Service organizations have many questions about SOC examinations: whether they need to have one performed, when the right time to pursue it would be, and what the process looks like from day one. These are complex questions with a lot of moving parts, so this article is divided into two parts addressing each aspect individually. For clarity, we will describe the business providing the service as the “service organization” and their respective customers as “user entities”.
Who needs a SOC examination?
SOC examinations result in a report detailing whether appropriately designed internal controls have been put in place within the services being provided to the service organization’s user entities, and whether those controls are operating as intended.
Below are a few initial considerations for the two most common SOC examinations, and examples of service organizations that are good candidates for each, that may help you determine which may be appropriate for your business.
Does your service organization provide a service which would be relevant to the financial reporting process of your user entities? If so, you may be a candidate for a SOC 1 examination. A few examples of these service organizations are payroll providers, third-party administrators, and claims processors.
Does your service organization store, process or transmit sensitive client data? Are you responsible for a key component of your user entities’ infrastructure? If so, you may be a candidate for a SOC 2 examination. Common examples of these service organizations are data centers / colocation providers and cloud computing / SaaS providers.
When is the right time?
The right time to pursue a SOC examination differs for every service organization, but generally, the timing is driven by the demands of their user entities. When service organizations are smaller and less complex, typically they have fewer customers and those customers have minimal compliance needs. Any vendor oversight or audit requirements on the part of the user entities at this stage are generally easily handled by providing a due diligence packet containing insurance information, key policies, financial health information, and perhaps the occasional on-site visit so the customer can “kick the tires”.
As a service organization grows over time, its user entities will typically also become larger and more complex, as will their oversight and due diligence requirements. This may necessitate a SOC examination, as user entities will require that you provide them with an independent examination of your internal controls, in addition to the other due diligence information that was previously provided. A service organization may even decide to pursue customers that are publicly traded, or perhaps customers that operate in highly regulated industries (e.g. financial services), in which case a barrier to entry in providing services to these types of customers might be a completed SOC examination.
This is a high-level overview and does not address every salient detail of the process. We are here to help! Each business is different, and we tailor our approach based on the unique needs and characteristics of your service organization. If you have any questions, please feel free to contact us.