Pre-IPO Companies – Put Your Vendors’ SOC Reports on Your 2020 Reading List

Susan Alexander, Managing Director Internal Audit and Financial Advisory
Julia Berchtold, Senior Manager Internal Audit and Financial Advisory

For public companies, collecting service organization control (SOC) reports is one of the important activities at the end of their fiscal year. Companies that have not yet gone public but are considering it are advised to request these reports as part of Sarbanes-Oxley (SOX) internal control analysis, and to review them for any exceptions or deficiencies, to avoid potential audit problems down the road.

It is important for pre-IPO companies to identify their third-party service providers and begin understanding the providers’ own control environment, as it relates to the services provided. This is increasingly true as companies rely more and more on cloud-based infrastructure and applications to support critical business functions.

A SOC report is an attestation of the service organization’s internal control environment.

Why is a SOC report important?

  • Services are outsourced to companies that have made the specific service their core competency. However, the user entity retains the responsibility for the services it provides and for securing the data.
  • The SOC report is an effective way to gain transparency into the specific controls implemented by the service organization, and the specific tests performed by the service organization’s auditor.
  • The success or failure of these controls can have a direct or indirect impact on the user organization’s financial statements.

Our observation at Protiviti is that while pre-IPO companies prioritize financial and operational details, and, to a lesser degree, IT controls, even less attention is commonly paid to the controls of the third-party service providers they’re engaging with.

Management may assume that an investment in tools and applications provided by third-party providers comes with a transference of risk. Unfortunately, this is not necessarily the case. In reality, the company is always responsible for ensuring that controls are in place, whether in its own environment or its vendor’s, to mitigate risk throughout the data custody chain. SOC reports reveal control issues that have been identified in the provider’s control environment.

Simply obtaining the reports is not enough, however. It is important for the company to analyze the reports carefully and understand exactly which controls are in place and which are not. Things to look for are whether the opinion issued by the service auditor is a qualified opinion (containing caveats or warnings), any control exceptions, any user-enabled controls, and whether the report includes sub-service providers.

With the use of cloud technology becoming increasingly prevalent, we encourage companies to understand the impact of the cloud on their own control environment. Start asking questions about the availability of SOC reports early, during the selection of a service provider. If you decide to move ahead with a service provider without a SOC report, be prepared to implement controls of your own.

For public companies, obtaining and analyzing SOC reports is considered part of their internal control activities, but companies looking to go public will also benefit from early attention to this. Recently, we’ve seen examples where material weaknesses have been linked to inadequate service provider controls or gaps in SOC report coverage. Companies that understand the requirements ahead of time may very well avoid these risks after they go public. Our advice to those private companies that wish to be proactive – early planning and acknowledgement of this important area will prepare you for the future!
