Staff byline: Dave Crozier
As your company grows, it’s inevitable that you will need to rely on outsourcing various parts of your operational processes to ensure you can keep up with demand. But as you share more sensitive information with your vendors, your key stakeholders and customers need to be sure that they can continue to trust you to be careful with their data.
For businesses with complex supply chains and several service providers, System and Organization Controls (SOC) reports can provide the vital information needed to ensure their vendors comply with regulations and operate ethically. Whether you need SOC 1 vs SOC 2, or any other type will depend on your vendor — but we’ll cover that in more detail later.
Here’s what you need to know about using SOC reporting in your vendor processes, and how you can decide which reports will work best for your third-party risk management.
What You Need to Know About SOC Reporting
Created by the American Institute of Certified Public Accountants (AICPA), SOC reports offer a detailed way for companies to assess their third-party supplier risks from different perspectives. SOC reports are a type of attestation reporting, meaning that an external certified public accountant (CPA) has audited and validated the third-party supplier’s financial statements and non-financial controls.
Why SOC Reporting Is Crucial for Onboarding Processes
Although SOC 1 and SOC 2 are used for various purposes in different industries, the overall benefits of using SOC reporting for your vendor management processes include:
- Providing valuable insight into your vendor’s processes, and their internal governance, risk management processes, and regulatory oversight
- Highlighting key areas of concern to help you identify vulnerabilities through specific vendors in your supply chain
- Providing validation and clarity for your vendor processes
- Gaining assurance of updated security best practices
- Helping you with long-term, proactive risk management
- Securing trust with your key stakeholders by increasing transparency in your supply chain
Comparing SOC 1 vs. SOC 2
There are several classifications of SOC audit, each with its own purpose and intended audience, and risk management teams should understand how they differ. For most, the two most significant are SOC 1 and SOC 2.
SOC 1 reports take a detailed look at an organization’s internal controls over its accounting and financial reporting. Examples include strict access policies for financial information or validation procedures in place to help catch accounting errors. This gives you a level of assurance (or, where controls are weak, a warning) about the integrity of your sensitive financial data.
There are two types of SOC 1 reports:
- SOC 1 Type 1: A Type 1 report shows the results of an audit at a single point in time. Its purpose is to show whether your vendor’s internal financial controls are in good shape.
- SOC 1 Type 2: A Type 2 report looks at the performance of your vendor’s internal financial controls over a specified period (e.g., monitoring whether the specific staff or departments accessing financial records over the course of a year had a legitimate need to do so). For this reason, Type 2 reports are seen as a more reliable indicator of financial control effectiveness, according to “Infosecurity Magazine”.
SOC 2 reports highlight the security controls your vendors use to protect their sensitive, non-financial customer data. In SOC 2, these controls are monitored using the AICPA Trust Services Criteria (TSC), which cover:
- Security: Whether your vendor protects your data and systems against any unauthorized access that could compromise the integrity of the other TSCs
- Availability: That your information and systems are functional and available for your business objectives
- Processing integrity: That any systems your vendor uses to process your data are doing what they are supposed to do and that they operate with no impairments
- Confidentiality: That your vendor ensures that confidential data is marked and treated as such
- Privacy: That any personal information the vendor collects is processed correctly
Just like SOC 1, SOC 2 also contains two subtypes:
- SOC 2 Type 1: A Type 1 report under this classification identifies whether controls are in place under your relevant TSCs at a single point in time.
- SOC 2 Type 2: A Type 2 report goes a step further than a SOC 2 Type 1 report by monitoring how well those controls work over a period of time.
How to Choose Between SOC 1 vs SOC 2 for Your Vendors
Businesses should know the differences between SOC 1 and SOC 2 so they can choose the reports that work best for their vendor processes.
SOC 1 and SOC 2 reports are completely different frameworks. Whether you should audit a vendor using SOC 1, SOC 2, or both depends on the services that vendor provides.
As a SOC 1 report focuses only on the financial control elements of a business, it applies only to vendors providing services that can have a direct impact on your company’s bottom line. For instance, a SOC 1 would be a suitable reporting tool for vendors such as payroll providers, online payment processors, accounting services, and any other suppliers that primarily deal with financial information.
For example, suppose your company uses an external bookkeeping service. Given the significant financial impact of inaccurate bookkeeping, you would request a SOC 1 report from that vendor to make sure financial record-keeping will be handled accurately and according to regulations and business expectations.
In contrast, a SOC 2 report covers a wider range of vendor activities around storing or organizing non-financial sensitive data. Businesses for which SOC 2 is suitable include cloud infrastructure providers, data centers, digital marketing companies, and software-as-a-service (SaaS) companies, as well as any company that uses cloud computing technology to store its customers’ data.
Consider a company using a customer relationship management (CRM) system to hold customer data in the cloud. Here, the company would request a SOC 2 report from the CRM provider to verify the functionality, information security, and integrity of the system, so that it can in turn assure its own customers that their personal data is safe.
Where to Integrate Vendor SOCs for the Most Impact
To ensure your firm is getting a holistic view of its third-party risks, integrate vendor SOC reports into your supplier onboarding process. By taking the necessary steps to request and review a vendor’s SOC compliance in the relevant workflows, you can streamline your vendor vetting processes while making sure you’ve covered all bases of your compliance requirements.
Before starting the onboarding process with potential vendors, consider looking for vendors that already hold the appropriate SOC reports needed as part of your initial due diligence. But, take care not to simply check the boxes once a vendor shares the requested information with you — there’s still work to do:
- Pay close attention to the results of the potential vendor’s SOC report to make sure your risk management team has everything they need to see in terms of required internal controls.
- Check if the vendor uses sub-vendors and whether their controls adequately extend to these secondary service providers, especially in terms of data security.
- Review any exceptions noted to assess whether they affect your business — and if so, the extent to which they might affect your operating effectiveness.
For efficiency, companies should consider using a secure vendor lifecycle management (VLM) tool to organize their onboarding processes and to easily keep track of the status of all their vendors in a real-time dashboard. This is vital for making sure your vendors have adequate financial and non-financial controls in place, and that these controls work effectively. This type of tool can help businesses identify potential risks before they grow.