What is a SOC report and should my company have one?
17 May 2023 • Corporate Audit
SOC reports are a core part of internal governance and risk management – but what are they and who are they for? Read on to find out.
A System and Organisation Controls (‘SOC’) report is an independent assessment of the risks associated with using a service organisation (and other third parties). SOC reports are a core part of internal governance and risk management and can be used to enhance customer relationships by building confidence and trust.
There are different types of SOC reports (SOC 1, SOC 2 etc). SOC 1 reports focus on outsourced services that could impact a company's financial reporting and this is the type of report we’re focusing on in this article.
'SOC' is the most commonly used terminology when referring to internal controls assurance; however, there are a number of different reporting frameworks in place:
ISAE 3402: The international framework issued by the IAASB
SOC 1: The US framework issued by the AICPA
AAF 01/20: The UK framework issued by the ICAEW
As part of the engagement, business process and IT controls will be defined and tested. The report itself is signed off by a Service Auditor and can be either a type 1 or type 2 report:
Type 1: Point in time (assurance is provided on the design of controls)
Type 2: Over a specified time period (assurance is provided on the design and operating effectiveness of controls)
Who needs an internal controls assurance report?
There is currently no statutory requirement; however, they’re commonly performed for the following activities:
Custody;
Fiduciary management;
Fund accounting;
Investment management;
Investment administration;
Pension administration;
Private equity;
Property investment management;
Property investment administration;
Transfer agency; and
Information Technology.
What are the benefits of obtaining an internal controls assurance report?
Obtaining a SOC/AAF report differentiates the service organisation from its peers by demonstrating effectively designed control objectives and control activities. In many cases, the report will also satisfy the user auditors’ requirements as well as specific requests from investors or customers.
Who are the users of these reports?
The users can be both internal and external, e.g.:
Internal management at the service organisation
External parties such as customers (or potential customers), investors or the external auditors of customers.
