
Requesting a SOC Report

The significance of managing risks associated with your vendors is more important than ever. As more companies outsource key processes, technologies, and data management and storage, many control activities are no longer directly performed by company personnel. However, the responsibility for those controls still resides with your company.

Outsourcing exposes your organization to risk and underscores the need for effective vendor risk management and due diligence. Experience has shown that security questionnaires and/or contractual clauses are not sufficient for critical vendors – organizations need independent validation that controls are not only properly designed, but also operating effectively at key vendors. Obtaining a vendor’s SOC report allows an organization to effectively monitor the controls in place at the vendor.

A SOC report is issued to the service organization by an independent auditor and is intended to give the service organization’s customers, business partners, and auditors assurance about the internal control activities relevant to the service organization’s system.

There are three different SOC reports that a vendor may offer:

A SOC 1 report covers controls at the service organization that are relevant to its customers’ financial transaction processing.

A SOC 2 report provides assurance on the security, processing integrity, availability, confidentiality, and/or privacy of hosted systems and the data they store or process.

A SOC 3 report covers the same testing procedures as a SOC 2 report, but it omits the detailed test results and is intended for general public distribution.


Assess the risk of your vendors

Not all vendors pose the same risk to your organization, so not every vendor needs to provide a SOC report to validate that they are properly securing your data or accurately processing financial transactions (your cleaning crew or the company you buy office supplies from, for example). Vendors that have access to your company data, or that provide financial data used in your company’s financial statements, pose a much greater risk to your system of controls. These are simple examples of the type of company that should provide a SOC report.

Many of your critical vendors do not offer a SOC report, and this increases your risk. No regulation or industry standard requires any vendor to produce a SOC report; SOC examinations are usually performed because the vendor’s customers request them.

As you assess the risk of your vendors, you need to think broadly about who has the potential to negatively impact your system of internal controls. You need to ask the following questions about all of your vendors:

  • Do they process business transactions on your behalf (401K administrators, other TPAs, billing outsourcers, payroll processors, etc.)?
  • Do they perform any other processing of data on your behalf? Look beyond the normal day-to-day transaction processing of your vendors to those that may be performing data analytics, data modeling, billing analysis, legal analysis, accounting, etc.
  • Do they host your data processing equipment?
  • Do they host key business applications that have sensitive/confidential data (e.g., HR information, electronic health records, banking transactions, enterprise resource planning, or accounting systems, etc.)?
  • Do they perform key ancillary activities on your behalf such as network monitoring, security monitoring, etc.?

How to ask for a report

  • The most effective method is to ask for or demand it during contracting and vendor selection. A SOC report should be a requirement for all critical vendors.
  • If the vendor is already in place, simply ask your account executives/sales representative.
  • Some larger vendors (e.g., Google Cloud, AWS, Microsoft Azure, etc.) have links on their websites that allow you to request a copy of their respective SOC reports.

What if they don’t have a report?

At this point, you need to assess the importance of the outsourced controls to your financial statements, the risk associated with the data you have provided, and the criticality of the controls you have entrusted to that vendor. Some things to take into consideration:

  • Are you subject to legal/regulatory requirements regarding the adequacy of your controls (e.g., HIPAA, GLBA, FDICIA, PCI, or the other alphabet soup of acronyms that are prescriptive in control requirements)?
  • Do you have contractual obligations to your customers/clients to adequately protect their data?

At the end of the day, you’re responsible for monitoring the controls of your vendors. A SOC report is often the most efficient way to accomplish this, due to its comprehensive nature and the independence and objectivity of the auditor.

If you have questions about which report you should request from your vendors, please do not hesitate to contact Tom Skoog at 614-220-4131 or tskoog@blueandco.com. If your vendor does not have a SOC report to provide, please consider referring them to Blue & Co. by contacting us. We are happy to provide additional information or advice on the use of these reports.
