As the calendar year end approaches, it’s time to start collecting and analyzing Service Organization Controls (SOC) Reports. SOC reports are independent audit reports regarding your service providers’ controls. Since most organizations choose the calendar year as their fiscal year, vendors and their SOC auditors plan to complete their SOC audits and deliver the reports around now, close to the end of the year. This helps ensure that the related testing was completed as close to year end as possible, which is important for financial statement and Sarbanes-Oxley (SOX) audits.
When obtaining the SOC reports, remember they are audit reports, not certifications. The report may include red flags, and it’s incumbent upon you to read them and determine if there are any matters that negatively impact the service you receive. Be sure to consider these items when evaluating SOC reports: