Ostendio Blog

How SOC audits help businesses during uncertain times

Written by Grant Elliott, President and CEO, Ostendio | May 13, 2020 3:49:06 PM

How is your business showing compliance with respect to operational and business risks during these uncertain times? Many companies turn to the popular SOC (Systems and Organizational Controls) report, conducted by a CPA who is accredited with the AICPA. These auditing standards require an independent and rigorous evaluation of internal controls related to financial reporting, policies, and procedures. The report tells us if audits have been performed according to the guidance on standards that should be used for operational and technological business risks. During this uncertain time, it is critical that businesses look at their processes and procedures and how they handle risk and compliance. The SOC criteria can help support business success now and in the future.

The AICPA has a helpful list of FAQs related to issues arising from COVID-19 that might affect audits. The Q&A document covers issues arising from changes to an organization’s operations due to COVID-19, including personnel changes and changes to the system used to service customers. The Q&A also covers the ability to perform SOC examinations remotely and the need for management representation letters to provide additional business information linked to COVID-19 that may affect operations.


How can a SOC audit benefit my business?

Completing a SOC audit can strengthen your business's reputation, financial statements, and stability by documenting, evaluating, and improving internal controls. Many contracts are dependent on the company having a SOC report, and if your company has already gone through the audit, or started the process, you will be ahead of your competitors in showing you are serious about business efficiency and security.

SOC reports are especially important for businesses that handle customer data for others, such as SaaS (software-as-a-service), healthcare and financial services.

How do I know what SOC report I need?

There are 3 different SOC reports, and they can be applied to virtually any industry or business sector. In the past, SOC reports were focused on financial controls, but they now include all types of business risks that come with outsourcing, including operations, data privacy, and compliance.

To determine which report is needed, you first need to know how they differ:

SOC 1 is a financially focused report that is not able to verify broader security, operations, and data compliance. It’s an audit of the internal controls at a service organization that are relevant to financial reporting (ICFR). These reports are intended for auditor-to-auditor communication.

SOC 2 reports are specifically designed to report on the controls that make up the 5 categories of the Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. SOC 2 Type 1 reports demonstrate that, at a particular moment in time, everything is correct and compliant, and are therefore reports that recur. They can be shared with customers, management, regulators and third parties. As they contain sensitive information, a Non-Disclosure Agreement may be necessary before sharing. SOC 2 Type 2 reports provide a historical record of execution, demonstrating that the control has in fact been operational for a period of time.

SOC 3 reports also focus on the Trust Services Criteria controls. However, unlike SOC 2 reports, SOC 3 reports are certified and can be widely shared. They’re considered ‘General Use’ reports and offer a less detailed summary of the information. The same information as in a SOC 2 report needs to be considered, so it’s not uncommon for organizations to do a SOC 2 and then have the auditors write the SOC 3 summarizing the SOC 2 report. They can be a valuable marketing tool for demonstrating the effectiveness of your control environment. 

Based on these factors, you can begin to determine which report you need. If you only require financial reporting, a SOC 1 report is likely sufficient. If you require any data security verification, you’ll need a SOC 2 or SOC 3 report.

Ostendio has been working with companies for over 7 years to guide them through the compliance process. We have SOC experts who can help you prepare for an audit, show how the MyVCM platform can make it easier for your business to go through an audit, and help you select an auditor. Take a look at our resources page for more SOC-related help or talk to an expert at Ostendio for more information.