Do we really need a SOC 1 or 2 report?

[Infographic: Do We Need a SOC Report?]

The most common reason for a company to have a SOC report is because their customers ask for (or demand) the report to be able to either do business or continue doing business with the company. When someone calls us for the first time, we will first gain an understanding about why they feel like they need a report and we will attempt to understand why their customer is asking them to have the audit performed. In some cases, their customer is simply asking for something from a checklist without understanding whether it is actually needed or not. Once we step through why the report is needed and understand a bit more about the caller’s business processes, we can usually help figure it out.

Is getting a SOC Report worth the time and expense?

Maybe. That’s short code for sometimes yes and sometimes no. Just because your customer is asking for and/or demanding the audit to be performed doesn’t mean that it is the best choice for your business. One of the examples that I like to give goes back to a decision that we had to make a few years ago. We had a prospective client that was interested in an engagement that would have resulted in about $30k of revenue for us to do the project. However, one of the requirements of their purchasing department was to carry a ridiculously high level of insurance (tens of millions of dollars higher than we actually carry), which would have cost us an additional $50k per year (and they required that it be maintained for at least 3 years after the completion of the project). When you look at the math for that prospective client, doing that project with them would have resulted in a $120k net loss, and that’s before we considered any costs other than the additional required insurance. Needless to say, we chose to decline participation in that project.

While our example is a bit over the top, it plays itself out in our clients’ worlds as well. Are you a hosting provider doing $5k of business per year with a client that wants you to spend three times that to be audited? If that’s the only client in your book of business that has a need for the audit report, then it may be better for you to look for alternative options to provide the assurance they are looking for, or to part ways with the customer.

Are there any hidden costs?

As part of your cost/benefit analysis of getting a SOC audit performed, you will need to plan for time and expenses to be incurred above and beyond the cost of the audit. Your personnel will need to spend time responding to audit requests, explaining company processes and producing documentation that will be required as part of the audit. In many cases, we find that our clients have to add additional documentation processes to make sure that evidence is available to auditors when it is time for the report. These additional documentation processes can also add overhead to your personnel throughout the course of the year.

Do I need a SOC 1 Report?

You might need a SOC 1 Report if all of the following are true:

  • Your customer has asked you for one
  • Your services for this customer relate to transactions processed using your business processes on information systems that you control
  • The transactions that are processed through your system represent a material assertion within your customer’s financial statements
  • The cost/benefit of having the audit done is favorable to you

Do I need a SOC 2 Report?

You might need a SOC 2 Report if all of the following are true:

  • The customer has asked you for one
  • Your services for this customer relate to services or transactions processed using your business processes on information systems that you control
  • Your services do not relate to material assertions within your customer’s financial statements
  • You have made commitments to your customers that are addressed within the Trust Services Principles
  • The cost/benefit of having the audit done is favorable to you

Alternatives to SOC Reporting

There are a few other options in between losing a customer and going through the SOC audit process that may serve as a middle ground. One other third-party assurance option is the use of an “Agreed Upon Procedures” report. This report is custom tailored to one of your customers and only audits the controls specified in the scope of the engagement. While you cannot reuse these reports across customers, they can be a more cost-effective and specific option when compared to a SOC report. Alternatively, your customer may be willing to perform its own audit of the controls it is interested in gaining assurance over. Having an open dialogue with your customers will help you find the best way to help them with their needs.

Final Words

We’ve covered some of the basics of what we look at when we help our clients figure out if a SOC report is right for their business. We can’t cover every specific situation, so if you would like to discuss your specific situation, we would be more than happy to do so – drop us a line or give us a call!