The American Institute of Certified Public Accountants (AICPA) issues the System and Organization Controls (SOC) reporting standards, which define how an independent CPA examines and reports on a service organization's internal controls. Trust companies and investment advisors (service organizations in SOC terminology) can establish greater trust and transparency with customers by obtaining these reports.
What is a SOC Report?
SOC reports are internal control reports issued by an independent CPA on a service organization. They are attestation reports: the CPA examines the organization's description of its system and controls and opines on whether those controls are suitably designed and, for a Type 2 report, operating effectively over the examination period. The reports are useful for evaluating controls and for understanding how the service organization oversees the third parties (subservice organizations) it relies on to provide its services. They reduce the compliance burden on the service organization by providing a single report that addresses the shared needs of many customers and their auditors, and they enhance the organization's ability to obtain and retain customers.
SOC Report Types
There are several different types of SOC reports, and it may be difficult to know which is best for your needs. The most common are SOC1 and SOC2. (A SOC3 report is a general-use summary of a SOC2 examination that can be distributed freely; SOC1 and SOC2 reports are restricted-use documents intended for customers, their auditors, and other specified parties.)
SOC1
These reports cover Internal Controls over Financial Reporting (ICFR). The service organization specifies its own control objectives and control activities based on stakeholder needs, including those of its customers' external auditors, who use the report when auditing the customers' financial statements.
SOC2
These reports cover controls over the security, availability, processing integrity, confidentiality, and privacy of hosted systems and data. Unlike SOC1, the service organization does not write its own objectives: it is measured against the AICPA Trust Services Criteria for each category included in the report. Security is the baseline category and is always in scope; the other four are included at the service organization's election.
Type 1 & Type 2
Each of these reports can be produced as either a Type 1 or a Type 2 report. A Type 1 report addresses whether controls are suitably designed and implemented as of a single point in time; a Type 2 report also tests whether those controls operated effectively throughout a defined period, commonly six to twelve months. The Type 2 report is generally viewed as more valuable and informative because it provides evidence of operating effectiveness over time rather than a snapshot.
Trust and Investment Management Companies
The customers of a trust company or investment manager will usually benefit most from a SOC1 report, because the service organization's processing directly affects the customer's financial reporting.
Customers of trust companies and investment advisors rely on the investment statements the service organization produces, so their external auditors want to understand the service organization's controls over the existence and valuation of investment assets and the completeness and accuracy of investment income.
In some instances, the trust company or investment manager also holds custody of some or all of the customer's assets. Registered investment advisors that directly or indirectly (for example, through a related-person custodian) perform a custody function are subject to the Securities and Exchange Commission (SEC) custody rule, which requires an internal control report from an independent public accountant; a SOC1 Type 2 report is the attestation report commonly obtained to satisfy that requirement.
Customers set high expectations for the professionals who manage their investments, and as they continue to strengthen their vendor management oversight, the demand for SOC reports continues to increase in this sector.
Planning Points To Consider
- SOC reports are highly transparent: every control tested is listed, and any exception or significant deficiency in the design or operation of controls is disclosed in the report for customers and their auditors to read
- A readiness review by a qualified party (such as a CPA) should be performed to identify and remediate control gaps before the first examination, since gaps found during the examination itself will appear in the report
- A risk assessment must be performed to ensure the set of controls is complete and properly designed to meet the needs of stakeholders
- The service organization must maintain its formal control structure continuously, and each control must produce evidence the auditor can test, so controls should be simple, repeatable, and verifiable
Benefits Of SOC Reporting
Engaging a CPA firm to perform SOC examinations brings several distinct benefits.
First, a SOC report can become a significant marketing advantage. Companies targeting sophisticated customers (such as pension or sovereign wealth funds) should expect high expectations, and these potential clients may decline to consider vendors that cannot produce a SOC report as evidence of appropriate controls.
Clients in this segment are therefore more likely to engage an organization that can produce an independently verified SOC report, and the report itself increases trust between those clients and your business.
Improve Internal Controls
The wealth management industry is built on trust, and a single adverse event could destroy it. The SOC process helps your company reduce the likelihood of such events by exposing gaps in internal controls before they are exploited or cause an error. The examination is an investment in the reputation and health of the institution.
Simplify Due Diligence for All Stakeholders
SOC reports streamline the process of demonstrating the quality of your control structure to stakeholders. Because one report addresses the shared concerns of a broad range of customers, far less effort is needed to answer repeated customer questionnaires and information requests about internal controls and security.
Reduce Regulatory Scrutiny
SOC reporting communicates the effectiveness of controls to regulators and may reduce the number of inquiries and the amount of detailed testing they perform to complete an examination, although it does not replace the regulator's own review.
Clients want to entrust their investments to organizations that have sound, independently tested controls in place. To strengthen client relationships, win new clients, expand market standing, and protect client information, trust companies and investment managers should undergo SOC examinations to demonstrate to customers (and to themselves) that their internal controls are sound.