pink&green highlighted cricket boll

Analysis

Third-party reporting proficiency with SOC 2+

SOC2+ reports and the focus on trust services criteria

As organizations outsource more of their core operational functions, there’s been a large increase in demand for system and organization control (SOC) 2 reports. Enhanced SOC 2 reports, also called SOC 2+, are now in particular demand.

An integrated system and organization control approach gains traction

Doing business as an “extended enterprise” is now the norm. Today, companies of all sizes routinely rely on an ecosystem of service organizations to carry out a wide array of functions, many of them mission-critical. Through these loosely coupled networks of third parties, companies have been able to vastly expand their reach and capabilities, often extending around the world to create new and exciting market opportunities.

Simultaneously, their increasing reliance on service organizations is fueling concern over greater enterprise risk exposure—especially since the third-party risk is difficult to identify, manage, and monitor. For service organizations, this translates into increasing customer demand for system and organization control reports. These third-party assurance reports help service organizations build confidence in their service delivery processes and controls through the attestation of an independent certified public accountant.

Most organizations are familiar with both SOC 1 and SOC 2 reports. While SOC 1 reports cover internal controls over financial reporting (ICFR) and support a customer’s financial audit, SOC 2 reports focus on the controls that are relevant to the following Trust Services Criteria (TSC) as established by the American Institute of Certified Public Accountants (AICPA):

  • Security. Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
  • Availability. Information and systems are available for operation and use to meet the entity’s objectives.
  • Processing integrity. System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
  • Confidentiality. Information designated as confidential is protected to meet the entity’s objectives.
  • Privacy. Personal information is collected, used, retained, disclosed, and disposed to meet the entity’s objectives.

As organizations have sought better ways to manage their risks from external relationships, they’re beginning to build requirements for SOC 2 reporting directly into their service organization contracts to support due diligence and establish a monitoring mechanism. As a result, we’ve seen a large increase in demand for SOC 2 reports. In our experience, they now comprise approximately one-half of all third-party assurance reports requested by service organizations.
Enhanced SOC 2 reports, also called SOC 2+ reports, are in demand. These reports are being used to demonstrate assurance in areas that go beyond the TSC, including compliance with a wide range of regulatory and industry frameworks, such as those sponsored by the National Institute of Standards and Technology (NIST) and the International Standardization Organization (ISO), among others (see figure 1).

Figure 1. SOC 2: Entering a more expansive territory for reporting

 

Back to top

Third-party reporting proficiency with SOC 2+

SOC 2+ reports: A way for service organizations to highlight their integrated controls

Providing assurance about the TSC may be sufficient for some service organizations’ customers. But others may require greater detail. In particular, those in industries such as health care and financial services have additional industry-specific regulations and requirements. Therefore, the AICPA created SOC 2+. It’s an extensible framework that allows service auditors to incorporate various industry standards into a SOC 2 report. This integrated approach has been rapidly embraced by service organizations and their customers.

SOC 2+ reports are highly flexible tools that can incorporate multiple frameworks and industry standards into third-party assurance reporting (see figure 2). This flexibility can create substantial efficiencies for service organization customers, including reducing the amount of resources required for third-party oversight. Because SOC 2+ reports are based on a common control framework and address various industry standards, organizations generally don’t have to spend as much time and effort conducting performance reviews at their service organizations.

Organizations, as well as their service organizations, are also less likely to be exposed to compliance violations that can result in various forms of liability, including fines. For these reasons, some organizations have begun to stipulate their preference for using integrated frameworks as a means of obtaining third-party assurance by writing it into their service organization contracts.

Though customers can benefit greatly from SOC 2+ reports, the advantages for service organizations are even more significant. Consider that these businesses often must respond annually to hundreds of individual audit requests, customer questionnaires, and requests for proposals. Many of these inquiries ask the same questions and demand assurance on overlapping controls. Throw regulatory and industry-specific requirements into the mix, and things get even more complicated and onerous.

SOC 2+ examinations can dramatically reduce this burden. By providing a standardized format for meeting a broad range of regulatory and industry control requirements, SOC 2+ reports help to eliminate the need for redundant activities and one-off responses.

Figure 2: SOC 2+ reports can incorporate multiple frameworks

Back to top

blue connected lines and dots

Journeying from SOC 2 to SOC 2+

SOC 2+ reports call for a different way of organizing requirements and testing controls, which may take some getting used to. Yet any business that wants to become truly proficient in its approach to third-party reporting will need to consider issuing a SOC 2+ report sooner or later. Demonstrating compliance with a wide variety of frameworks within a single document simply makes more sense than approaching each request for assurance separately. To make the journey from SOC 2 to SOC 2+ easier and more effective, here are some guiding principles culled from our experience in performing SOC 2+ attestations:

Rapidly gaining traction

The complexity of the extended enterprise has exposed both service providers and their customers to many risks that could be difficult to mitigate. On one hand, organizations that outsource important and mission-critical functions need assurance that their providers have rigorous control processes in place. On the other hand, service organizations need a way to streamline how they provide that assurance.

SOC 2+ reports are rapidly gaining traction as the preferred method of addressing these concerns because they provide an efficient approach to organizing, testing, and reporting on controls for multiple frameworks simultaneously. Service organizations that use SOC 2+ reports adeptly may gain a competitive advantage over other providers that are less proficient in their approaches to third-party reporting. And perhaps best of all, by using SOC 2+ reports to facilitate information exchange, everybody wins—as members of the extended enterprise gain the insight needed to better manage risk together.

Are you looking for help with critical business issues and anticipating risk?
Discover our Third-Party Assurance Services

Get in touch

Sara Lademan
Partner
Deloitte Risk & Financial Advisory
Deloitte & Touche LLP
slademan@deloitte.com

Dan Zychinski
Managing Director
Deloitte Risk and Financial Advisory
Deloitte & Touche LLP
dzychinski@deloitte.com

Alan West
Managing Director
Deloitte Risk and Financial Advisory
Deloitte & Touche LLP
alwest@deloitte.com

 

Fullwidth SCC. Do not delete! This box/component contains JavaScript that is needed on this page. This message will not be visible when page is activated.