Why It’s Key for Technology Companies to Prove Integrity of Internal Controls

Lisa Dion, Principal, Technology Practice
Kim Koch, Principal, IT Compliance Services

September 16, 2020 | Updated May 26, 2022
LinkedIn Share Button Twitter Share Button Other Share Button Other Share Button
Person balancing on a tightrope

Many technology companies depend on the integrity of their internal control environment to serve and protect their business and customers.

Particularly when work environments are shifting to increasingly remote functions in response to the COVID-19 pandemic, technology companies are at the forefront of not only providing secure systems to help carry out those functions but also needing to protect confidential and personal data as a result.

One way to help build confidence—and potentially drive revenue—with the integrity of your internal controls is through a System and Organization Control (SOC) report or audit. These are commonly requested to show systems are secure and data is protected. This is becoming more prevalent at technology start-ups where such a report is often considered an entry to doing business.

Who Needs a SOC Report?

In addition to start-ups, mid-size and larger companies also conduct annual SOC audit. Services within outsourcing arrangements that drive SOC 1 or SOC 2 adoption include the following:

  • Software as a service (SaaS)
  • Infrastructure as a service (IaaS)
  • Platform as a service (PaaS)
  • Cloud providers
  • Big data technologies
  • Advanced analytics
  • Artificial intelligence-focused companies
  • Managed services

What Challenges Can Be Combated With SOC Reports?

Integrity is complicated to secure with new technologies unveiled at record speeds and the increased prevalence of third-party vendors.

In fact, requests for SOC 2 reports—which evaluate an organization’s information systems relevant to security, availability, processing integrity, confidentiality, or privacy—are increasing in tandem with the IT industry’s growth.

For technology companies, the main issues driving adoption of SOC reporting include the following:

  • Rapid rate of cloud adoption
  • Cybersecurity threats
  • Increased due diligence of customers
  • Compliance involving other frameworks, including the Cloud Security Alliance (CSA), International Organization for Standardization, and the National Institute of Standards and Technology

Drive Revenue

A SOC examination, or SOC audit, serves as an examination of internal controls related to information systems or transaction processing.  When performed upfront, it can save time and resources in the end, particularly when it comes to responding to due diligence questions.

While these examinations aren’t required, customers use the reports to reduce other due diligence procedures; and sophisticated customers often demand them to demonstrate that the controls in their information systems are designed and operating effectively.

The higher the trust level, the more a service organization can focus on new opportunities and generating revenue.

Build Confidence

A number of new organizations requesting SOC audits are start-ups—emerging entities with five to 50 employees. While raising funds or going public, they’re looking to develop internal controls, set up a risk assessment infrastructure, or create sophisticated documentation controls. In these cases, issuing a SOC report can increase credibility and boost confidence in its management by validating an organization’s control environment.

What to Monitor
  • Financial and performance history
  • Security and availability safeguards
  • Reliable processing integrity
  • Confidential and private records
  • Regulatory and operational compliance
  • Compliance with service-level agreements
  • Regular due diligence and monitoring

Having a SOC report can help to build confidence between service organizations and clients, which in turn could affect revenue.

Additional Insight

Cybersecurity Note

Technology companies are busier than ever with more people working remote.

A SOC report can complement your cybersecurity and application security efforts when it comes to mitigating risk with your third-party vendors. It won’t necessarily stop a cybersecurity attack, but you’ll have a better sense of your organization’s preparation. Read more in Consider Third-Party Relationships When Setting Up Controls for Risk.

We’re Here to Help

For more insight on how a SOC report can help you establish trust with your internal controls, contact your Moss Adams professional. You can also explore further information about the different kinds of SOC reportswhat a SOC report can provide, and how SOC 2 compliance can affect your business operations.

Ask a Question

The material appearing in this communication is for informational purposes only and should not be construed as advice of any kind, including legal, accounting, tax, or investment advice. This information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although these materials have been prepared by professionals, the user should not substitute these materials for professional services, and should seek advice from an independent advisor before acting on any information presented. Changes in tax laws or other factors could affect the information provided in this communication.

Related Topics

Article
The World Has Changed Due to COVID-19—Has Your SOC Report?
Article
Article
SOC for Cybersecurity: How to Check the State of Your Cyberrisk Program and Build Stakeholder Confidence
Article
WebPage
Guide | SOC Reports: Protect the Integrity of Your Internal Controls
WebPage
View More

Contact Us with Questions

Baker Tilly US, LLP, Baker Tilly Advisory Group, LP and Moss Adams LLP and their affiliated entities operate under an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable laws, regulations and professional standards. Baker Tilly Advisory Group, LP and its subsidiaries, and Baker Tilly US, LLP and its affiliated entities, trading as Baker Tilly, are members of the global network of Baker Tilly International Ltd., the members of which are separate and independent legal entities. Baker Tilly US, LLP and Moss Adams LLP are licensed CPA firms that provide assurance services to their clients. Baker Tilly Advisory Group, LP and its subsidiary entities provide tax and consulting services to their clients and are not licensed CPA firms. ISO certification services offered through Moss Adams Certifications LLC. Investment advisory offered through either Moss Adams Wealth Advisors LLC or Baker Tilly Wealth Management, LLC.