Why SOC Reports Can Help You Sleep at Night
June 27, 2019
By Carolyn Haesler
As companies take steps to optimize their resources, there has been a move to outsource certain services to organizations that, with economies of scale, can provide automated services in an efficient and cost-effective manner. Many utilize providers to process and automate the payment of payroll and payroll-related items. The same trend has led to cloud-based outsourcing of benefits management and human resources data. These sites allow employees to access and establish elections directly and enable companies to store pertinent benefit and personnel information. For those companies with benefit plans, services have generally been outsourced to record keepers and custodians to maintain participant accounts and allow individuals to make online elections and investment decisions. As companies relocate data centers offsite, physical security around a center is often entrusted to an outsourced party. From the service provider’s perspective, each customer company is a user entity.
As companies increasingly outsource services, they are requesting confirmation that these vendors have established controls. But how? One way is via a SOC report. What is a SOC report and what does it tell users?
SOC 1, 2 and 3 Reports
There are several different types of SOC reports. A SOC 1 report addresses controls at a service organization relevant to user entities’ internal control over financial reporting. The SOC 1 is used, typically by the user entity and its financial statement auditors, to gain an understanding of the service organization’s system. A SOC 2 report addresses non-financial controls measured against the trust services criteria: security, availability, processing integrity, confidentiality and privacy. Because of the sensitivity of the information found in a SOC 2 report, it is distributed only to customers and other specified parties; a separate, general-use SOC 3 report gives a high-level summary of the same examination without the detailed description of controls and test results.
Type 1 and 2 Reports
Both SOC 1 and SOC 2 reports come in two types. A Type 1 report addresses whether controls are suitably designed and implemented as of a specified date; it says nothing about whether they operated over time. A Type 2 report addresses both the design and the operating effectiveness of those controls over a specified period, typically six to twelve months, and includes the auditor’s tests of each control and the results. For ongoing reliance on a vendor, the Type 2 report is the one to ask for.
Interpreting the Findings
What should a user entity do with the SOC report? Users need to understand the controls in place at the outsourced provider and whether they are functioning properly. SOC reports should be requested from vendors on a timely basis, and the period covered should be compared against the period over which the user entity relied on the service; any gap between the end of the report period and today should be covered by a bridge letter from the vendor. A SOC report is generally broken down into sections including (1) the independent service auditor’s report; (2) management’s assertion; (3) the description of the system; and (4) the control objectives or criteria, the related testing and the results.
First, read the auditor’s report. It will describe the period covered, the services and locations included in scope, and the opinion reached. If the opinion is qualified because of exceptions found during testing, the report will highlight the controls that were not performing as designed. Note that an unqualified opinion does not mean no exceptions were found: individual test exceptions that the auditor judged not to rise to the level of a qualification are still listed in the testing and results section, so that section should be read in full. Users should determine the reliance they have placed on the impacted controls. In response, additional steps may need to be performed to compensate for the noted exceptions.
Complementary User Entity Control Considerations
Another key area a user should understand and read through carefully is labeled “Complementary User Entity Controls” (sometimes “Complementary User Entity Control Considerations”). In order for the service organization to achieve certain objectives identified in the SOC report, it assumes that complementary controls are appropriately designed and functioning at the user entity. Typical examples are that the user entity provisions and removes its own users’ access to the service promptly, restricts administrative accounts to authorized personnel, and reviews the output the service returns for accuracy. Within this section of the report, the service organization will list these controls under each objective. It is imperative that a user of this report understands the complementary controls and documents how each one has been met. If users are not addressing these controls, reliance on the work performed at the service organization may be adversely impacted, because the auditor’s opinion was given on the assumption that those controls exist.
Ultimately, a timely review of SOC reports can help you sleep at night, knowing that the organizations you have chosen to rely upon have controls in place that are functioning as intended.