Do I need a SOC exam? And do I need more than one?

Jun 27, 2019

Not sure if you need a SOC exam? Or if you need more than one? You’re not alone. 

SOC stands for System and Organization Controls (formerly Service Organization Controls), and there are several kinds of SOC reports. It can be confusing to figure out which ones you may need and for which parts of your business.

But it boils down to this: you should have a SOC exam if you handle or store data on behalf of clients.

SOC exams review and document controls over key areas such as the security, availability, confidentiality, processing integrity, and privacy of data, so you can show your clients that their data and your processes are secure and sound.

Here are some examples of the types of service organizations that need SOC exams:

  • Accounts Receivable Management/Collections Services
  • Application Development Services
  • Benefit Plan Administration Providers
  • Check Imaging and Processing Services
  • Claims Processing Services
  • Data Center and Colocation Services
  • Document Management Services
  • Healthcare Billing Services
  • Healthcare Records Management Services
  • Hosted Application Providers
  • Information Security Management Services
  • Internet Banking Providers
  • Loan Servicing Providers
  • Managed Technology Services
  • Order Fulfillment and Distribution Services
  • Payroll Processing Services
  • Practice Management System Hosting Services
  • Printing and Mailing Services
  • Section 8 Housing Services
  • Software as a service (SaaS) Providers
  • Software Hosting Providers
  • Third Party Administration Services

How many SOC exams do I need?

Now that you know you need a SOC exam, the next question is whether you need more than one.

Getting a single report is typically less expensive, but there are times when you may need multiple stand-alone reports.

Here are three factors to consider:

  1. Multiple Services: If you have multiple services or business lines, multiple reports let you give a single report to the customers using a specific service area, so they don’t have to wade through reports on services they aren’t using. It also doesn’t expose them to any problems in areas that aren’t relevant to them.
  2. Multiple Locations: If your company operates out of multiple locations and those locations don’t all have the same services or controls, you will want multiple SOC exams. Even if you have the same processes in all locations, multiple reports can cut down on confusion and help you better assess operations in each location. It’s also helpful if you’re expanding, since new locations (through mergers, acquisitions, or recent openings) may not be aligned with the rest of the locations in the first year.
  3. How customers use your services: You may also get multiple SOC exams depending on how customers are using your services. For example, if they use data processing services and hosting services, they will need a SOC 1 and a SOC 2. Or if you want one report for customers and one report for marketing, you would get a SOC 2 and a SOC 3.

Types of SOC exams

To help you determine what type of SOC exam you need, here’s a breakdown: 

SOC 1 (SOC for Service Organizations – Internal Control over Financial Reporting)
The performance and reporting requirements for an examination of controls at a service organization that are likely to be relevant to user entities’ internal control over financial reporting.

SOC 2 (SOC for Service Organizations – Trust Services Criteria)
The performance and reporting requirements for an examination of controls at a service organization relevant to one or more of the following principles: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

SOC 2 (for HITRUST)
Designed for service organizations that desire to use the SOC 2 reporting framework to leverage both the SOC 2 Trust Services Principles and the HITRUST Common Security Framework (CSF). See our other HITRUST Services. 

SOC 3 (SOC for Service Organizations – Trust Services Criteria for General Use Report)
The performance and reporting requirements for an examination of controls at a service organization relevant to one or more of the following principles: Security, Availability, Processing Integrity, Confidentiality, and Privacy, resulting in a general use report.

Within each of these SOC exams, there is also a Type 1 and a Type 2. A Type 1 report covers controls as of a specific point in time, while a Type 2 report covers a period of time, generally 6 to 12 months.

If you would like to discuss your specific service offerings to determine how many SOC exams you need, contact us.

Author(s)

Durward J. Ferland, Jr., CISA, CISM, CRISC, Partner, South Portland, Maine