As a service organization, it is imperative to verify that effective internal controls are in place to establish trust and confidence for end-users of the service being provided. This is where a System and Organization Controls (SOC) Report comes into play.
A common example of a service provider is one that provides outsourced payroll services. Companies that utilize the outsourced services need to have trust and confidence that the payroll information being produced is accurate, timely, complete, and secure. To help gain this assurance, end users can request a SOC report to verify the payroll processing company has effective internal controls in place. Other common examples of service providers include claims administration, cloud service providers, human resources support services, lending services, and Software-as-a-Service (SaaS) companies.
Many end-users are requiring SOC reports as part of their overall vendor management programs, and are more apt to contract with service providers that have undergone a SOC examination.
If your company is a service provider, it is a best practice to seek out a SOC report on your own. However, before you do, it is important to understand the different types of SOC reports that an entity can receive, as well as how best to prepare for the examination. If you have any questions as to whether a SOC examination applies to your company, or if you need assistance in getting ready for a SOC examination, contact our team of specialists.
This article was written by Jan Schweitzer, CPA, CFE, and Shareholder in our Missoula office.