If your company is a service organization that provides outsourced services such as payroll, IT, human resources, records maintenance or customer service support, or if you are a company that uses such third-party providers, there is a proven process to increase confidence, trust, and transparency in your business relationships. System and Organization Controls (“SOC”) reports are independent attestation reports (commonly, though loosely, called “SOC certifications”) that help strengthen your internal control structures and protect against potential breaches or losses.
SOC reports have traditionally provided assurance relating to financial reporting. Similar to Sarbanes-Oxley (“SOX”) Section 404 audits for public companies, a SOC 1 report shows that a service organization has undergone an extensive and intensive evaluation of the controls that affect its customers’ financial reporting. Auditors request and depend on these reports.
In today’s cyber economy, it has become especially important for service providers “in the cloud” to demonstrate adequate risk mitigation strategies. SOC 2 reports cover security, availability, processing integrity, confidentiality and privacy controls for companies that host or process data belonging to their customers. A third type of SOC report (SOC 3) allows the same assurance to be distributed publicly.
Growth of Outsourcing
Use of third-party service providers has grown significantly according to Statista. In 2017, the global outsourcing market amounted to $88.9 billion; it increased to $92.5 billion in 2019, with an emphasis on business services, energy, and healthcare. Outsourcing allows companies to focus on their core services while providing significant cost savings and improved quality of service. Companies must be aware, however, of the risks that come with it.
According to ComputerWeekly, poor outsourcing decisions were behind more than 60% of the data breaches investigated globally. Data breaches are costly in terms of brand reputation, system downtime and customer loss, and may also bring litigation costs and regulatory fines.
SOC Reports Explained
The American Institute of Certified Public Accountants (“AICPA”) defines three types of SOC reports; each report serves a discrete purpose in facilitating business transparency. Your company may determine that it could benefit from one, two, or even all three reports.
SOC 1 reports are used by the auditors of a service organization’s customers (the “user entities”) to evaluate the effect of the service organization’s internal controls on the customers’ financial statements. For example, consider a payroll service provider for a manufacturer. The manufacturer’s auditor will request a copy of the SOC 1 report to gain an understanding of the internal controls at the payroll company. The report also identifies the complementary controls the manufacturer itself must have in place for the overall process to be designed and operating effectively. Those complementary user entity controls are another reason it is critical to obtain the SOC 1.
SOC 2 reports cover controls over security, availability, processing integrity, confidentiality and privacy. They are intended to provide information about the service organization’s system (services, components, boundaries) in accordance with the AICPA trust services criteria, primarily addressing whether the service organization’s controls are suitably designed and operating effectively to meet the criteria that apply. SOC 2 reports are especially helpful where service providers maintain a customer’s confidential personnel or client information “in the cloud”.
SOC 3 reports are similar to SOC 2 reports but are designed to be distributed publicly to customers and prospective customers. SOC 3 reports can and should be used by companies in their marketing toolkit to take credit for their strong internal controls and transparency.
The AICPA recognizes auditors who demonstrate “advanced competency” with its Advanced SOC for Service Organizations Certificate. Advanced SOC certified auditors who also have Sarbanes-Oxley (“SOX”) experience are best positioned to handle SOC engagements because of their proven track record of planning, leading, performing and reporting on SOC examinations for service organizations.
SOC reports offer significant value to your business. Daszkal Bolton’s audit team will work with your IT professionals to conduct one, two or all three SOC audits. The team includes AICPA Advanced SOC certified auditors with substantial experience who can provide assurances to you, your customers, and vendors that financial reporting controls and internal systems handling sensitive and proprietary data are in place and working effectively.
Craig Podradchik received his AICPA Advanced SOC for Service Organizations Certificate, has extensive SOX experience and is a Partner in the Audit & Accounting Services Department of Daszkal Bolton.