While this may be all and well for productivity’s sake, new questions surrounding transparency and compliance have inevitably emerged. How are they managing their risks? How are they protecting their clients’ assets? How can these practices be advantageous (or disadvantageous) to ownership? And how can they demonstrate their own reliability? Quite simply: the SOC 1 is a modern-day solution for accounting, auditing AND accountability.
In the past, the Statement on Auditing Standards (SAS) 70 was the widely accepted auditing medium that enabled organizations and their third party auditors to gain insight into a service provider’s practices for managing their clients’ assets. However, the SAS 70 proved itself rather outdated and was becoming used as a tool for any service provider, instead of being used strictly for organizations that provided a service that impacted an organization’s financial reporting processes, as intended. Furthermore, it had shortcomings in accounting for service providers’ security measures, data compliance and the intricacies of cloud technologies.
Enter The SOC. To overcome the emerging inadequacies of the SAS 70, the American Institute of Certified Public Accountants (AICPA) created the three-part Service Organization Control (SOC). The latter two parts concern themselves with those previously-neglected issues of security and confidentiality, while the first one – the SOC 1 – was designed to provide a means for an independent party (i.e. CPA) to assess and report on a service organization’s internal control over financial reporting.
As a result, the SOC 1 became a more specific, relevant and far-reaching version of the SAS 70 (while the SOC 2 and SOC 3 were designed to address specific elements relating to the security, confidentiality, processing integrity, availability, and privacy of the service(s) being provided by the service provider). Generally speaking, the SOC 1 is a report that assesses a service organization’s system of controls utilized in processing, handling, and/or maintaining assets on behalf of their clients and reporting the related financial data to those clients, as a means to demonstrate that the information provided is complete, accurate, and timely.
As previously stated, management companies in the hospitality space can use the SOC 1 report to demonstrate that the financial information they process on behalf of their clients, the property owners, is handled appropriately, and the processes are running on all cylinders. This is of particular importance because these management companies represent a host of stakeholders who often require financial statement audits of their own. Having a SOC 1 audit done may eliminate the need to respond to each individual client’s auditor with separate requests related to tests of controls – and the human and financial capital that is expended each time. Hotel owners may also elect to have a SOC 1 audit for a variety of reasons or, of course, one may be required for certain regulatory purposes.
In short: SOC 1 reports are becoming almost standard. Management companies often need to go through the steps of presenting audited information on numerous occasions. If, however, a company undertakes a SOC 1 audit, they can report across-the-board results to all clients who require the information. Thus, the benefit here is a more streamlined process with reduced disruptions, decreased workload, fewer costs and improved time management. In general, this is a win/win for both the management company and the property owners due to a more defined audit process as well as greater information reliability, respectively. Additionally, it can act as a marketing tool as well.
The SOC 1 can also serve as a recognized promotional device. In the case of a property management company, it can point to its validated SOC 1 report when pitching new clients. This will demonstrate that they take their responsibility of maintaining and processing client information seriously and evaluate their controls to demonstrate such a commitment. And part of the beauty here is that the audit is already completed, usually on an annual basis; it does not require any additional effort or resources at the negotiating table.
Instead, the management company can simply utilize the report to illustrate the ways in which their existing processes will benefit the client: With the SOC 1, they exhibit the reliability of the financial information they provide, both through use of manual and automated controls. With the related SOC 2 and SOC 3, the management company can alleviate any lingering fears their clients’ may have about the security, confidentiality and/or privacy of their clients’ data.
The idea here is to cultivate trust and use it proactively as an asset. In the hospitality industry, for instance, mechanisms of assurance are necessary to satisfy all investors, especially foreign investors who are unlikely to visit portfolio properties. Providing this assurance in the form of a SOC 1 report allows stakeholders to gain even more comfort with their investment decision. The existence of this symbol of assurance undoubtedly gives management companies a leg up on their competitors that lack the credibility that a SOC 1 report provides. Additionally, it allows these management companies to stay competitive with those organizations that have obtained the SOC 1 report.
The myriad of advantages in obtaining a SOC 1 report is clear, however they are best conducted by a dedicated team of experienced auditors in collaboration with advisory professionals fluent in the unique needs – and on the frontlines – of the latest trends in the hospitality industry itself. In collaboration with the right advisors, compiling the SOC 1 report and leveraging it in a marketing capacity is rather seamless. Furthermore, it eliminates the likelihood of redundant expenditures, boosts service provider and hotel ownership revenue, enhances brand optics and optimizes the customer experience. In turn, this helps all involved parties to propel themselves to a position of strength in the hospitality industry and beyond.