Third-party reporting proficiency with SOC 2+

Manage risks outside your organization

As organizations outsource more of their core operational functions, there’s been a large increase in demand for Service Organization Control (SOC) 2 reports. In particular demand are enhanced SOC 2 reports, also called SOC 2+.

Highlighting OSPs’ integrated controls

Providing assurance with regard to the American Institute of Certified Public Accountants’ (AICPA) Trust Service Principles (TSPs) may be sufficient for some outsource service providers’ (OSPs) customers. But others may require greater detail. For this reason, the AICPA has created SOC 2+. This extensible framework allows OSPs’ auditors (also known as service auditors) to incorporate various industry standards, such as those from the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO), into one SOC 2 report.

SOC 2+ reports can incorporate multiple frameworks


SOC 2+ reports create substantial efficiencies for organizations. Organizations are able to spend less time and fewer resources conducting performance reviews at their OSPs. Both OSPs and customers are also less likely to be exposed to compliance violations that can result in various forms of liability, including fines.

For OSPs, the benefits are even more significant. SOC 2+ reports allow OSPs to demonstrate to their stakeholders that effective internal controls are in place. These controls pertain to the criteria covered in the TSPs of security, availability, processing integrity, confidentiality, and privacy, as well as many of the most detailed requirements covered in other regulatory and industry-specific frameworks. They offer a standardized format for meeting a broad range of regulatory and non-regulatory control requirements, eliminating the need for redundant activities and one-off responses. They’re also flexible enough that they can be tailored to meet the specific needs of organizations.

Journeying from SOC 2 to SOC 2+

SOC 2+ reports call for a different way of organizing requirements and testing controls. Therefore, issuing these reports may take some getting used to. There are a number of guiding principles that will make the journey from SOC 2 to SOC 2+ easier and more effective.

  • Start small. Focus initial reporting scope on a subset of environments or a subset of TSPs—the principle or principles that are most important to customers. Once confidence has been built about the controls surrounding a limited set of TSPs and environments, OSPs can then branch out, mapping and testing the controls relevant to a broader set of customer needs.
  • Know your customer. Understanding your customer's needs ultimately comes down to educating the salesforce and other customer touch points. When they understand SOC reporting, they can both communicate the benefits and ask customers the right questions to help scope and define their requirements. 
  • Organize and plan. If this is the first time a SOC 2+ report is being compiled, it’s likely that compliance controls haven’t been tested by external or independent auditors in the past. So it’s best to perform readiness testing to determine whether controls are robust enough to meet the appropriate TSPs or various SOC 2+ framework requirements during an actual examination. OSPs that don’t prepare in advance tend to have more issues with controls during actual testing.
  • Build on your success. Once the necessary controls and procedures are in place for SOC 2, other frameworks can start to be integrated. Individual controls invariably fulfill multiple requirements. When organizations need OSPs to demonstrate compliance with various industry-specific or regulatory requirements, in addition to general compliance with the TSPs, mapping redundant requirements will greatly facilitate testing efficiencies.

Forging into new territory

The complexity of the extended enterprise has exposed organizations to many risks that are outside their control. Organizations that rely on OSPs for important and mission-critical functions need assurance that OSPs have rigorous control processes in place. Furthermore, as regulations proliferate, OSPs and their customers alike must be able to utilize an integrated internal control report with a wide range of industry-specific and other requirements. 

SOC 2+ reports are an efficient approach to organizing, testing, and reporting on controls for multiple frameworks simultaneously. Outsourcers that have a streamlined process for delivering these reports to customers may find themselves with a significant advantage in demonstrating their third-party proficiency. When OSPs and organizations work together, SOC 2+ reports can become an efficient exchange of information in the marketplace.

To learn more, download the full report, Achieving third-party reporting proficiency with SOC 2+, and read our paper on third-party assurance optimization.
