With security scrutiny booming due to reliance on service providers, the SOC report continues to advance from “nice-to-have” to “need-to-have” for vendors across all industries, including real estate services.
System and Organization Controls (SOC) reports are issued by independent accountants under AICPA standards and enable companies to identify and attest to the effectiveness of their internal controls. The two most common SOC reports assess two broad ranges of controls: controls that impact client financial statements (known as a “SOC 1” report) and controls relevant to the security, availability, processing integrity, confidentiality, and/or privacy of the provided services (known as a “SOC 2” report). To add a layer of complexity, each SOC report has two types – Type I addresses a company’s control design at a point in time and Type II addresses a company’s control design and operating effectiveness across a period of time.
SOC reports are typically requested by a company looking at using another company’s services. A SOC report can give the buying company comfort that the servicing company has the controls and security measures in place to keep their sensitive information safe and process their transactions appropriately. Existing and prospective customers alike may be adamant when it comes to a vendor organization providing a SOC report and, if there isn’t one available, they may consider taking their business to a competitor. The thought of going through the process of obtaining a SOC report may be worrisome to a management team who has not gone through the process previously. When reaching out to an independent accounting firm to begin the SOC journey, there are ways for management to set itself up for the best possible outcome.
Companies typically begin the SOC journey by completing a Readiness Assessment in order to prepare for the SOC audit. The Readiness Assessment’s purpose is to help an organization identify the existing controls in place related to the SOC scope, as well as the gaps needing remediation, in order to be in a position of having strong internal controls before the SOC examination begins. After the Readiness Assessment concludes, companies typically follow with a Type 1 SOC report and subsequently a Type 2 SOC report, or follow directly with a Type 2 SOC report.
Comments