Private companies typically do not spend resources on Sarbanes-Oxley Act (SOX) compliance, but they do need to understand System and Organization Control (SOC) reports.
Financial audits are used to satisfy banks and investors. SOC reports are used to assure clients and owners that a service organization is properly safeguarding its assets. This applies to data, privacy, data centers and more.
As IT systems moved from on-premise to off-premise data centers, clients wanted assurance that their data was safe, and that their privacy was protected. This resulted in the SAS 70 audit reports that were first issued in April 1992 by the AICPA. After Sarbanes-Oxley became law in 2002, and with the move to outsourced services, the SAS 70 audit became a standard part of business.
The modern SOC report came into being in 2011, when the AICPA updated audit requirements to test the safety and integrity of assets.
An easy way to understand the differences between the three types of SOC reports is:
For more details, look at the chart comparison of SOC reporting types:
The five steps of the SOC audit process are:
The most common use of these attestation reports is as part of a compliance requirement for vendors that provide key external systems and outsourced services to customers (e.g., payroll, CRM, and logistics). The more your business runs in the cloud, the more important these controls become. In today’s interconnected world, as a vendor you are now a direct part of your customer’s business. Because of this, without a SOC report, you are likely to receive security questionnaires and other compliance requirements from existing and prospective customers, all of which is costly and prolongs the sales cycle.
For customers, while you can outsource a service, you cannot outsource the risk. Your vendors are an extension of your business. If you are handling sensitive data, or if you operate in a regulated industry, your vendors are equally responsible for protecting your data and complying with your regulatory requirements. A SOC audit may be your only way to make sure your vendor is as reliable as you need them to be.
If you are on the buy-side of a transaction, think of SOC 2 as a type of QoE tool for outsourced business processes. When you buy a business, you want to assess: “What can go wrong?” It is hard enough to understand the business you are buying, so how are you going to assess the cloud-based services that it relies upon or provides? Forcing the suppliers to produce SOC reports saves the time and money that most deals cannot afford.
Lastly, if you are a fiduciary director, your duty of care obligations require you to assess both internal and external systems. What happens if one of these systems fails? If there is a data breach? How do you determine if your crisis preparedness is commensurate to the risk? SOC 2 reports will help to assess both internal and external systems. As a fiduciary, it is worth exploring if a SOC report is warranted. Additionally, if you are a healthcare organization or serving that industry, you should consider HITRUST (Health Information Trust Alliance) certification, and if you have global operations and customers, you should consider ISO accreditation.
If you run a $5M revenue business, you should be asking your suppliers for their SOC reports just to protect your business.
If you are in charge of a $100M revenue business, you should talk to your auditor about your risk profile, and if you should pursue SOC reports.
Finally, if you are on the Board of a $500M revenue business, you likely have an internal audit function, and should have some degree of SOC reporting already underway.
[Editor’s Note: To learn more about this and related topics, you may want to attend the following webinars: Data Privacy and Security 101 and How to Build and Implement Your Company’s Information Security Program.]
Bruce Werner is the Managing Director of Kona Advisors LLC and served as an outside director on private company boards for the last three decades. Kona Advisors LLC provides advisory services to the owners, investors and CEOs of private and family-owned businesses. With deep experience in governance, succession planning, finance, strategy and management issues, Kona…