Written by Michael Eanes, CPA
As technology reaches further into every area of our lives and businesses, it becomes more and more important for technology and software companies to give their customers assurance that their systems, processes and services can withstand the ever-present threat of cyberattacks. Customers want to know that the services they purchase are delivered securely, accurately and reliably. This applies not only to direct service providers but also to the third-party contractors those providers rely on to deliver the service.
In highly regulated industries like financial services, third-party compliance isn’t a nice-to-have; it’s a must-have. The Consumer Financial Protection Bureau, the Office of the Comptroller of the Currency (OCC), and other regulators have published explicit examination guidance on third-party risk management. The OCC’s guidance expects banks to stipulate in their contracts with third parties the types and frequency of audit reports they require. Similarly, in the healthcare industry, business associates and their subcontractors are directly liable under the Security and Privacy Rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). As a result, companies that provide technology services to the financial services or healthcare industries inherit those contractual and/or regulatory requirements.
In response to these growing demands for assurance, the AICPA developed Service Organization Control (SOC) reports to help companies that outsource tasks or functions to third-party providers. SOC reports provide a framework for CPAs to examine a service provider’s controls and help senior management at the customer understand the risks of outsourcing to that provider. The SOC 1 report is the successor to the former SAS 70 report. Historically, SAS 70 was only intended to cover controls relevant to a customer’s financial reporting, but companies had misused it to issue reports on controls over outsourced, non-financial matters such as security and availability rather than using the correct attest standard for that subject matter. The SOC framework clarifies which standard applies to which subject matter and how it should be applied to meet specific user needs. Typically, a SOC report is applicable to companies providing outsourced services to user entities (e.g. SaaS providers, payroll companies, benefits administrators, trust companies/administrators, claims processors, outsourced IT departments, application service providers, etc.).
Benefits of SOC
Undertaking SOC attestation can provide numerous benefits, including building trust with current customers and prospects. SOC reports provide a look under the hood without requiring the user entity to perform the audit itself. Most large organizations partner with hundreds or even thousands of outside service providers, and auditing each vendor one-by-one would be time-consuming, inefficient and disruptive to both parties.
Additionally, public companies, which must answer to both investors and regulators, may be more likely to engage a technology service provider that has met the rigors of the SOC process. This is not limited to public companies, however. Private companies also value the assurance that a SOC report provides, particularly when they rely on a provider to store, process or transmit private and confidential information.
Moreover, an outside review gives company management confidence that their controls and activities are functioning as expected. On the flip side, a SOC report can expose risks that management needs to address and correct in a timely manner, before a customer or regulator finds them.
Depending on a company’s needs, there are different levels of SOC reports. A brief description of the three reports is outlined below:
SOC 1
These reports examine controls at a service organization that are relevant to a user entity’s internal control over financial reporting and are primarily an auditor-to-auditor communication. The engagement is performed under the Statement on Standards for Attestation Engagements, SSAE 16 – Reporting on Controls at a Service Organization (SSAE 16 has since been superseded by SSAE 18, which now governs SOC 1 engagements). The SOC 1 report is the equivalent of the former SAS 70 report and requires the same level of evidence and assurance. There are two types of SOC 1 reports: a Type 1 reports on whether controls are suitably designed and implemented as of a single point in time, while a Type 2 covers a period of time (typically six to twelve months) and adds the auditor’s testing of whether those controls operated effectively throughout that period. Use of this report is restricted to management of the service organization, user entities, and user auditors.
SOC 2
These reports are intended to meet the needs of a broad range of users who need to understand internal controls at a service organization as they relate to security, availability, processing integrity, confidentiality, and privacy (based on the AICPA trust services principles and criteria). These are areas not covered by a SOC 1 report. A service organization can include one or more of the trust services principles in the scope of a SOC 2 report; security is the baseline most customers expect, and the others are added as the service warrants. SOC 2 reports are generally restricted and intended for use by stakeholders such as user entities, regulators, business partners, suppliers, and others who have an understanding of the service organization and its controls. As with SOC 1, a SOC 2 report is prepared as either a Type 1 (design as of a point in time) or a Type 2 (design and operating effectiveness over a period).
SOC 3
These reports cover the same subject matter as a SOC 2 report, but in a general-use, short-form format that can be freely distributed and publicly promoted with the AICPA SOC 3 seal on a service organization’s website. They are often issued in conjunction with a SOC 2 report. The primary difference from a SOC 2 report is that a SOC 3 report does not include the detailed description of the service organization’s system or any information on the tests performed and their results. It simply provides the auditor’s opinion on whether the service organization maintains effective controls over its systems, so a prospective customer who needs to evaluate specific controls will still need the SOC 2 report. SOC 3 reports are designed for entities that maintain or process electronic consumer data through e-commerce, software as a service (SaaS) solutions, and other electronic systems.
When should you get a SOC report?
Service organizations frequently wait until a report is requested or required of them. Bear in mind, however, that preparing for a first SOC examination can take six months to a year: controls must be designed, documented and, for a Type 2 report, operating for the whole review period before the auditor can test them. In addition, most clients (user entities) prefer the SOC attestation to have been performed within the last six months to a year. From the Public Company Accounting Oversight Board’s perspective, a SOC 1 report that is more than three months old is a potential issue unless a gap letter (also known as a bridge letter) is obtained from the service organization to cover the period not covered by the report. Once an organization completes its first SOC examination, reports are typically issued annually going forward, although some customers may require more frequent reporting. Requests for these reports have grown significantly in the last few years as user entities increasingly require them from their outsourced service providers as part of vendor management due diligence and to satisfy requests from their own auditors and regulators.
BMSS can issue each of these types of reports and can help your company determine which type of report is right for you. Please contact one of our BMSS professionals if you have any questions or would like to discuss these reports in more detail. We can help determine what is right for you and the steps needed to ensure that your company is ready to meet increasing demands for assurance.