The private equity (PE) market is booming driven by the continued influx of capital and record-high multiples. Deal volumes have reached a five-year high and recovery post-COVID is astonishingly better than in the years after similar downturns. With the same capital chasing after similar investments, asset valuations are trending higher as well. In this competitive market, PE investors are focused on value creation. Part of getting the most value out of a deal is putting the pieces in place for a strong management team, organizational structure, and mitigating risk. The PE company did its due diligence on its acquisition target and will look now to the new management team to do its own as well. A key component of this process is System and Organization Controls (SOC) reports.
SOC reports which verify a company’s third-party vendor systems and controls play an increasingly critical role in helping PE firms safeguard new acquisitions and assets. These reports are the cornerstone of a proactive risk management policy. In addition, they can also make the first post-acquisition audit easier as well. To help clients, prospects, and others, Calvetti Ferguson has provided a summary of the key details below.
Importance of the Post-Acquisition Audit
The first financial statement audit after an acquisition is usually more complicated than in previous years. While the new management team is working on other priorities, it is common for a first-year audit to get pushed to the side. Getting used to a new management team can lead to communication problems. There may also be unfamiliarity with the scope of complex issues that arise, like purchase price accounting, transaction costs, or new compensation structures.
All these issues often lead to a process that’s inefficient, time-consuming, and more expensive; in other words, the opposite of PE firms’ goals. And yet, the first post-acquisition audit is key to establishing sound financial reporting frameworks.
In addition to their numerous other benefits, obtaining SOC reports early in the post-acquisition timeline can help to highlight gaps in internal controls and processes, simplify due diligence, and may help to reduce regulatory scrutiny.
How SOC Reports Can Help
While the audit provides reasonable assurance that the company’s financial controls and processes are compliant, it reveals little about the potential internal control weaknesses of third-party vendors. The extra layers of due diligence and risk mitigation are where SOC reports come in.
SOC reports are divided into three categories:
- Service Organization
- SOC 1
- Type 1 and Type 2
- SOC 2
- Type 1 and Type 2
- SOC 3
- SOC 1
- Supply Chain
The purpose of these reports is to independently verify a third-party vendor’s systems and controls. For the vendors, these are differentiators; ways to demonstrate trust and transparency. For the companies, they’re part of a comprehensive vendor and risk management strategy.
Especially now that more businesses are relying on third-party partners and collaborating remotely, issues like privacy and security are at the forefront. Even without the rise in remote work, critical employment functions that were already outsourced, like payroll or benefit plan processing, can be at risk without the right internal controls. Vendor management needs to go beyond standard contracts; hence, the need for SOC reporting. PE firms cannot rely on the company’s previous assurances that their vendors are adequately protecting their information.
SOC reports are typically valid for one year but circumstances and scope can affect this.
SOC Reports: Service Organizations
Payroll, software, loan servicer, and data companies are most likely to fall under the Service Organizations category.
Within this category, there are different levels of testing depending on the report’s purpose and who it’s for.
- SOC 1 reports are intended for management and auditors. They’re designed to assess whether the vendor’s internal controls effectively address financial reporting risks. Type 1 reports describe the controls as of a specific date whereas Type 2 reports describe a specific period, and test how well the controls are working.
- SOC 2 reports expand the internal controls testing and apply the AICPA’s Trust Services Criteria for security and privacy. The audience for SOC 2 reports is external and may include regulators and the board of directors. Like SOC 1 reports, there are two types, except that they evaluate fairness in control design and presentation.
- SOC 3 reports are broad, easy to understand, and less data-driven. They’re most often used in marketing and don’t reference specific tests or details. Many vendors will have more than one SOC report covering different areas. It is also a good idea to check the period the SOC report covers. For example, if the report covers a fiscal year but the payroll processing covers a calendar year, the company must request the appropriate reports covering all needed periods.
- SOC Reports: Cybersecurity – These reports monitor and assess a vendor’s cybersecurity and risk management process. They’re suitable for any vendor in any industry and can evaluate the entire organization’s cybersecurity controls, not just within a specific system. Potential readers can include management, those charged with governance, investors, business partners, and other external stakeholders.
The months after a PE acquisition can be chaotic and fast-paced. It is precisely this reason why SOC reports are valuable. They add a layer of proactive risk and vendor management to the newly acquired company. If you have questions about the information outlined above or need assistance with a SOC report, Calvetti Ferguson can help.