digital globe

Analysis

Third-party reporting proficiency with SOC 2+

Manage risks with system and organization control reporting

As organizations outsource more of their core operational functions, there’s been a large increase in demand for system and organization control (SOC) 2 reports. Enhanced SOC 2 reports, also called SOC 2+, are now in particular demand.

An integrated system and organization control approach gains traction

Doing business as an “extended enterprise” is now the norm. Today, companies of all sizes routinely rely on an ecosystem of outsource service providers (OSPs) to carry out a wide array of functions, many of them mission-critical. Through these loosely coupled networks of third parties, companies have been able to vastly expand their reach and capabilities, often extending around the world to create new and exciting market opportunities.

At the same time, their increasing reliance on OSPs is fueling concern over greater enterprise risk exposure—especially since the third-party risk is difficult to identify, manage, and monitor. For OSPs, this translates into increasing customer demand for system and organization control reports. These third-party assurance reports help OSPs build confidence in their service delivery processes and controls through the attestation of an independent certified public accountant.

Most organizations today are familiar with both SOC 1 and SOC 2 reports. While SOC 1 reports cover internal controls over financial reporting (ICFR) and support a customer’s financial audit, SOC 2 reports focus on the controls that are relevant to the following Trust Services Criteria (TSC) as established by the American Institute of Certified Public Accountants (AICPA):

  • Security. Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems—damage that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
  • Availability. Information and systems are available for operation and use to meet the entity’s objectives.
  • Processing integrity. System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
  • Confidentiality. Information designated as confidential is protected to meet the entity’s objectives.
  • Privacy. Personal information is collected, used, retained, disclosed, and disposed to meet the entity’s objectives.

As organizations outsource more of their core operational functions, they’re beginning to build requirements for SOC 2 reporting directly into their OSP contracts. As a result, we’ve seen a large increase in demand for SOC 2 reports. In our experience, they now comprise approximately one-half of all third-party assurance reports requested by OSPs.

Figure 1. SOC 2: Entering a more expansive territory for reporting

Enhanced SOC 2 reports, also called SOC 2+ reports, are in particular demand. These reports are being used to demonstrate assurance in areas that go beyond the TSC to include compliance with a wide range of regulatory and industry frameworks, such as those sponsored by the National Institute of Standards and Technology (NIST) and the International Standardization Organization (ISO), among others.

Back to top

Achieving third-party reporting efficiency with system and organization control 2+

System and organization control 2+ reports: A way for OSPs to highlight their integrated controls

Providing assurance with regard to the TSC may be sufficient for some OSP customers. But others may require greater detail. In particular, those in industries such as health care and financial services have additional industry-specific regulations and requirements. This is why the AICPA created SOC 2+. It’s an extensible framework that allows service auditors to incorporate various industry standards into a SOC 2 report. This integrated approach has been rapidly embraced by OSPs and their customers.

SOC 2+ reports are highly flexible tools that can incorporate multiple frameworks and industry standards into third-party assurance reporting. This flexibility can create substantial efficiencies for OSP customers, including reducing the amount of resources required for third-party oversight. Because system and organization control 2+ reports are based on a common control framework and address various industry standards, organizations don’t have to spend as much time and effort conducting performance reviews at their OSPs.

Organizations, as well as their OSPs, are also less likely to be exposed to compliance violations that can result in various forms of liability, including fines. For these reasons, some organizations have begun to stipulate their preference for using integrated frameworks as a means of obtaining third-party assurance by writing it into their OSP contracts.

Though customers can benefit greatly from system and organization control 2+ reports, the advantages for OSPs are even more significant. Consider that these businesses often must respond annually to hundreds of individual audit requests, customer questionnaires, and requests for proposals. Many of these inquiries ask the same questions and demand assurance on overlapping controls. Throw regulatory and industry-specific requirements into the mix, and things get even more complicated and onerous.

System and organization control 2+ examinations can dramatically reduce this burden. By providing a standardized format for meeting a broad range of regulatory and industry control requirements, SOC 2+ reports help to eliminate the need for redundant activities and one-off responses.

Figure 2: SOC 2+ reports can incoporate multiple frameworks

Back to top

blue connected lines and dots

Journeying from SOC 2 to system and organization control 2+

System and organization control 2+ reports call for a different way of organizing requirements and testing controls, which may take some getting used to. Yet any business that wants to become truly proficient in its approach to third-party reporting will need to consider issuing a SOC 2+ report sooner or later. Demonstrating compliance with a wide variety of frameworks within a single document simply makes more sense than approaching each request for assurance separately. To make the journey from SOC 2 to SOC 2+ easier and more effective, here are some guiding principles culled from our experience in performing system and organization control 2+ attestations:

Rapidly gaining traction

The complexity of the extended enterprise has exposed both OSPs and their customers to many risks that are out of their control. On one hand, organizations that outsource important and mission-critical functions need assurance that their providers have rigorous control processes in place. On the other hand, OSPs need a way to streamline how they provide that assurance.

SOC 2+ reports are rapidly gaining traction as the preferred method of addressing these concerns because they provide an efficient approach to organizing, testing, and reporting on controls for multiple frameworks simultaneously. OSPs that use SOC 2+ reports adeptly may gain a competitive advantage over other providers that are less proficient in their approaches to third-party reporting. And perhaps best of all, by using SOC 2+ reports to facilitate information exchange, everybody wins—as members of the extended enterprise gain the insight needed to better manage risk together.

Are you looking for help with critical business issues and anticipating risk?
Discover our Assurance & Internal Audit Services

Get in touch

Tom Haberman
Principal
Deloitte Risk and Financial Advisory
Deloitte & Touche LLP
thaberman@deloitte.com

Dan Zychinski
Senior manager
Deloitte Risk and Financial Advisory
Deloitte & Touche LLP
dzychinski@deloitte.com

Alan West
Senior manager
Deloitte Risk and Financial Advisory
Deloitte & Touche LLP
alwest@deloitte.com

 
contact us icon

Fullwidth SCC. Do not delete! This box/component contains JavaScript that is needed on this page. This message will not be visible when page is activated.