As outsourced and cloud-based services become more commonplace, companies looking to go public need to be aware of, and determine the need for, System and Organization Control (SOC) reports. Companies are subject to a substantial number of risks related to financial data, cybersecurity, and hosting private information. To mitigate these risks, audits and certifications have expanded in recent years to provide assurance that risks of material misstatement, information leaks, and other security issues are minimized. The Sarbanes-Oxley (SOX) Act of 2002 was an important piece of legislation that created a number of requirements associated with corporate governance and internal controls for public companies. SOX requires larger issuers (i.e., accelerated or large accelerated filers) to certify, and receive independent attestation on, the effectiveness of internal controls over financial reporting. Importantly, the processes and controls over data processed by third parties are not exempt. To comply with SOX requirements, companies that outsource certain processes used to generate financial statement information need to obtain the service provider’s SOC report.
Although pre-IPO companies are not subject to the SOX requirement to gain an understanding of the control environment of a third-party service provider, they can still benefit from gaining an understanding of the internal controls surrounding key processes that SOC reports communicate. However, the fact that there are three different SOC reports—aptly named SOC 1, SOC 2, and SOC 3—can be confusing. This article serves to demystify SOC reports by outlining what each report is, and why it matters to a company considering an IPO.
This article focuses mainly on the content of SOC reports and how it can benefit companies looking to go public. However, for every company that receives a SOC report, another company has to issue one. Companies that provide outsourced services dealing with financial information, or that store and process other companies’ data, may be asked to provide a SOC report to their customers. It is important that companies providing those third-party services be aware of the SOC engagement and of customers’ requirements to receive a SOC report. The SOC engagement is similar to an audit and is performed by an accredited CPA firm.
SOC 1 Report
Simply stated, a SOC 1 report gives a company assurance that financial information is being handled securely by a third party. Because financial data is being handled by a third party, part of a financial statement audit includes gaining assurance that the third party has controls in place to ensure that financial data is secure and accurate.
A company that utilizes a payroll processing company instead of hiring an internal payroll team will need to request that the payroll processing company send it a SOC 1 report. The SOC 1 will assure auditors that the payroll data is being accurately calculated, and that controls exist to mitigate risk. SOC 1 reports are not made for the general public and are usually only shown internally within a company and shared with auditors when requested.
Why does it matter to an IPO?
There are two main reasons that companies considering an IPO should be aware of SOC 1 reports:
- The report is not just for auditors. The report contains information that the company itself needs to be aware of. The service organization will identify control objectives and control activities. An audit firm will then provide an opinion on the control objectives and the associated activities.
A company needs to do more than simply receive the report and hand it straight to the auditors. Companies should read through the report to understand which controls are in place and which are not. Similarly, the company should review the associated control activities and determine whether they provide the type of assurance it is looking for. In this way, a company can see how the third party is handling its financial data and decide whether that handling is sufficient.
Additionally, the controls put in place by the service company can be rendered ineffective if the customer does not have adequate security in place. The SOC report will list Complementary User Entity Controls (CUECs) as a set of policies that the user entity (customer) must have in place. The CUECs are usually security controls such as separation of duties or encryption of data, but can be more complicated depending on the service provider. CUECs are documented within the SOC report to ensure that financial data is safe and accurate.
- Choosing companies that are SOC compliant is imperative. This report is commonly associated with financial statement audits, and as such, third-party service providers that cannot provide SOC reports should not be used. SOC compliance can be costly, and not every service provider is willing to undergo the engagement needed to provide SOC reports.
A SOC 1 report comes in two types, Type 1 and Type 2, and the names fit: Type 1 is the simpler report, while Type 2 covers everything in Type 1 and adds further assurance.
The AICPA defines a Type 1 report as “A report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date” (emphasis added). [1]
This type is commonly called a point-of-time report, because it only provides assurance as to the design of the organization’s controls as of a point in time. Importantly, this type of report does not provide assurance on the operating effectiveness of the controls. In other words, the audit procedures are limited to obtaining an understanding of relevant controls; no tests of controls are performed.
The AICPA defines the Type 2 report as “A report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period” (emphasis added). [2]
This report differs from Type 1 in that it provides assurance that the controls operated effectively over the specified period. In addition to the auditors’ evaluation of the design of internal controls, it includes their evaluation of the operating effectiveness of those controls, based on tests of controls. Thus, the Type 2 report provides a higher level of assurance than the Type 1 report and is the preferred report to request from a service provider.
SOC 2 Report
A SOC 2 report provides assurance around selected Trust Services Criteria (TSC), which are defined by the AICPA [3] as:
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
Similar to a SOC 1 report, companies request SOC 2 reports from third parties. However, where a SOC 1 report is primarily concerned with financial data, a SOC 2 report focuses on any data that could be regarded as important or sensitive. This report may be requested for a variety of reasons, but usually not for a financial statement audit.
For example, customer data handled by a third-party service provider should be:
- Protected from unauthorized access (Security)
- Available to the users when needed (Availability)
- Free from change errors while in custody of the service provider (Processing Integrity)
- Retained and/or deleted based on the contract details (Confidentiality)
- Destroyed and/or changed when requested by the individual the data identifies, in accordance with generally accepted privacy principles (Privacy)
While the security TSC is always required by a SOC 2, the other four criteria are not required, as they might be less relevant in certain industries. As such, companies should be aware of the types of controls that are put in place to ensure that data is handled correctly, and the SOC 2 report provides that information.
These reports are a great way for companies to understand risks and how third parties are managing them. SOC 2 reports are not made for the general public and are usually only shown internally within the company that requested the report.
Why does it matter to an IPO?
There are two main reasons that companies looking forward to an IPO should keep a SOC 2 report in mind:
- This report helps create a more secure control environment. When companies utilize third party and cloud services, they become subject to risks they don’t have control over. Getting a baseline understanding of the controls, and their effectiveness, of a third-party service provider could be extremely helpful for a growing company looking to manage risk. Controlled growth is essential for growing companies and a SOC 2 report can help companies grow alongside other companies that value keeping data secure.
- Customer retention and acquisition can be easier with this level of assurance. Companies that have a good foundation of data security have an easier time finding customers and retaining them. No one wants to do business with a company that has internal data issues like leaks, breaches, or mishandled information. Companies that have a handle on their risks will gain a better reputation in the community for their good governance practices.
A SOC 2 report also comes in two different types.
The AICPA defines Type 1 as “A report on management’s description of the service organization’s system and the suitability of the design of the controls to provide reasonable assurance that the service organization’s principal service commitments and system requirements were achieved based on the applicable trust services criteria” (emphasis added). [4]
This report focuses on management’s description and the design of the controls for achieving the applicable trust services criteria. Testing the design can be as simple as doing a walkthrough of the process to ensure that it makes sense.
The AICPA defines Type 2 as “A report on management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to provide reasonable assurance that the service organization’s principal service commitments and system requirements were achieved based on the applicable trust services criteria” (emphasis added). [5]
A Type 2 is a direct upgrade to the Type 1 because it also includes assurance on the operating effectiveness of the controls meant to achieve the applicable trust services criteria. Testing operating effectiveness is more rigorous than testing design: it usually involves sampling instances of each control over the period to confirm that the prescribed procedures were actually followed.
SOC 3 Report
The SOC 3 report is a watered-down version of the SOC 2 report made for the general public. The previous two SOC reports discussed are made for management, regulators, and other parties that request to know about the security of data. The SOC 3 report provides customers or any interested parties with the following information:
- The auditor’s opinion letter
- Management’s report of assertions on the effectiveness of the controls in place
- A list of tested services with descriptions
A company looking to engage an outsourced service provider can request a SOC 3 report and use it to understand the controls in place before deciding whether the service provider deserves its business.
Why does it matter to an IPO?
Knowing that the SOC 3 exists, and what it contains, is valuable for vetting potential service providers. For a company preparing to go public, understanding the SOC 3 report helps it get a better handle on its own control environment.
SOC reports are something that pre-IPO companies need to be aware of. Keep the following points in mind to ensure your company is prepared:
- A public company needs its third-party providers of services that deal with financial data (such as outsourced payroll) to be SOC compliant.
- Read through the SOC report to gain an understanding of what controls your third-party service provider has in place, and what controls you should have in place.
- A SOC 2 report provides assurance on one or more of the five trust services criteria: security, availability, processing integrity, confidentiality, and privacy.
- SOC 1 and SOC 2 reports come in two types. The Type 1 report only provides an assessment of the design of the controls at the service provider. The Type 2 report provides assurance on both the design and the operating effectiveness of the controls over a period of time.
- SOC 3 reports can help your company determine that a third-party service provider has sufficient controls in place.