Client Case

SOC 2® assurance reports: Greater trust through greater transparency

  • Blog

A service company can use a SOC 2® assurance report to provide transparency on the security, availability, processing integrity, confidentiality and/or privacy of its services. This transparency is particularly interesting for those that operate in the US market, as it is increasingly being demanded by stakeholders and creates long-term trust. In this post we look in more detail at the benefits and what’s involved. 

Ralf Hofstetter

Partner, Sustainability Assurance, PwC Switzerland

Refocus on core competencies

Outsourcing is all the rage. To better focus on their core competencies, more and more companies are farming out some of their services to specialised service providers. There’s increasing demand for external support in IT and logistics, for example. In this kind of scenario, a company must make sure that it has also established appropriate internal controls for the outsourced functions based on sound risk management.

This issue is relevant for several stakeholders at the same time (see Figure 1). This is because when a service is contracted out, the service provider, the outsourcing company and, last but not least, the end customer all demand adequate control maturity with regard to the outsourced service. 

In the United States, both the supervisory authorities and customers are placing increasing emphasis on the security of outsourced services involving electronic data. Unsurprisingly, therefore, there is a growing interest in independent assurance reporting related to outsourcing services, especially among companies with (end) customers in the United States.

Figure 1: When services are outsourced, all stakeholders require clarity on the design, implementation and/or effectiveness of controls.

SOC 2® type 1 and 2 assurance report

To meet this requirement, the American Institute of Certified Public Accountants (AICPA) has issued a standard for reporting on controls at service organisations: the System and Organization Controls 2 report (SOC 2® assurance report; the acronym originally stood for Service Organization Control). Unlike a SOC 1® report, which covers controls relevant to a customer's financial reporting, a SOC 2® assurance report addresses matters outside financial reporting, assessed against a defined catalogue of Trust Services Criteria.

A SOC 2® assurance report can cover areas such as infrastructure, software, processes and data. The auditing team assesses the facts on the basis of Trust Services Criteria (TSC) and associated Points of Focus defined by the AICPA in the following areas:

  • Security;
  • Availability;
  • Processing integrity;
  • Confidentiality; and / or
  • Privacy.

If additional topics or criteria are addressed – which is permitted under the standard – then this is referred to as a SOC 2® + (‘plus’) assurance report.

The SOC 2® type 1 assurance report examines whether the service organisation's description of its system and internal controls is fairly presented and whether the controls are suitably designed and implemented as of a specific date; a type 1 report therefore relates only to that reporting date. With a type 2 assurance report, the auditor additionally concludes whether the controls operated effectively throughout a defined reporting period, usually twelve months.

The art of small steps

A step-by-step approach is recommended when preparing for and carrying out the audit for a SOC 2® assurance report (see also Figure 2). The first step is a readiness assessment, in which the audit team determines whether the control framework developed on the basis of the AICPA TSC has reached the maturity needed for attestation and whether it is fundamentally suitable for an assurance engagement. In the second step the service provider implements new controls or adapts existing ones to close the gaps identified. In the third step, depending on the type selected, the audit team issues either a SOC 2® type 1 assurance report, giving its opinion on the design and implementation of the controls at a defined point in time, or a SOC 2® type 2 assurance report, giving its opinion on the operating effectiveness of the controls over the reporting period. In terms of timing, the first two preparatory stages can be expected to last between three and eight months. The reporting period for a type 2 report is usually 12 months, but in exceptional cases (e.g. for new processes, applications or business units) a shorter period of at least three months is used.

Figure 2: A step-by-step approach makes the project manageable for all those involved.

What is the situation in the EU and Switzerland?

In Switzerland and other European countries, more and more companies are producing a SOC 2® assurance report to serve the US market and to meet the needs of their diverse stakeholders.

The benefits of a SOC 2® assurance report go well beyond simple compliance. The standardisation of report contents via the Trust Services Criteria makes different assurance reports comparable and easier to use. The principle of ‘audit once, report many’ allows the company to reduce the number of individual enquiries and questionnaires from existing or potential customers and to avoid multiple customer audits. It can pass the SOC 2® assurance report on to existing and future customers, saving money, time and effort.

In addition, consolidated reporting under SOC 3® is also possible. Whereas a SOC 2® assurance report is a restricted-use report addressed to a predefined group of recipients who are assumed to have adequate knowledge and understanding of the service provider and its systems, a SOC 3® assurance report is a general-use report written for a broad audience and can therefore be distributed freely.

By reporting on its outsourced services in this way, the service provider makes an independent auditor's view of the outsourced processes available to its stakeholders. This creates clarity and confidence about the delivery of the outsourced service for all parties, including end customers. This level of transparency can be a decisive factor in the market, especially where sensitive data such as health information is involved, as it helps to establish trust that benefits the company as a whole and lasts well beyond a single reporting year.

Now you’ve seen the benefits in theory. Let us now find out how we at PwC accompanied our client, a company developing customer service solutions, on its journey to a SOC 2® audit.

The Chief Operating Officer of our client says:

Attesting to our customers that the security principles are assured is an integral part of our day-to-day work. To understand why attestation is so crucial, it’s important to understand the nature of our business.

We develop customer service solutions that enable organisations to communicate more effectively. Fully leveraging the Microsoft technology stack, Nimbus (our contact-centre-as-a-service solution) adds the contact centre and intelligent task routing functionality needed to effectively manage customer enquiries in Microsoft Teams. Nimbus offers a certified extended contact centre and task routing integration for Microsoft Teams that can consolidate all enterprise communication, business tools and workflows to effectively manage customer enquiries.

Our Recording service extends the offering with a fully managed cloud recording solution that enables organisations to take advantage of these modern communication channels while remaining compliant. It provides comprehensive and fully managed solutions for financial compliance and quality management recording. With Recording, our customers can capture, store and analyse all their conversations across all platforms – from Microsoft Teams to Trader Voice – to ensure quality assurance and adhere to complex regulatory demands.

Given the importance of building trust in our services and the relevant controls, we decided to embark on the journey to SOC 2® assurance, choosing PwC to accompany us.

What were the challenges and pitfalls?

In the course of the engagement we learned several important lessons. For one thing, we realised that implementing SOC 2® has an effect on the entire company culture. This means it’s essential for senior management to take a strong stance throughout, communicating continuously across the company on the importance of the control framework, adherence and timely delivery.

We also realised that it’s important, as early as possible in the process, to clearly define responsibilities in all areas of the control framework and involve subject matter experts capable of representing the interests of wider teams.

We also saw that considerable effort is required to evaluate the efficiency of technology supporting effective control management.

Another important lesson was that implementing a new framework creates additional work and responsibilities across all departments. Management must consider the deployment of existing staff but also plan any increase in resources and/or re-organisation of existing human resources in advance.

What were the keys to successful implementation?

We started by testing the SOC 2® control framework before the official audit of the most critical controls. This test exercise required additional time and resources, but it did provide invaluable benefits in terms of ensuring that new and existing high-risk controls were operating, allowing us to make improvements and educate internal teams.

Another good decision was to clearly define individual and shared responsibilities and accountabilities on all levels. We also made sure that control performance was continuously monitored by senior management, compliance and control owners. Last but not least, we engaged continuously with PwC’s auditors, especially concerning improvements, changes and the exchange of feedback.

Was attestation a success?

SOC 2® attestation has been an unqualified success ‒ and by that I mean not just the assurance report itself, but the progress we made in the process of acquiring it.

For example, it has improved the organisation of our internal business operations, security controls, risks, policies and tools, supporting adequate business risk management, revenue growth and sustainable business development.

The improved security posture of our cloud-based systems has enabled us to significantly reduce risk exposure in terms of the integrity of security aspects of our systems and to increase the security of our customers’ data.

Obtaining a successful SOC 2® type 2 audit report was a compulsory requirement for our enterprise customers. For others it is a powerful added incentive to choose our solution. The report has therefore opened up new revenue streams for us.

PwC gave us invaluable support throughout our journey to SOC 2® attestation. The responsiveness, agility and expertise of their team substantially contributed to the success of our first audit report and will continue to do so in the future.

If you would like to provide transparency and build trust to address compliance requirements, our Trust & Transparency Solutions will help you remain competitive and sustain long-term growth for your company:

Trust & Transparency Solutions

Contact us

Bruno Caviezel

Senior Manager, Digital Assurance & Trust, PwC Switzerland

+41 79 713 27 59

Email

Ralf Hofstetter

Partner, Sustainability Assurance, PwC Switzerland

+41 58 792 5625

Email

Alexander Schmidt

Senior Manager, Digital Assurance & Trust, PwC Switzerland

+41 79 348 6021

Email