What Are Your Customers Really Asking When They Ask for Your SOC Report?

Faith Kubicki September 18, 2020

    If a customer (or prospect) has asked you to provide a System and Organizational Controls (SOC) report, you have a valuable opportunity to communicate important information about your risk management and compliance program. In most cases, these organizations are looking for proof that you can protect any confidential information that they entrust you with. If you can’t provide the information they are looking for – or if your controls don’t meet their requirements – they may decide to move forward with a different vendor.

    The upside: if you have strong controls, your SOC report can provide a powerful narrative to your customers. If you’re in a vertical where SOC examinations aren’t an industry standard, you can use your efforts to set yourself apart from competitors. Your report will outline the policies and procedures that you’ve put in place to protect information, allowing you to establish trust among your users. Even if other organizations in your vertical also have SOC reports, you can strategically use yours to highlight the areas where you excel.

    Of course, this requires a strategic approach from the very beginning. You’ll need to work with an auditor that understands your goals – and won’t just “check the box” to create your report as quickly as possible. You’ll need to appropriately scope your examination; have your controls thoroughly assessed; and describe your system in a way that meets your customers’ expectations – all things your auditor can guide you through.


    Who is Going to Read Your SOC Report?

    SOC 1® and SOC 2® reports are intended for a specific – and highly technical – audience. In most cases, your customer’s internal audit or compliance team will be the one to read the document. In some cases, non-technical stakeholders can ask the auditors to look for certain pieces of information.


    What is a SOC Report Used For?

    When a user entity reviews a SOC report, they are often looking for proof that:

    • The examination was completed by an independent service auditor (i.e., someone other than your internal audit or information security team). Only licensed CPA firms are allowed to issue a SOC report; this assures the reader that the results are unbiased.
    • Your auditor has an appropriate understanding of your system. SOC examinations are much more technical than the financial audits that CPA firms typically perform. As a result, it’s important to have your report issued by an auditor with a deep understanding of cybersecurity, technology, and network configurations; not just a strong financial background.
    • Your claims about your system are accurate. In your SOC report, you will provide a written description of your system and controls – but your auditor will also provide their opinion on your controls. Your customers will be looking for evidence that your controls are what you say they are: designed and operating effectively. In other words, they need to know that the controls are carefully designed, correctly implemented, and capable of protecting their information.
    • You have taken appropriate measures to protect information once it leaves your hands. If you use sub-service organizations ( “fourth parties”) to process or store data, your customers need to know that those organizations have appropriate security controls as well. To help your customers do an appropriate level of due diligence, you may need to list out relevant sub-service organizations in your report.
    • Your auditor used thorough, consistent, and well-designed testing methods. Poorly designed tests cannot provide an appropriate level of confidence. Your customers will be looking for evidence that enough time was allocated for testing, and that your auditor’s methodology was appropriate for the controls being examined.
    • You have clearly identified complementary user entity considerations (CUECs). CUECs are controls that your customers will need to implement to ensure that your controls work as intended. It’s important that user entities understand their own responsibilities, including polices or procedures they may need to implement to satisfy your CUECs.

    Selecting the Scope of Your SOC Report Based on Your Customers’ Expectations

    SOC examinations can include – or exclude – various applications and technologies, physical locations, time frames, and processes. They can also include controls that are outside the scope of a traditional SOC examination, but relevant to the unique structure of your organization.

    Each customer may be looking for different information, depending on the products or services they will obtain from your company. As a result, you’ll need to be strategic about the scope of your examination, as well as the controls that you choose to include and the level of detail you choose to provide for each. You may even decide to obtain separate SOC reports for different products or service lines.

    If your customer has given you specific parameters, it’s easy enough to have your auditor meet those requirements. However, if you’re not completing a SOC report to satisfy one specific request, you’ll need to proactively determine what information will best meet your customers’ future expectations. This will require a collaborative conversation with your auditor – making it crucial to choose a provider that understands your organization’s goals.

    *Note: information you choose to include under “other information provided by the service organization” is only for the benefit of your customers. Your auditor will not provide a professional opinion on these controls.


    Is a Qualified Opinion A Deal-Breaker?

    If your auditor can confirm that your controls are described in a fair and accurate manner (and in the case of a Type 2 examination, that they are operating effectively), they will issue an unqualified opinion. If controls were not designed or operating effectively, they will deliver a qualified opinion.

    Although user entities would typically prefer to see an unqualified opinion when they review a SOC report, a qualified opinion is not always a deal-breaker. In fact, it’s not uncommon for an organization to receive a qualified opinion on their first-ever SOC report, then strengthen their security controls and receive an unqualified opinion for their subsequent effort.


    And What About a SOC Report with Exceptions?

    Your SOC report may include one or more exceptions. These are deviations from the expected result of your auditor’s testing process. For instance, your auditor might test a standard control for removing a user’s access to your system after the end of their employment; however, if operational evidence of this control is missing on one or more of the test samples, this will be noted as an exception.

    Many SOC reports – including those that are issued with an unqualified opinion – include exceptions. As with a qualified opinion, this may not be a deal-breaker. In the final version of your report, you will be able to respond to each exception, noting any remediation actions that were taken to address each issue. As customers read your report, they will look to see if there are exceptions noted in any of their most critical areas of concern, and whether your team took appropriate steps to improve their controls after your examination.


    What If the Customer Asks for a Type 2 Report, but I Only Have a Type 1?

    In some cases, user entities can be flexible with their reporting requirements. For instance, if you have a Type 1 report (which covers the design of your controls as of a point in time), but your customer is requesting a Type 2 report (which covers their operational effectiveness over a period of time), you may be able to satisfy their requirement – at least temporarily – with your existing Type 1 report. They may still ask you to complete a Type 2 examination in the future – and you may need to agree to this request as a condition of doing business – but this allows you to secure the contract and work the Type 2 examination into your future plans.


    Why Does My Customer Still Want to Audit Me After Reviewing my SOC Report?

    SOC reports can reduce the number of audit requests and security questionnaires that you receive – but they are often a single part of a broader due diligence plan. Your customers may still need to conduct their own security audits to satisfy their vendor oversight and risk management requirements; as a result, it’s rarely enough to “check the box” of a SOC examination and consider your efforts complete. (In fact, if you opt for a “check the box” SOC report, there’s a strong chance that the final document won’t contain the information your customer is really looking for; this may result in your customer auditing you further to complete their due diligence. To better meet your customers’ expectations, you’ll need to have well-designed and effective controls that can stand up to an independent audit, and a report that proactively answers your customers’ questions.


    Building a Better Business with 360 Advanced

    Your SOC report is an important way to communicate your security efforts to your customers – and our team is here to help. 360 Advanced can guide you through the entire process – from scoping your examination to meet the needs of your customer base, to providing detailed recommendations that can help you meaningfully improve your controls.

    Let us know how we can help: