This article was written by Timothy McMahon, CPA, Manager.
During your annual audit process, auditors often ask clients to provide SOC reports for the various third-party service organizations they have used during the year. Our requests are sometimes met with a “what is that?” or “I’m not sure I’ve seen that before” response. We use and review these SOC reports to gain an understanding of our clients’ internal control processes (most often for payroll), but it is also beneficial for our clients to evaluate and use these reports themselves, as doing so can help them improve their own internal controls.
What is a SOC Report?
System and Organization Controls (SOC) reports are examination reports that evaluate the effectiveness of internal controls over the services performed by a service organization (e.g., a payroll provider) for a user entity (our client organizations). They are used to verify that a service organization is following best practices to protect its clients’ data and to provide correct information for the purpose of financial reporting. The most common type of SOC report we review during our audits is the SOC 1 report, which reports on the design and operating effectiveness of controls that are relevant to the user entity’s financial reporting.
One of the largest expenses for most organizations is payroll, and many organizations use external service organizations for their payroll processing. Therefore, during our audits we request the SOC 1 reports for the service organizations that our clients use. When a SOC report does not cover the full audit period we are testing, we also request “Bridge Letters” to cover the months the SOC report leaves out.
Why Should You Care About These Reports?
While the reports provide information on the effectiveness of the service organization’s internal controls, they also list “Complementary User Entity Controls.” These are controls the service organization assumes the user entity has in place in order for the service organization’s control objectives to be achieved. In other words, for the payroll controls described in the SOC report to be effective, the user entity must implement its own processes that align with the service organization’s recommendations.
Therefore, reviewing the SOC reports of your service organizations is an essential part of ensuring your data is secure. These reports are typically issued annually, so it is best practice for every organization that uses service organizations for services like payroll to request them each year. Every organization is different, and not all of the user entity controls listed in a report may be applicable or possible to implement, but determining which controls apply to your organization and implementing them is an essential part of using a service organization.
With the continuing rise of cyberattacks and other information technology security breaches, the need to protect data has become significantly more important. Reviewing the applicable SOC reports of the service organizations your organization uses is an essential practice to help ensure that your data is safe and that effective controls are in place.
If you need further guidance or have any questions on this topic, we’re here to help. Please do not hesitate to reach out to our trusted experts to discuss your specific situation.
This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, an accountant-client relationship.