Completing a System and Organization Controls (SOC 2®) examination is a tremendous accomplishment for any organization. Once you finish celebrating your team and debriefing with your examiner, it's time to determine how best to share your SOC report and leverage this new badge of honor. Here are some things to consider as you evaluate your next steps.
1) Evaluate risks and communicate standards for sharing your new SOC 2® report
The audience for SOC 2® reports is clearly defined and external distribution is generally restricted to current and prospective customers, business partners and CPAs providing services to those individuals. Because of those restrictions, the report should not be made available for general use (such as posted to the company website). However, this does not mean your SOC 2® report should be difficult for intended users to obtain.
A risk to consider when defining your communication standards should include whether or not the external party has a sufficient knowledge and understanding of your system to properly evaluate the SOC 2® report. Without such knowledge, the user may not fully understand the content of the SOC 2® report and could make inappropriate conclusions on the information presented.
2) Develop a formal process for sharing the SOC 2® report
Obtaining SOC 2® compliance is not possible without following formal processes and procedures. Identifying and implementing these efficiencies likely helped you through the exam. The next step is developing a formal, streamlined process for sharing your report with intended users.
Many people that receive requests for the SOC 2® report are separate from the core team that worked on the report and aren't given an understanding of how this information can be shared. We recommend arming these people with specific criteria to define who can receive the report and how it can be obtained. Generally, this will include a certification from the individual requesting the report that they meet the requirements for distribution and a non-disclosure agreement (NDA).
3) Consider a clickwrap agreement for certification
SOC 2® reports are nearly always shared as a PDF, but many organizations continue to obtain a paper signed NDA and certification from the requesting party. You should consider replacing this method with embedding a clickwrap agreement in your SOC 2® report so the recipient must click "I agree" to accept the terms of the document. Clickwrap agreements provide a streamlined process for intended users and also ensure unintended users follow the certification process, which further reduces organizational risk of parties placing inappropriate reliance on your SOC 2® report. These arrangements have been tested in court, but consultation should be made with legal counsel.
4) Share SOC 2® completion and consider a SOC 3® Report
While you cannot openly distribute the SOC 2 report – you are permitted to publish that you completed the examination, which can provide you with a competitive advantage in the marketplace. The AICPA has developed a SOC for Service Organization logo for display on your website (see here) and has issued specific guidelines regarding the use of the logo (see here) and on sharing this news with the general public, which can be found here.
A SOC 3® report, which can be issued concurrently with your SOC 2® report without extensive additional work, should also be considered. A SOC 3® report differs from a SOC 2® report because it can be made available for general use and used as a marketing document. A SOC 3® report provides similar information to your SOC 2® report, but at a much less detailed level that is typically shorter and more easily understood by a general audience. SOC 3® allows you to provide marketing collateral about the security of your system on your website and be shared with prospects.
5) Investigate needs for expanding your examination
As the marketplace continues to understand the benefits of SOC, you can expect your customer demand to grow. SOC provides a framework that can easily be expanded upon after completing your first exam. Expansion could include additional trust service categories or increasing the scope of your examination to include additional systems. We have also started to see an increased interest in SOC 2® "Plus" reports. They allow an independent CPA to issue an opinion on the SOC 2® framework as well as other regulatory frameworks such as HIPAA, NIST, ISO, etc. Expanding your examination allows you to anticipate future demands and continue to reduce due diligence requirements and security checklists that consume internal resources.
Helping clients meet standards for internal control compliance is a core focus of UHY. For more information or to have an initial consultation with one of our SOC experts, please contact us at firstname.lastname@example.org.
For additional resources, visit our SOC Report page.
Fill out the form to speak with one of our SOC professionals