What are SOC Examinations (and Why Do They Matter?)
Meaghan Reynolds, Partner
If you’re in a leadership position at a business, you might have heard of a SOC examination. These examinations, typically requested by clients, prospective clients, or business partners, result in a report that covers the System and Organization Controls (SOC) your business has in place.
In recent years, SOC examinations, and the SOC reports that flow from them, have become increasingly commonplace as businesses take steps to ensure that the vendors they partner with embrace robust internal controls that safeguard confidential data.
Various types of SOC reports have emerged, and it’s important that you understand the distinctions between them. In this guide, we’ll provide an overview of the main categories of SOC examination and explore why your business should be able to produce these reports when requested.
Strothman+Co is a Louisville, KY CPA firm committed to helping entrepreneurial businesses grow. We provide a wide range of accounting and advisory services, including SOC examinations, that give our clients the confidence they need to grow their businesses. To learn more about our services, contact us today.
SOC Examinations: An Introduction
At a high level, a SOC examination can best be defined as an assessment of the internal controls that exist within a business. This examination, which you might see referred to as a SOC audit, results in the production of a SOC report.
Businesses use these reports, produced by independent CPA firms like Strothman+Co, to assure their clients and partners that they follow an approved series of internal controls within their business.
There are several types of SOC examinations. By far the most common are SOC 1 and SOC 2 examinations. In years to come, it’s expected that additional examinations, including SOC for Cybersecurity and SOC for Supply Chain, will become more commonplace.
For now though, if you’ve been asked for a SOC report, you’re likely being asked for a SOC 1 or SOC 2 report. Let’s take a closer look at the key distinctions between these two reports.
What is a SOC 1 Examination?
A SOC 1 examination evaluates controls related to the financial reporting of an entity.
Often, SOC 1 reports are requested by financial statement auditors to establish a level of confidence in the business’s existing financial controls. They may also be conducted by businesses that manage large amounts of money on behalf of their clients, such as defined contribution plan sponsors that manage 401(k) plans.
During a SOC 1 examination, the business will describe its existing financial controls to the firm they have engaged to carry out the examination. The firm will then evaluate these processes––either on-site or virtually.
If the business’s description of the controls is accurate and satisfies the criteria specified by the AICPA, this process is straightforward. The result of the engagement is an independent SOC report the business can provide to interested parties as documentation of its internal financial controls.
If there are substandard controls in place, the firm carrying out the SOC examination will typically make recommendations outlining how these could be improved. They may also engage in a consulting project to lead the implementation of these recommendations.
What is a SOC 2 Examination?
A SOC 2 examination evaluates internal controls related to the security, availability, processing integrity, confidentiality, and privacy of a business’s internal systems.
SOC 2 examinations are usually conducted for oversight and due diligence purposes. It’s common for existing customers, potential new customers, or business partners to request that a business share a SOC 2 report before working together.
Requests for SOC 2 audits are especially common in industries where businesses manage high volumes of confidential data, such as the Software as a Service (SaaS) and Managed Service Provider (MSP) industries. No business wants to work with a vendor that puts its data at risk, and SOC 2 compliance is seen as an indicator that a vendor is a reliable steward of information security.
SOC 2 reports have much more of a focus on information technology. The examination process is rarely conducted exclusively by CPAs; information systems security professionals are also brought in.
Type 1 and Type 2 SOC Reports
SOC reports, regardless of whether they are SOC 1 reports or SOC 2 reports, can be presented as a Type 1 or Type 2 report.
A Type 1 report evaluates the suitability of the controls on a specific date: for example, the last day of a quarter or year.
A Type 2 report renders an opinion on the operating effectiveness of these controls over a certain period of time––usually one year. Type 2 reports are more in-depth, and require rigorous testing to ascertain whether certain controls were in place and functioning at different times during the reporting period.
Why Are SOC Examinations Important?
SOC examinations typically stem from a request for a SOC report from a customer, prospective customer, or some other stakeholder. By having an examination completed and a report produced, businesses get the tools they need to share this information. This allows the business to continue or start doing business with the party that requested the report.
Beyond this transactional dimension, a SOC examination also gives business owners peace of mind knowing that their internal processes are robust. If there are gaps or compliance issues within their processes, the business can take steps to remedy these and ensure they are ready for future SOC examinations.
Many businesses conduct SOC examinations on an annual or biannual basis. Once the first report has been completed, the process in subsequent years tends to be relatively straightforward, provided there have been no material changes to the controls in the time between examinations.
Strothman+Co: An Experienced SOC Examination Provider
If a client or partner has requested that your business share a SOC report, there’s no reason to panic. In most instances, provided you have sufficient internal controls, obtaining a SOC examination and report will be a relatively simple process.
When a partner requests a SOC report, it’s important to ask the right questions. Establish what type of SOC report they want, the reason they need to see it, and their expectations for what the report should contain.
With this information, you can engage an experienced SOC examination provider like Strothman+Co to produce a report that gives you and your partners peace of mind that your business is operating correctly.
To learn more about Strothman+Co’s SOC examination services, contact us today.