
How Do I Share My SOC 2® Report?

Completing a System and Organization Controls (SOC 2®) examination is a significant accomplishment for any organization. Once you have finished celebrating with your team and debriefing with your examiner, it is time to decide how best to share your SOC report and make use of this new badge of honor. Here are some things to consider as you evaluate your next steps.

1) Evaluate risks and communicate standards for sharing your new SOC 2® report

The audience for a SOC 2® report is clearly defined: distribution is generally restricted to current and prospective customers, business partners, and the CPAs providing services to those parties. Because of these restrictions, the report should not be made available for general use (for example, posted on the company website). However, this does not mean your SOC 2® report should be difficult for intended users to obtain.

One risk to weigh when defining your distribution standards is whether the external party has sufficient knowledge and understanding of your system to evaluate the SOC 2® report properly. Without that knowledge, a user may misunderstand the report's content and draw inappropriate conclusions from the information presented.

2) Develop a formal process for sharing the SOC 2® report

Completing a SOC 2® examination is not possible without formal processes and procedures, and identifying and implementing them likely helped you through the exam. The next step is developing a formal, streamlined process for sharing your report with intended users.

Many of the people who receive requests for the SOC 2® report are outside the core team that worked on it and have not been told how the report may be shared. We recommend arming these people with specific criteria that define who can receive the report and how it can be obtained. Generally, this will include a certification from the requesting individual that they meet the distribution requirements and a non-disclosure agreement (NDA).

3) Consider a clickwrap agreement for certification

SOC 2® reports are nearly always shared as a PDF, yet many organizations continue to obtain a paper-signed NDA and certification from the requesting party. Consider replacing this method by embedding a clickwrap agreement in the delivery of your SOC 2® report, so that the recipient must click "I agree" to accept the terms before accessing the document. Clickwrap agreements provide a streamlined process for intended users and ensure that every recipient, including any who fall outside the intended audience, goes through the certification step, which further reduces the risk of parties placing inappropriate reliance on your SOC 2® report. Keep in mind that a clickwrap governs the terms of use but does not technically prevent a PDF from being forwarded once downloaded, so the agreement should still be paired with controls over where the report is hosted and who can retrieve it. These arrangements have been tested in court, but you should still consult legal counsel.

4) Share SOC 2® completion and consider a SOC 3® Report

While you cannot openly distribute the SOC 2® report, you are permitted to publish the fact that you completed the examination, which can provide a competitive advantage in the marketplace. The AICPA has developed a SOC for Service Organizations logo for display on your website and has issued specific guidelines on use of the logo and on sharing this news with the general public.

You should also consider a SOC 3® report, which can be issued concurrently with your SOC 2® report without extensive additional work. A SOC 3® report differs from a SOC 2® report in that it is a general-use report and can be used as a marketing document. It conveys the auditor's opinion and a high-level description of the system, but omits the detailed system description and the auditor's tests of controls found in the SOC 2® report, so it is typically shorter and more easily understood by a general audience. A SOC 3® report lets you post marketing collateral about the security of your system on your website and share it freely with prospects.

5) Investigate needs for expanding your examination

As the marketplace continues to recognize the benefits of SOC reporting, you can expect customer demand to grow. SOC provides a framework that can readily be expanded after your first examination. Expansion could include additional trust services categories or widening the scope of the examination to cover additional systems. We have also seen increased interest in SOC 2® "Plus" reports, which allow an independent CPA to issue an opinion not only against the SOC 2® criteria but also against other frameworks such as HIPAA, NIST, or ISO standards. Expanding your examination lets you anticipate future demands and continue to reduce the customer due diligence requests and security checklists that consume internal resources.

Helping clients meet standards for internal control compliance is a core focus of UHY. For more information or to have an initial consultation with one of our SOC experts, please contact us at info@uhy-us.com.

For additional resources, visit our SOC Report page.

09/29/2022


©2022 UHY LLP. ALL RIGHTS RESERVED.
