Meeting stakeholder expectations on SOC reporting

This blog is part of our ongoing SOC Insight series. Each piece focuses on a different area of SOC reporting and aims to answer the questions that are important to your business. Read more to learn why SOC reporting is about much more than checking a compliance box.

Few would argue that when it comes to trust and transparency, particularly around controls, organizations are under more scrutiny than ever before. Consequently, as part of its role as regulator of public accounting firms, the Public Company Accounting Oversight Board (PCAOB) has been increasingly focused on a company’s internal controls over financial reporting, including controls outsourced to third parties.

Indeed, as more companies outsource financially significant processes, those service organizations must also be included in the scope of external financial audits. As it reviews those external audits, the PCAOB is paying close attention to how public accounting firms use SOC reports as part of their overall audit opinion—and their client companies are investing more to build a robust control environment over key financial processes.

Despite this investment, in our recent experience, many SOC reports don’t include all the scope areas they should. In some cases, controls are missing. In others, testing might not be robust, such as when controls are tested by inquiry rather than by taking actual samples. And some lack ‘key report’ testing or completeness and accuracy procedures.

What should management do?

Failing to deliver assurance is not an option. Therefore, companies need sophisticated auditors with thorough knowledge of SOC 1 reporting to focus on doing the following:

  • Make certain that the controls scope of the SOC report is appropriate based on what services have been outsourced.
  • Work to confirm that the SOC report meets the needs of the different stakeholders, including the external auditors.
  • Take into consideration the latest audit industry guidance, including from the AICPA, the PCAOB and other professional bodies.

Driving stakeholder trust through compliance reporting is more important than ever before. Those looking for assurance that their SOC 1 reporting is meeting the increased expectations should turn to experienced auditing experts to lead the way.


Good read. I have a question for you: What is your take on the difference, if any, in the assurance provided by a SOC1, ISAE 3402 and SSAE 16/18?
