How to choose the right Service Organization Controls report

If you provide outsourced services to your clients, an excellent tool to create trust and confidence is the service organization controls (SOC) reports. These reports can boost growth, win and retain clients and open new markets.

But which one is right for your organization?

The SOC reports replace and expand the previous standard, SAS 70.  We have seen a seamless transition from the old standard to its replacement, the SOC 1 report (or SSAE 16). This report examines internal controls at a service organization that impact a user entity’s controls over financial reporting.

However, we are still seeing some confusion with the new reports (SOC 2 and SOC 3). The new reports are designed to examine operational issues, such as security, availability, integrity, confidentiality or privacy. And, since both reports examine the same areas, many of our clients are asking us why they should get a SOC 2, SOC 3 or both.

To assess what report is right for you, ask:

• Do your customers have the need for/ability to understand the details of processing and controls at a service organization, the tests performed by the service auditor and results of those tests?  If the answer is yes, a SOC 2 report will be right for you.
• Do you plan to use the report to market your services?  Do you need to make the report readily available?  Does a certification seal add value? If the answer is yes, a SOC 3 report will be the right choice and not a SOC 2.

Should you get both?

From the auditors’ perspective, the work we do to issue the SOC 2 and SOC 3 report is the same.  It’s the actual report and opinion that are different.  We are recommending our clients get a SOC 2 report and, since the work has been done, also issue a SOC 3 report. This way you will get the best of both worlds.

For more information on SOC reports, please refer our white paper New Tools Help Service Organizations Win Clients’ Trust.