System Organization Control (SOC)

What is a SOC report – and do I need one?

In simple terms, a System Organization Control (SOC) report provides business partners with comfort that risks from your service offerings have been appropriately addressed. But why would you want one or need one? 

  1. Do you wish to grow your client base to include larger and more sophisticated firms?
  2. Do you host, process or store data considered confidential or private?
  3. Do you issue financial reports to your clients that they rely on as part of their financial reporting processes?
  4. Do your clients rely on the availability of your technology service offerings?

If you answered “yes” to one or more of the above questions, then SOC reporting is something you may want to consider.

Any organization that provides such services and grows to a level of maturity in their business where their client base is also getting larger, more mature, and sophisticated will eventually be asked for one or more types of SOC reports as part of their risk management program.

There are two primary types of SOC reports that have varying alignments with Canadian, U.S. and international standards. These are:

SOC 1 Financial Reporting. Report on controls at a service organization relevant to user entities' internal control over financial reporting.

SOC 2/3 Trust Principles. Report on controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy (trust service principles).

Figure 1: SOC 1 and SOC 2/3 chart

Who needs a SOC report?

SOC 1: Financial Reporting

Organizations offering services that could impact their clients' financial reporting, including:

  • financial advisors and broker dealers
  • payroll processors
  • benefit or retirement plan operators
  • loan services

SOC 2/3: Trust Principles

Organizations that handle, process or manage data, including:

  • SaaS providers
  • IT service providers
  • distribution centres
  • data centres
  • cloud service providers

How can a SOC report benefit your business?

  • enhances trust for current or prospective clients
  • meets contractual commitments
  • lowers risks by identifying potential system and process weaknesses
  • demonstrates the integrity of internal processes
  • identifies inefficiencies to allow for process improvement

We’re here to advise you on your SOC assurance path and help you determine what service offering will provide the most value for your business. Now is the perfect time to get started, so contact us to learn how we can help.

Meet our people

Shane Troyer

Partner