For any investor evaluating a company’s viability, CEO considering expansion, or business leader trying to demonstrate transparency, the Systems and Operational Control (SOC) report is an often overlooked tool for assessing the health and well-being of an enterprise. Quality of Earnings, positive cash flows from operations, and net working capital reports are typically relied upon for due diligence assessments. However, fiscal analysis alone cannot expose vulnerabilities to hacking, security failures, or the likelihood of a privacy breach.
SOC reports evaluate an organization’s internal controls relating to financial statements and IT-based procedures and systems regulating data availability and confidentiality. In short, SOC reports identify material weaknesses, offer remedies, and prepare your company for what’s next. Like financial reports, they provide valuable performance measures and strength indicators.
Data privacy and security are top of mind due to the record number of high-profile data breaches and ransomware attacks on private companies. Costs for such attacks far exceed the ransom demanded. For example, in the State of Ransomware 2021 Report, the average recovery cost of ransomware attacks more than doubled year-over-year from $750,000 to $1.85 million. In a separate report, IBM and the Ponemon Institute concluded that the average cost of a data breach was $3.86 million.
Today’s (and tomorrow’s) economy relies on the constant exchange of electronic information creating untold risks and unforeseen threats to business continuity. Customers, investors, and corporate leaders who expect the highest data security standards can be unforgiving and litigious when systems fail. Moreover, skyrocketing IT costs represent a new and foreboding cost of doing business. An experienced CPA and internal control expert has the right tools, analytics, and testing procedures to help control costs and minimize liability.
SOC for CyberSecurity
The American Institute of Certified Public Accountants (AICPA) developed SOC reports for auditors to provide independent assurance relating to organizational risks using best practices and standardized review criteria. SOC reports provide criteria for evaluating, analyzing, repairing, and reporting on internal operational control processes and offer business leaders peace of mind to make decisions with insights and context to assess and mitigate risks.
Recently, the AICPA developed SOC for Cybersecurity in response to the heightened concerns over data privacy, storage, and transmission. The new framework builds on previous audit and assurance work by CPAs to assess the effectiveness of their clients’ protocols, in this case for cybersecurity protection. Like other SOC reports, this tool uses common, consistent language for cybersecurity risk management reporting, much as financial reporting does. In addition, consistent language allows for comparability and benchmarking, which builds trust and transparency for customers and other stakeholders.
SOC for Cybersecurity requires a multi-disciplinary team of trained internal control experts who have experience designing and implementing testing protocols and technical specialists who understand IT systems, security programs, and network management systems. Together, the team evaluates relevant quality control standards, objectively measures performance, and offers advisory remediation recommendations.
The Birth of SOC – Trust But Verify
CPAs lead the way in minimizing risk through the auditing of internal control environments. In the 1970s, CPAs began considering the effects of electronic data processing when evaluating the internal control environments during financial statement audits. As a result, CPAs added trust services criteria for evaluating norms and policies relevant to security, availability, processing integrity, confidentiality, and privacy when issuing SOC reports for the first time in the early 2000s.
SOC reports analyze business processes at the entity, department, and individual levels. For example, controls at the entity level can include regular meeting schedules of the leadership team; financial controls may consist of the approval process relating to cash disbursements; IT controls may include server maintenance and backup protocols.
Auditors use SOC 1 reports to evaluate the effectiveness of a service organization’s internal control mechanisms as they affect the customer’s financial statements. The results may also recommend improvements to the customer’s operating efficiencies. By contrast, SOC 2 is a good-governance report for customers or potential customers focused on security, availability, processing integrity, confidentiality, or privacy. SOC 3 reports are similar to SOC 2; however, they receive public distribution as a type of “Good Housekeeping Seal of Approval.”
Process and Timing
For all SOC reports, the timing and process are similar. First, the SOC team evaluates the company’s current situation using customized testing methodologies measured against industry standards and best practices. The resulting gap analysis is the starting point for immediate remediation requirements and for exceptions to be addressed in the near term and future. Once initial shortfalls are remediated, the clock starts for the Type One (“as of date”) report, which captures the status of internal controls as of the date of commencement. As a follow-up, it is advisable to produce the Type Two (“over a period of time”) report annually; it captures changes and improvements over a period of time, typically one year.
Routine and ordinary process reviews keep businesses agile and ready for inevitable disruptions. Making SOC reports part of the due diligence checklist helps uncover potentially expensive and delaying problems before they occur. In addition, companies that engage SOC experts to prepare reports annually are better protected from unanticipated threats and are better positioned for growth opportunities.
Craig Podradchik received his AICPA Advanced SOC for Service Organizations Certificate, has extensive SOX experience, and is a Partner in the Audit & Accounting Services Department of Daszkal Bolton.