For companies investing in an enterprise solution, SOC reports are often a required part of procurement and IT review. But if you're not in IT, SOC reports can be hard to read and understand: they are dense documents filled with audit terminology and technical jargon.
As Rethink recently completed our annual SOC audit, we thought it would be helpful to share our knowledge of the process as well as what property tax teams should consider when reviewing their existing vendors or exploring new ones.
In this blog post, we’ll cover some of the basics: what a SOC report is, the different types, and how to understand your software vendor’s SOC audit.
SOC (System and Organization Controls; formerly Service Organization Controls) reports are defined by the American Institute of Certified Public Accountants (AICPA). They provide assurance that the controls a service organization has put in place to protect its clients' assets (in most cases, data) are suitably designed and, for Type II reports, operating effectively.
A SOC examination can only be performed by an independent, licensed CPA firm, which also issues the report. That independence is what makes SOC reports useful: they give you an objective, third-party view of a vendor's internal practices and the risks that come with relying on its service.
Many service organizations are asked by their customers to undergo regular SOC audits. Broadly, SOC reports are expected of companies that touch, store, process, or otherwise affect their clients' financial or sensitive data. Examples of companies that are expected to have SOC reports include:
However, any company whose business model is built on providing a service to other companies can benefit from a successful SOC examination. First and foremost, a SOC report is independent, third-party validation that the service organization has evidenced the design (and, in a Type II, the operation) of its controls. It tells potential clients that the company has had its policies and work practices assessed by an outside auditor rather than simply asserting them.
Depending on the information needed and types of organizations involved, there are several versions of a SOC report. Below is a brief overview of the different types of SOC reports.
For a more detailed breakdown of the different types of SOC 1 and SOC 2 reports, see this article.
SOC 1 reports are designed for companies whose software or services can affect a customer's internal control over financial reporting. They examine areas such as change management, backup and recovery, and business process controls like reconciliations and reporting.
SOC 2 reports are relevant to companies whose software or services protect, store, or collect sensitive customer data. They are evaluated against the AICPA's Trust Services Criteria, are more technical in nature, and include a deeper review of security and privacy practices. Both SOC 1 and SOC 2 reports are restricted-use documents, typically shared with customers and prospects under a non-disclosure agreement.
SOC 3 reports are often considered an "add-on" and used as a marketing tool. A SOC 3 is a general-use summary of a SOC 2 examination that carries the auditor's opinion but omits the detailed description of controls and test results. Because it contains no sensitive detail, it is often published on a company's website and distributed freely.
Both SOC 1 and SOC 2 examinations can be issued as Type I or Type II reports. A Type I report evaluates whether the company's controls are suitably designed and implemented as of a specified date. It is often the first examination in what will become a recurring engagement, and may be conducted in response to an urgent customer request.
A Type II report, by contrast, tests both the design and the operating effectiveness of the controls over a period of time, generally 6 to 12 months. Because it shows that controls actually worked throughout the period rather than merely existing on one day, a Type II report provides considerably stronger assurance.
For SOC 2 examinations, the AICPA (American Institute of Certified Public Accountants) developed the Trust Services Criteria against which a company is evaluated. When a company undergoes a SOC 2 audit, the following five categories serve as the guiding principles: security, availability, confidentiality, privacy, and processing integrity. Security is always in scope; the other four are included only if the company chooses to have them examined.
For more detail on each of the areas above, see the AICPA’s criteria.
When making an enterprise software investment, we recommend looking for vendors that have completed a SOC examination. You should also review the report closely against each of the trust principles above (security, availability, confidentiality, privacy, and processing integrity), and check which of them the vendor actually placed in scope, since a report that covers only security says nothing about, for example, availability or privacy.
We recommend this because a SOC report signals the company's commitment to maintaining a high operational standard and shows that it has well-thought-out policies and procedures across the organization. Finally, it gives you confidence that the company is doing what it says it does, because an independent auditor has tested it.
While the details will vary depending on your organization, the software vendor, and the product or service it provides, there are a few general rules of thumb when reading a report.
Check the auditor's opinion and the period the report covers, and ask for a bridge letter if the period ended more than a few months ago. Read the test results for any exceptions the auditor noted and how the vendor responded to them. Look at the complementary user entity controls, which list the controls your own organization is expected to have in place for the vendor's controls to be effective, and note any subservice organizations (such as a cloud hosting provider) that the report carves out, since their controls were not tested. SOC reports are intended to help you make informed decisions, so reviewing these points with your team and discussing them with the vendor is time well spent.
SOC reports are a useful tool for understanding a potential vendor's security controls and how they are operated. They also help you assess the risk involved in adopting new or proposed software, so you can make an informed decision.
In fact, more companies now require that their vendors have a SOC report (though, as noted above, this applies only to specific types of software and services).
While there are many areas to review when selecting a software vendor, a SOC report offers a useful, objective, and thorough measure of the company's processes and controls.