article banner

System Organization Control (SOC)

Advisory

What is a SOC report – and do I need one?

In simple terms, a System Organization Control (SOC) report provides business partners with comfort that risks from your service offerings have been appropriately addressed. But why would you want one or need one? 

  1. Do you wish to grow your client base to include larger and more sophisticated firms?
  2. Do you host, process or store data considered confidential or private?
  3. Do you issue financial reports to your clients that they rely on as part of their financial reporting processes?
  4. Do your clients rely on the availability of your technology service offerings?

If you answered “yes” to one or more of the above questions, then SOC reporting should be something you may want to consider.

Any organization that provides such services and grows to a level of maturity in their business where their client base is also getting larger, more mature, and sophisticated will eventually be asked for one or more types of SOC reports as part of their risk management program.

There are two primary types of SOC reports that have varying alignments with Canadian, U.S. and international standards. These are:

SOC 1 Financial Reporting. Report on controls at a service organization relevant to user entities' internal control over financial reporting.

SOC 2/3 Trust Principles. Report on controls at a service organization relevant to security availability, processing integrity, confidentiality or privacy (trust service principles).

SOC 1 and SOC2/3 reporting chart. See Figure 1 long description below.

Figure 1: SOC 1 and SOC 2/3 chart

Figure 1: SOC 1 and SOC 2/3 chart - description

Who needs a SOC report?

SOC 1: Financial Reporting

Organizations offering services that could impact their clients' financial reporting including:

  • financial advisors and broker dealers
  • payroll processors
  • benefit or retirement plan operators
  • loan services

SOC 2/3: Trust Principles

Organizations that handle, process or manage data, including:

  • SaaS providers
  • IT service providers
  • distribution centres
  • data centres
  • cloud service providers

How can a SOC report benefit your business?

  • enhances trust for current or prospective clients
  • meets contractual commitments
  • lowers risks by identifying potential system and process weaknesses
  • demonstrates the integrity of internal processes
  • identifies inefficiencies to allow for process improvement

We’re here to advise you on your SOC assurance path and help you determine what service offering will provide the most value for your business. Now is the perfect time to get started, so contact us to learn how we can help.

Meet our people

Shane Troyer

Partner

View profile

Want to learn more? Let's talk.

David Florio
David Florio
Partner, Advisory Services Toronto
David Florio VCard
View full profile

Related content

View more
Audit and Assurance
Deferral of upfront non-refundable fees requirements (ASPE and ASNPO)
18 Aug 2022
Read more
Audit and Assurance
IFRS Example Consolidated Interim Financial Statements 2022
25 May 2022
Read more
Audit and Assurance
Keeping pace with changes to accounting standards and tax regulations
04 Apr 2022
Read more
View more