Do we really need a SOC 1 or 2 report?

The most common reason for a company to have a SOC report is that its customers ask for (or demand) the report as a condition of doing business, or of continuing to do business, with the company. When someone calls us for the first time, we first try to understand why they feel they need a report, and why their customer is asking them to have the audit performed. In some cases, the customer is simply asking for an item from a checklist without understanding whether it is actually needed. Once we step through why the report is needed and understand a bit more about the caller’s business processes, we can usually help figure it out.

Is getting a SOC Report worth the time and expense?

Maybe. That’s shorthand for sometimes yes and sometimes no. Just because your customer is asking for and/or demanding the audit doesn’t mean that it is the best choice for your business. One of the examples I like to give goes back to a decision we had to make a few years ago. We had a prospective client interested in an engagement that would have brought in about $30k of revenue for us to do the project. However, one of the requirements of their purchasing department was that we carry a ridiculously high level of insurance (tens of millions of dollars higher than we actually carry), which would have cost us an additional $50k per year (and they required that it be maintained for at least 3 years after the completion of the project). When you do the math for that prospective client, taking on that project would have resulted in a $120k net loss, and that’s before considering any costs other than the additional required insurance. Needless to say, we chose to decline that project.

While our example is a bit over the top, the same thing plays out in our clients’ worlds as well. Are you a hosting provider doing $5k of business per year with a client that wants you to spend three times that to be audited? If that’s the only client in your book of business that needs the audit report, then it may be better for you to look for alternative ways to provide the assurance they are looking for, or to part ways with the customer.

Are there any hidden costs?

As part of your cost/benefit analysis of getting a SOC audit performed, you will need to plan for time and expenses incurred above and beyond the cost of the audit itself. Your personnel will need to spend time responding to audit requests, explaining company processes and producing the documentation required as part of the audit. In many cases, we find that our clients have to add documentation processes to make sure that evidence is available to the auditors when it is time for the report. These additional documentation processes also add overhead for your personnel throughout the course of the year.

Do I need a SOC 1 Report?

You might need a SOC 1 Report if all of the following are true:

  • Your customer has asked you for one
  • Your services for this customer relate to transactions processed using your business processes on information systems that you control
  • The transactions that are processed through your system represent a material assertion within your customer’s financial statements
  • The cost/benefit of having the audit done is favorable to you

Do I need a SOC 2 Report?

You might need a SOC 2 Report if all of the following are true:

  • The customer has asked you for one
  • Your services for this customer relate to services or transactions processed using your business processes on information systems that you control
  • Your services do not relate to material assertions within your customer’s financial statements
  • You have made commitments to your customers that are addressed within the Trust Services Principles
  • The cost/benefit of having the audit done is favorable to you

Alternatives to SOC Reporting

There are a few other options in between losing a customer and going through the SOC audit process that may serve as a middle ground. One other third-party assurance option is an “Agreed Upon Procedures” report. This report is custom-tailored to one of your customers and covers only the controls specified in the scope of the engagement. While you cannot reuse these reports across customers, they can be a more cost-effective and targeted option when compared to a SOC report. Alternatively, your customer may be willing to perform its own audit of the controls it is interested in gaining assurance over. Having an open dialogue with your customers will help you find the best way to meet their needs.

Final Words

We’ve covered some of the basics of what we look at when we help our clients figure out whether a SOC report is right for their business. We can’t cover every situation here, so if you would like to discuss your specific situation, we would be more than happy to do so – drop us a line or give us a call!

Infographic Summarizing Do We Need a SOC Report?

How to select a Type 1 or Type 2 SOC Report

Type 1 or Type 2?

One of the many confusing things about getting a SOC audit for your business is deciding which report would best help you meet your customers’ needs. Due to confusing naming conventions, you get to pick from a confusing number of options, the most popular being “SOC 1 Type 1”, “SOC 1 Type 2”, “SOC 2 Type 1” and “SOC 2 Type 2”. For the purposes of this post, we will discuss the “Type” only. For SOC reports, the “Type” of the report tells you only the time period over which the service organization’s controls were audited, and no more.

Type 1

In a Type 1 report, the service organization’s controls are audited “as of” a point in time (typically, a single day). We think of this as something like taking a picture of the family at a holiday. Once you wrangle all of the kids into one place and pose them, you can just keep taking the picture until everyone happens to be smiling. Type 1 reports work in a similar way – as long as the controls within the service organization are suitably designed and placed in operation at that point in time, that is sufficient to get a favorable Type 1 report.

In auditor-speak, “suitably designed and placed in operation” means that the service organization has policies and procedures in place, and that a set of controls derived from them has been performed at least once and will be reviewed as part of the audit. During the audit, the auditor will perform a “walk through” of the controls and observe evidence that each control has been performed at least once, hopefully gaining comfort that this is how things will continue going forward.

Example

Let’s say you have a control that states that “the chief button pusher presses the red button each day”. The auditor would review the color of the button that is pressed and obtain some evidence that the red button was indeed pushed on that day. The auditor would not check a sample of other days to determine whether this was a one-off event or whether the button pusher actually pushes the button reliably.

While a Type 1 report can give a service organization’s customers some level of assurance that the organization is performing controls as expected, it does not provide any assurance over the service organization’s consistency in performing that control. Knowing that, Type 1 reports are often used as stepping stones on the path to obtaining a Type 2 report, as a way of demonstrating compliance to customers in the meantime. The other area where we see Type 1 reports used on an annual basis is for service organizations that focus on small to midsize businesses that are not publicly owned. SOX requirements require public companies to have assurance over their service organizations for a period of time, not just at a point in time.

Type 2

In a Type 2 report, the service organization’s controls are audited over a period of time, from a minimum of six months up to a year. Going back to the picture analogy, instead of taking a posed picture, you would take a video of everyone posing, which would let you identify who was making funny faces. The Type 2 report works in a similar way, requiring that controls are suitably designed, placed in operation and operating effectively throughout the specified audit period.

In auditor-speak, “suitably designed, placed in operation and operating effectively” takes what is done in the Type 1 report (suitably designed and placed in operation) and builds upon it by determining the operating effectiveness of the control. During the audit, the auditor will perform a “walk through” of the control (just like in the Type 1), and once he/she determines that it is suitably designed and placed in operation, the auditor will perform additional testing to conclude that it was also operating effectively during the audit period. This testing typically takes the form of selecting a sample from the population of instances of the control and reviewing evidence to determine that the control operated effectively for each one.

Example

Going back to our button-pushing example, the auditor would first satisfy himself/herself about the color of the red button and determine that it was pressed on a particular day. Then, to test the operating effectiveness of the button pusher’s daily red-button pushing, the auditor would select a sample of days (expect about 25 days to be chosen at random) and review evidence that the red button was in fact pushed on each of those days. This would allow the auditor to conclude that the button pusher indeed pushed the button daily over the entire audit period.

As you can see, Type 2 reports provide a higher level of assurance about how well controls are working at a service organization over a period of time. Larger companies, as well as companies that know what they are asking for, will ask service organizations to provide a Type 2 report, as it is a much higher bar to clear. As a service organization, we have found that the biggest leap between the Type 1 and Type 2 reports is the ability to document and evidence what the service organization is doing in a way that can be reviewed afterward.

TL;DR (Too Long; Didn’t Read) – Which do I pick?

The most important thing for a service organization to remember is that the point of getting a SOC audit performed is to meet its customers’ needs. Thus, in most cases, the variety and Type of report should be based on what is asked of it. Here are a couple of quick ways to determine which Type is best:

Type 1

  • Your customer only asks for a Type 1.
  • Your customer asks for a Type 2, but you’re not confident that you can evidence the operating effectiveness of your controls (or you are a very new organization with a new product/platform). If the customer does not want to wait for the minimum six months for the Type 2 report, we typically suggest going through a Type 1 immediately and following that up with a Type 2 after the controls have been operating for six months.

Type 2

  • Your customer asks for a Type 2. The customer is always right!
  • Your customer asks for a Type 2, but you’re not ready for one. Get a Type 1 and follow it up with a Type 2 when you’re ready.

If you want to find out more, drop us a line and we’ll be more than happy to discuss the specifics of your needs!

Highlights of choosing a Type 1 or Type 2 Report