The Significance of a (SOC)ket – Illuminating the Controls

5 min read
September 23, 2016 at 10:15 AM

light-bulb-1209491_640.jpg

This is a guest post that was written by April Arruda, CPA from DiSanto, Priest, & Co. in Warwick, RI. DiSanto, Priest, & Co. is a professional advisory firm that has been in business for over 50 years providing a range of services to their clients. These services include Accounting and Assurance, Tax Planning and Compliance, Management Consulting, and Business Advisory services. For more information, please visit the DiSanto, Priest, & Co. website at http://www.disantopriest.com or by calling them at (401) 921-2000. 

We’re all too familiar with the pain of losing power, the inability to cook or watch television or recharge every mobile technology we could possibly possess.  Worst of all, we know what it’s like when the sun starts to set, and we start to lose the light and our ability to see, as we try to recuperate by using flashlights or candles to get a glimpse of our surroundings. At moments like these, I’m sure you don’t need to be reminded of the importance of electric lighting. But what if we weren’t talking about your home? What if we were actually talking about your business, and not simply a power outage at your business, but a blindness in the functioning of core business processes?

Now you might be thinking you already know how your business operates, or at least your boss does. But the fact of the matter is that it is becoming increasingly more common for organizations to outsource certain business functions or business processes to third party service providers. When an organization decides to outsource a core business process to a third party, the risks of the service organization often times become the risks of the user entity. Now you could “blindly” trust that your third party service provider knows how to properly process your company’s information, as well as keep that information secure. That is their job after all, right? But that doesn’t give you any assurance that your third party service provider doesn’t have a few “short wires” in their internal control process. As a result, you might be jumping to incorrect conclusions over the sufficiency of your own company’s internal controls.

This is where a Service Organization Control (SOC) report comes in. To provide a brief overview, a SOC report is a report on the controls at a service organization relevant to the user entities or customers of that service. The AICPA has established three different types of SOC reports, appropriately named SOC 1, SOC 2, and SOC 3. A SOC 1 report (often referred to as a SAS No. 70 or SSAE No. 16 report) specifically reports on controls at a service organization that relate to the user entity’s financial reporting.  Comparatively, a SOC 2 report is not restricted to financial reporting.  Instead, a SOC 2 report relates to controls over five key factors: security, availability, processing integrity, confidentiality, and privacy. Similarly, a SOC 3 report also relates to security, availability, processing integrity, confidentiality, and privacy.  However, a SOC 3 report is a general use report that provides a Certified Public Accountant’s (CPA’s) opinion on whether the organization maintained effective controls, similar to a SOC 1 and SOC 2, but without going into the specific detail of each control or the CPA’s tests of the controls.

Download a copy of the Compass IT Compliance Critical Security Controls eBook

So why do you need to obtain such a report? What insight can a SOC report provide? Well it’s no secret that we live in a world of increased security concerns, especially with expansions in cloud computing. So how do you know that your information is safe from hackers? What if your service provider’s computer hardware crashes, how will you recover your data? What about availability, how do you know that you will have continued access to your company’s information when you need it?

With a SOC report, you know that a Certified Public Accountant (CPA) is assessing the controls of the service organization and providing a statement on the appropriateness of the design of controls and, depending on the type of SOC report, whether the controls are operating effectively. This provides assurance that the service provider you are selecting is reliable. Also, depending on the type of SOC report, you will have access to details behind the control processes, allowing your company to create the appropriate internal controls to plug up any potential “power shortages.”

Now what if the roles were reversed?  What if instead of using a third party service provider, your company is the service provider? Why should you request a SOC report for your organization? Most importantly, it will build your customer relationships. Obtaining a SOC report that demonstrates your company provides a reliable service will build trust among your current customers and attract new customers who may have otherwise chosen to work with a competitor. For example, the financial services and health care industries will often require a SOC 2 report before working with or continuing with a particular service provider, as they are managing highly confidential information. In addition to acting as a marketing tool, a SOC report can also function as a self-assessment tool for your business. Because a SOC report provides an evaluation on the design and operating effectiveness of your company’s controls, it can be used to identify any gaps or areas for improvement that will not only protect your customers’ information, but potentially your own company’s information as well.

Now what if your company is being audited or you are a service organization whose customer is being audited? If the service organization plays a role in the user’s financial reporting process, the auditor is going to want some assurance that there are adequate controls in place at the service organization.  Now the auditor could perform some testing over the service organization, but this is going to take some time; and if you’re a service organization with many customers, you could be dealing with quite a few auditors. This process could become more efficient with a SOC report, particularly a SOC 1. By getting a SOC report, the service organization will work with only one set of auditors to establish the report.  Once the service organization obtains the report, it can be provided to its customers’ auditors as support that the service organization has the appropriate controls in place.  This saves time for both the service provider and the auditors of its customers, creating overall efficiency.

Just in case you haven’t figure out my little analogy quite yet, the socket that this title refers to is your service organization. While your service organization can be a power house for efficiency and increased margins, it is important to have an effective light, whether that be a light bulb or plug-in lamp, to illuminate the quality of those business processes. The light that I am referring to is a SOC report, which can help a service organization establish itself as reliable and trusted, and also provide its users with assurance that their company’s information is being handled properly and protected.

DiSanto, Priest & Co. is a full service public accounting firm headquartered in Warwick, Rhode Island with expertise in assisting companies in evaluating their current and planned third party assurance needs, like those described above.  Give us a call if you need assistance as we would be glad to talk with you about your needs and download the SSAE 16 Readiness Assessment brochure below for more information.

SSAE16 Readiness Assessment Brochure

Contact Us

Get Email Notifications

No Comments Yet

Let us know what you think