The private equity market is booming, driven by the continued influx of capital and record-high multiples. Deal volumes have reached a five-year high, and recovery post-COVID is astonishingly better than in the years after similar downturns.  Asset valuations are also trending higher, with the same capital chasing after similar investments. In this competitive market, PE investors are focused on value creation. Part of getting the most value out of a deal is putting the pieces in place for a strong management team and organizational structure and mitigating risk. The PE company did its due diligence on its acquisition target and will now look to the new management team to do its own. System and Organization Controls (SOC) reports are key to this process.

SOC reports, which verify a company’s third-party vendor systems and controls, play an increasingly critical role in helping PE firms safeguard new acquisitions and assets. These reports are the cornerstone of a proactive risk management policy and can make the first post-acquisition audit easier. To help clients, prospects, and others, Calvetti Ferguson has summarized the key details below.

Importance of the Post-Acquisition Audit

The first financial statement audit after an acquisition is usually more complicated than previous years. While the new management team is working on other priorities, it is common for a first-year audit to get pushed to the side. Getting used to a new management team can lead to communication problems. There may also be unfamiliarity with the scope of complex issues that arise, like purchase price accounting, transaction costs, or new compensation structures.

All these issues often lead to an inefficient, time-consuming, and expensive process—the opposite of PE firms’ goals. Yet, the first post-acquisition audit is key to establishing sound financial reporting frameworks.

In addition to numerous other benefits, obtaining SOC reports early in the post-acquisition timeline can help highlight internal controls and process gaps, simplify due diligence, and reduce regulatory scrutiny.

How SOC Reports Can Help

While the audit reasonably assures that the company’s financial controls and processes are compliant, it reveals little about third-party vendors’ potential internal control weaknesses. SOC reports are handy for the extra due diligence and risk mitigation layers.

SOC reports are divided into three categories:

  1. Service Organization
    • SOC 1: Type 1 and Type 2
    • SOC 2: Type 1 and Type 2
    • SOC 3
  2. Cybersecurity
  3. Supply Chain

These reports are intended to independently verify a third-party vendor’s systems and controls. For vendors, these are differentiators and ways to demonstrate trust and transparency. For companies, they’re part of a comprehensive vendor and risk management strategy.

Privacy and security are at the forefront, especially now that more businesses rely on third-party partners and collaborate remotely. Even without the rise in remote work, critical employment functions that were already outsourced, like payroll or benefit plan processing, can be at risk without the right internal controls. Vendor management needs to go beyond standard contracts; hence, there is a need for SOC reporting. PE firms cannot rely on the company’s previous assurances that their vendors adequately protect their information.

SOC reports are typically valid for one year, but circumstances and scope can affect this.

SOC Reports: Service Organizations

The service organizations category most likely includes payroll, software, loan servicers, and data companies.

Within this category, there are different levels of testing depending on the report’s purpose and who it’s for.

  • SOC 1 reports are intended for management and auditors. They’re designed to assess whether the vendor’s internal controls effectively address financial reporting risks. Type 1 reports describe the controls as of a specific date, whereas Type 2 reports describe a specific period and test how well the controls work.
  • SOC 2 reports expand the internal controls testing and apply the AICPA’s Trust Services Criteria for security and privacy. The audience for SOC 2 reports is external and may include regulators and the board of directors. Like SOC 1 reports, there are two types, except that they evaluate fairness in control design and presentation.
  • SOC 3 reports are broad, easy to understand, and less data-driven. They’re often used in marketing and don’t reference specific tests or details. Many vendors will have more than one SOC report covering different areas. It is also good to check the period the SOC report covers. For example, if the report covers a fiscal year but the payroll processing covers a calendar year, the company must request the appropriate reports covering all needed periods.
  • SOC Reports: Cybersecurity – These reports monitor and assess a vendor’s cybersecurity and risk management process. They’re suitable for any vendor in any industry and can evaluate the entire organization’s cybersecurity controls, not just within a specific system. Potential readers can include management, those charged with governance, investors, business partners, and other external stakeholders.

Contact Us

The months after a PE acquisition can be chaotic and fast-paced. It is precisely this reason why SOC reports are valuable. They add a layer of proactive risk and vendor management to the newly acquired company. If you have questions about the information outlined above or need assistance with a SOC report, Calvetti Ferguson can help.