In recent years regulators have transitioned toward control reporting standards that are more specific to the service offering provided by the service organization. Enter SOC 1 (formerly SSAE 16). SOC, or Service Organization Control, audits serve as a way to create more value, transparency and awareness within service organization reporting.
Within the framework, there are three types of SOC audits to choose from; the right one for you depends on the nature of your industry. The main difference is that SOC 1 reports on the controls of the service organization that are related to its clients’ financial reporting, while SOC 2 and SOC 3 report on the effectiveness of controls related to compliance or operations. So how do you determine which (if any) report is right for you? Here are a few questions you can ask yourself to determine your reporting needs.
1. Does Your Company Provide a Service That Affects the Financial Statements of Another Company?
The main question to ask yourself in order to determine whether or not your company will need a SOC 1 audit is: “Do we provide a service that affects the financial statements of another company?” If the answer is yes, then the SOC 1 report is probably necessary for your company. Collections agencies, payroll administrators and fulfillment companies are a few specific examples of the types of businesses that may require a SOC 1 report.
2. Does Your Company Provide a Service That Affects Compliance and Operational Controls?
With technology advancing at the speed of light, there are more and more technology-based organizations popping up all the time. If your organization works with clients in any of the following categories, chances are you will need the SOC 2 report:
- Security - The system is protected against unauthorized access
- Availability - The system is available for operation and use as committed or agreed upon
- Processing Integrity - System processing is complete, accurate, timely and authorized
- Confidentiality - Information designated as confidential is protected as committed or agreed upon
- Privacy - Personal information is collected, used, retained, disclosed and/or destroyed in accordance with established standards
The SOC 2 report offers service organizations a way to create a separate report specific to systems not related to financial reporting. Data centers, IT managed service providers, software-as-a-service vendors and other cloud-computing-based businesses are a few examples of organizations that typically require the SOC 2 report.
3. Does Your Service Organization Wish to Keep the Details of Your Controls Confidential?
If you’ve determined that your organization requires the SOC 2 report, there’s a chance you could take advantage of the SOC 3 report instead. The SOC 3 report serves the same purpose as the SOC 2 report; however, it doesn’t require a detailed description of the operations- or compliance-related controls, and the distribution of the report is not restricted. A company’s SOC 3 can be reviewed by anyone who would like confidence in the controls of your organization.
Each report serves a unique, specific purpose, and can be very valuable to a service organization. In today’s business world, relationships are built based on trust. Establish this critical foundation early with the appropriate reporting system in place right from the start.