Throughout 2017, cost-cutting efforts were seen in organizations across all industries. In particular, several studies have shown the outsourcing of IT services grew around 30%. As companies look to lower costs and focus on key business processes, outsourcing of IT services previously managed internally to third-party service providers is on the rise. With the increase in IT outsourcing, management of these companies must ensure that third-party service providers have an appropriate control structure in place. One way to do this is to obtain a System and Organization Control report (“SOC report”) from the service provider. So, how do service providers determine if they will be asked or required by a client to provide a SOC report? The questions below serve as a guide to assist in making this decision.
Do the services provided to clients affect their financial statements?
If a company’s services affect clients’ financial statements, management should consider obtaining a SOC 1 report, which is designed to examine internal controls that impact client financial reporting. When a company is providing crucial financial statement data, the client needs assurance that the service provider has proper controls in place so that the client can rely on the data being provided. With a SOC 1 report, service providers are able to provide assurance to their clients that the data provided for their financial statements is reliable.
Are the following trust services principles important to the services that the company provides to the client: security, availability, processing integrity, confidentiality, and privacy?
A simpler way to ask this question is: does the service affect the client’s operations? If the services provided to clients affect the client’s operations, service providers should consider getting a SOC 2 report, which focuses more on the pre-defined, standardized benchmarks for controls related to the security, availability, and processing integrity of the service provider’s system, and the confidentiality and privacy of client data within the service provider’s system. With a SOC 2 report, service providers will be able to provide assurance to clients that controls around the services provided meet these trust services principles and related criteria.
When service providers obtain a SOC 1 or SOC 2 report over their controls, they will realize many benefits in addition to providing assurance to their clients. One of these benefits is a competitive advantage over organizations that do not have a SOC report. With these benefits and many more not mentioned, third-party service organizations should strongly consider obtaining a SOC report.
Whitley Penn continues to be one of the region’s most distinguished public accounting firms. With a strong base in Texas and a worldwide network affiliation via Nexia International, the firm is strategically positioned for continued growth both locally and internationally. Whitley Penn has been consistently recognized as “One of the Top 100 Firms in the U.S.” and “Best of the Best” by INSIDE Public Accounting. For more information on Whitley Penn, please visit whitleypenn.com.