July 27, 2021

What is a SOC Report and why Should you Choose a Software Vendor that has one?

The key areas to review in a SOC report and why it matters when investing in a software solution
PROPERTY TAX MANAGEMENT TIPS

For companies investing in an enterprise solution, SOC reports are often a required component of the procurement and IT review process. But if you’re not in IT, SOC reports can be difficult to review and understand. They’re often dense documents, filled with technical language and jargon.  

As Rethink recently completed our annual SOC audit, we thought it would be helpful to share our knowledge of the process as well as what property tax teams should consider when reviewing their existing vendors or exploring new ones.  

In this blog post, we’ll cover some of the basics: what a SOC report is, the different types, and how to understand your software vendor’s SOC audit.  


What is a SOC report?

SOC (System and Organization Controls; formerly Service Organization Controls) reports are governed by the American Institute of Certified Public Accountants (AICPA). They focus on offering assurance that the controls service organizations put in place to protect their clients’ assets (in most cases, data) are effective.

A SOC audit can only be conducted by a third-party auditor (often an accounting firm, who also delivers the report). That’s what makes them such a useful tool: SOC reports allow you to objectively measure a company’s potential risks and internal practices.  

What kinds of companies complete SOC reports?

Many service organizations are required to conduct regular SOC audits. Broadly, SOC reports are required by companies that touch, store, process, or impact financial or sensitive data of their clients. Examples of companies that require SOC reports include:

  • Payroll and medical claims processors,  
  • Data center companies, and
  • Loan servicers

However, any company with a business model based on providing a service to another company can benefit from a successful SOC examination. First and foremost, a SOC report is an independent, third-party validation of a service organization’s commitment to evidencing the design and effective operation of their controls. It lets potential clients know that your company is legitimate and has gone through an assessment and review of its policies and work practices.

What are the different kinds of SOC reports?

Depending on the information needed and types of organizations involved, there are several versions of a SOC report. Below is a brief overview of the different types of SOC reports.  

For a more detailed breakdown of the different types of SOC 1 and SOC 2 reports, see this article.  


SOC 1 Reports

SOC 1 Reports are designed for companies that provide software/services that can impact a customer’s financial reporting or statements. These reports dig into areas such as change management, backup and recovery, and business process controls like reconciliations and reporting.  

SOC 2 Reports

SOC 2 reports are relevant to companies that provide software/services that protect, store, or collect sensitive customer data. These reports are more technical in nature and include a deeper review of security and privacy practices.  

SOC 3 Reports

SOC 3 reports are often considered an “add-on” and used as a marketing tool. These reports broadly communicate a company’s commitment to security. They are often published on a company’s website and distributed freely.  

Type I and II Reports

Within each of SOC 1 and SOC 2, either a Type I or a Type II report can be completed. A Type I report reviews the design of a company's controls as of a specified date. Type I reports are often performed as the first examination in what will be a recurring engagement, and may be conducted in response to an urgent customer need or request.  

Conversely, Type II reports include both tests of design and operating effectiveness over a period of time, generally about 6 months to a year.  

What criteria do auditors use to evaluate companies undergoing a SOC Report?  

The AICPA (American Institute of Certified Public Accountants) developed a set of criteria to use when evaluating a company. When a company is undergoing a SOC audit, the following areas serve as guiding principles:  

  • Security: information and systems are protected from unauthorized access, disclosure of information, and damage.  
  • Availability: information and systems are available for operation and use.  
  • Processing integrity: system processing is complete, valid, accurate, timely, and authorized to meet the organization’s objectives.  
  • Confidentiality: information designated as confidential is protected.  
  • Privacy: personal information is collected, used, retained, disclosed, and disposed of in line with the company’s objectives.  

For more detail on each of the areas above, see the AICPA’s criteria.  

Why should my software vendors have a SOC report?

When making an enterprise software investment, we recommend looking for companies that have undergone SOC audits. What’s more, you should closely review the SOC report results as they relate to each of the trust principles above: security, availability, confidentiality, privacy, and processing integrity.  

We recommend this because SOC reports signal the company’s commitment to maintaining a high operational standard. What’s more, it shows the company has well-thought-out policies and procedures across the organization. Finally, it also gives you the peace of mind that companies are doing what they say they do.  

What should I look for in my software vendor’s SOC report?

While this will vary depending on your organization, the software vendor, and the product/service they provide, there are a few general rules of thumb.  

  1. Read the report critically. Ensure each of the trust principles above (security, availability, processing integrity, confidentiality, and privacy) has been addressed.  
  2. Review any exceptions found by the auditor. Have any exceptions been noted? If so, what steps have been taken to remediate these issues? Specifically, you’ll want to understand whether you can accept any risk related to these deviations.  
  3. Note any concerns you have and discuss them with the vendor. As you review the report, make note of any concerns you have and discuss them with your team members. You should also feel comfortable discussing them with the vendor. This will help you understand the steps they’ve taken to fix any potential issues or problems since the report was published, or how they maintain, update, and test their policies on an ongoing basis.  
  4. Make sure you understand everything listed in the report and how the controls work. If you don’t, bring in team members with expertise in those areas so you can thoroughly vet the vendor.  

SOC reports are intended to help you make informed decisions, so being able to review and discuss with your team and the vendor can help.  

Final Thoughts on SOC Reports

SOC reports are a useful tool to help organizations understand potential vendors’ security protocols and plans. They also help you assess any potential risk involved with adopting new/proposed software, ensuring you make an informed decision.  

In fact, more companies now require that their vendors have a SOC report (though this is only for specific types of software, as we noted above).

While there are many areas to review when selecting a software vendor, a SOC report offers a useful, objective, and thorough measure of the company’s processes and controls.

© 2021 Rethink Solutions. All Rights Reserved