SOC stands for Service Organization Control. Service Organization Control reports can be a critical part of vendor management and risk management. The general goal of a SOC report is to help a service organization demonstrate to the organizations it serves that the services it performs can be trusted.
The concept of SOC reports is increasingly important as more organizations are using multiple vendors and applications and outsourcing many key tasks.
With cloud computing, companies are outsourcing everything from data backup to network monitoring as well as security, bill processing, application development and more.
That means it’s essential to ensure all these vendors are properly vetted and that due diligence is done, not only to protect your organization but also your clients.
There isn’t a specific law requiring vendors to provide you with a SOC report, but you should be proactive in asking for them from your vendors.
The following are other important things to know about SOC reports and requesting them.
Different Types of Reports
There are four types of reporting options that a vendor can provide upon request. These include:
- SOC 1: This is the report that’s primarily for the processing of financial transactions. It is important for financial statement reporting, and within the larger category of SOC 1 there are Type 1 and Type 2 reports. A Type 1 report looks at the design of controls at a certain point in time, while a Type 2 report looks at the operating effectiveness of controls over a period of time.
- SOC 2: This type of report is about security, availability, and the privacy of data and data storage. Again, there is a Type 1 and Type 2 of this report also.
- SOC 3: These reports are similar to SOC 2, but less detailed and tailored to the needs of a general audience.
- SOC for Cybersecurity: As even very small organizations face significant cybersecurity threats, this SOC report is important. This gives an indication of risk management and overall cybersecurity. This helps you gain a better understanding of how your vendors might deal with a breach and mitigate the fallout if a breach were to occur.
Reasons to Ask for a SOC Report
If your auditors don’t require you to ask for a SOC report, you may think you don’t need to request them, but you do. The following are reasons to request a SOC report.
- SOC reports give you a rundown of the system that your vendors are using to provide their services.
- You can learn more about the operating effectiveness of your vendor’s systems.
- When you review a SOC report, it can help you identify potential risks and then put controls in place to reduce those risks.
The service providers you should think about requesting a SOC report from include:
- Accounts Receivables and Collections Vendors: This is especially important because these vendors are going to be dealing with a lot of sensitive personal and financial information from your business and also your clients. You want to be able to demonstrate to your clients that all of your vendors are going to safeguard their information.
- Managed Services: Managed services can include cloud providers such as SaaS and IaaS platforms. You need to make sure these vendors are not only looking out for the security of your data but also how they maintain system availability and reliability.
- Document Management: Do you outsource any element of your document management? If so, it would be prudent to request a SOC report, and especially a SOC 2 report. This will show you how your documents are being stored and maintained.
- Healthcare: If your business relates to healthcare in any way, you should think about requesting SOC reports and especially SOC 2 reports. Just one data breach when a company deals with health care information could be devastating.
What To Do with the Report
Once you request and then receive your SOC report, it’s not something to set aside once the box has been checked—you need to review it. You want to review it for completeness first and foremost.
You’ll also want to look at the controls the vendor assumes your organization has in place on its own side, and you want to make sure you actually have those controls.
Then you can start looking to see whether the auditor noted any exceptions.
Finally, if you have a vendor who isn’t willing to provide a SOC report or raises any other red flags, it’s best to look elsewhere.