Selecting the Right Service Organization Control Report for Outsourced Operations
Joe from the marketing department could lose his documents if your outsourced infrastructure isn’t secure. That might not seem like the end of the world (unless you’re Joe), but if a bank’s website goes down, the bank loses money.
To help protect you from this situation, the American Institute of CPAs established Service Organization Control reports. While addressing these requirements can be tedious, these reports ensure that service organizations are keeping a close eye on businesses’ information.
These reports provide a standardized way to evaluate and report on internal controls at service organizations. But understanding which SOC report is best for your business can be complicated if you’re not fully informed.
Increased Outsourcing Calls for Better Security
To understand SOC reports, you need to know why the AICPA helped establish them in the first place. In short, they were born out of the need to better govern the influx of outsourced services to organizations.
One major example involves cloud service providers. Cloud solutions are becoming widespread because they save time and money. Plus, companies can avoid the challenges associated with maintaining their own technology infrastructures. Companies that collect customers’ personal information or process transactions trust their providers to protect that information and maintain a system of integrity. In the case of a breach, however, companies are still liable for their customers’ privacy.
This is where the three types of SOC reports come into play for companies that use third-party service organizations. The three types of SOC reports vary in function, usage, and scope. To ensure you’re providing your clients with the information they need, it’s important to choose the right form — but deciding which SOC is needed can be tricky. Here’s a brief overview of each:
SOC 1: This is the most basic report with the most limited use and the most general objectives. Formerly known as SAS 70 and also known as SSAE 16, SOC 1 is relevant to service organizations that perform or support their customers’ financial reporting transactions, such as payment processing, asset management, and payroll processing. If your customers rely on you to support their internal control over financial reporting, stick with SOC 1.
The objectives of the report are general, and they relate to business processing and IT controls. This report is for your company’s auditors and for the management at a service organization. If the service organization doesn’t support financial reporting transactions, beware — this report is commonly misused.
SOC 2: The standard scope of this report includes security, availability, processing integrity, confidentiality, and/or privacy. This standard is defined as the Trust Services Principles and Criteria. This report can be applied to a range of systems used by customers and companies. And because these reports include controls over specific requirements, such as disaster recovery solutions and security risk monitoring, they’re generally considered a “deeper dive” into the service provider’s systems.
A SOC 2 report offers management a certified public accountant’s opinion on the service organization’s handling of information. In addition to this opinion, it includes details on all the inner workings of the system and how it’s controlled.
SOC 3: The SOC 3 report is shorter than the SOC 2. It doesn’t contain all the details or reference operational effectiveness tests like the SOC 2 report does, but it still offers a CPA’s opinion on the system. The benefit of a shorter report is that there are no restrictions on report distribution. This report can be posted on the service organization’s website, which can make marketing departments happy and reassure consumers.
Anything related to system uptime, security beyond general IT controls, confidentiality, or privacy will call for SOC 2 or 3 reports. The difference between these two concerns what the reports cover. Remember, SOC 3 includes fewer details about the environment.
SOC reports can be pretty complicated. If you’re interested in getting more information, including which professional standards govern each type of audit, visit the AICPA’s page on SOCs.
As the use of outsourced services continues to rise, people will want more assurance that the information they’re handing over is in safe hands. SOC reporting, in particular, can be a daunting task for many organizations. But by doing your due diligence and selecting the correct report, you’ll protect your organization and your clients (including Joe) from risk.
Share This Article:
About Brad Thies
Brad Thies is principal at Barr Assurance & Advisory Inc. , a risk consulting and compliance firm that provides business performance, information technology, and assurance services to clients across a variety of industries