Why It’s Important to Review Vendors’ SOC Reports


Organizations continually look for opportunities to implement efficiencies and cost savings, which may lead to outsourcing.

As a result of COVID-19, many organizations also moved data to the cloud to be more accessible in a remote working environment. Some common service providers include enterprise resource planning (ERP) systems, payroll providers, and investment managers and custodians. Not-for-profit organizations might also use donor and grant management systems. However, new risks can occur when outside providers perform operational duties and store or process data.

Organizations can reduce the risks of using outside service providers by implementing appropriate controls and systems to prevent fraud, theft, and cyberattacks. To address the risks related to outside service providers, organizations can hire certified public accountants (CPAs) to perform system and organization controls (SOC) examinations. Organizations should obtain and review a vendor’s SOC report whenever they’re evaluating a new vendor.

What Needs to Be Considered During Vendor Due Diligence?

The SOC reports should be reviewed with all the following considerations in mind:

  • Type of report
  • Accounting firm
  • Auditor opinion
  • Service scope
  • Covered period
  • Description of processes and controls
  • User entity control considerations
  • Complementary subservice organization controls
  • Testing results

The checklist below covers a series of questions your organization could ask as it works through each of these considerations.

If you need more information on what type of report you should request from your vendor, please see definitions of all SOC reports and their uses in our article What Is a SOC Report, and Why Is It Important?

A Checklist to Help You Review Vendors’ SOC Reports

[Checklist image]

We’re Here to Help

If you have any questions about obtaining your vendors’ SOC reports or the types of questions you should be asking, please contact your Moss Adams professional.
