System and Organization Controls (SOC) reports are issued by independent accountants under AICPA standards and enable companies to identify and attest to the effectiveness of their internal controls. The two most common SOC reports assess two broad ranges of controls: controls that impact client financial statements (known as a “SOC 1” report) and controls relevant to the security, availability, processing integrity, confidentiality, and/or privacy of the provided services (known as a “SOC 2” report). To add a layer of complexity, each SOC report has two types – Type I addresses a company’s control design at a point in time and Type II addresses a company’s control design and operating effectiveness across a period of time.
SOC reports are typically requested by a company looking at using another company’s services. A SOC report can give the buying company comfort that the servicing company has the controls and security measures in place to keep their sensitive information safe and process their transactions appropriately. Existing and prospective customers alike may be adamant when it comes to a vendor organization providing a SOC report and, if there isn’t one available, they may consider taking their business to a competitor. The thought of going through the process of obtaining a SOC report may be worrisome to a management team who has not gone through the process previously. When reaching out to an independent accounting firm to begin the SOC journey, there are ways for management to set itself up for the best possible outcome.
Companies typically begin the SOC journey by completing a Readiness Assessment in order to prepare for the SOC audit. The Readiness Assessment’s purpose is to help an organization identify the existing controls in place related to the SOC scope, as well as the gaps needing remediation, in order to be in a position of having strong internal controls before the SOC examination begins. After the Readiness Assessment concludes, companies typically follow with a Type 1 SOC report and subsequently a Type 2 SOC report, or follow directly with a Type 2 SOC report.
The driver for organizations to undergo a SOC examination will vary based on the nature of services being provided to its customers, although a classic trigger is a customer saying, “If you want our business, we need a SOC report contractually each year.” Between SOC 1 and SOC 2 reports, both have their purpose within the real estate services industry.
For example, a service provider may be performing lease administration activity on behalf of a customer, with the leases and abstracted data all stored in software controlled by the service provider. In this example, a customer is relying on the service provider to ensure the financial information being produced has sound data integrity, and a SOC 1 report is a great fit to address customer concerns, as well as the customer auditor concerns. The same thought process goes for other real estate services being provided, such as facilities management, asset management, transaction management, and accounting services.
Customers may want to ensure that the service providers have proper controls in place around the security, availability, confidentiality, processing integrity, and privacy of a service being provided. It isn’t uncommon for customers to send lengthy security questionnaires to service providers asking questions to obtain comfort and, depending on the number of customers that send different questionnaires, it can be very time consuming for organization resources to provide responses. The SOC 2 report is commonly accepted as a replacement to completing questionnaires provided by customers, allowing a service provider to get assessed one time and share the resulting report with inquiring customers.
Service providers understanding what a SOC report is can be critical to the continued relationship with existing customers, as well as locking in contracts with prospective customers. With the help of the right independent accounting firm that specializes in SOC reporting, companies that service the real estate industry can be in a position of strength compared to their competitors in this aspect of assurance to their customers.