Article:

Why your organisation needs a SOC Report

02 June 2020

Vartika Kishore, Manager, Risk Advisory |
Mark Griffiths , Partner, Risk Advisory Services |

If you’re an outsourced provider, or your organisation engages with third-party providers as part of your business arrangements, considering your risks to privacy and confidentiality is critical. With legislation in place protecting the rights of the consumer, Vartika Kishore and Mark Griffiths discuss how your organisation must take steps to manage risks associated with third parties.

In today’s global economy, information technology has allowed for increases in efficiency and information-sharing, however, risks associated with corrupting information have become easier. For all organisations, ensuring their information remains accurate and meets privacy standards – both within Australia and internationally is imperative - especially concerning their supply chain and cybersecurity.

Given these various industry regulatory and risk standards, Service Providers must increasingly be able to demonstrate information security through adequate controls and safeguards over their client’s assets. This is where third-party assurance through a Service Organisation Control Report or “SOC Report” can help.

What is a SOC report?

A SOC report is a system and controls Audit report that assesses the internal control environment of a ‘service organisation’ – that is, an organisation providing services to its client or ‘user organisation.’ 

SOC Reports address concerns related to the ability of Service Organisation to accurately process transactions, protect user organisation’s confidential data, and maintain integrity.

Depending on the business needs, various reports are awarded to providers, depending on the defined set of security controls they meet. 

There are three SOC categories:

  • SOC 1 is an audit report on controls associated with the security of financial statements and is suited to service providers offering financial reporting service
  • SOC 2 is an audit report on controls associated with one or more of the following: security, availability, processing integrity, confidentiality, and privacy.
  • SOC3 is a higher level compliance report that can be shared with clients to prove compliance without disclosing sensitive information. It includes an assessment of the design and operating effectiveness of security controls.

There are two types of SOC reports. Type 1 assess the effectiveness of the design and implementation of the defined internal controls where  Type II looks at both design and implementation as well as operating effectiveness and security controls:

  • Type I: Description of the service organisation’s controls and management’s assertion regarding the design and implementation of these controls.
  • Type II: Provides the same information plus it covers the operating effectiveness of these controls over a period of time (typically six months to a year).

What are the benefits to your organisation?

While for APRA regulated industries, this is already a regulatory requirement, under Prudential Standard CPS 234; for any organisation, having an increased understanding of how a service provider treats information can bring many benefits because it demonstrates your control measures to pre-defined standards, giving client confidence in your organisation and ability to provide a service securely.  Investing in reports on controls has other benefits too, including:

  • Minimisation of frequent audits
  • Enhanced risk management
  • Improved competitive advantage
  • Streamlined business processes and controls
  • Potential marketing tool for prospective customers

 Who needs a SOC report?

If you’re a User organisation, it may be a requirement that you ask your service providing organisation for a SOC report, to ensure that your data is managed and maintained securely. In saying that, those service providers who proactively adopt SOC reporting as part of their information security review will make their organisation more favourable to Auditors who can easily apply the report to their Audit Standards. The below diagram shows the types of functions that require SOC Reports and their best-fit category:

SOC1

  • Service Organisation Management
  • User Organisation Management
  • User Organisation Financial Auditors

SOC2

  • Service Organisation Management
  • User Organisation Management
  • User Organisation IT auditor
  • Anyone who understands Internal controls

SOC3

  • Service Organisation Marketing team
  • Current and prospective User organisation management
  • Unrestricted distribution
     

How can we help?

Our professionals provide a full range of SOC 1, 2, 3, and other third-party assurance services in accordance with applicable professional standards. Our risk and control assurance services include:

  • Service organisations control reporting (e.g. SOC 1, SOC 2, ASAE3402 operational due diligence (ODD))
  • Internal controls over financial reporting (e.g. SOX, J-SOX)
  • Assurance mapping
  • Control Risk self-assessments
  • Vendor / Third Party risk assurance.

If you want to review the Information security of your organisation, speak to Mark Griffiths, or contact your local team.