Does your organization provide third-party services for other entities? Maybe it’s payroll, accounts receivable management, marketing, data hosting, software support or cloud computing. If this describes your organization, and you haven’t already received a request for a Service Organization Control (SOC) report from a prospect or client, there’s a good chance you will soon.
The business model for many organizations is built on outsourcing expertise—and transferring risk—for various business functions to specialized service organizations. Limited resources, knowledge and time force many organizations to rely on third-party service providers for noncore business services.
The new era of outsourcing has changed the list of risks facing an organization. It now includes the risk that an organization entrusted with client data or processes will allow that data to be compromised or will fail in its processes. That’s a pretty scary thought for many businesses, especially given the many recent reports of governance failure and security breaches. Think about all the situations that aren’t public, or that are unfolding undetected at this very moment. How do decision-makers and management know the subservice organization they’re entrusting with key information and processes is effectively mitigating financial, operational and compliance risks?
This is increasingly handled through a SOC report, which provides certain information about a third-party service provider’s systems and operations. The appropriate type of SOC report depends on the risks associated with the services provided. The SOC 1 report addresses risks associated with internal controls over financial reporting, while the SOC 2 report addresses risks associated with one of the five Trust Services Principles: security, confidentiality, availability, processing integrity and privacy.
If you purchase services from an organization and that purchase includes transfer of risks to that organization, you should question whether that service provider is taking these risks seriously. If you’re a service provider, you should expect your clients will want to know these risks are being dealt with appropriately. In addition, vendor management has been a hot topic in recent years, meaning organizations that have been providing third-party services are suddenly receiving requests, as part of RFPs or from existing clients, for a SOC report to gain more information about these services—hence, the rise of the SOC.
The service provider reaps several benefits from obtaining a SOC report—beyond just satisfying a client request. A SOC report saves the service provider the cost of hosting auditors for all its clients, gives management confidence the organization is operating as expected and provides a tool for continuous process improvement and risk mitigation enhancement.
SOC report requests will continue to increase, and service providers should be prepared to provide these reports.