That’s SOC, Not SOX: SOC Reports Audit the Safety of Company Data

Are Your Assets Safe? Find Out with an SOC Report

Private companies typically do not spend resources on Sarbanes-Oxley Act (SOX) compliance, but they do need to understand System and Organization Control (SOC) reports.

Financial audits are used to satisfy banks and investors. SOC reports are used to assure clients and owners that a service organization is properly safeguarding its assets. This applies to data, privacy, data centers and more.

The Origin of the SOC Report

As IT systems moved from on-premise to off-premise data centers, clients wanted assurance that their data was safe, and that their privacy was protected. This resulted in the SAS 70 audit reports that were first issued in April 1992 by the AICPA. After Sarbanes-Oxley became law in 2002, and with the move to outsourced services, the SAS 70 audit became a standard part of business.

The modern SOC report came into being in 2011, when the AICPA updated audit requirements to test the safety and integrity of assets.

3 Types of SOC Audits

An easy way to understand the differences between the three types of SOC reports is:

• SOC 1 – An attestation report for financial statements (follows the money)
• SOC 2 – Tests assurance of cloud computing and other outsourced business processes, and IT outsourced functions (follows the data)
• SOC 3 – A simplified SOC 2 intended for a public audience

For more details, look at the chart comparison of SOC reporting types:

5 Steps of SOC Audits

The five steps of the SOC audit process are:

• Planning the work;
• Understanding the control environment, processes and procedures;
• Pulling all of the documentation needed to structure testing;
• Designing and executing test procedures; and
• Writing the report and documenting the results of the testing.

Uses for SOC Reports

The most common use of these attestation reports is as part of a  compliance requirement for vendors that provide key external systems and outsourced services to customers (e.g., payroll, CRM, and logistics). The more your business runs in the cloud, the more important these controls become. In today’s interconnected world, as a vendor you are now a direct part of your customer’s business. Because of this, without a SOC report, you are likely to receive security questionnaires and other compliance requirements from existing and prospective customers, all of which is costly and prolongs the sales cycle.

Customers

For customers, while you can outsource a service, you cannot outsource the risk. Your vendors are an extension of your business. If you are handling sensitive data , or if you operate in a regulated industry, your vendors are equally responsible to protect your data and comply with your regulatory requirements. A SOC audit may be your only way to make sure your vendor is as reliable as you need them to be.

Buyers

If you are on the buy-side of a transaction, think of SOC 2 as a type of QoE tool for outsourced business processes. When you buy a business, you want to assess: “What can go wrong?” It is hard enough to understand the business you are buying, so how are you going to assess the cloud-based services that it relies upon or provides? Forcing the suppliers to produce SOC reports saves the time and money that most deals cannot afford.

Fiduciaries

Lastly, if you are a fiduciary director, your duty of care obligations require you to assess both internal and external systems. What happens if one of these systems fails? If there is a data breach? How do you determine if your crisis preparedness is commensurate to the risk? SOC 2 reports will help to assess both internal and external systems. As a fiduciary, it is worth exploring if a SOC report is warranted. Additionally, if you are a healthcare organization or serving that industry, you should consider HITRUST (Health Information Trust Alliance) certification, and if you have global operations and customers, you should consider ISO accreditation.

Should You Request a Report?

If you run a $5M revenue business, you should be asking your suppliers for their SOC  reports just to protect your business.

If you are in charge of a $100M revenue business, you should talk to your auditor about your risk profile, and if you should pursue SOC reports.

Finally, if you are on the Board of a $500M revenue business, you likely have an internal audit function, and should have some degree of SOC reporting already underway.

[Editor’s Note: To learn more about this and related topics, you may want to attend the following webinars: Data Privacy and Security 101 and How to Build and Implement Your Company’s Information Security Program.]