What is a SOC Report?

In performing an internal control audit of a fund, it is important for the auditor to understand the structure of internal control over financial reporting, so they can determine whether reliance can be placed on it to minimize testing and thus the overall cost of the audit. When a fund uses an outside SOC audit specialist or administrator to process its transactions, the auditor needs to understand and document the controls at the administrator, and then test those controls. If the administrator provides these audit services to several funds (which is typically the case), it would be cost-effective to have a report on the administrator’s controls that can be used by all auditors of funds. This ultimately eliminates the duplication of work and reduces the cost of the audit.

SOC vs. SOX

It so happens that such an audit report exists, which can be furnished by fund administrators to help minimize the work of the fund auditors. This internal control report over financial reporting is called a “Service Organization Control (SOC)” report. The internal control audit is performed by CPAs on the controls in place at a fund administrator, in accordance with the Statement on Standards for Attestation Engagements No. 16 (SSAE 18). This replaces the old Statement on Auditing Standards Report No. 70 (SAS 70). I did my first SAS 70 audit in 1992 when the standard was issued. It was also the last one I ever did.

While both reports are similar, a SOC audit is not to be confused with a Sarbanes-Oxley, or SOX, report (or socks, ya know, for your feet). Both SOC and SOX audits ensure data compliance and internal control reporting, but a SOX is government issued, while a SOC is not. However, having a SOC audit performed can help to ensure your organization is SOX compliant.

Why Get a SOC Audit?

When I am asked by Fund managers what is the one thing they can do to help increase my efficiency on the audit (in other words, how they can help reduce the fee), I tell them to use an administrator that has a SOC report. It can greatly reduce my time on an audit, while allowing me to feel comfortable that the financial statements are accurately prepared.

While SOC reports are helpful, they are not brief by any stretch. Lucky for me, I rely on another one of my partners, Tony Chapman, to help me decipher the issues noted in the reports and their effect on my reliance on the report. Tony performs these types of SOC engagements all year long and is probably one of the top authorities on SOC reports. While our managing partner may go sockless at times, Tony always has a spare SOC around.

Recently, a new type of SOC report was introduced by the AICPA: the SOC for Cybersecurity audit. This audit functions similarly to the SOC 2 compliance report, but it’s for all organizations, not just service organizations. For more information on SOC for Cybersecurity, check out our cybersecurity FAQ page!

Contact Us

Looking for more information about SOC reports and the various types? Contact Withum’s SOC Services team.