
Updated: August 9, 2022

How to protect data while working with clients outside your organization

For the small business owner who regularly handles data belonging to outside parties, there is a real risk of sensitive data getting into the wrong hands.

Maybe you provide payroll services to other companies. Maybe you run a cloud-based storage system or a customer service platform. If you're engaged in any of these activities, you may want to think about preparing a SOC report with a trusted adviser. SOC reports, in short, help companies vet and understand the safeguards a vendor has in place before they outsource business processes (and sensitive data) to that vendor.

Patrick Morin is a principal at Baker Newman Noyes.

If your business has ever been through an audit, you've likely been asked for System and Organization Controls, or SOC, reports. While these reports have existed in some form for quite a while, it's not unusual (and I assure you it's OK) for a mention of them to produce anything from mild to significant confusion.

SOC reports are internal control reports on the services provided by an outsourced company; they give valuable information about the risks of relying on that organization. For example, a SOC report on a cloud-based storage service would describe the processes in place to safeguard user data within that system.

Essentially, a SOC report gives customers and business partners that rely on an outsourced system assurance that the organization's controls over that system are suitably designed to meet the objectives and commitments tied to its use.

While SOC reports have become most common in technology, claims processing and finance, we've also seen them benefit cloud providers, service organizations, data analysts and many others.

There are a few different kinds of SOC reports, but the two most commonly requested are:

  • SOC 1 - reports on controls relevant to user entities' internal control over financial reporting, and
  • SOC 2 - reports on controls related to security, availability, processing integrity, confidentiality and privacy (the trust services criteria).

Each is issued either as a Type 1 report, which covers the design of controls as of a point in time, or as a Type 2 report, which also tests whether those controls operated effectively over a review period. When you are relying on a vendor to protect your data, the Type 2 report is the one to ask for.

Most SOC reports will contain the following components:

The auditor's opinion. The core of a SOC report is what's known as the service auditor's report. This section documents the auditor's opinion on the service organization's controls over the system. The opinion includes an assessment of whether the controls are suitably designed, which essentially means determining whether each control, if operated as described, is likely to achieve what it is intended to do.

The auditor's testing. A SOC report also contains the results of the independent auditor's testing: a description of the controls the service organization has implemented and the corresponding tests the auditor performed to check that those controls operate effectively.

Deviations during testing. The auditor will also include any exceptions identified during testing, such as a control that did not operate effectively. For the benefit of the report user, the report describes each exception and can include management's response explaining what it will do about it. Read these closely: the overall opinion can remain clean even when exceptions are listed, so the exceptions themselves tell you where a vendor's safeguards actually fell short.

A word from management. Another key component of SOC reports is management's assertion. This provides additional information about the functions the service provider performs and the criteria management used in establishing its control objectives and service commitments.

Trust as a two-way street. SOC reports also describe the controls the service organization assumes its user entities will implement (often called complementary user entity controls) in order for the control objectives to be met. If your own business does not implement those controls, the assurance in the report does not fully apply to you.

When dealing with transaction processing, information technology, software, data and other high-sensitivity operations, SOC reports can be a valuable way of understanding the controls in place to guard those processes and that information. It might sound confusing at first, but SOC reports can provide clarity and peace of mind about the systems that safeguard important information and business processes.
