Why It’s Key for Technology Companies to Prove Integrity of Internal Controls
by Kim Koch, Partner, IT Compliance Services, and Lisa Dion, Senior Manager, Technology Practice
Many technology companies depend on the integrity of their internal control environment to serve and protect their business and customers.
Particularly when work environments are shifting to increasingly remote functions in response to the COVID-19 pandemic, technology companies are at the forefront of not only providing secure systems to help carry out those functions but also needing to protect confidential and personal data as a result.
One way to help build confidence—and potentially drive revenue—with the integrity of your internal controls is through a system and organization control (SOC) examination. These are commonly requested to show systems are secure and data is protected. This is becoming more prevalent at technology start-ups where such a report is often considered an entry to doing business.
Who Needs a SOC Report
In addition to start-ups, mid-size and larger companies also conduct annual SOC examinations. Services within outsourcing arrangements that drive SOC adoption include the following:
- Software as a service (SaaS)
- Infrastructure as a service (IaaS)
- Platform as a service (PaaS)
- Cloud providers
- Big data technologies
- Advanced analytics
- Artificial intelligence-focused companies
- Managed services
Challenges
Integrity is complicated to secure with new technologies unveiled at record speeds and the increased prevalence of third-party vendors.
In fact, requests for SOC 2 audits—which evaluate an organization’s information systems relevant to security, availability, processing integrity, confidentiality, or privacy—are increasing in tandem with the IT industry’s growth.
For technology companies, the main issues driving adoption of SOC reporting include the following:
- Rapid rate of cloud adoption
- Cybersecurity threats
- Increased due diligence of customers
- Compliance involving other frameworks, including the Cloud Security Alliance (CSA), International Organization for Standardization, and the National Institute of Standards and Technology
Benefits
In essence, a SOC examination could help drive revenue and build confidence.
In addition to showing you have the proper controls in place to protect sensitive information, there are other benefits to a SOC examination as well:
- Maintain and retain customer relationships
- Review the internal structure of your organization, which provides tremendous insight for management to help identify, analyze, and mitigate evolving risks
- Appease potential investors with credible and reliable data that shows the sophistication of a company
Drive Revenue
A SOC examination serves as an examination of internal controls related to information systems or transaction processing. When performed upfront, it can save time and resources in the end, particularly when it comes to responding to due diligence questions.
While these examinations aren’t required, customers use the reports to reduce other due diligence procedures, and sophisticated customers often demand them to demonstrate that the controls in their information systems are designed and operating effectively.
The higher the trust level, the more a service organization can focus on new opportunities and generating revenue.
Build Confidence
A number of new organizations requesting SOC examinations are start-ups—emerging entities with five to 50 employees. While raising funds or going public, they’re looking to develop internal controls, set up a risk assessment infrastructure, or create sophisticated documentation controls. In these cases, issuing a SOC report can increase credibility and boost confidence in its management by validating an organization’s control environment.
What to Monitor
- Financial and performance history
- Security and availability safeguards
- Reliable processing integrity
- Confidential and private records
- Regulatory and operational compliance
- Compliance with service-level agreements
- Regular due diligence and monitoring
Having a SOC report can help to build confidence between service organizations and clients, which in turn could affect revenue.
Additional Insight
Cybersecurity Note
Technology companies are busier than ever with more people working remotely.
A SOC examination can complement your cybersecurity and application security efforts when it comes to mitigating risk with your third-party vendors. It won’t necessarily stop a cybersecurity attack, but you’ll have a better sense of your organization’s preparation. Read more in “Consider Third-Party Relationships When Setting Up Controls for Risk.”
We’re Here to Help
For more insight on how a SOC examination can help you establish trust with your internal controls, contact your Moss Adams professional.
Kim Koch has practiced public accounting since 2001 and has over 15 years of experience conducting System and Organization Control (SOC) readiness assessments and audits, compliance audits, and internal controls evaluations. She can be reached at 206-302-6425 or kim.koch@mossadams.com.
Lisa Dion has practiced public accounting since 2011. She serves private and public companies in the technology and life sciences industries. Her assurance expertise includes accounting for technical transactions such as equity and debt financings, acquisitions, and revenue recognition. She can be reached at (206) 302-6734 or lisa.dion@mossadams.com.