As organisations outsource more of their core operational functions, there’s been a large increase in demand for Service Organisation Control (SOC) 2 reports. In particular demand are enhanced SOC 2 reports, also called SOC 2+.
Providing assurance with regard to the American Institute of Certified Public Accountants’ (AICPA) Trust Service Principles (TSPs) may be sufficient for some outsource service providers’ (OSPs) customers. But others may require greater detail. For this reason, the AICPA has created SOC 2+.
This extensible framework allows OSPs’ auditors (also known as service auditors) to incorporate various industry standards, such as those published by the National Institute of Standards and Technology (NIST) and the International Standardization Organization (ISO), into one SOC 2 report.
SOC 2+ reports create substantial efficiencies for organisations. Organisations are able to spend less time and fewer resources conducting performance reviews at their OSPs. Both OSPs and customers are also less likely to be exposed to compliance violations that can result in various forms of liability, including fines.
For OSPs, the benefits are even more significant. SOC 2+ reports allow OSPs to demonstrate to their stakeholders that effective internal controls are in place. These controls pertain to the criteria covered in the TSPs of security, availability, processing integrity, confidentiality and privacy, as well as many of the most detailed requirements covered in other regulatory and industry-specific frameworks. They offer a standardised format for meeting a broad range of regulatory and non-regulatory control requirements, eliminating the need for redundant activities and one-off responses. They’re also flexible enough that they can be tailored to meet the specific needs of organisations.
SOC 2+ reports call for a different way of organising requirements and testing controls. Therefore, issuing these reports may take some getting used to. There are a number of guiding principles that will make the journey from SOC 2 to SOC 2+ easier and more effective.
Start small
Focus initial reporting scope on a subset of environments or a subset of TSPs — the principle or principles that are most important to customers. Once confidence has been built about the controls surrounding a limited set of TSPs and environments, OSPs can then branch out, mapping and testing the controls relevant to a broader set of customer needs.
Know your customer
Understanding your customer's needs ultimately comes down to educating the salesforce and other customer touchpoints. When they understand SOC reporting, they can both communicate the benefits and ask customers the right questions to help scope and define their requirements.
Organise and plan
If this is the first time a SOC 2+ report is being compiled, it’s likely that compliance controls haven’t been tested by external or independent auditors in the past. So it’s best to perform readiness testing to determine whether controls are robust enough to meet the appropriate TSPs or various SOC 2+ framework requirements during an actual examination. OSPs that don’t prepare in advance tend to have more issues with controls during actual testing.
Build on your success
Once the necessary controls and procedures are in place for SOC 2, other frameworks can start to be integrated. Individual controls invariably fulfil multiple requirements. When organisations need OSPs to demonstrate compliance with various industry-specific or regulatory requirements, in addition to general compliance with the TSPs, mapping overlapping requirements to the controls that already satisfy them will greatly improve testing efficiency.
The complexity of the extended enterprise has exposed organisations to many risks that are outside their control. Organisations that rely on OSPs for important and mission-critical functions need assurance that OSPs have rigorous control processes in place. Furthermore, as regulations proliferate, OSPs and their customers alike must be able to utilise an integrated internal control report with a wide range of industry-specific and other requirements.
SOC 2+ reports are an efficient approach to organising, testing and reporting on controls for multiple frameworks simultaneously. Outsourcers that have a streamlined process for delivering these reports to customers may find themselves with a significant advantage in demonstrating their third-party proficiency. When OSPs and organisations work together, SOC 2+ reports can become an efficient exchange of information in the marketplace.
Third-party assurance optimisation
Outsource service providers are increasingly managing core business and IT processes for clients, which entails gaining unprecedented access to sensitive data and connectivity to critical systems. But when outsource service providers are more tightly integrated with day-to-day operations, they also have an impact on their clients’ internal control environments. Companies, therefore, are holding outsource service providers to the same level of risk monitoring and regulatory compliance that they hold themselves.
As demand for third-party assurance reports increases, how can outsource service providers implement a more streamlined approach for dealing with both customer and regulatory requirements?
Consult our article on Third-party assurance optimisation for further information.
Deloitte has developed a comprehensive and structured approach for service auditor reporting. Our methodology for preparing and delivering service auditor reports follows a phased approach which is customised to meet specific business needs of our clients. Our approach incorporates a risk-centric focus, while also identifying the effective and efficient methods for identifying scope, testing controls and executing the tasks and activities associated with third-party assurance reporting.
Consult our Third-party assurance services page to discover Deloitte's methodology for service auditor reporting and what it can do for your company.