Outsourcing? Why your organisation needs a SOC report

If you are outsourcing parts of your business operations or infrastructure to third parties or are a provider of outsourced infrastructure, products and related services, then governance through assurance reporting is critical for the appropriate management of key outsourcing risks.

‘While you may outsource the operation and control of business risks, your business is still responsible for how outsource providers manage their operations and associated risks on your behalf.’

One of the better practices that has evolved over the last few years is seeking assurance over outsource operations, infrastructure, products, and related services through System and Organisation Controls (SOC) Assurance Reports. Alternatively, this can be achieved through ISO Compliance reviews (typically based on ISO 27001/2) however globally, countries are starting to move away from ISO 27001 certification and more towards SOC 2 - ISAE 3000 or the Australian equivalent ASAE 3402 (assurance reports on controls at a service organisation – for distribution to third-parties) or ASAE 3150 (assurance engagements on controls - for internal use only) assurance reports on controls.

This is mainly due to the value of the SOC assurance process, which provides greater coverage and broader organisation-wide value (not just within IT operations), and it can also be easily leveraged into Internal and External Audit assurance processes. Further, the combination of SOC 1 and SOC 2 Assurance Reports can incorporate all of the ISO 27001 frameworks, risks, and controls, which avoids duplication of control testing and provides greater assurance across the wider Governance, Risk and Compliance (GRC) landscape.

Increasingly, a SOC assurance report, which focuses on internal controls, is becoming a core part of governance as organisations manage outsourcing risks, ensure accountability, and improve transparency. Drivers for this adoption include rapid changes to the business environment, such as the prevalence of outsourcing in a tech-enabled world economy, demands from regulators, customers, and suppliers for accountability, especially at the Board level (notably by APRA, ASIC, ACNC, ACCC, and the ASX).

This article outlines the changing landscape and why undertaking SOC reports should be part of your annual governance program.

What is a SOC report?

A SOC report is an assurance report provided by a Certified Public Accountant (CPA) or a Chartered Accountant (CA). It was initially established by the American Institute of Certified Public Accountants (AICPA), and its use has since spread globally. The report is a collection of assurance services provided by subject matter technical specialists over the system of internal controls in a service organisation – that is, an organisation providing services to its client or user organisation. A SOC report assures that internal controls are appropriately designed and operated effectively across a ‘defined’ period of reliance.

At a high level, the SOC assurance report addresses concerns related to the ability of the service organisation to accurately process transactions, secure and protect user organisation’s confidential data, and maintain integrity.

For example, imagine the implications to your business if an outsource provider suffered a major data (privacy) breach due to poor controls around your data. There would be potential for your business’s sensitive information (such as personal information, pricing, product data or intellectual property) to be leaked and sold to your competitors. This could result in significant business decline within a period and could potentially lead to business failure.

Types of SOC reports

There are various reports available that can be used, depending on your business needs. In essence, there are three different SOC assurance reports, with each having either a ‘Type I’ or ‘Type II’ form of report:

SOC 1

• ‘Restricted use’ assurance report on internal controls over financial reporting and is suited to a third-party vendor’s accounting and financial controls.

SOC 2

• ‘Restricted use’ assurance report on (non-financial) controls focusing on one or more of the following Trust Services Criteria (TSC) security, availability, processing integrity, confidentiality, and privacy.

SOC 3

• Similar to SOC 2 it provides a summary compliance report that is ‘unrestricted’ in use and provides compliance without disclosing sensitive information (generally used for marketing purposes).

‘Type I’ assesses the effectiveness of the design and implementation of the defined internal controls, whereas ‘Type II’ examines both design and implementation together with the operating effectiveness over a specified period (e.g. 6 to 12 months):

Type I

• Description of the service organisation’s controls and management’s assertion regarding the design and implementation of these controls. A SOC Type I Assurance Report will provide you with a report ‘as at’ a specified date (e.g. as of 30 June 2023)

Type II:

• Provides the same information as Type I plus covers the operating effectiveness of these controls over a defined period (e.g. 1 July 2023 to 31 December 2023).

One of the misconceptions about SOC 1, 2, and 3 is that only a member of the American Institute of CPAs (AICPA) can issue these assurance reports. This is factually incorrect as any qualified CPA or CA can sign the SOC assurance report however as these typically deal with complex outsourced technology risks and controls, Technology Risk & Assurance specialists (subject matter experts) play a critical role in terms of completing the fieldwork and ensuring appropriate quality assurance measures are undertaken.

From a quality & risk perspective, SOC reports involving significant technology risks and controls should ideally involve a CPA or CA with deep technology risk and control skills and experiences.

I have a Service Level Agreement – shouldn’t that be enough?

The days of business relying solely on supplier-managed Service Level Agreements (SLAs) are long gone. In today’s digital age, where technology and related support services and infrastructure are heavily outsourced if an SLA were the only mechanism to ensure the appropriate conduct and control of your outsourced business operations, it could be deemed negligent from a governance perspective.

While an SLA outlines the level of service expected, it can only protect a business if the controls are designed and operating effectively on a continuous basis. Remember, an outsourcer manages your risks for you, but you still own the risk and are responsible for outcomes where risks are not managed to an appropriate standard.

What’s driving the demand for SOC reports?

The world economy is changing, and businesses must keep up or risk being left behind. While COVID was a significant catalyst for changing business operations and behaviours, these changes were well underway beforehand. It is easy to see how the world is being impacted by significant changes such as:

Technology-enabled

The number of businesses now outsourcing major components of their business (particularly Infrastructure as a Service (IaaS), Software as a Service (SaaS), Supply Chain, Security, including Security and Privacy services etc.) has increased dramatically over the last few years. Technology enablement has been forced by other factors such as COVID and new working methods. With this comes several risks that must be properly managed within the organisation’s governance, risk, and compliance (GRC) programs.

Regulatory driven 

From a regulatory perspective, obtaining independent SOC assurance reports has become a key focus of regulators such as APRA. Regulators are focusing on improving governance and, through this process, reinforcing the importance of ensuring outsourced operations are well-controlled and managed. This is critical to avoid adverse events affecting shareholders, investors, customers, suppliers, governments, and the wider community.

Regulators are particularly focused on accountability and whether organisations have appropriate governance mechanisms in place to ensure Boards and Audit Committees identify, understand, and appropriately manage outsourced operational risks, as operations remain the business’s responsibility. These risks include continuity, security, cyber security, and privacy (refer to APRA’s CPS 230 – Operational Risk Management that comes into effect in 2025).

A competitive supplier market

The supplier market is becoming saturated, with many suppliers opting for mergers and acquisitions, and as a result, outsource providers are looking for competitive advantages to maintain existing customers and win new business. They are now proactively seeking to demonstrate their proficiency, skills, and reputation by providing SOC assurance reports.

Better practice governance

Even if a business is not specifically required to obtain independent assurance over its outsourced operation by regulators, this is considered ‘better practice’ from a governance stance. Given that the outsourced provider’s risks are still owned by the business, there is also a fiduciary duty on business’ (including Directors) that can impact the broader community.

This includes markets, governments and consumers to ensure risks are appropriately managed, the control mechanisms remain relevant, and they are appropriate in design and effective in operation. There is also a reputational risk aspect, which in the case of outsourced operations can largely be achieved through the SOC assurance reporting process.

How does a SOC report differ from an external auditors report and what are the benefits?

SOC assurance reports specifically focus on the internal controls of a service organisation (often predominately technology risks and controls) and not the validity, completeness, accuracy, or otherwise of any underlying financial information. Therefore, they differ from the Financial Statement Auditor (Independent External Auditor).

In saying that, SOC assurance reports provide the External Auditor with a high degree of comfort over the control environment in place. External Auditors will want to obtain these reports (if available) and, after an IT Assurance specialist re-performs an appropriate level of control testing, be able to place a level of reliance on the contents of the SOC assurance reports, where relevant and supported by other audit procedures.

While a SOC assurance report for APRA-regulated organisations forms part of a regulatory requirement, for other organisations, having an increased understanding of how a service provider treats your information can bring many benefits as it demonstrates your control measures to pre-defined standards, thereby providing confidence in your organisation and its ability to provide ‘trusted’ services.

Other benefits of investing in reports on controls

• Minimisation of several annual repetitive/duplicate audits of technology risks.
• Enhanced risk management over complex areas.
• Improved competitive advantages.
• Streamlined business processes and controls.
• Potential marketing tool for prospective customers by suppliers.

If you outsource any aspect of your business, SOC assurance reports should make a key component of your governance program. Changes in the business environment have been the catalyst for businesses, regulators and customers to require assurance over their outsourced operations. Whether it be to ensure cyber threats are mitigated, compliance measures are met, or to uphold the overall integrity of the business and its success.

How can we help?

Our professionals provide a full range of SOC 1, 2, 3, ISO Compliance, and other third-party assurance services by applicable professional standards. Our technology risk and control assurance services work closely with our broader Risk team to provide the following:

• System and Organisation Controls reporting (e.g. SOC 1 & SOC 2 (ASAE 3402/ ASAE 3150)
• APRA Standards - IT Assurance (CPS 220, 231, 232, 233, 234, 235 & the new CPS 230)
• ISO Compliance (27001 Readiness & Maintenance Audits (Pre-Certification))
• IT Governance
• Operational Due Diligence (ODD), including Technology Due Diligence
• Internal IT Controls over Financial Reporting (using COSO & COBIT Frameworks)
• IT Risk & Assurance Control Library Mapping and Control Self-Assessments
• Data Privacy Impact Assessments
• Consumer Data Right (ACCC) Attestation
• Vendor / Third Party Assurance
• Governance, Risk & Compliance Framework Design and Implementation

For more information and to speak to one of our specialists, contact your local BDO adviser.