Trust, But Verify: System and Organization Controls (SOC) Reports

Dani Anspach October 15th, 2018

What is a SOC report and why do service providers pay to have one completed?

Financial institutions (FIs) are regulated by the Federal Financial Institutions Examination Council (FFIEC). The FFIEC is composed of five banking regulators responsible for establishing consistent guidelines and uniform practices and principles for FIs. Simply stated, the FFIEC wants to ensure that FIs don’t fail and cause a market crash. The FFIEC has created a handbook which provides guidance to FIs on how to ensure their internal controls meet the standards that the FFIEC would expect to see upon examination.

Internal controls for FIs often include a vendor oversight or vendor management program with the vendor being the FI’s fourth party. These programs vary in size and complexity, but all look for similar controls from their vendors. The controls range from information security questions, to vendor oversight, to HR-related items.

For most FIs, visiting all of their vendors would be nearly impossible and certainly cost prohibitive. Therefore, in lieu of visiting each vendor site, the FI sends a questionnaire to their vendors to complete along with a request for supporting documentation. While these questionnaires provide a reliable means of obtaining accurate information from the vendor, sometimes more information is needed and that is when the SOC report comes into play.

A SOC (System and Organization Controls) report is a third-party audited report created using the American Institute of Certified Public Accountants (AICPA) framework. SOC reports are designed to help companies that provide services to other entities build trust and confidence in the services performed and the controls related to those services. There are a few different types of SOC reports, with each type designed to help companies meet specific user needs. The type of report the vendor uses is often based upon the nature of the work they are completing. For more information on the different types of SOC reports, visit the AICPA website.

Is a SOC report right for your organization?

There are several good reasons for your organization to use a SOC report. First and foremost, retaining a third-party audit firm to test internal controls can save your company both time and money. It can even help to generate revenue by verifying that the necessary internal controls are in fact in place and are operating effectively. In many cases, when a SOC report is provided to FIs, it satisfies their oversight obligations, removing the need for a visit. Audits can be costly, confusing, and time-consuming. If you are in doubt as to whether you should use a SOC report, check with your compliance team, and they can guide you in the right direction.

This content is accurate at the time of publication and may not be updated.