Understanding the Three SOC Reports
SOC reports provide assurance to a company about how third party service providers are handling information. Companies looking to go public should be aware of the differences between the three SOC reports to maintain an effective control environment and comply with SOX.
Introduction
As outsourced and cloud-based services become more commonplace, companies looking to go public need to be aware of, and determine the need for, System and Organization Controls (SOC) reports. Companies are subject to a substantial number of risks related to financial data, cybersecurity, and hosting private information. To mitigate these risks, audits and certifications have expanded in recent years to provide assurance that risks of material misstatement, information leaks, and other security issues are minimized. The Sarbanes-Oxley (SOX) Act of 2002 was an important piece of legislation that created a number of requirements associated with corporate governance and internal controls for public companies. SOX requires larger issuers (i.e., accelerated or large accelerated filers) to certify, and receive independent attestation on, the effectiveness of internal controls over financial reporting. Importantly, the processes and controls over data processed by third parties are not exempt. To comply with SOX requirements, companies that outsource certain processes used to generate financial statement information need to obtain the service provider’s SOC report.
Although pre-IPO companies are not subject to the SOX requirement to gain an understanding of the control environment of a third-party service provider, they can still benefit from gaining an understanding of the internal controls surrounding key processes that SOC reports communicate. However, the fact that there are three different SOC reports—aptly named SOC 1, SOC 2, and SOC 3—can be confusing. This article serves to demystify SOC reports by outlining what each report is, and why it matters to a company considering an IPO.
SOC 1 Report
Simply stated, a SOC 1 report gives a company assurance that financial information is being handled securely by a third party. Because financial data is being handled by a third party, part of a financial statement audit includes gaining assurance that the third party has controls in place to ensure that financial data is secure and accurate.
A company that utilizes a payroll processing company instead of hiring an internal payroll team will need to request that the payroll processing company send it a SOC 1 report. The SOC 1 will assure auditors that the payroll data is being accurately calculated, and that controls exist to mitigate risk. SOC 1 reports are not made for the general public and are usually only shown internally within a company and shared with auditors when requested.
Why does it matter to an IPO?
There are two main reasons that companies considering an IPO should be aware of SOC 1 reports:
- The report is not just for auditors. The report contains information that the company itself needs to be aware of. The service organization will identify control objectives and control activities. An audit firm will then provide an opinion on the control objectives and the associated activities.
A company needs to do more than just receive the report and pass it straight to the auditors. Companies should read through the report to gain an understanding of the controls that are in place, and the controls that are not in place. Similarly, the company should look through the associated control activities and determine whether those activities are in line with the type of assurance it is looking for. In this way, a company can be aware of how the third party is handling the financial data and decide whether that handling is sufficient.
Additionally, the controls put in place by the service company can be rendered ineffective if the customer does not have adequate security in place. The SOC report will list Complementary User Entity Controls (CUECs) as a set of policies that the user entity (customer) must have in place. The CUECs are usually security controls such as separation of duties or encryption of data, but can be more complicated depending on the service provider. CUECs are documented within the SOC report to ensure that financial data is safe and accurate.
- Choosing companies that are SOC compliant is imperative. This report is commonly associated with financial statement audits, and as such, third-party services that cannot provide SOC reports should not be utilized. SOC compliance can be costly, and not every service provider chooses to provide SOC reports.
SOC 2 Report
A SOC 2 report provides assurance around selected Trust Services Criteria (TSC), which are defined by the AICPA as:
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
Similar to a SOC 1 report, companies request SOC 2 reports from third parties. However, where a SOC 1 report is primarily concerned with financial data, a SOC 2 report focuses on any data that could be regarded as important or sensitive. This report may be requested for a variety of reasons, but usually not for a financial statement audit.
For example, customer data handled by a third-party service provider should be:
- Protected from unauthorized access (Security)
- Available to the users when needed (Availability)
- Free from change errors while in custody of the service provider (Processing Integrity)
- Retained and/or deleted based on the contract details (Confidentiality)
- Destroyed and/or changed when requested by the personally identified individual according to generally accepted privacy principles (Privacy)
While the security TSC is always required by a SOC 2, the other four criteria are not required, as they might be less relevant in certain industries. As such, companies should be aware of the types of controls that are put in place to ensure that data is handled correctly, and the SOC 2 report provides that information.
These reports are a great way for companies to understand risks and how third parties are managing them. SOC 2 reports are not made for the general public and are usually only shown internally within the company that requested the report.
Why does it matter to an IPO?
There are two main reasons that companies looking forward to an IPO should keep a SOC 2 report in mind:
- This report helps create a more secure control environment. When companies utilize third-party and cloud services, they become subject to risks they don’t have control over. Getting a baseline understanding of a third-party service provider’s controls, and their effectiveness, could be extremely helpful for a growing company looking to manage risk. Controlled growth is essential for growing companies, and a SOC 2 report can help companies grow alongside other companies that value keeping data secure.
- Customer retention and acquisition can be easier with this level of assurance. Companies that have a good foundation of data security have an easier time finding customers and retaining them. No one wants to do business with a company that has internal data issues like leaks, breaches, or mishandled information. Companies that have a handle on their risks will gain a better reputation in the community for their good governance practices.
SOC 3 Report
The SOC 3 report is a watered-down version of the SOC 2 report made for the general public. The previous two SOC reports discussed are made for management, regulators, and other parties that request to know about the security of data. The SOC 3 report provides customers or any interested parties with the following information:
- The auditor’s opinion letter
- Management’s report of assertions on the effectiveness of the controls in place
- A list of tested services with descriptions
A company looking to get an outsourced service provider could request a SOC 3 report and gain an understanding of the controls in place to decide if the service provider deserves their business.
Why does it matter to an IPO?
Knowing that the SOC 3 exists and knowing what it contains is useful for vetting potential service providers. For a company preparing to go public, understanding the SOC 3 report would be instrumental in helping the company get a better handle on its control environment.
Conclusion
SOC reports are something that pre-IPO companies need to be aware of. Keep the following points in mind to ensure your company is prepared:
- A public company needs a SOC-compliant company to provide third-party services that deal with financial data (like outsourced payroll).
- Read through the SOC report to gain an understanding of what controls your third-party service provider has in place, and what controls you should have in place.
- A SOC 2 report provides assurance on any of the five trust services criteria: security, availability, processing integrity, confidentiality, and privacy.
- SOC 1 and SOC 2 reports come in two types. The type 1 report only provides an assessment of the design of the controls at the service provider. The type 2 report provides assurance of both the design and operating effectiveness of the controls over a period of time.
- SOC 3 reports can help your company determine that a third-party service provider has sufficient controls in place.
Resources Consulted
- https://us.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/soc-logo-guidelines-service-organization.pdf
- https://us.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/trust-services-criteria.pdf