fbpx
Contact Us
 
Contact Us

Insights

< Back to Thought Leadership

Requesting a SOC Report

Requesting a SOC Report
April 26, 2019

The significance of managing risks associated with your vendors is more important than ever. As more companies outsource key processes, technologies, and data management and storage, many control activities are no longer directly performed by company personnel. However, the responsibility for those controls still resides with your company.

Outsourcing exposes your organization to risk and underscores the need for effective vendor risk management and due diligence. Experience has shown that security questionnaires and/or contractual clauses are not sufficient for critical vendors – organizations need independent validation that controls are not only properly designed, but also operating effectively at key vendors. Obtaining a vendor’s SOC report allows an organization to effectively monitor the controls in place at the vendor.

The SOC report that is provided to the service organization by an independent auditor is intended to provide the service organization’s customers, business partners, and auditors assurance on the internal control activities relevant to the service organization’s system.

There are three different SOC reports that a vendor may offer:

SOC 1 is designed for financial transaction processing.

SOC 2 is designed to certify the security, processing integrity, availability, confidentiality, and/or privacy of hosted systems and the data they store or process.

SOC 3 report covers the same testing procedures as a SOC 2 report, but it omits the detailed test results and is intended for general public distribution.

Click here for some answers to frequently asked questions about SOC reports.

Assess the risk of your vendors:

Not all vendors pose the same risks to your organization. As such, not all vendors would require a SOC report to validate they are properly securing your data or ensuring the accurate processing of financial transactions, for example (e.g., your cleaning crew, the company you buy office supplies from, etc.). However, vendors that have access to your company data or that provide financial data utilized in your company’s financial statements certainly pose a much greater risk to your system of controls. These are simple examples of the type of company that should provide a SOC report.

Many of your critical vendors do not offer a SOC report. This increases your risk. While there is no requirement from a regulatory or industry perspective for any vendor to produce a SOC report, they are often performed due to requests from the vendor’s customers.

As you assess the risk of your vendors, you need to think broadly about who has the potential to negatively impact your system of internal controls. You need to ask the following questions about all of your vendors:

  • Do they process business transactions on your behalf (401K administrators, other TPAs, billing outsourcers, payroll processors, etc.)?
  • Do they do some type of processing of data on your behalf? Look beyond the normal day-to-day transaction processing of your vendors and to those vendors that may be performing data analytics, data modeling, billing analysis, legal analysis, accounting, etc.
  • Do they host your data processing equipment?
  • Do they host key business applications that have sensitive/confidential data (e.g., HR information, electronic health records, banking transactions, enterprise resource planning, or accounting systems, etc.)?
  • Do they perform key ancillary activities on your behalf such as network monitoring, security monitoring, etc.?

How to ask for a Report

  • The most effective method is to ask for or demand it during contracting and vendor selection. A SOC report should be a requirement for all critical vendors.
  • If the vendor is already in place, simply ask your account executives/sales representative.
  • Some larger vendors (e.g., Google Cloud, AWS, Microsoft Azure, etc.) have links on their websites that allow you to request a copy of their respective SOC reports.

What if they don’t have a report?

At this point, you need to assess the importance of the outsourced controls to your financial statements of the risk of the data you have provided and the criticality of the controls you have entrusted to that vendor. Some things to take into consideration:

  • Are you impacted by legal/regulatory requirements regarding the adequacy of your controls (e.g., HIPAA, GLBA, FDICA, PCI, or the other alphabet soup of acronyms that are prescriptive in control requirements)?
  • Contractual obligations you have with your customers/clients to adequately protect their data

At the end of the day, you’re responsible for monitoring the controls of your vendors.  A SOC report is often the most efficient way to accomplish this, due to its comprehensive nature and the independence and objectivity of the auditor.

If you have questions about which report you should request from your vendors, please do not hesitate to contact Tom Skoog at 614-220-4131 or tskoog@blueandco.com. If your vendor does not have a SOC report to provide, please consider referring them to Blue & Co. by contacting us. We are happy to provide additional information or advice on the use of these reports.

Resources View More Resources

Coronavirus Resources & Information
2019 Year-End Tax Planning Guide
Implementation Guide: ASU 2016-14 Presentation of Financial Statements for Not-for-Profit Entities

Recent Articles View All Thought Leadership

Staffing Level Final Rule for Nursing Homes

April 26, 2024

On April 22, Center for Medicare and Medicaid Services (CMS) released the final rule on minimum staffing level requirements for nursing homes. This rule aims to improve quality care within […]

Learn More
Blue Named One of Kentucky’s Best Places to Work for 2024 | Best Places to Work in Kentucky

Blue Named One of Kentucky’s Best Places to Work for 2024

April 16, 2024

CARMEL, Ind. (April 16, 2024) – Blue & Co., LLC is honored to be named among the Best Places to Work in Kentucky by the Kentucky Chamber of Commerce, the […]

Learn More
Planned Gifts

Planned Gifts: A Plan for All

April 16, 2024

By Mike Gricius, CPA, Senior Manager at Blue & Co. Planned gifts are a tool that can help not-for-profits plan ahead and secure the future for the years to come. […]

Learn More
Subscribe to our newsletters.

Facebook

Blue & Co. is #hiring for a Receptionist role in our Indianapolis office!We are a people-first firm that focuses on employee support, inclusion, and development. Thanks to this, we've been recognized as a Best Place to Work in Indiana for an astounding 15 years.Learn more and apply here: hubs.la/Q02tC6pg0#ReceptionistOpportunity #AdministrativeJobs ... See MoreSee Less
View on Facebook
· Share

Share on Facebook Share on Twitter Share on Linked In Share by Email

📢 Accounting students in Indiana, Kentucky, and Ohio 📢Blue & Co. is taking applications for our paid internship positions, and we would love for you to apply! If you are studying accounting or a related field, our internships will allow you to gain hands-on experience in the accounting industry, participate in goal-oriented professional development, and build a network of contacts for your future career.Learn more about our internships, see open opportunities, and apply: hubs.la/Q02sSrZR0#InternshipApplications #AccountingInternships #CollegeInternshipOpportunities ... See MoreSee Less
View on Facebook
· Share

Share on Facebook Share on Twitter Share on Linked In Share by Email

Quick Links

AICPA SOC Award Banner for Service Organizations | Blue Button
Blue & Co. Logo

Copyright © 2024, Blue & Co., LLC.
All Rights Reserved.

See All Locations