How SOC reports provide assurance to stakeholders, customers
Service organizations are trusted with some of their customers’ most sensitive information. In order to thrive, these organizations need their stakeholders’ full faith that their internal controls safeguard both financial and nonfinancial information, and are designed and operating effectively. How can service organizations demonstrate that their control systems are protecting their customers? According to the American Institute of Certified Public Accountants (AICPA), Service Organization Controls (SOC) reports are the answer.
Smart Business spoke with Jeff Stark, audit partner at Sensiba San Filippo LLP, about SOC reports and how they help service organizations provide the broad spectrum of assurance their stakeholders require.
What are SOC reports?
SOC reports are standards created by the AICPA to allow for reporting on controls at service organizations. There are three types of SOC reports: SOC 1, SOC 2 and SOC 3. Together, they both replace and expand on Statements on Auditing Standards (SAS) 70 reports, giving service organizations the tools they need to provide the assurance their stakeholders require.
Though not widely known, SOC reports are becoming essential to the ongoing growth of the technology service sector as more businesses outsource tasks and functions to outside service providers. Since the risk of the service provider becomes the risk of its stakeholders and customers, SOC reports provide much-needed assurance, empowering service organizations to gain trust while helping to protect their stakeholders from outside risk.
Why was SAS 70 replaced?
Since 1992, SAS 70 has provided service organizations with a vehicle to disclose control objectives and activities related to financial reporting. As the market changed, service organizations had a growing need to report on many nonfinancial control objectives. SAS 70, with its limited intended focus, was too often being used for purposes outside of financial controls.
In order to solve this problem, the AICPA issued Statements on Standards for Attestation Engagements (SSAE) 16, which replaced audit standards with attestation standards for internal controls over financial reporting. SSAE 16 standards became the basis for SOC 1 reporting, replacing SAS 70.
Additionally, the AICPA issued guidance related to attestation on controls relevant to the Trust Services Principles and Criteria, including security, availability, processing integrity, confidentiality and privacy. This guidance became the basis for SOC 2 reporting, bridging the gap between the market need for broad assurance reporting and the previously narrow financial focus of SAS 70.
How can an organization know whether a SOC 1 or SOC 2 report is right for them?
Whether an organization should obtain a SOC 1 or SOC 2 report depends entirely on the controls in question. Controls relating to information that could affect financial statements are covered by SOC 1 reports. SOC 2 covers controls related to nonfinancial information.
Payroll processors, employee benefit plan managers and banks commonly use SOC 1 reports. Data centers, Software as a Service providers and companies subject to industry-specific regulatory standards frequently benefit from SOC 2 reports.
Why should companies consider SOC reporting?
Service organizations that want to remain competitive need internal control attestation in a variety of areas. Many companies will not even consider working with an organization without assurance that relevant controls are well designed and operating effectively. In a highly risk-averse business climate, organizations can demonstrate effective controls with the appropriate SOC report.