer matters and service delivery issues; or an IT team may meet to discuss technology matters and risks. The key is to take these existing meetings and systematize them. That is, create standard agendas that address SOC-relevant criteria related to each particular team’s purpose. 

For example, a standard item on the executive team agenda could be risk and company objectives; the operations team could have items that address whether control activities (procedures) require updates or whether monitoring activities are effective; while the IT team could address infrastructure changes and security events. The key is to make these standing agenda items using a formalized agenda and document the discussions and results. That documentation can then be used as evidence to support an auditor’s testing for a SOC report. 

Lock In Commitment from Your Senior Executives

Possibly most important for a smaller company pursuing a SOC report is the commitment and support from senior management/ownership. Without this, it won’t be possible to make it through the SOC process. Having this support, however, can actually serve as evidence that supports an effective control environment, which is one area a SOC report will address. The hardest part of completing your first SOC report is the process of creating each required component step by step, which does take time and effort. 

Once the initial report is drafted and required supporting documentation identified, SOC becomes much more of a maintenance process, and ideally becomes part of an organization’s operating culture and DNA. Getting there requires a firm commitment that can only be made by the most senior members of your organization.


Pursuing a SOC report for a smaller entity can seem like a daunting task. With a strong commitment from top management/ownership, automating various tasks, using subservice organizations and creating standard agendas for existing meetings, your smaller company can reap all of the benefits a SOC report offers to even the largest of your competitors.

Contact Steve Guarini at sguarini@cohencpa.com or a member of your service team to discuss this topic further.

Cohen & Company is not rendering legal, accounting or other professional advice. Information contained in this post is considered accurate as of the date of publishing. Any action taken based on information in this blog should be taken only after a detailed review of the specific facts, circumstances and current law.

About the Author

Steve Guarini, CPA

Partner, Assurance
sguarini@cohencpa.com
586.541.7736
