Our clients frequently inquire about System and Organization Controls (“SOC”) reports – what they are, what types of reports are available, and how they can help businesses improve. With that in mind, here are some of those frequently asked questions regarding SOC reports and their answers:
Question (Q): What are SOC Reports?
Answer (A): Similar to financial statement audits performed by a CPA firm under guidance established by the American Institute of CPAs (“AICPA”), SOC reports provide organizations, their customers and/or their auditors with an independent, third-party assessment of whether the organization has controls in place that are designed and operating effectively to achieve specific, defined control objectives. SOC examinations are also performed under AICPA guidance (Statement on Standards for Attestation Engagements No. 18, or SSAE 18), and only CPAs are authorized to perform these services and prepare the resulting SOC reports.
Q: What are the different types of SOC reports?
A: In 2017, the AICPA updated the “SOC Suite of Services” which now includes the following three options for SOC examination and reporting:
SOC for Service Organizations, which consists of:
The remainder of this Q&A will focus on SOC 2® reports.
Q: Why are SOC 2® reports more prevalent in 2018 compared to prior years?
A: Although SOC reports have origins going back to 1974, they have evolved extensively since then and started growing in popularity and use in 2011 when the AICPA introduced the SOC 2®. The SOC 2® report provides a framework for organizations to convey to their customers the controls that they have designed, implemented, and follow to protect their office(s), information technology assets, and the related data that is critical to the organizations’ ongoing business operations. The focus of SOC 2® reports is on system security, with the option to also include system availability, confidentiality, processing integrity, or privacy. As technology grows in its pervasiveness throughout virtually every organization, business-to-business customers are more frequently requiring a SOC 2® report as a condition of doing business.
Q: How can a SOC 2® report help your business?
A: Many businesses operate within an informal program of internal control and information security. In the first year of a SOC report, the CPA firm provides company management with assistance in formally identifying and documenting best practice policies and controls which have many benefits, including:
Contributing toward mitigation of cybersecurity risks;
Also, even when a company has formally documented and implemented policies and controls, employee compliance tends to wane over time when there is not some form of monitoring. When a company chooses to engage a CPA firm for SOC examination and reporting services, employees tend to follow policies and controls more consistently, as they do not want to be the source of a control failure that may end up in the company’s SOC report.
Q: How long does it take to get a SOC 2® report?
A: In a company’s first year for a SOC 2® report, the time to prepare varies. Small to mid-size companies operating from a single office location (with remote employees), with computer servers located on premises, in a shared data center, or in a cloud environment typically take between eight and twelve weeks to design and implement the policies and controls that will be the foundation for their SOC 2® examination and report. This phase is called the “readiness” phase, during which the CPA firm provides direction. Once the readiness phase is completed, there is a “waiting period” which allows time for the controls to operate. The AICPA does not define the SOC 2® waiting period; however, in practice, this period typically ranges from six to twelve months. Once the SOC 2® waiting period ends, the CPA firm typically requires four to eight weeks to complete testing of controls and to issue the SOC 2® report.
As an illustrative example, assume that a company engaged a CPA firm for a SOC 2® examination and report in January. The readiness phase would commence in January and extend through March (using three months in this example). Then, the SOC 2® waiting period would occur from April through September (using six months in this example), with the final SOC 2® report ready to be issued in the October/November timeframe. In this example, there are eleven months of elapsed time from start to finish. It is possible to reduce this timeline if needed (for example, if a company’s customer requires a SOC 2® report sooner than eleven months) by obtaining an optional SOC 2®, Type 1 report, or by working with the SOC auditor to reduce elapsed time during the readiness phase and/or control testing.
If you have additional inquiries about SOC reporting, please contact FGMK.
Risk & Controls Practice
FGMK is a Chicago-based assurance, tax and advisory firm. For more than 40 years, FGMK has recommended strategies that give our clients a competitive edge. As a leader among the top Regional Accounting firms in the Midwest, FGMK is ranked one of the 10 largest accounting firms in Chicago by Crain’s Chicago Business and is amongst the 50 largest accounting firms nationally. Our clients include privately held businesses, global public companies, private equity firms and entrepreneurs. Our value proposition is to offer clients a hands-on operating model, with our most senior professionals actively involved in client service delivery.
Please visit our website for our complete list of services.